FTPShell 6.7 Windows client has a DoS which can be converted to RCE by a malicious server

I am an experienced Vulnerability Researcher and Security Architect with 16+ years of experience in various verticals and horizontals, be it consumer electronics, semiconductors, automotive or other. Having started as a software engineer on low-level embedded devices, from writing applications to kernel drivers on various operating systems, I then moved to my real calling, i.e. hacking. Love to stick to the older golden days of game hacking, BBS, shareware, phreaking, phrack, the virus era, metal music, cheats and many more such cool stuff from the underground. I wear many hats from time to time as necessary - but I also love to help people and organizations deal with the core cybersecurity issues and not provide them a checklist with a presentation. Opinions and posts on my site are purely my own and do not reflect my work.
This is another one of the exploits we tried to port on my local machine using Immunity Debugger.
Credits to the original author for the exploit.
https://www.cvedetails.com/cve/CVE-2018-7573/
https://www.exploit-db.com/exploits/44596/
https://www.exploit-db.com/exploits/44968/
Basic flow to port the exploit:
Load the program.
Let's start the malicious FTP server now.
Let's try to connect to our malicious FTP server.
As you can see, ESI is completely overwritten with \x41.
Let's find a jmp esi in Windows memory, from which our EIP will jump to the NOPs and then to the payload shellcode for calc.
A new jmp.txt is generated by mona.
Let's select any one of the addresses from this for our jmp.
Let's modify our EIP for this new address:
0x004539c0 – normal
\xc0\x39\x45 – reversed into little-endian byte order
Let's restart FTPShell from mona. Something went wrong, so let's try a different address. I had not selected the correct payload; calc spawned on the other screen. Now I have set a single screen, so calc.exe should pop up.
Great — that's it.
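The crash above comes from a client copying an attacker-controlled server reply into a fixed-size buffer, which is why ESI fills with 0x41 and a reversed address can be dropped into EIP. The following C program is an added example, not code from the original post or from FTPShell: it shows the unbounded-copy pattern next to a bounded, validating reply handler, a simple repeated-byte heuristic a monitor could apply to server replies, and the little-endian packing behind the "0x004539c0 to \xc0\x39\x45" step. The buffer size REPLY_MAX, the banner text and the 1024-byte reply are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size reply buffer, like one a small FTP client might
 * keep for a server response line (assumption for this example). */
#define REPLY_MAX 256

/* The bug class the post exploits, shown for contrast: a fixed buffer filled
 * by an unbounded copy of server data. Only ever called with a short, known
 * banner here. */
static void copy_reply_unbounded(char *dst, const char *reply)
{
    strcpy(dst, reply); /* overflows dst once strlen(reply) >= REPLY_MAX */
}

/* Hardened counterpart: refuse any reply that would not fit instead of
 * copying it, so a hostile server cannot write past the buffer. */
static int copy_reply_bounded(char *dst, size_t dst_len, const char *reply)
{
    size_t n = strlen(reply);
    if (n >= dst_len)
        return -1; /* caller should drop the connection */
    memcpy(dst, reply, n + 1);
    return 0;
}

/* RFC 959 reply lines start with a three-digit code followed by a space or
 * '-'. Returns the code, or -1 when the line is not shaped like a reply. */
static int ftp_reply_code(const char *line)
{
    int code = 0;
    for (int i = 0; i < 3; i++) {
        if (line[i] < '0' || line[i] > '9')
            return -1;
        code = code * 10 + (line[i] - '0');
    }
    if (line[3] != ' ' && line[3] != '-')
        return -1;
    return code;
}

/* Detection heuristic: a reply made of one repeated byte (the 0x41 run the
 * post sees in ESI) is a strong sign of a crafted response, not a banner.
 * Returns 1 when at least min_run consecutive identical bytes occur. */
static int has_byte_run(const char *s, size_t min_run)
{
    size_t run = 1;
    for (size_t i = 1; s[i] != '\0'; i++) {
        run = (s[i] == s[i - 1]) ? run + 1 : 1;
        if (run >= min_run)
            return 1;
    }
    return 0;
}

/* Full check a defensive client would run on each reply line: it must fit,
 * parse as an FTP reply, and not be a filler run. Returns the code or -1. */
static int accept_reply(const char *reply)
{
    char buf[REPLY_MAX];
    if (copy_reply_bounded(buf, sizeof buf, reply) != 0)
        return -1;
    if (has_byte_run(buf, 64))
        return -1;
    return ftp_reply_code(buf);
}

/* x86 stores a 32-bit value least-significant byte first, which is why the
 * address 0x004539c0 is written into the payload as c0 39 45 00. */
static void le32_bytes(uint32_t v, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Convenience check used by the self-test: does v pack to b0 b1 b2 b3? */
static int le32_matches(uint32_t v, uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3)
{
    uint8_t b[4];
    le32_bytes(v, b);
    return b[0] == b0 && b[1] == b1 && b[2] == b2 && b[3] == b3;
}

/* Constructed oversized reply: 1024 'A' bytes, mimicking the crash input. */
static const char *constructed_long_reply(void)
{
    static char buf[1025];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    char dst[REPLY_MAX];
    const char *banner = "220 (constructed) FTP server ready";
    uint8_t b[4];

    copy_reply_unbounded(dst, banner); /* safe only because banner is short */
    printf("banner: code=%d\n", accept_reply(banner));
    printf("1024 x 'A': code=%d\n", accept_reply(constructed_long_reply()));
    le32_bytes(0x004539c0u, b);
    printf("le32: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```

The length check runs before anything is copied, so the oversized reply never touches the buffer; the repeated-byte heuristic is a cheap extra signal for a proxy or IDS watching FTP control channels, and would have flagged the all-0x41 response the post uses to find the crash.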




