Create bison_ftp_bof.rb (Bisonware BisonFTP Server 3.5 BoF) #6263
Conversation
| [ | ||
| [ 'Bisonware FTP Server / Windows XP SP3 EN', | ||
| { | ||
| 'Ret' => 0x0040333f, |
There was a problem hiding this comment.
If the RET contains a NULL byte, why is \x00 included in badchars?
There was a problem hiding this comment.
seems to be working though, if I removed the NULL byte, the exploit doesn't work.
There was a problem hiding this comment.
Interesting. So perhaps the 39 bytes at the end of the exploit aren't required then?
There was a problem hiding this comment.
yep you are right, I will remove that then.
|
Will do some changes then :) |
|
@shipcod3 Roger! Thanks for the submission :) |
|
@OJ thanks for the review too 👍 |
|
thanks 👍 |
Adding constant NOP
|
@OJ done changing the NOP to constant value and the exploit seems to work.
|
|
Looks like @OJ got most of this reviewed/vetted. I think I'll grab this and test it tomorrow, and if it works for me I'll land it... sounds good? |
|
Hmmm, not working for me:
|
|
Hmm looks like it only crashed the application. Here is mine:
After sending the exploit and gaining a meterpreter:
Can you try again I added |
|
I also modified the space to 310 and verified it. The exploit still works
|
|
@shipcod3 Better now, got a shell: |
|
@wchen-r7 alright, cool :) |
This module exploits a buffer overflow vulnerability in Bisonware BisonFTP Server 3.5 and tested on Windows XP Service Pack 3 EN.
An original msf has been created by veerendragg but it's kinda unreliable and was not pushed on this repo. It is because of the FTP's prompt as shown on the image below wherein you need to login again in order to trigger the exploit. I added a check method and some fixes for the original msf and still using the same offset and return pointer
.
PoC: