Create bison_ftp_bof.rb (Bisonware BisonFTP Server 3.5 BoF) #6263
Conversation
[
  [ 'Bisonware FTP Server / Windows XP SP3 EN',
    {
      'Ret' => 0x0040333f,
If the RET contains a NULL byte, why is \x00 included in badchars?
Seems to be working though; if I removed the NULL byte, the exploit doesn't work.
Interesting. So perhaps the 39 bytes at the end of the exploit aren't required then?
Yep, you are right, I will remove that then. Will do some changes then :)
@shipcod3 Roger! Thanks for the submission :)
@OJ thanks for the review too 👍
thanks 👍
Adding constant NOP
@OJ done changing the NOP to a constant value and the exploit seems to work.
Looks like @OJ got most of this reviewed/vetted. I think I'll grab this and test it tomorrow, and if it works for me I'll land it... sounds good?
@shipcod3 Better now, got a shell:
@wchen-r7 alright, cool :)
This module exploits a buffer overflow vulnerability in Bisonware BisonFTP Server 3.5 and was tested on Windows XP Service Pack 3 EN.
An original msf module was created by veerendragg, but it's kinda unreliable and was not pushed to this repo. This is because of the FTP's prompt, as shown in the image below, wherein you need to log in again in order to trigger the exploit. I added a check method and some fixes for the original msf module, and I am still using the same offset and return pointer.
PoC: