EasyFTP 1.0.7.11 Exploiting FTP with an EggHunter, Limited Space and Custom Shell Code
On my way to studying for Offensive Security's OSCE exam, I began exploring exploit-db.com for exploitable applications whose exploits I could try to recreate. I found EasyFTP 1.0.7.11 and set about trying to own it.

1. Fuzzed with boofuzz, which identified the LIST parameter as exploitable.

- I found a good boofuzz tutorial on YouTube.
- Note below that I reviewed several different parameters, including user, stor, retr, password and list. Generally speaking, you identify these parameters by reviewing the RFC associated with the application and reviewing a Wireshark capture taken while interacting normally with the application.

(part of boofuzz python script)

(output of running boofuzz python script)

- You can see that at 407 bytes the script fails to receive a response from EasyFTP, i.e. it crashed. At this point you'd want to confirm the crash by reviewing Immunity Debugger and checking that the application did in fact crash.

2. Replicated the boofuzz result
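The crash at a 407-byte LIST argument is the kind of anomaly a defender can watch for on the control channel. As an added example that is not part of the original post, here is a small Python checker that parses FTP command lines and flags arguments that are oversized or contain non-printable bytes; the 256-byte threshold and the sample command lines are constructed, and the 407-byte length in the sample simply mirrors the crash length reported above.

```python
"""
Added example (not from the original post): a small detector that flags
oversized or binary FTP command arguments in a captured command stream, the
kind of check an IDS rule or a protocol-aware proxy in front of an FTP service
could apply. The 407-byte crash length comes from the post; the threshold
below (256) is a constructed value chosen well under it, and the sample lines
are constructed.
"""
import re

# Command verbs the post's fuzzing covered, plus a few other common ones.
WATCHED_VERBS = {"USER", "PASS", "LIST", "STOR", "RETR", "CWD", "MKD"}

# Constructed threshold: well below the 407-byte length that crashed EasyFTP.
MAX_ARG_LEN = 256

# A command line is a 3-4 letter verb, optionally followed by an argument.
CMD_RE = re.compile(r"^(?P<verb>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


def parse_command(line: str):
    """Split one FTP control-channel line into (VERB, argument).
    Returns None for lines that are not well-formed commands."""
    line = line.rstrip("\r\n")
    m = CMD_RE.match(line)
    if not m:
        return None
    return m.group("verb").upper(), m.group("arg") or ""


def check_command(line: str, max_arg_len: int = MAX_ARG_LEN):
    """Return a finding dict if the line is suspicious, else None.
    Two conditions are flagged: a watched verb whose argument is longer than
    max_arg_len, and any argument containing non-printable bytes. Both are
    typical of fuzzer or exploit traffic and atypical of a real client."""
    parsed = parse_command(line)
    if parsed is None:
        return {"verb": None, "reason": "malformed command line"}
    verb, arg = parsed
    if verb in WATCHED_VERBS and len(arg) > max_arg_len:
        return {"verb": verb, "reason": f"argument length {len(arg)} > {max_arg_len}"}
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in arg):
        return {"verb": verb, "reason": "non-printable bytes in argument"}
    return None


def scan(lines):
    """Run check_command over an iterable of log lines and return the
    findings as (line_number, finding) pairs."""
    findings = []
    for n, line in enumerate(lines, start=1):
        f = check_command(line)
        if f is not None:
            findings.append((n, f))
    return findings


# Constructed sample capture: a normal session, then a fuzzer-style LIST with
# a 407-byte argument (the crash length from the post), then a RETR carrying
# raw bytes that no interactive client would send.
SAMPLE_LINES = [
    "USER anonymous\r\n",
    "PASS guest@example.invalid\r\n",
    "PWD\r\n",
    "LIST /pub\r\n",
    "LIST " + "A" * 407 + "\r\n",
    "RETR \x00\x90\x90file.txt\r\n",
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LINES):
        print(f"line {n}: {f['verb']}: {f['reason']}")
```

Running it flags only lines 5 and 6 of the sample. The length bound is the interesting knob: it should sit comfortably below any length known to crash the service but above the longest legitimate path a real client is expected to send.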