Myles Nieman

Rainbow

Overview

Rainbow is a medium Windows box running a custom closed-source web service alongside anonymous FTP. Sending an oversized POST body to the service on port 8080 crashes the process and overwrites a register — the first step of a classic stack-based buffer overflow chain. The investigation involves pulling the binary via FTP, debugging it locally in WinDbg, and building an exploit to gain remote code execution.

Path: anonymous FTP → binary retrieval → buffer overflow (ECX overwrite) → RCE.

Enumeration

A quick TCP scan surfaces the standard Windows RPC/SMB cluster alongside FTP (21), two HTTP ports (80 and 8080), and RDP (3389).

$ nmap -T4 10.129.234.171
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap results showing open ports including FTP and the custom service on 8080

Port 80 runs IIS — nothing interesting there. Port 8080 serves a custom application called “Rainbow”; a quick search finds no public source or CVEs, so it warrants closer examination.

The Rainbow service on port 8080

Foothold — Buffer Overflow

Anonymous FTP access

The FTP service accepts anonymous login and exposes the Rainbow service binary:

$ netexec ftp 10.129.234.171 -u anonymous -p anonymous --ls

Anonymous FTP listing reveals accessible files

Downloading the Rainbow binary from the FTP share

Triggering the crash

A quick fuzz confirms the service is vulnerable: sending a POST body of 1000 bytes causes the connection to reset immediately.

$ PAYLOAD=$(python3 -c 'print("A"*1000)')
$ curl http://10.129.234.171:8080 -d "$PAYLOAD"
curl: (56) Recv failure: Connection reset by peer

Local analysis in WinDbg

The binary was transferred to a Windows VM for dynamic analysis. WinDbg was installed and the Rainbow service was launched under the debugger to catch the crash.

> winget install Microsoft.WinDbg --source winget

The Rainbow binary loaded and running under WinDbg

Replaying the 1000-byte payload against the local instance confirms the crash:

WinDbg catches the access violation after the oversized POST

Register state at the time of the crash

Inspecting the registers shows that ECX has been overwritten with attacker-controlled data:

ECX overwritten with 0x41414141 from the payload

With control over ECX established, the next step is pattern-based offset finding followed by shellcode delivery to gain remote code execution.
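As an added illustration of the bug class behind this crash (not Rainbow's code, which is closed-source; the 512-byte buffer, the handler names and the sample requests are assumptions), a request handler that copies the POST body into a fixed stack buffer by its declared length, beside a bounded version that rejects oversized bodies before any copy happens:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BODY_MAX 512  /* assumed buffer size; Rainbow's real size is unknown */

/* Vulnerable shape (illustration only, never called): the body is copied by its
 * declared length into a fixed stack buffer, so a 1000-byte POST runs past it
 * into the saved registers and return address. */
void handle_post_unsafe(const char *body, size_t len) {
    char buf[BODY_MAX];
    memcpy(buf, body, len);             /* no bound on len */
}

/* Hardened form: refuse bodies that do not fit. Returns an HTTP status code. */
int handle_post_safe(const char *body, size_t len) {
    char buf[BODY_MAX];
    if (body == NULL) return 400;
    if (len >= BODY_MAX) return 413;    /* Payload Too Large */
    memcpy(buf, body, len);
    buf[len] = '\0';
    return 200;
}

/* Parse Content-Length from a raw request and pass the body to the safe handler. */
int serve_request(const char *req) {
    const char *cl = strstr(req, "Content-Length:");
    const char *sep = strstr(req, "\r\n\r\n");
    if (cl == NULL || sep == NULL) return 400;
    long declared = strtol(cl + strlen("Content-Length:"), NULL, 10);
    if (declared < 0 || (size_t)declared > strlen(sep + 4)) return 400;
    return handle_post_safe(sep + 4, (size_t)declared);
}

/* Constructed POST of n 'A' bytes, like the fuzz payload; returns the status. */
int status_for_body_of(size_t n) {
    char *req = malloc(n + 64);
    if (req == NULL) return -1;
    int hdr = sprintf(req, "POST / HTTP/1.1\r\nContent-Length: %zu\r\n\r\n", n);
    memset(req + hdr, 'A', n);
    req[hdr + n] = '\0';
    int status = serve_request(req);
    free(req);
    return status;
}

int main(void) {
    printf("1000-byte POST -> %d\n", status_for_body_of(1000));  /* 413 */
    printf("100-byte POST  -> %d\n", status_for_body_of(100));   /* 200 */
    return 0;
}
```

The length check on the declared size is what separates a reset-on-oversized-request from the register overwrite seen in WinDbg.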

Takeaways

  • Anonymous FTP is a quick path to the target binary — when a service has no public source, grabbing it off FTP and debugging locally is the fastest way to find the vulnerability class.
  • A register overwrite in a crash is the first signal of exploitability — confirmed control of ECX is the foundation for building a reliable ROP/shellcode chain.