Rainbow
Overview
Rainbow is a medium Windows box running a custom closed-source web service alongside anonymous FTP. Sending an oversized POST body to the service on port 8080 crashes the process and overwrites a register — the first step of a classic stack-based buffer overflow chain. The investigation involves pulling the binary via FTP, debugging it locally in WinDbg, and building an exploit to gain remote code execution.
Path: anonymous FTP → binary retrieval → buffer overflow (ECX overwrite) → RCE.
Enumeration
A quick TCP scan surfaces the standard Windows RPC/SMB cluster alongside FTP (21), two HTTP ports (80 and 8080), and RDP (3389).
$ nmap -T4 10.129.234.171
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8080/tcp open http-proxy

Port 80 runs IIS — nothing interesting there. Port 8080 serves a custom application called “Rainbow”; a quick search finds no public source or CVEs, so it warrants closer examination.

Foothold — Buffer Overflow
Anonymous FTP access
The FTP service accepts anonymous login and exposes the Rainbow service binary:
$ netexec ftp 10.129.234.171 -u anonymous -p anonymous --ls
Triggering the crash
A quick fuzz confirms the service crashes on oversized input: sending a 1000-byte POST body resets the connection immediately.
$ PAYLOAD=$(python3 -c 'print("A"*1000)')
$ curl http://10.129.234.171:8080 -d "$PAYLOAD"
curl: (56) Recv failure: Connection reset by peer
Local analysis in WinDbg
The binary was transferred to a Windows VM for dynamic analysis. WinDbg was installed and the Rainbow service was launched under the debugger to catch the crash.
> winget install Microsoft.WinDbg --source winget

Replaying the 1000-byte payload against the local instance confirms the crash:
Inspecting the registers shows that ECX has been overwritten with attacker-controlled data:

With control over ECX established, the next step is pattern-based offset finding followed by shellcode delivery to gain remote code execution.
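To make the bug class behind the crash concrete from the defender's side, here is an added C example; it is not code from the Rainbow binary (whose source is closed), and the 512-byte buffer size, the function names and the constructed 'A'-filled body are assumptions. It places the unbounded body copy that produces this kind of crash next to a bounded version that refuses a body which does not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the request buffer; the real layout is unknown, so this
 * is a placeholder chosen to be smaller than the 1000-byte fuzz body. */
#define BODY_BUF_SIZE 512

/* Vulnerable pattern: the body is copied using the client-supplied length
 * with no check against the stack buffer. A 1000-byte body overruns it and
 * clobbers saved data on the stack, which is what the ECX overwrite in
 * WinDbg points at. Shown for contrast only; nothing here calls it. */
void copy_body_unbounded(const char *body, size_t len)
{
    char buf[BODY_BUF_SIZE];
    memcpy(buf, body, len);          /* len is attacker-controlled */
    buf[BODY_BUF_SIZE - 1] = '\0';
    printf("received %zu bytes\n", len);
}

/* Hardened form: check the length against the buffer (leaving room for the
 * terminator) before a single byte is copied. Returns 0 when the body was
 * accepted and -1 when the request is refused as too large. */
int copy_body_bounded(const char *body, size_t len)
{
    char buf[BODY_BUF_SIZE];
    if (body == NULL || len >= BODY_BUF_SIZE)
        return -1;                   /* refuse; never truncate silently */
    memcpy(buf, body, len);
    buf[len] = '\0';
    printf("received %zu bytes\n", len);
    return 0;
}

/* Constructed stand-in for the write-up's fuzz case: a body of n 'A' bytes,
 * fed to the bounded handler. Returns that handler's result. */
int handle_post_of_size(size_t n)
{
    static char body[2048];
    if (n >= sizeof body)
        return -1;
    memset(body, 'A', n);
    body[n] = '\0';
    return copy_body_bounded(body, n);
}

int main(void)
{
    printf("1000-byte body -> %d\n", handle_post_of_size(1000)); /* -1 */
    printf("100-byte body  -> %d\n", handle_post_of_size(100));  /* 0 */
    return 0;
}
```

The 1000-byte body that resets the connection on the real service is rejected up front by the bounded handler, while bodies that fit are processed normally.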
Takeaways
- Anonymous FTP is a quick path to the target binary — when a service has no public source, grabbing it off FTP and debugging locally is the fastest way to find the vulnerability class.
- A register overwrite in a crash is the first signal of exploitability — confirmed control of ECX is the foundation for building a reliable ROP/shellcode chain. One caveat: a clobbered ECX shows the overflow reaches saved data on the stack, not yet that the return address is controlled, so that still has to be confirmed in the debugger before the crash is rated as remote code execution.