freeFTPd-1.0.10 SEH Based Buffer Overflow

freeFTPd-1.0.10 SEH Based Buffer Overflow

on May 13, 2020

Kali Linux

Windows Vista

freeFTPD 1.0.10

Original Author, POC, and vulnerable software: https://www.exploit-db.com/exploits/27747

GitHub:https://github.com/pyt3ra/freeFTPd-1.0.10-SEH-Based-Buffer-Overflow

~~~~~~//******//~~~~~~

Vulnerable program:

Initial Proof-of-Concept

...and we get our initial crash where our SEH handler and nSEH have been overwritten with 41s.

Calculating the offset values

As usual, we use Metasploit's pattern _create.rb and pattern_offset.rb

We update our POC with the following offset values

...and we verify that we hit the correct offset values as shown with the Cs and Bs

POP-POP-RET

Since this a SEH based buffer overflow, as usual we will need a POP-POP-RET address.

I am using mona.py to find this address.

Also, note that we will need to find an address that SAFESEH and ASLR disabled.

We will use address 0x0041B865

Again, we update our POC with our SEH Handler redirect address

We send our exploit up and we have successfully redirected code execution as we hit our POP-POP-RET address.

We follow the POP-POP-RET and we hit our nSEH which is just right below our As

Note: We currently do not see our Ds.

...however, if we scroll further down, we can see that our Ds are still loaded in memory. Just need find them...aka. egghunter.

First Jump

Since our first jump is limited to just 4 bytes, we will do a 2 byte reverse short jmp

EB 80 or jmp short reverse 128 bytes.

We update our nSEH with EB 80 and added 2 more NOPs (not necessary) to complete the 4 bytes.

We fire up the POC on more time, take the pop-pop-ret, and hit our first jump

Restricted characters

After going through the 256 hex characters, we found that 0xa is the only restricted character

So far, we have accomplished the following:

1. Successfully crash the program and overwrite the SEH and nSEH

2. Calculated the offset values

3. Found POP-POP-RET address

4. Completed the first jump from nSEH which allows 127 bytes of address space

Egg...hunting!

Reminder...you can create an egghunter using mona.py

Note: I am using a slightly different egghunter shellcode.

We update our POC with our egghunter shellcode and add the egg in front of our Ds

Send the exploit up...take the first jump (EB 80) and we land on our NOP sled.

If we scroll down, our egghunter is just right below our the NOP sled.

We let the egghunter execute while adding a breakpoint at JMP EDI to check the value of EDI.

Here we can see that we have successfully located our egg...all that we need to do now is add our reverse shellcode right after our egg.

At this point we are ready to add our reverse shell

Final Proof-of-Concept: https://github.com/pyt3ra/freeFTPd-1.0.10-SEH-Based-Buffer-Overflow

Comments