Attacking FTP clients with SEH exploits P-) FileZilla 2.X case study

Written by  on August 2, 2015 

Hi there fellow pirates! Today we’ll be attacking the FileZilla client 2.2.X with a client-side exploit. After a little bit of research on oldapps.com I found this vuln. I think it makes a good case study because of the lateral thinking behind FTP client-side exploits and because it is a nice SEH exploit to study. Let’s go!

First of all download the FileZilla client, install it and then attach it to OllyDbg


Now that that’s done, set up the Metasploit FTP client fuzzer (auxiliary/fuzzers/ftp/client_ftp)


Connect the FileZilla client to the evil FTP server


Soon you’ll get an access violation like this one. By itself an access violation only proves that the fuzzed data corrupted memory; it becomes an SEH exploit when the overwrite reaches the exception handler records, which is what we check next.


Examining the stack carefully, we see that we don’t control EIP directly, so we’ll have to use a different exploitation technique.


Examining the crash, we realize that the SEH chain has been overwritten with our evil buffer.


We can see that by looking at the thread’s SEH chain at crash time (View > SEH chain in OllyDbg); the chain lives on the stack, so the overwritten records are right there among our buffer.

When an exception occurs (an access violation, a division by zero, an overflow, etc.), Windows walks the thread’s structured exception handler chain looking for a handler that will deal with it (https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657%28v=vs.85%29.aspx). Each record in the chain holds two pointers: nSEH, the address of the next record in the chain, and SEH, the address of the handler function to call. So if we control the handler pointer, the exception dispatcher calls an address of our choosing and we can redirect execution to our evil code.

As we see here, we can fully overwrite the SEH chain


Now we can write an evil FTP server in Python to replicate the crash and start coding our exploit


We’ll use pattern_create.rb (Metasploit) to generate a cyclic pattern and see which bytes overwrite SEH


We add that string to our exploit


We relaunch the attack


And we feed the 4 bytes that landed in SEH to pattern_offset.rb to get the offset

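As an added example (not code from the original post, and not Metasploit’s own scripts), here is the pattern_create / pattern_offset logic reimplemented in Python so the offset step can be reproduced without the Ruby tools. The crash value used in the `__main__` block is a constructed one; take the real one from the SEH field shown in the debugger at crash time.

```python
import string


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0...  Every 4-byte
    window is unique within the first 20280 bytes, which is why the four
    bytes that land in SEH identify the offset unambiguously."""
    chunks, total = [], 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, value):
    """Offset of the 4 bytes that overwrote SEH.

    value may be the text as bytes appear in memory ('6Ab7') or the dword
    as the debugger displays it (0x37624136).  A dword is little-endian,
    so its bytes are reversed before searching."""
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("ascii")
    else:
        needle = value
    off = pattern.find(needle)
    if off < 0:
        raise ValueError("value not found in pattern; wrong pattern length?")
    return off


if __name__ == "__main__":
    pattern = pattern_create(5000)
    # Constructed example crash value, not the one from the post's screenshot:
    # dword 0x33614132 is bytes 32 41 61 33 in memory, i.e. the text "2Aa3".
    seh_dword = 0x33614132
    print("offset to SEH:", pattern_offset(pattern, seh_dword))
```

Use the same length for pattern_create as the buffer you sent, otherwise a value found at the wrong offset (or not at all) sends you chasing a layout that does not exist.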

Now we can start crafting our exploit. We add a piece of shellcode that pops a message box


We can see now that we fully control nSEH (the next-record pointer) and SEH (the handler pointer)


And our shellcode sits right after SEH on the stack


Now we have to find a POP POP RET sequence. It doesn’t matter which registers are popped (POP ECX / POP ECX / RET, POP EBX / POP EAX / RET, etc.); what matters is that the two POPs move ESP 8 bytes towards higher addresses and the RET then jumps to whatever ESP points at. When Windows calls our handler, the stack holds the return address at ESP, the exception record pointer at ESP+4 and, at ESP+8, a pointer to the exception registration record itself, that is, to our nSEH field. After the two POPs that pointer is at the top of the stack, so RET transfers execution to nSEH and the 4 bytes we placed there run as code. Those bytes are a short jump over the SEH value into the beginning of our shellcode: 6 bytes forward, over the 2 NOPs and the 4-byte SEH address.


We can search for that sequence in one of the program’s DLLs (pick a module that isn’t protected by SafeSEH, otherwise the dispatcher refuses to call a handler address inside it)


And we copy the address


We add the POP POP RET address to our exploit (little endian!) as the SEH value and a short jump 6 bytes ahead as the nSEH value (why 6 bytes? It jumps over the 2 NOPs and over the 4 bytes of the SEH address, so it lands at the start of our shellcode)


We can see here that all is working fine


And our shellcode starts executing


And finally it runs to completion: the message box pops up.


Game over P-)
