Attacking ftp clients with SEH exploits P-) filezilla 2.X case of study

Written by  on August 2, 2015 

Hi there fellow pirates! Today we’ll be attacking filezilla client 2.2.X with a client side exploit. After doing a litle bit of research in I found this vuln. I think this is a good case of study because of the lateral thinking that’s behind ftp client side exploits and because of the SEH exploit study. Let’s go!

First of all download the filezilla client, install it and then attach it to OLLY


Now you done that set up the metasploit client_ftp fuzzer


Connect to the evil ftp server


And then you’ll get an error like this. Access violation error’s use to indicate that the software is vulnerable to a SEH exploit.


After carefully examining the stack, we saw that we don’t controll the EIP, so we’ll have to use a diferent explotation technique.


After examining the crash, we can realize that the SEH chain has been overwritten with our evil buffer.


We can see that by looking at the program heap at the crash time.

When an exception occurs, like an error or something like that (division by zero, overflow, etc) the structured exception handler tells the program what to do to get rid of that error. ( So if we can control the exception handler we can control the program’s execution and redirect it to our evil code. Nseh indicates the next seh addrr to be executed and seh indicates wich address to be ran.

As we see here, we can fully overwrite SEH chain


Now we can craft an evil ftp server in python to replicate the crash and start coding our exploit


We’ll use pattern_create.rb (metasploit) to generate a pattern and see wich bytes overwrite SEH


We add that string to our exploit


We re launch the attack


And we get the offset


Now we can start crafting our exploit. We added some piece of shellcode that will produce a msgbox


We can see now that we can fully controll nseh(next seh) and seh(seh value)


And our shellcode is right after SEH in the stack


Now we have to find a POP POP RET sequence, it doesn’t matter if its pop exc pop ecx ret, pop ebx pop eax ret,, etc we just need to pop 2 values at the top of the stack so ESP will be moved towards higher addresses twice and then we’ll get to esp with the RET instruction. After performing pop twice, esp will be pointing at our nseh value, then after performing the ret, we’ll execute the nseh value content. Nseh will jump over the seh value and get to the begining of our shellcode as it jumps 6 bytes -> over 2 nops and over 4 bytes of the seh address.


We can search for that on some program’s dll


And we copy the address


We add the pop,pop,ret sequence address to our exploit(litle endian!) and we add a short jump, 6 bytes ahead(why 6 bytes? It will jump over the 2 nops and over the 4 bytes of the SEH address, so it will land inside our shellcode)


We can see here that all is working fine


And our shellcode starts being excecuted


And finally it does.


Game over P-)

Category : Uncategorized

Leave a Reply