Hi there fellow pirates! Today we’ll be attacking filezilla client 2.2.X with a client side exploit. After doing a litle bit of research in oldapps.com I found this vuln. I think this is a good case of study because of the lateral thinking that’s behind ftp client side exploits and because of the SEH exploit study. Let’s go!
First of all download the filezilla client, install it and then attach it to OLLY
Now you done that set up the metasploit client_ftp fuzzer
Connect to the evil ftp server
And then you’ll get an error like this. Access violation error’s use to indicate that the software is vulnerable to a SEH exploit.
After carefully examining the stack, we saw that we don’t controll the EIP, so we’ll have to use a diferent explotation technique.
After examining the crash, we can realize that the SEH chain has been overwritten with our evil buffer.
We can see that by looking at the program heap at the crash time.
When an exception occurs, like an error or something like that (division by zero, overflow, etc) the structured exception handler tells the program what to do to get rid of that error. (https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657%28v=vs.85%29.aspx) So if we can control the exception handler we can control the program’s execution and redirect it to our evil code. Nseh indicates the next seh addrr to be executed and seh indicates wich address to be ran.
As we see here, we can fully overwrite SEH chain
Now we can craft an evil ftp server in python to replicate the crash and start coding our exploit
We’ll use pattern_create.rb (metasploit) to generate a pattern and see wich bytes overwrite SEH
We add that string to our exploit
We re launch the attack
And we get the offset
Now we can start crafting our exploit. We added some piece of shellcode that will produce a msgbox
We can see now that we can fully controll nseh(next seh) and seh(seh value)
And our shellcode is right after SEH in the stack
Now we have to find a POP POP RET sequence, it doesn’t matter if its pop exc pop ecx ret, pop ebx pop eax ret,, etc we just need to pop 2 values at the top of the stack so ESP will be moved towards higher addresses twice and then we’ll get to esp with the RET instruction. After performing pop twice, esp will be pointing at our nseh value, then after performing the ret, we’ll execute the nseh value content. Nseh will jump over the seh value and get to the begining of our shellcode as it jumps 6 bytes -> over 2 nops and over 4 bytes of the seh address.
We can search for that on some program’s dll
And we copy the address
We add the pop,pop,ret sequence address to our exploit(litle endian!) and we add a short jump, 6 bytes ahead(why 6 bytes? It will jump over the 2 nops and over the 4 bytes of the SEH address, so it will land inside our shellcode)
We can see here that all is working fine
And our shellcode starts being excecuted
And finally it does.