> * Limitations:
> *
> * because I've used hard coded addresses for system and the command,
> * the values won't be the same in other compilations of wu-ftpd.
> * so, you will need to find the address for the version
> * you want to exploit.
> *
> * because we are not using the stack to put our code, the exploit
> * will work as well against a non-executable stack patch.
> *
> *
> * RECOMMENDATION = Please, run gdb through the wu.ftpd binary in order to
> * find out your "system address" (i.e.: print system) and write it down
> * so you can have more addresses to try - just overwrite the default addr
> * and choose type (3).
> /* CUSTOM ADDRESS, CHANGE IT IN ORDER TO EXPLOIT ANOTHER BOX */
> #define SYSADDR 0x40043194;
> #define EGGADDR 0x805f1dc;

I just checked my Redhat 5.2 system with wu-ftpd-2.4.2b18-2.1.rpm installed.
Since the stock binary was stripped, I built a new one with the source RPM.
Checking both the symbols and the source, I could not find any use of the
system(3) call. That's pretty hard to exploit...

I think at least the version of wu-ftpd supplied by Redhat isn't exploitable.
I could however be terribly wrong. In that case I guess I'll have to find a
very big rock to hide under :)

Mathijs
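The check Mathijs describes (does this ftpd binary reference system(3) at all?) does not actually require rebuilding from source: `strip` removes `.symtab` but cannot remove `.dynsym`, because the dynamic linker needs it, so a stripped dynamically linked binary still lists every libc function it imports. The following is an added example, not code from the thread or from wu-ftpd: a small walker over the ELF dynamic symbol table that reports the imported (undefined) symbols, the same information `nm -D` or `readelf --dyn-syms` would show, plus a constructed in-memory ELF fixture so it can be exercised without a real binary. The fixture builder, the `build_elf`/`imported_symbols`/`imports_function` names and the choice to support only little-endian ELF32/ELF64 are all assumptions of this example.

```python
"""Report which libc functions an ELF binary imports by walking .dynsym.
Added example (not wu-ftpd code): the ELF fixture below is constructed."""
import struct

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNSYM = 3, 11
SHN_UNDEF, SHN_ABS = 0, 0xFFF1


def imported_symbols(data: bytes) -> set:
    """Names of undefined (imported) dynamic symbols; works on stripped files."""
    if data[:4] != ELF_MAGIC or data[5] != 1:      # little-endian only
        raise ValueError("not a little-endian ELF file")
    if data[4] == 1:                                # ELFCLASS32 (e.g. i386 ftpd)
        (e_shoff,) = struct.unpack_from("<I", data, 32)
        e_shentsize, e_shnum = struct.unpack_from("<HH", data, 46)
        shdr_fmt, sym_fmt, shndx_idx = "<IIIIIIIIII", "<IIIBBH", 5
    elif data[4] == 2:                              # ELFCLASS64
        (e_shoff,) = struct.unpack_from("<Q", data, 40)
        e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
        shdr_fmt, sym_fmt, shndx_idx = "<IIQQQQIIQQ", "<IBBHQQ", 3
    else:
        raise ValueError("unknown ELF class")
    # Section header field order is the same in both classes:
    # name, type, flags, addr, offset, size, link, info, addralign, entsize
    sections = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    names = set()
    for sh in sections:
        if sh[1] != SHT_DYNSYM:
            continue
        sym_off, sym_size, strtab_idx, entsize = sh[4], sh[5], sh[6], sh[9]
        entsize = entsize or struct.calcsize(sym_fmt)
        strtab = sections[strtab_idx]               # sh_link -> .dynstr
        strdata = data[strtab[4]:strtab[4] + strtab[5]]
        for j in range(sym_size // entsize):
            fields = struct.unpack_from(sym_fmt, data, sym_off + j * entsize)
            st_name, st_shndx = fields[0], fields[shndx_idx]
            if st_name == 0 or st_shndx != SHN_UNDEF:
                continue                            # null entry or defined symbol
            names.add(strdata[st_name:strdata.index(b"\0", st_name)].decode())
    return names


def imports_function(data: bytes, func: str = "system") -> bool:
    """True if the binary takes `func` from a shared library."""
    return func in imported_symbols(data)


def build_elf(imports, defined=(), elf_class=1) -> bytes:
    """Constructed fixture: a minimal, non-loadable ELF holding only a
    .dynstr/.dynsym pair, enough to exercise imported_symbols()."""
    is64 = elf_class == 2
    ehsize, shentsize, symsize = (64, 64, 24) if is64 else (52, 40, 16)
    dynstr, offsets = b"\0", {}
    for name in list(imports) + list(defined):
        offsets[name] = len(dynstr)
        dynstr += name.encode() + b"\0"

    def sym(st_name, shndx):                        # STB_GLOBAL | STT_FUNC = 0x12
        if is64:
            return struct.pack("<IBBHQQ", st_name, 0x12, 0, shndx, 0, 0)
        return struct.pack("<IIIBBH", st_name, 0, 0, 0x12, 0, shndx)

    dynsym = sym(0, SHN_UNDEF)                      # mandatory null symbol
    dynsym += b"".join(sym(offsets[n], SHN_UNDEF) for n in imports)
    dynsym += b"".join(sym(offsets[n], SHN_ABS) for n in defined)
    dynstr_off = ehsize
    dynsym_off = dynstr_off + len(dynstr)
    shoff = dynsym_off + len(dynsym)

    def shdr(sh_type, off, size, link, entsize):
        fields = (0, sh_type, 0, 0, off, size, link, 0, 1, entsize)
        return struct.pack("<IIQQQQIIQQ" if is64 else "<IIIIIIIIII", *fields)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(SHT_DYNSYM, dynsym_off, len(dynsym), 1, symsize))
    ident = ELF_MAGIC + bytes([elf_class, 1, 1, 0]) + b"\0" * 8
    if is64:   # e_type=EXEC, e_machine=x86-64, 3 section headers, no shstrtab
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff,
                                   0, ehsize, 0, 0, shentsize, 3, 0)
    else:      # e_machine=i386
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, shoff,
                                   0, ehsize, 0, 0, shentsize, 3, 0)
    return ehdr + dynstr + dynsym + shdrs


if __name__ == "__main__":
    import sys
    path = sys.argv[1]
    func = sys.argv[2] if len(sys.argv) > 2 else "system"
    with open(path, "rb") as f:
        found = imports_function(f.read(), func)
    print(f"{path}: {'imports' if found else 'does not import'} {func}()")
```

Run as `python3 check_imports.py /usr/sbin/in.ftpd system` on a real file. Two caveats: `.dynsym` stores the bare name, so a versioned symbol that `nm -D` prints as `system@GLIBC_2.0` shows up here as `system`; and a statically linked binary has no `.dynsym` at all, so an empty result there proves nothing, which is where checking the source (as Mathijs did) is still the only answer.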
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:31 PDT