Heh, this is a fake. It doesn't work.

teli

--
"Even though I walk through the valley of the shadow of death, I fear no evil, for You are with me." --Psalm 23

----- Original Message -----
From: "Przemyslaw Frasunek" <venglinat_private>
To: <vuln-devat_private>
Sent: Saturday, December 01, 2001 9:02 AM
Subject: exploiting wu-ftpd

> I have written an exploit for recent wu-ftpd vulnerability. It works fine on
> original dlmalloc implementation, but in recent glibc some sanity checks were
> introduced:
>
> #define arena_for_ptr(ptr) \
>   (((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
>    &main_arena : heap_for_ptr(ptr)->ar_ptr)
>
> When fake_chunk is in proctitle buffer (my first idea, everything works when
> above condition returns &main_area), ptr is lower than sbrk_base. When I put
> fake_chunk on stack, ptr is higher than main_arena.
>
> Any ideas, how to bypass arena_for_ptr check?
>
> The wu-ftpd binary linked against malloc with hacked arena_for_ptr macro:
> http://www.frasunek.com/ftpd.gz
>
> Working exploit for above binary is in attachment.
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
This archive was generated by hypermail 2b30 : Sat Dec 01 2001 - 18:16:39 PST