On Sunday 02 December 2001 04:25, Fyodor wrote:
> > Heh, this is a fake.
> > It doesn't work.
> Cuz a bit more usage of gray matter instance is needed.

Actually, yes. This exploit will *not* work in the wild. Please don't send me tons of mails asking how to use it. This is only a demonstration of the technique, not a release for ./script kiddos. That's why I've sent it to vuln-dev, not to bugtraq. I won't release a fully functional exploit until people stop using unpatched 2.6.1.

A brief description of the technique used:

- attacker populates the heap with pointers to the proctitle buf by calling 'STAT ~{ptrptrptrptr' a few times
- after that, attacker does 'STAT {~', which calls blockfree() twice in ftpglob(), and the malicious 'ptr' is passed to free()
- in the proctitle buf there is a fake malloc chunk, pointing to the syslog() GOT entry and to shellcode, also located in the proctitle buf
- free(), when trying to deallocate the fake chunk, overwrites the pointer to the syslog() function and then segfaults in chunk_free()
- the segfault sighandler calls syslog() and the shellcode is executed

The lab box was a generic Mandrake 8.1 with wu-ftpd 2.6.1 compiled from the sources and linked against dlmalloc extracted from glibc 2.2.4 with a modified arena_for_ptr macro.

BIG FAT WARNING FOR KIDDIES: IT WILL *NOT* *NOT* *NOT* WORK IN THE WILD.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
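From a defender's side, the two-step pattern described in the post (a few heap-populating 'STAT ~{...' requests from one client, then a 'STAT {~' trigger) is easy to spot in a command log. The following detector is an added example, not code from the post or from wu-ftpd; the log line format (timestamp, client address, FTP command, argument) and the sample lines are constructed assumptions.

```python
"""Flag per-client sequences of wu-ftpd STAT glob requests matching the
populate-then-trigger pattern described in the post. Added example; the
log format below is an assumption, not wu-ftpd's own logging."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: "<timestamp> <client> <command> [<argument>]".
# The filler after '~{' stands in for the pointer spray; values are made up.
SAMPLE_LOG = """\
2001-12-02T04:10:01 10.0.0.5 USER anonymous
2001-12-02T04:10:02 10.0.0.5 STAT ~{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2001-12-02T04:10:02 10.0.0.5 STAT ~{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2001-12-02T04:10:03 10.0.0.5 STAT {~
2001-12-02T04:12:00 10.0.0.9 STAT /pub
2001-12-02T04:12:01 10.0.0.9 LIST *.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\w+)(?:\s+(.*))?$")


@dataclass
class Finding:
    client: str
    populate_count: int  # number of '~{...' heap-populating STATs seen
    trigger: bool        # a '{~' style trigger followed at least one populate


def classify_stat(arg: Optional[str]) -> Optional[str]:
    """Return 'populate', 'trigger', or None for one STAT argument."""
    if not arg:
        return None
    a = arg.strip()
    # Populate step: tilde-brace followed by a long run of filler (pointers).
    if a.startswith("~{") and len(a) >= 18:
        return "populate"
    # Trigger step: brace-tilde glob, or any unbalanced-brace glob with a tilde.
    if a.startswith("{~") or ("~" in a and a.count("{") != a.count("}")):
        return "trigger"
    return None


def analyze(log_text: str) -> list:
    """Return Findings for clients that sent populate STATs and then a trigger."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, cmd, arg = m.groups()
        if cmd.upper() != "STAT":
            continue
        kind = classify_stat(arg)
        f = state.setdefault(client, Finding(client, 0, False))
        if kind == "populate":
            f.populate_count += 1
        elif kind == "trigger" and f.populate_count > 0:
            f.trigger = True
    return [f for f in state.values() if f.trigger]
```

Ordinary globs such as `STAT /pub` or balanced `{a,b}` patterns are not flagged; only a trigger that follows populate requests from the same client raises a finding.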
This archive was generated by hypermail 2b30 : Sun Dec 02 2001 - 13:28:33 PST