Re: exploiting wu-ftpd

From: Przemyslaw Frasunek (venglinat_private)
Date: Sun Dec 02 2001 - 06:16:49 PST


    On Sunday 02 December 2001 04:25, Fyodor wrote:
    > > Heh, this is a fake.
    > > It doesn't work.
    > Cuz a bit more usage of gray matter instance is needed.
    
    Actually, yes. This exploit will *not* work in the wild. Please don't send me 
    tons of mails asking how to use it. This is only a demonstration of the technique, 
    not a release for ./script kiddos. That's why I've sent it to vuln-dev, not 
    to bugtraq. I won't release a fully functional exploit until people stop using 
    unpatched 2.6.1.
    
    A brief description of the technique used:
    
    - attacker populates the heap with pointers to the proctitle buf by calling 
    'STAT ~{ptrptrptrptr' a few times
    
    - after that, attacker does 'STAT {~', which calls blockfree() twice in 
    ftpglob(), and the malicious 'ptr' is passed to free()
    
    - in the proctitle buf there is a fake malloc chunk pointing to the syslog() GOT 
    entry and to shellcode, also located in the proctitle buf
    
    - free(), when trying to deallocate the fake chunk, overwrites the pointer to the 
    syslog() function and then segfaults in chunk_free()
    
    - the segfault sighandler calls syslog() and the shellcode is executed
    
    The lab box was generic Mandrake 8.1 with wu-ftpd 2.6.1 compiled from the 
    sources and linked against dlmalloc extracted from glibc 2.2.4 with modified 
    arena_for_ptr macro.
    
    BIG FAT WARNING FOR KIDDIES: IT WILL *NOT* *NOT* *NOT* WORK IN THE WILD.
    
    -- 
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
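From the defender's side, the sequence in the post has a recognisable shape on the control channel: repeated STAT commands whose argument uses brace globbing ('~{...'), followed by a final 'STAT {~'. The following is an added example, not code from the post or from the wu-ftpd project, that scans constructed FTP command-log lines for exactly that pattern. It assumes a log layout of `<timestamp> <client-ip> <session-id> <COMMAND> <argument>` (an assumption; wu-ftpd's stock xferlog does not record STAT, so such lines would have to come from a verbose daemon log or a control-channel capture), and the sample lines and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel command lines in the assumed
# "<timestamp> <client-ip> <session-id> <COMMAND> <argument>" layout.
# These are not real captures; session s1 mirrors the shape the post describes,
# session s2 is ordinary anonymous-FTP traffic for contrast.
SAMPLE_LOG = """\
2001-12-02T13:00:01 10.0.0.5 s1 USER anonymous
2001-12-02T13:00:02 10.0.0.5 s1 STAT ~{ptrptrptrptr
2001-12-02T13:00:02 10.0.0.5 s1 STAT ~{ptrptrptrptr
2001-12-02T13:00:03 10.0.0.5 s1 STAT ~{ptrptrptrptr
2001-12-02T13:00:04 10.0.0.5 s1 STAT {~
2001-12-02T13:00:10 10.0.0.9 s2 USER ftp
2001-12-02T13:00:11 10.0.0.9 s2 LIST pub/
2001-12-02T13:00:12 10.0.0.9 s2 STAT readme.txt
"""

# Commands whose path argument wu-ftpd runs through ftpglob(); STAT is the one in the post,
# LIST and NLST are included as an assumption that they take the same glob path.
GLOB_COMMANDS = {"STAT", "LIST", "NLST"}

# Brace expansion in a glob argument is unusual for legitimate clients; both '~{' and '{~'
# from the post contain a '{', so matching on the brace covers both shapes.
BRACE_GLOB = re.compile(r"\{")

# Assumed threshold: this many brace-glob commands in one session is treated as the
# "populate the heap by calling it a few times" step rather than a one-off typo.
REPEAT_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<sid>\S+)\s+(?P<cmd>[A-Z]+)(?:\s+(?P<arg>.*))?$"
)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["arg"] = rec["arg"] or ""
    return rec


def scan(log_text):
    """Return (hits, verdicts).

    hits:     session id -> list of (command, argument) tuples that used brace globbing
    verdicts: session id -> 'suspicious-glob' or 'likely-exploit-attempt'
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["cmd"] in GLOB_COMMANDS and BRACE_GLOB.search(rec["arg"]):
            hits[rec["sid"]].append((rec["cmd"], rec["arg"]))

    verdicts = {}
    for sid, events in hits.items():
        if len(events) >= REPEAT_THRESHOLD:
            verdicts[sid] = "likely-exploit-attempt"
        else:
            verdicts[sid] = "suspicious-glob"
    return dict(hits), verdicts


if __name__ == "__main__":
    found, verdict = scan(SAMPLE_LOG)
    for sid, events in found.items():
        print(f"{sid}: {verdict[sid]} ({len(events)} brace-glob commands)")
        for cmd, arg in events:
            print(f"    {cmd} {arg}")
```

Run against the constructed sample it reports session s1 as a likely attempt (four brace-glob STATs, the last being '{~') and stays silent on s2. The brace match is deliberately broad: on an anonymous server any brace expansion in a STAT/LIST argument is worth a look, and the repetition count is what separates a curious client from the heap-populating loop the post describes. The durable fix is still not running the unpatched 2.6.1 the post refers to; the scanner only tells you who has been trying.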
    
    This archive was generated by hypermail 2b30 : Sun Dec 02 2001 - 13:28:33 PST