On Thu, 7 Mar 2002, H D Moore wrote:

> On Thursday 07 March 2002 09:30 am, HypH wrote:
> > On Thu 7. March 2002 15:18, H D Moore wrote:
> > > YES. wu-ftpd will call compress with the file name as an argument if you
> > > request the file name ending in .Z. You have to be able to write out a
> > > file name containing the shell code to exploit the bug.
> >
> > The problem is that the file has to be 1100 chars long, with the
> > shellcode within. But wu-ftpd doesn't allow/handle so long filenames.
>
> Hmm.. What about splitting the shellcode into different directories and then
> requesting the full path to the file (directories and all) ending in .Z?

The total length of the command is limited. I think one could fool it using a
race between wildcard expansion and the code deciding whether compress
should be run: you create shellcode.Z, send "get shell*.Z", and rename
shellcode.Z to shellcode at the right moment.

BTW: This is an ANCIENT problem.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

This archive was generated by hypermail 2b30 : Sat Mar 09 2002 - 18:20:02 PST