> Hi ! > I'm studing vulnerability of ftp servers and testing the glob heap > vulnerability of wu-ftpd server (version 2.6.1 installed on linux > RedHat 7.2) . > I tried to attack the server following this technique: > I logged in as anonymous user an d I send a lot of 'a' as > Password. > > As you can see this is my computer: > > ftp> open localhost > Connected to localhost (127.0.0.1). > 220 sasha FTP server (Version wu-2.6.1-18) ready. > Name (localhost:root): anonymous > Password: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa' > 230 Guest login ok, access restrictions apply. > Remote system type is UNIX. ftp> open localhost > Connected to localhost (127.0.0.1). > 220 sasha FTP server (Version wu-2.6.1-18) ready. > Name (localhost:root): anonymous > 331 Guest login ok, send your complete e-mail address as password. > Password: > Using binary mode to transfer files. > ftp> ls ~{ > 227 Entering Passive Mode (127,0,0,1,241,205) > 421 Service not available, remote server has closed connection > > > And this is the debugging section on the attacked machine: > > 1405 ? S 0:00 ftpd: accepting connections on port 21 > 7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd > 26256 ? S 0:00 ftpd: > sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa > 26265 tty3 R 0:00 bash -c ps ax | grep ftpd > (gdb) at 26256 > Attaching to program: /usr/sbin/wu.ftpd, process 26256 > Symbols already loaded for /lib/libcrypt.so.1 > Symbols already loaded for /lib/libnsl.so.1 > Symbols already loaded for /lib/libresolv.so.2 > Symbols already loaded for /lib/libpam.so.0 > Symbols already loaded for /lib/libdl.so.2 > Symbols already loaded for /lib/i686/libc.so.6 > Symbols already loaded for /lib/ld-linux.so.2 > Symbols already loaded for /lib/libnss_files.so.2 > Symbols already loaded for /lib/libnss_nisplus.so.2 > Symbols already loaded for /lib/libnss_nis.so.2 > 0x40165544 in __libc_read () from /lib/i686/libc.so.6 > (gdb) c > Continuing. > Program received signal SIGSEGV, Segmentation fault. > __libc_free (mem=0x4015ad68) at malloc.c:3136 > 3136 in malloc.c > Taking a quick peek at the stack > > (gdb) info stack > #0 __libc_free (mem=0x4015ad68) at malloc.c:3005 > #1 0x80587c9 in blkfree (av0=0x8086d8c) at glob.c:619 > #2 0x8056556 in yyparse () at ftpcmd.y:1158 > #3 0x804bd05 in main (argc=0, argv=0xbffffba4, envp=0xbffffbb0) > at ftpd.c:1329 > > > (gdb) x 0x8086d8c > 0x8086d8c: 0x4015ad68 <- this is where av0 pointed (begging of > the heap!!) > (gdb) x 0x8086d8d > > 0x8086d8d: 0x614015ad > (gdb) x 0x8086d8e > 0x8086d8e: 0x61614015 > (gdb) x 0x8086d8f > 0x8086d8f: 0x61616140 <- the start of the a's...what pointer mem > became.etc. > > As you can see the parameter passed to the function __libc_free() is > 0x4015ad68 stored in 0x8086d8c (block_free's parameter), and the start > of a's (my password) is 0x8086d8f. > I repeated my attack a lot of time (changing the length of password) > and never any a's was passed to the __libc_free() ! > > How it is possible execute a malicious code on the server if I can't pass a > particular address to __libc_free()? > It seems that the address passed to the __libc_free() is always fixed by the > system and it's impossible to change it by sending commands to the server. > > Can you, please, explain me where are my mistakes in my method? >
This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 15:12:42 PST