Bugtraq mailing list archives

Re: Possible WU-ftpd Worm ?


From: shrike () IL FONTYS NL (M.Brands)
Date: Thu, 15 Apr 1999 00:36:53 +0200


 * Limitations:
 *
 *    because I've used hard coded addresses for system and the command,
 *    the values won't be the same in other compilations of wu-ftpd.
 *    so, you will need to find the address for the version
 *    you want to exploit.
 *
 *    because we are not using the stack to put our code, the exploit
 *    will work as well against a non-executable stack patch.
 *
 *
 * RECOMMENDATION = Please, run gdb through the wu.ftpd binary in order to
 * find out your "system address" (ie: print system) and write it down
 * so you can have more addresses to try - just overwrite the default addr
 * and choose type (3).

/* CUSTOM ADDRESS, CHANGE IT IN ORDER TO EXPLOIT ANOTHER BOX */
#define SYSADDR 0x40043194;
#define EGGADDR 0x805f1dc;

I just checked my Redhat 5.2 system with wu-ftpd-2.4.2b18-2.1.rpm installed.
Since the stock binary was stripped, I built a new one with the source RPM.
Checking both the symbols and the source, I could not find any use of the
system(3) call. That's pretty hard to exploit...

I think at least the version of wu-ftpd supplied by Redhat isn't exploitable.
I could however be terribly wrong. In that case I guess I'll have to find a
very big rock to hide under :)

Mathijs


