Security Incidents mailing list archives
wuftp exploit
From: infowar () EROLS COM (Toby Miller)
Date: Wed, 28 Jun 2000 11:47:38 -0700
All,

I have been doing some analysis on the WUFTP exploit; hopefully this will help. Here is a tcpdump of the exploit running on my lab:

08:40:06.000954 attacker.com.1030 > victim.com.ftp: S 303389152:303389152(0) win 15536 <mss 3884,sackOK,timestamp 759700 0,nop,wscale 0> (DF) (ttl 64, id 69)
        4500 003c 0045 4000 4006 3c75 xxxx xxxx
        xxxx xxxx 0406 0015 1215 59e0 0000 0000
        a002 3cb0 fc2c 0000 0204 0f2c 0402 080a
        000b 9794 0000 0000 0103 0300

08:40:06.001148 victim.com.ftp > attacker.com.1030: R 0:0(0) ack 303389153 win 0 (ttl 255, id 70)
        4500 0028 0046 0000 ff06 bd87 xxxx xxxx
        xxxx xxxx 0015 0406 0000 0000 1215 59e1
        5014 0000 41bd 0000

08:44:24.416022 attacker.com.1031 > victim.com.ftp: S 561979576:561979576(0) win 15536 <mss 3884,sackOK,timestamp 785541 0,nop,wscale 0> (DF) (ttl 64, id 71)
        4500 003c 0047 4000 4006 3c73 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b8 0000 0000
        a002 3cb0 c0f8 0000 0204 0f2c 0402 080a
        000b fc85 0000 0000 0103 0300

08:44:24.416251 victim.com.ftp > attacker.com.1031: S 556563375:556563375(0) ack 561979577 win 15536 <mss 3884,sackOK,timestamp 785541 785541,nop,wscale 0> (DF) (ttl 64, id 72)
        4500 003c 0048 4000 4006 3c72 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7baf 217f 20b9
        a012 3cb0 277b 0000 0204 0f2c 0402 080a
        000b fc85 000b fc85 0103 0300

08:44:24.416348 attacker.com.1031 > victim.com.ftp: . ack 1 win 15536 <nop,nop,timestamp 785541 785541> (DF) (ttl 64, id 73)
        4500 0034 0049 4000 4006 3c79 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb0
        8010 3cb0 5fb8 0000 0101 080a 000b fc85
        000b fc85

08:44:29.480632 victim.com.ftp > attacker.com.1031: F 1:1(0) ack 1 win 15536 <nop,nop,timestamp 786048 785541> (DF) (ttl 64, id 74)
        4500 0034 004a 4000 4006 3c78 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7bb0 217f 20b9
        8011 3cb0 5dbc 0000 0101 080a 000b fe80
        000b fc85

08:44:29.481022 attacker.com.1031 > victim.com.ftp: . ack 2 win 15536 <nop,nop,timestamp 786048 786048> (DF) (ttl 64, id 75)
        4500 0034 004b 4000 4006 3c77 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb1
        8010 3cb0 5bc1 0000 0101 080a 000b fe80
        000b fe80

08:44:29.482652 attacker.com.1031 > victim.com.ftp: P 1:11(10) ack 2 win 15536 <nop,nop,timestamp 786048 786048> (DF) (ttl 64, id 76)
        4500 003e 004c 4000 4006 3c6c xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb1
        8018 3cb0 1f29 0000 0101 080a 000b fe80
        000b fe80 5553 4552 2066 7470 0d0a

08:44:29.482783 victim.com.ftp > attacker.com.1031: R 556563377:556563377(0) win 0 (ttl 255, id 77)
        4500 0028 004d 0000 ff06 bd80 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7bb1 0000 0000
        5004 0000 10e5 0000

1) This exploit can be run against the following OSs:
   a) Redhat 6.2
   b) SuSe 6.3 & 6.4
   c) FreeBsd 3.4 & 4.0

2) The IDs (highlighted in green) increment by 1. I ran this exploit 5 times and all five times the IDs incremented by one throughout the attempt.

3) The two packets with the Psh flag set always contain ten bytes of data. The hex data looks like this:

        5553 4552 2066 7470 0d0a

   Again, I ran this 5 times and all 5 times the data was the same.

Hopefully, this analysis is helpful. I am working on the tcpdump filter for this. I will forward it to you when I am finished.

Thanks,
Toby
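The two signatures Toby describes (a ten-byte PSH to port 21 whose data is `5553 4552 2066 7470 0d0a`, which is the ASCII string `USER ftp\r\n`, and IP IDs that step by one across the trace) can be checked directly against the hex bodies that tcpdump -x prints. The following is an added example, not code from the original post or from Toby's filter: it parses the nine distinct packets from the dump above (constructed sample; the `xxxx` address words the post redacts are mapped to zero), decodes the IP and TCP headers, and reports which packets carry the exploit login and whether the IDs are sequential.

```python
"""Decode tcpdump -x hex bodies and flag the wu-ftpd trace signatures.

Added example: it reads raw IPv4/TCP packet bytes, computes the payload
from the IP total length, IHL and TCP data offset, and applies two checks
taken from the post: a PSH to port 21 carrying exactly b"USER ftp\\r\\n",
and IP IDs that increase by exactly one from packet to packet.
"""
import struct
from dataclasses import dataclass

# Constructed sample: the nine distinct packets from the dump in the post,
# in capture order (IDs 69 through 77). 'xxxx' words are redacted addresses.
SAMPLE_HEX = [
    "4500 003c 0045 4000 4006 3c75 xxxx xxxx xxxx xxxx 0406 0015 1215 59e0 0000 0000 "
    "a002 3cb0 fc2c 0000 0204 0f2c 0402 080a 000b 9794 0000 0000 0103 0300",
    "4500 0028 0046 0000 ff06 bd87 xxxx xxxx xxxx xxxx 0015 0406 0000 0000 1215 59e1 "
    "5014 0000 41bd 0000",
    "4500 003c 0047 4000 4006 3c73 xxxx xxxx xxxx xxxx 0407 0015 217f 20b8 0000 0000 "
    "a002 3cb0 c0f8 0000 0204 0f2c 0402 080a 000b fc85 0000 0000 0103 0300",
    "4500 003c 0048 4000 4006 3c72 xxxx xxxx xxxx xxxx 0015 0407 212c 7baf 217f 20b9 "
    "a012 3cb0 277b 0000 0204 0f2c 0402 080a 000b fc85 000b fc85 0103 0300",
    "4500 0034 0049 4000 4006 3c79 xxxx xxxx xxxx xxxx 0407 0015 217f 20b9 212c 7bb0 "
    "8010 3cb0 5fb8 0000 0101 080a 000b fc85 000b fc85",
    "4500 0034 004a 4000 4006 3c78 xxxx xxxx xxxx xxxx 0015 0407 212c 7bb0 217f 20b9 "
    "8011 3cb0 5dbc 0000 0101 080a 000b fe80 000b fc85",
    "4500 0034 004b 4000 4006 3c77 xxxx xxxx xxxx xxxx 0407 0015 217f 20b9 212c 7bb1 "
    "8010 3cb0 5bc1 0000 0101 080a 000b fe80 000b fe80",
    "4500 003e 004c 4000 4006 3c6c xxxx xxxx xxxx xxxx 0407 0015 217f 20b9 212c 7bb1 "
    "8018 3cb0 1f29 0000 0101 080a 000b fe80 000b fe80 5553 4552 2066 7470 0d0a",
    "4500 0028 004d 0000 ff06 bd80 xxxx xxxx xxxx xxxx 0015 0407 212c 7bb1 0000 0000 "
    "5004 0000 10e5 0000",
]

FTP_PORT = 21
TCP_PSH = 0x08
EXPLOIT_PAYLOAD = b"USER ftp\r\n"  # 5553 4552 2066 7470 0d0a in the dump


@dataclass
class Packet:
    ip_id: int
    ttl: int
    sport: int
    dport: int
    flags: int
    payload: bytes


def hexdump_to_bytes(line: str) -> bytes:
    """Turn one tcpdump -x hex body into bytes; redacted 'xxxx' words become zero."""
    words = ["0000" if w.startswith("x") else w for w in line.split()]
    return bytes.fromhex("".join(words))


def parse_packet(raw: bytes) -> Packet:
    """Decode the IPv4 header, then the TCP header, and slice out the payload."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    if total_len != len(raw):
        raise ValueError(f"IP total length {total_len} != {len(raw)} bytes captured")
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4          # data offset is the high nibble, in 32-bit words
    return Packet(ip_id, raw[8], sport, dport, tcp[13], tcp[doff:])


def is_exploit_login(p: Packet) -> bool:
    """PSH to port 21 whose data is exactly the ten bytes "USER ftp\\r\\n"."""
    return bool(p.dport == FTP_PORT and p.flags & TCP_PSH
                and len(p.payload) == 10 and p.payload == EXPLOIT_PAYLOAD)


def ids_step_by_one(packets) -> bool:
    """True when every IP ID is exactly one more than the previous packet's."""
    ids = [p.ip_id for p in packets]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def analyse(hex_lines):
    packets = [parse_packet(hexdump_to_bytes(line)) for line in hex_lines]
    return {
        "ids": [p.ip_id for p in packets],
        "sequential_ids": ids_step_by_one(packets),
        "exploit_login_ids": [p.ip_id for p in packets if is_exploit_login(p)],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_HEX))
```

Two caveats when turning this into a filter. `USER ftp` is also the ordinary anonymous-FTP login, so matching on those ten bytes alone will fire on benign sessions; what is distinctive in the trace above is the surrounding pattern (the server FINs before any command is sent, the client then pushes `USER ftp`, and the server answers with a bare RST). And the payload sits at a variable offset because of the TCP timestamp option (data offset 0x8, 32 bytes here), so a pcap filter has to compute it from the header, e.g. `dst port 21 and tcp[((tcp[12]&0xf0)>>2):4] = 0x55534552`, rather than assuming a 20-byte TCP header.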
Current thread:
- Re: funky syslog entry, (continued)
- Re: funky syslog entry Jens Hektor (Jun 27)
- Re: funky syslog entry Erich Meier (Jun 28)
- Re: funky syslog entry Sean Michael Whipkey (Jun 28)
- blind forwards Keith McCammon (Jun 28)
- Re: blind forwards Ex Machina (Jun 29)
- Re: blind forwards Brock Norvell (Jun 29)
- Re: blind forwards John Hall (Jun 29)
- Re: blind forwards David Pick (Jun 30)
- Re: funky syslog entry UnixGeek (Jun 29)
- Re: funky syslog entry Chris West (Jun 29)
- wuftp exploit Toby Miller (Jun 28)
- Re: wuftp exploit Daniel Jacobowitz (Jun 28)
- Permissions Derick Schuetz (Jun 27)
- Re: Permissions Valdis Kletnieks (Jun 27)
- Re: Permissions Jon Lewis (Jun 27)
- Probes for MySQL under Linux? Ralf G. R. Bergs (Jun 27)
- Re: Probes for MySQL under Linux? Tabor J. Wells (Jun 27)
- Port scan (106 and 389) Chris Laycock (Jun 28)
- Compromise and Bind Replacement Scott Brown (Jun 28)
- Re: Port scan (106 and 389) Fabio Pietrosanti (Jun 28)
- Re: Probes for MySQL under Linux? Al Huger - Mail Account (Jun 28)