Security Incidents mailing list archives

wuftp exploit


From: infowar () EROLS COM (Toby Miller)
Date: Wed, 28 Jun 2000 11:47:38 -0700


All,
I have been doing some analysis on the WUFTP exploit; hopefully this will help.

Here is a tcpdump of the exploit running in my lab:
 
08:40:06.000954 attacker.com.1030 > victim.com.ftp: S 303389152:303389152(0) win 15536 <mss 3884,sackOK,timestamp 759700 0,nop,wscale 0> (DF) (ttl 64, id 69)
        4500 003c 0045 4000 4006 3c75 xxxx xxxx
        xxxx xxxx 0406 0015 1215 59e0 0000 0000
        a002 3cb0 fc2c 0000 0204 0f2c 0402 080a
        000b 9794 0000 0000 0103 0300

08:40:06.000954 attacker.com.1030 > victim.com.ftp: S 303389152:303389152(0) win 15536 <mss 3884,sackOK,timestamp 759700 0,nop,wscale 0> (DF) (ttl 64, id 69)
        4500 003c 0045 4000 4006 3c75 xxxx xxxx
        xxxx xxxx 0406 0015 1215 59e0 0000 0000
        a002 3cb0 fc2c 0000 0204 0f2c 0402 080a
        000b 9794 0000 0000 0103 0300

08:40:06.001148 victim.com.ftp > attacker.com.1030: R 0:0(0) ack 303389153 win 0 (ttl 255, id 70)
        4500 0028 0046 0000 ff06 bd87 xxxx xxxx
        xxxx xxxx 0015 0406 0000 0000 1215 59e1
        5014 0000 41bd 0000

08:40:06.001148 victim.com.ftp > attacker.com.1030: R 0:0(0) ack 1 win 0 (ttl 255, id 70)
        4500 0028 0046 0000 ff06 bd87 xxxx xxxx
        xxxx xxxx 0015 0406 0000 0000 1215 59e1
        5014 0000 41bd 0000

08:44:24.416022 attacker.com.1031 > victim.com.ftp: S 561979576:561979576(0) win 15536 <mss 3884,sackOK,timestamp 785541 0,nop,wscale 0> (DF) (ttl 64, id 71)
        4500 003c 0047 4000 4006 3c73 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b8 0000 0000
        a002 3cb0 c0f8 0000 0204 0f2c 0402 080a
        000b fc85 0000 0000 0103 0300

08:44:24.416022 attacker.com.1031 > victim.com.ftp: S 561979576:561979576(0) win 15536 <mss 3884,sackOK,timestamp 785541 0,nop,wscale 0> (DF) (ttl 64, id 71)
        4500 003c 0047 4000 4006 3c73 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b8 0000 0000
        a002 3cb0 c0f8 0000 0204 0f2c 0402 080a
        000b fc85 0000 0000 0103 0300

08:44:24.416251 victim.com.ftp > attacker.com.1031: S 556563375:556563375(0) ack 561979577 win 15536 <mss 3884,sackOK,timestamp 785541 785541,nop,wscale 0> (DF) (ttl 64, id 72)
        4500 003c 0048 4000 4006 3c72 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7baf 217f 20b9
        a012 3cb0 277b 0000 0204 0f2c 0402 080a
        000b fc85 000b fc85 0103 0300

08:44:24.416251 victim.com.ftp > attacker.com.1031: S 556563375:556563375(0) ack 561979577 win 15536 <mss 3884,sackOK,timestamp 785541 785541,nop,wscale 0> (DF) (ttl 64, id 72)
        4500 003c 0048 4000 4006 3c72 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7baf 217f 20b9
        a012 3cb0 277b 0000 0204 0f2c 0402 080a
        000b fc85 000b fc85 0103 0300

08:44:24.416348 attacker.com.1031 > victim.com.ftp: . ack 1 win 15536 <nop,nop,timestamp 785541 785541> (DF) (ttl 64, id 73)
        4500 0034 0049 4000 4006 3c79 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb0
        8010 3cb0 5fb8 0000 0101 080a 000b fc85
        000b fc85

08:44:24.416348 attacker.com.1031 > victim.com.ftp: . ack 1 win 15536 <nop,nop,timestamp 785541 785541> (DF) (ttl 64, id 73)
        4500 0034 0049 4000 4006 3c79 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb0
        8010 3cb0 5fb8 0000 0101 080a 000b fc85
        000b fc85

08:44:29.480632 victim.com.ftp > attacker.com.1031: F 1:1(0) ack 1 win 15536 <nop,nop,timestamp 786048 785541> (DF) (ttl 64, id 74)
        4500 0034 004a 4000 4006 3c78 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7bb0 217f 20b9
        8011 3cb0 5dbc 0000 0101 080a 000b fe80
        000b fc85

08:44:29.480632 victim.com.ftp > attacker.com.1031: F 1:1(0) ack 1 win 15536 <nop,nop,timestamp 786048 785541> (DF) (ttl 64, id 74)
        4500 0034 004a 4000 4006 3c78 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7bb0 217f 20b9
        8011 3cb0 5dbc 0000 0101 080a 000b fe80
        000b fc85

08:44:29.481022 attacker.com.1031 > victim.com.ftp: . ack 2 win 15536 <nop,nop,timestamp 786048 786048> (DF) (ttl 64, id 75)
        4500 0034 004b 4000 4006 3c77 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb1
        8010 3cb0 5bc1 0000 0101 080a 000b fe80
        000b fe80

08:44:29.481022 attacker.com.1031 > victim.com.ftp: . ack 2 win 15536 <nop,nop,timestamp 786048 786048> (DF) (ttl 64, id 75)
        4500 0034 004b 4000 4006 3c77 xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb1
        8010 3cb0 5bc1 0000 0101 080a 000b fe80
        000b fe80

08:44:29.482652 attacker.com.1031 > victim.com.ftp: P 1:11(10) ack 2 win 15536 <nop,nop,timestamp 786048 786048> (DF) (ttl 64, id 76)
        4500 003e 004c 4000 4006 3c6c xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb1
        8018 3cb0 1f29 0000 0101 080a 000b fe80
        000b fe80 5553 4552 2066 7470 0d0a

08:44:29.482652 attacker.com.1031 > victim.com.ftp: P 1:11(10) ack 2 win 15536 <nop,nop,timestamp 786048 786048> (DF) (ttl 64, id 76)
        4500 003e 004c 4000 4006 3c6c xxxx xxxx
        xxxx xxxx 0407 0015 217f 20b9 212c 7bb1
        8018 3cb0 1f29 0000 0101 080a 000b fe80
        000b fe80 5553 4552 2066 7470 0d0a

08:44:29.482783 victim.com.ftp > attacker.com.1031: R 556563377:556563377(0) win 0 (ttl 255, id 77)
        4500 0028 004d 0000 ff06 bd80 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7bb1 0000 0000
        5004 0000 10e5 0000

08:44:29.482783 victim.com.ftp > attacker.com.1031: R 556563377:556563377(0) win 0 (ttl 255, id 77)
        4500 0028 004d 0000 ff06 bd80 xxxx xxxx
        xxxx xxxx 0015 0407 212c 7bb1 0000 0000
        5004 0000 10e5 0000

 

1) This exploit can be run against the following OSs:

a) Red Hat 6.2

b) SuSE 6.3 & 6.4

c) FreeBSD 3.4 & 4.0

2) The IDs (highlighted in green) increment by 1. I ran this exploit 5 times and all five times the IDs incremented by one throughout the attempt.

3) The two packets with the PSH flag set always contain ten bytes of data. The hex data looks like this: 5553 4552 2066 7470 0d0a

Again, I ran this 5 times and all 5 times the data was the same.

Hopefully, this analysis is helpful. I am working on the tcpdump filter for this. I will forward it to you when I am finished.

                                                                                                                        
Thanks,

                                                                                                                        
Toby
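The two observations in the post can be re-derived from the bytes in the capture rather than read off the tcpdump summary lines. The following is an added example and is not part of Toby's post, nor the tcpdump filter he says he is working on. It decodes the IP and TCP headers of each datagram from the hex dumps above (each datagram is listed twice in the capture, so the bytes are included once here; the masked "xxxx" address words are taken as 0000, which means the checksums cannot be verified), checks that the IP IDs step by one and that the PSH segment carries exactly "USER ftp\r\n", and includes a libpcap filter expression of my own that matches a PSH segment to port 21 whose payload begins with "USER".

```python
"""Decode the tcpdump -x hex dumps from the post and re-check the
analysis from the raw bytes.  Added example, not the author's code."""
import struct

# Hex words copied from the capture in the post, one entry per datagram.
# Each datagram appears twice in the post (same timestamp, IP ID and
# bytes); it is included once here.  The author masked the addresses as
# "xxxx"; they are replaced with 0000 below, so src/dst decode as 0.0.0.0
# and the IP/TCP checksums are not verifiable.
PACKETS = [
    # attacker:1030 -> victim:21, SYN (id 69)
    "4500 003c 0045 4000 4006 3c75 xxxx xxxx xxxx xxxx 0406 0015 1215 59e0 0000 0000 a002 3cb0 fc2c 0000 0204 0f2c 0402 080a 000b 9794 0000 0000 0103 0300",
    # victim:21 -> attacker:1030, RST/ACK (id 70, ttl 255)
    "4500 0028 0046 0000 ff06 bd87 xxxx xxxx xxxx xxxx 0015 0406 0000 0000 1215 59e1 5014 0000 41bd 0000",
    # attacker:1031 -> victim:21, SYN (id 71)
    "4500 003c 0047 4000 4006 3c73 xxxx xxxx xxxx xxxx 0407 0015 217f 20b8 0000 0000 a002 3cb0 c0f8 0000 0204 0f2c 0402 080a 000b fc85 0000 0000 0103 0300",
    # victim:21 -> attacker:1031, SYN/ACK (id 72)
    "4500 003c 0048 4000 4006 3c72 xxxx xxxx xxxx xxxx 0015 0407 212c 7baf 217f 20b9 a012 3cb0 277b 0000 0204 0f2c 0402 080a 000b fc85 000b fc85 0103 0300",
    # attacker:1031 -> victim:21, ACK completing the handshake (id 73)
    "4500 0034 0049 4000 4006 3c79 xxxx xxxx xxxx xxxx 0407 0015 217f 20b9 212c 7bb0 8010 3cb0 5fb8 0000 0101 080a 000b fc85 000b fc85",
    # victim:21 -> attacker:1031, FIN/ACK with no data sent before it (id 74)
    "4500 0034 004a 4000 4006 3c78 xxxx xxxx xxxx xxxx 0015 0407 212c 7bb0 217f 20b9 8011 3cb0 5dbc 0000 0101 080a 000b fe80 000b fc85",
    # attacker:1031 -> victim:21, ACK of the FIN (id 75)
    "4500 0034 004b 4000 4006 3c77 xxxx xxxx xxxx xxxx 0407 0015 217f 20b9 212c 7bb1 8010 3cb0 5bc1 0000 0101 080a 000b fe80 000b fe80",
    # attacker:1031 -> victim:21, PSH/ACK carrying 10 bytes (id 76)
    "4500 003e 004c 4000 4006 3c6c xxxx xxxx xxxx xxxx 0407 0015 217f 20b9 212c 7bb1 8018 3cb0 1f29 0000 0101 080a 000b fe80 000b fe80 5553 4552 2066 7470 0d0a",
    # victim:21 -> attacker:1031, RST (id 77, ttl 255)
    "4500 0028 004d 0000 ff06 bd80 xxxx xxxx xxxx xxxx 0015 0407 212c 7bb1 0000 0000 5004 0000 10e5 0000",
]

# tcpdump's one-letter flag names; "." when none of S/F/R/P/U is set.
_FLAG_LETTERS = ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x20, "U"))


def decode(hexdump):
    """Parse one IPv4/TCP datagram given as tcpdump -x hex words."""
    raw = bytes.fromhex(hexdump.replace("xxxx", "0000").replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4                       # IP header length in bytes
    total_len, ip_id, frag, ttl, proto = struct.unpack("!HHHBB", raw[2:10])
    if proto != 6:
        raise ValueError("not a TCP datagram")
    sport, dport, seq, ack, doff_byte, flag_byte = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    window = struct.unpack("!H", raw[ihl + 14:ihl + 16])[0]
    data_start = ihl + (doff_byte >> 4) * 4         # TCP data offset is in 32-bit words
    return {
        "ip_id": ip_id, "ttl": ttl, "df": bool(frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "ack_flag": bool(flag_byte & 0x10),
        "flags": "".join(ch for bit, ch in _FLAG_LETTERS if flag_byte & bit) or ".",
        "window": window,
        "payload": raw[data_start:total_len],       # total_len bounds any trailer
    }


def check_observations(hexdumps):
    """Re-derive the post's observations from the decoded headers."""
    pkts = [decode(h) for h in hexdumps]
    ids = [p["ip_id"] for p in pkts]
    return {
        "ip_ids": ids,
        "ids_step_by_one": all(b - a == 1 for a, b in zip(ids, ids[1:])),
        "push_payloads": [p["payload"] for p in pkts if "P" in p["flags"]],
        # TTLs seen from port 21: the RSTs and the SYN/ACK do not share one
        "victim_ttls": sorted({p["ttl"] for p in pkts if p["sport"] == 21}),
    }


# A libpcap/BPF expression (my suggestion, not the author's filter) that
# matches what the PSH segment here looks like: to port 21, PSH set, first
# four payload bytes "USER".  (tcp[12]&0xf0)>>2 is the TCP data offset in
# bytes, so the match works whether or not TCP options are present.
USER_FILTER = (
    "tcp dst port 21 and tcp[tcpflags] & tcp-push != 0 "
    "and tcp[((tcp[12]&0xf0)>>2):4] = 0x55534552"
)


def matches_user_filter(pkt):
    """Python equivalent of USER_FILTER applied to a decoded packet."""
    return pkt["dport"] == 21 and "P" in pkt["flags"] and pkt["payload"][:4] == b"USER"


if __name__ == "__main__":
    for p in (decode(h) for h in PACKETS):
        print(f'id {p["ip_id"]} ttl {p["ttl"]:3d} df={p["df"]!s:5} {p["sport"]:5d} > {p["dport"]:2d} '
              f'{p["flags"]}{" ack" if p["ack_flag"] else ""} data={p["payload"]!r}')
    print(check_observations(PACKETS))
```

Run as a script it prints one summary line per datagram followed by the re-derived observations. Two caveats before using the payload as a signature: "USER ftp" is the ordinary anonymous-login command, so USER_FILTER fires on every anonymous FTP login and not only on this exploit; and in this trace the server had already closed the connection (the FIN at 08:44:29 is sent with no preceding data, i.e. no banner) before the USER line arrived, which is why that segment is answered with a RST. The decoder also makes visible that the victim's two RSTs carry TTL 255 with DF clear while its SYN/ACK and FIN carry TTL 64 with DF set, which the summary lines show but are easy to overlook.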
