Vulnerability Development mailing list archives
exploiting wu-ftpd
From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Sat, 1 Dec 2001 16:02:57 +0100
I have written an exploit for the recent wu-ftpd vulnerability. It works fine on the original dlmalloc implementation, but in recent glibc some sanity checks were introduced:

#define arena_for_ptr(ptr) \
  (((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
   &main_arena : heap_for_ptr(ptr)->ar_ptr)

When fake_chunk is in the proctitle buffer (my first idea; everything works when the above condition returns &main_arena), ptr is lower than sbrk_base. When I put fake_chunk on the stack, ptr is higher than main_arena. Any ideas how to bypass the arena_for_ptr check?

The wu-ftpd binary linked against malloc with a hacked arena_for_ptr macro: http://www.frasunek.com/ftpd.gz

A working exploit for the above binary is in the attachment.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
Attachment: wu.pl
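To make the obstacle in the post concrete, here is an added example (not code from the post, from wu.pl, or from glibc itself) that models the routing decision free() makes under the quoted arena_for_ptr macro. The comparison is the macro as quoted; HEAP_MAX_SIZE (1 MB) and the heap_for_ptr() mask follow the glibc 2.2 ptmalloc defaults for non-main heaps, and are assumptions here rather than something the post states. All addresses (SBRK_BASE, MAIN_TOP, PROCTITLE, STACK_BUF, HEAP_CHUNK) are a constructed i386 process layout, chosen only to show why a fake chunk in the proctitle buffer falls below sbrk_base and a fake chunk on the stack falls above top(&main_arena), so both miss the &main_arena branch:

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: model of glibc 2.2 ptmalloc arena routing.
 * arena_for_ptr() mirrors the macro quoted in the post; HEAP_MAX_SIZE and
 * heap_for_ptr() follow glibc's defaults of that era (assumption).
 * Every address below is constructed for illustration. */
#define HEAP_MAX_SIZE (1024UL * 1024UL)

enum route { ROUTE_MAIN_ARENA = 0, ROUTE_HEAP_FOR_PTR = 1 };

/* Constructed i386 layout: proctitle buffer in .bss below the start of the
 * brk heap, a small main-arena heap, the stack near the top of user space. */
#define SBRK_BASE   0x0805c000UL   /* first byte obtained via brk()           */
#define MAIN_TOP    0x0805f000UL   /* main_arena's top chunk                  */
#define PROCTITLE   0x08054000UL   /* fake chunk inside the proctitle buffer  */
#define STACK_BUF   0xbffff800UL   /* fake chunk inside a stack buffer        */
#define HEAP_CHUNK  0x0805d010UL   /* a genuine main-arena chunk              */

/* ((mchunkptr)ptr < top(&main_arena) && (char *)ptr >= sbrk_base)
 *     ? &main_arena : heap_for_ptr(ptr)->ar_ptr */
static enum route arena_for_ptr(uintptr_t ptr, uintptr_t sbrk_base, uintptr_t top)
{
    if (ptr < top && ptr >= sbrk_base)
        return ROUTE_MAIN_ARENA;
    return ROUTE_HEAP_FOR_PTR;
}

/* Non-main heaps are HEAP_MAX_SIZE-aligned, so glibc finds the heap_info
 * header (which holds ar_ptr) by masking off the low bits of the pointer. */
static uintptr_t heap_for_ptr(uintptr_t ptr)
{
    return ptr & ~(HEAP_MAX_SIZE - 1);
}

/* Where free(ptr) would look for the chunk's arena under the constructed
 * layout. On the heap_for_ptr path, *ar_ptr_location receives the address
 * from which ar_ptr would be loaded; on the main-arena path it is 0. */
static enum route route_for(uintptr_t ptr, uintptr_t *ar_ptr_location)
{
    enum route r = arena_for_ptr(ptr, SBRK_BASE, MAIN_TOP);
    *ar_ptr_location = (r == ROUTE_MAIN_ARENA) ? 0 : heap_for_ptr(ptr);
    return r;
}

static void show(const char *what, uintptr_t ptr)
{
    uintptr_t loc;
    enum route r = route_for(ptr, &loc);
    if (r == ROUTE_MAIN_ARENA)
        printf("%-28s %#010lx -> &main_arena\n", what, (unsigned long)ptr);
    else
        printf("%-28s %#010lx -> heap_for_ptr: ar_ptr read from %#010lx\n",
               what, (unsigned long)ptr, (unsigned long)loc);
}

int main(void)
{
    show("genuine heap chunk", HEAP_CHUNK);
    show("fake chunk in proctitle", PROCTITLE);   /* below sbrk_base     */
    show("fake chunk on stack", STACK_BUF);       /* above top(&main_arena) */
    return 0;
}
```

The two fake-chunk cases both land on the heap_for_ptr path, where ar_ptr is loaded from a 1 MB-aligned address (0x08000000 and 0xbff00000 in this layout) that the attacker does not control and that may not even be mapped; that is the check the post is asking how to get past.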
Current thread:
- exploiting wu-ftpd Przemyslaw Frasunek (Dec 01)
- Re: exploiting wu-ftpd Krish Ahya (Dec 01)
- Re: exploiting wu-ftpd Przemyslaw Frasunek (Dec 02)
- Re: exploiting wu-ftpd Krish Ahya (Dec 01)
- <Possible follow-ups>
- Re: exploiting wu-ftpd zen-parse (Dec 12)