Vulnerability Development mailing list archives

Re: compress(vul) + ftpd(?)

From: HypH <hyphen () go2 pl>
Date: Sat, 9 Mar 2002 13:02:17 +0100

On Thu  7. March 2002 16:57, H D Moore wrote:

On Thursday 07 March 2002 09:30 am, HypH wrote:

On Thu  7. March 2002 15:18, H D Moore wrote:

YES.  wu-ftpd will call compress with the file name as an argument if
you request the file name ending in .Z. You have to be able to write
out a file name containing the shell code to exploit the bug.


The problem is that the file have to be 1100 chars long , with the
shellcode within. But wu-ftpd doesn`t allow/handle so long filenames.


Hmm.. What about splitting the shellcode into different directories and the
requesting the full path to the file (directories and all) ending in .Z?


even if you create some dirs you can`t send a command string that is 
longer than 200 chars and so you can`t get /SOME/DIRS/1100/CHRS/LONG/foo.Z
Any other ideas..?? :-))
-- 
+-+-+-+-+-+-+-+-+-+-+-+
Were All Born Original 
Most Die As Copies
+-+-+-+-+-+-+-+-+-+-+-+

Current thread:

compress(vul) + ftpd(?) HypH (Mar 05)
- Re: compress(vul) + ftpd(?) H D Moore (Mar 07)
- Message not available
  - Re: compress(vul) + ftpd(?) HypH (Mar 07)
    - Re: compress(vul) + ftpd(?) H D Moore (Mar 07)
    - Re: compress(vul) + ftpd(?) HypH (Mar 09)
    - Re: compress(vul) + ftpd(?) KF (Mar 09)
    - Re: compress(vul) + ftpd(?) HypH (Mar 09)
    - Re: compress(vul) + ftpd(?) Pavel Kankovsky (Mar 09)
    - Re: compress(vul) + ftpd(?) H D Moore (Mar 10)
    - Re: compress(vul) + ftpd(?) Pavel Kankovsky (Mar 11)
    - Re: compress(vul) + ftpd(?) H D Moore (Mar 12)
    - Re: compress(vul) + ftpd(?) Gushterul (Mar 12)
    - Re: compress(vul) + ftpd(?) HypH (Mar 11)
    - Re: compress(vul) + ftpd(?) Mats Linander (Mar 11)