Vulnerability Development mailing list archives
Re: exploiting wu-ftpd
From: zen-parse <zen-parse () gmx net>
Date: Thu, 13 Dec 2001 00:51:53 +1300 (NZDT)
The patches have been available over a week now. I think that is long enough.

On the 1st of December Przemyslaw Frasunek (venglin () freebsd lublin pl) wrote something about getting a wu-ftpd exploit working.

The problem he was having was to do with the following macro:

    #define arena_for_ptr(ptr) \
      (((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
       &main_arena : heap_for_ptr(ptr)->ar_ptr)

He worked around it by making a hacked up version of the malloc function.

My solution: put the chunk on the heap between sbrk_base and the top value of the main_arena.

How? Get the chunk malloc()ed and stored there, then brute force it. (The exact position varies depending on a whole lot of things, and brute forcing is nice for system admins. They have pretty good evidence that there has been an attack. ;])

-- zen-parse

P.S. Apparently there are earlier versions of this exploit floating around. Many of them are even buggier than this one, and all some of them will do is add a few hundred K to the log files.

P.P.S. Sorry, but it was too much temptation to resist posting it as wu261.c. The program is a wrapper for the archive.

--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed without explicit permission. Legal action may be taken to enforce this. If this message was posted by zen-parse () gmx net to a public forum it may be redistributed as long as these conditions remain attached. If you are mum or dad, this probably doesn't apply to you.
Attachment:
wu261.c
Description: Real wu-ftpd 2.6.1 exploit
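
Added example, not part of zen-parse's message or the attached wu261.c: a simplified C model of the arena_for_ptr decision quoted in the message, showing which addresses the allocator treats as main-arena chunks and where it looks for the arena pointer otherwise. HEAP_MAX_SIZE (1 MiB, as in glibc 2.2-era malloc) and the modelling of heap_for_ptr as rounding down to that boundary are assumptions; the struct, the function names and the addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: HEAP_MAX_SIZE as in glibc 2.2-era malloc (must be a power of two). */
#define HEAP_MAX_SIZE ((uintptr_t)1024 * 1024)

/* Hypothetical stand-in for the two values the macro reads. */
struct arena_model {
    uintptr_t sbrk_base; /* start of the brk heap */
    uintptr_t top;       /* address of main_arena's top chunk */
};

enum arena_kind { MAIN_ARENA, NON_MAIN_ARENA };

/* Model of heap_for_ptr(): round down to a HEAP_MAX_SIZE boundary, where a
   non-main heap is expected to keep its heap_info header (holding ar_ptr). */
static uintptr_t heap_for_ptr_model(uintptr_t ptr)
{
    return ptr & ~(HEAP_MAX_SIZE - 1);
}

/* Model of arena_for_ptr(): main arena only when sbrk_base <= ptr < top. */
static enum arena_kind arena_for_ptr_model(const struct arena_model *m, uintptr_t ptr)
{
    return (ptr < m->top && ptr >= m->sbrk_base) ? MAIN_ARENA : NON_MAIN_ARENA;
}

/* Address the allocator would read ar_ptr from; 0 means main_arena is used
   directly and no header is dereferenced. */
static uintptr_t arena_lookup_addr(const struct arena_model *m, uintptr_t ptr)
{
    return arena_for_ptr_model(m, ptr) == MAIN_ARENA ? 0 : heap_for_ptr_model(ptr);
}

int main(void)
{
    /* Constructed addresses, not taken from any real process. */
    struct arena_model m = { 0x08070000u, 0x08090000u };
    uintptr_t samples[] = { 0x08071000u, 0x0806fff8u, 0x08090000u, 0x40123458u };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uintptr_t h = arena_lookup_addr(&m, samples[i]);
        if (h == 0)
            printf("%#lx: main_arena\n", (unsigned long)samples[i]);
        else
            printf("%#lx: ar_ptr read from heap_info at %#lx\n",
                   (unsigned long)samples[i], (unsigned long)h);
    }
    return 0;
}
```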