Vulnerability Development mailing list archives
Re: exploiting wu-ftpd
From: "Krish Ahya" <Krish () houston rr com>
Date: Sat, 1 Dec 2001 19:40:07 -0600
Heh, this is a fake. It doesn't work.

teli

--
"Even though I walk through the valley of the shadow of death, I fear no evil, for You are with me." --Psalm 23

----- Original Message -----
From: "Przemyslaw Frasunek" <venglin () freebsd lublin pl>
To: <vuln-dev () securityfocus com>
Sent: Saturday, December 01, 2001 9:02 AM
Subject: exploiting wu-ftpd
I have written an exploit for the recent wu-ftpd vulnerability. It works fine
on the original dlmalloc implementation, but in recent glibc some sanity checks
were introduced:

    #define arena_for_ptr(ptr) \
      (((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
       &main_arena : heap_for_ptr(ptr)->ar_ptr)

When fake_chunk is in the proctitle buffer (my first idea; everything works
when the above condition returns &main_arena), ptr is lower than sbrk_base.
When I put fake_chunk on the stack, ptr is higher than main_arena.

Any ideas how to bypass the arena_for_ptr check?

The wu-ftpd binary linked against malloc with a hacked arena_for_ptr macro:
http://www.frasunek.com/ftpd.gz

A working exploit for the above binary is in the attachment.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
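The check Frasunek quotes is a range test: a chunk pointer is attributed to main_arena only if it lies in [sbrk_base, top(&main_arena)); anything else is assumed to belong to a secondary heap, whose heap_info header glibc locates by masking the pointer down to HEAP_MAX_SIZE alignment. The following C program is an added illustration written for this archive page, not glibc's code and not anything from the thread or its attachment. It models that dispatch with constructed 32-bit-style addresses (the heap bounds, the sample chunk addresses and the HEAP_MAX_SIZE value are all assumptions chosen for illustration) to show why a chunk header sitting in a static buffer or on the stack does not get treated as a main_arena chunk, and why the header address derived for it points at memory the allocator has no business reading.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed alignment of secondary heaps; chosen for illustration, not taken
 * from any particular glibc release. */
#define HEAP_MAX_SIZE (1024UL * 1024UL)

/* Where arena_for_ptr() would route a chunk pointer handed to free(). */
enum arena_route { ROUTE_MAIN_ARENA, ROUTE_NON_MAIN_HEAP };

/* Model of the range test quoted in the thread: main_arena only if
 * sbrk_base <= ptr < top(&main_arena), otherwise heap_for_ptr(ptr). */
enum arena_route route_for_ptr(uintptr_t ptr, uintptr_t sbrk_base, uintptr_t top)
{
    if (ptr < top && ptr >= sbrk_base)
        return ROUTE_MAIN_ARENA;
    return ROUTE_NON_MAIN_HEAP;
}

/* Model of heap_for_ptr(): mask the pointer down to the HEAP_MAX_SIZE-aligned
 * base, which is where a secondary heap keeps its heap_info header. */
uintptr_t heap_base_for_ptr(uintptr_t ptr)
{
    return ptr & ~(uintptr_t)(HEAP_MAX_SIZE - 1);
}

/* A chunk routed to heap_for_ptr() is only sane if the derived header lies
 * inside a mapping that really is a secondary heap. For a static buffer or a
 * stack address the masked base is not, so the ->ar_ptr read that follows is
 * a read from memory the allocator never set up. */
bool heap_header_in_range(uintptr_t ptr, uintptr_t map_start, uintptr_t map_end)
{
    uintptr_t base = heap_base_for_ptr(ptr);
    return base >= map_start && base < map_end;
}

int main(void)
{
    /* Constructed addresses resembling a 32-bit process layout. */
    const uintptr_t sbrk_base = 0x08060000; /* start of the brk heap        */
    const uintptr_t top       = 0x08090000; /* main_arena's top chunk       */
    const struct { const char *what; uintptr_t ptr; } samples[] = {
        { "genuine malloc'd chunk", 0x08071230 }, /* inside the brk heap  */
        { "static buffer below heap", 0x0805f800 }, /* e.g. .bss           */
        { "stack buffer above heap", 0xbffff5c0 }, /* e.g. a local array  */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum arena_route r = route_for_ptr(samples[i].ptr, sbrk_base, top);
        printf("%-26s 0x%08lx -> %s", samples[i].what,
               (unsigned long)samples[i].ptr,
               r == ROUTE_MAIN_ARENA ? "main_arena\n" : "heap_for_ptr, header at ");
        if (r == ROUTE_NON_MAIN_HEAP)
            printf("0x%08lx\n", (unsigned long)heap_base_for_ptr(samples[i].ptr));
    }
    return 0;
}
```

The two failure cases in the message map directly onto the model: a header in the proctitle buffer fails the `ptr >= sbrk_base` half, a header on the stack fails the `ptr < top` half, and both are then sent to `heap_for_ptr()`, which derives a heap_info address that is not inside any secondary heap. That is the property a reviewer of an allocator's sanity checks would want to see: chunk metadata only from regions the allocator itself handed out.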
Current thread:
- exploiting wu-ftpd Przemyslaw Frasunek (Dec 01)
- Re: exploiting wu-ftpd Krish Ahya (Dec 01)
- Message not available
- Re: exploiting wu-ftpd Przemyslaw Frasunek (Dec 02)
- Message not available
- Re: exploiting wu-ftpd Krish Ahya (Dec 01)
- <Possible follow-ups>
- Re: exploiting wu-ftpd zen-parse (Dec 12)