Vulnerability Development mailing list archives
Re: exploiting wu-ftpd
From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Sun, 2 Dec 2001 15:16:49 +0100
On Sunday 02 December 2001 04:25, Fyodor wrote:
Heh, this is a fake. It doesn't work. Cuz a bit more usage of gray matter instance is needed.
Actually, yes. This exploit will *not* work in the wild. Please don't send me tons of mails asking how to use it. This is only a demonstration of the technique, not a release for ./script kiddos. That's why I've sent it to vuln-dev, not to bugtraq. I won't release a fully functional exploit until people stop using unpatched 2.6.1.

A brief description of the technique used:

- attacker populates the heap with pointers to the proctitle buf by calling 'STAT ~{ptrptrptrptr' a few times
- after that, attacker does 'STAT {~', which calls blockfree() two times in ftpglob(), and the malicious 'ptr' is passed to free()
- in the proctitle buf there is a fake malloc chunk, pointing to the syslog() GOT entry and to shellcode, also located in the proctitle buf
- free(), when trying to deallocate the fake chunk, overwrites the pointer to the syslog() function and then segfaults in chunk_free()
- the segfault sighandler calls syslog() and the shellcode is executed

The lab box was a generic Mandrake 8.1 with wu-ftpd 2.6.1 compiled from the sources and linked against dlmalloc extracted from glibc 2.2.4 with a modified arena_for_ptr macro.

BIG FAT WARNING FOR KIDDIES: IT WILL *NOT* *NOT* *NOT* WORK IN THE WILD.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
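The step where free() of a fake chunk overwrites a function pointer is the allocator's unlink of a free chunk trusting its fd/bk links; the back-pointer integrity check that later glibc versions added ("safe unlinking") refuses exactly this forgery. The following is an added example in C, not code from the post, wu-ftpd or glibc: `struct chunk`, `unlink_unchecked()`, `unlink_checked()`, `slot` and `landing` are hypothetical stand-ins for the dlmalloc header, the GOT entry and the proctitle buffer.

```c
#include <stddef.h>

/* Stand-in for a dlmalloc free-chunk header: only the free-list links matter here. */
struct chunk {
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};
static struct chunk *slot;     /* stands in for a function-pointer slot (e.g. a GOT entry) */
static struct chunk landing;   /* stands in for the attacker-supplied buffer the links point at */

/* Unlink as in glibc 2.2.x dlmalloc: fd/bk are trusted, so each store lands wherever they point. */
static void unlink_unchecked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;               /* store of bk through fd: this is the overwrite */
    bk->fd = fd;               /* store of fd through bk */
}

/* Safe unlinking (later glibc): both neighbours must point back at p. Returns 0 = ok, -1 = refused. */
static int unlink_checked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;             /* forged links cannot satisfy this without a prior write */
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Constructed forgery (hypothetical): fd placed so that fd->bk aliases slot; bk is the buffer. */
static void forge(struct chunk *f) {
    slot = NULL; landing.fd = landing.bk = NULL;
    f->size = 0;
    f->fd = (struct chunk *)((char *)&slot - offsetof(struct chunk, bk));
    f->bk = &landing;
}

int unchecked_corrupts_slot(void) {   /* returns 1: slot now points at landing */
    struct chunk f; forge(&f);
    unlink_unchecked(&f);
    return slot == &landing;
}

int checked_refuses_forgery(void) {   /* returns 1: refused, slot untouched */
    struct chunk f; forge(&f);
    return unlink_checked(&f) == -1 && slot == NULL;
}

int checked_accepts_genuine(void) {   /* returns 1: a genuinely linked chunk still unlinks */
    struct chunk head, a;
    head.fd = head.bk = &a; a.fd = a.bk = &head;
    return unlink_checked(&a) == 0 && head.fd == &head && head.bk == &head;
}
```

The same check is why a modern glibc aborts with "corrupted double-linked list" instead of performing the write; the mitigation for the post's case, however, is still patching the glob handling so an untrusted pointer never reaches free() at all.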
Current thread:
- exploiting wu-ftpd Przemyslaw Frasunek (Dec 01)
- Re: exploiting wu-ftpd Krish Ahya (Dec 01)
- Re: exploiting wu-ftpd Przemyslaw Frasunek (Dec 02)
- Re: exploiting wu-ftpd Krish Ahya (Dec 01)
- Re: exploiting wu-ftpd zen-parse (Dec 12)