Vulnerability Development mailing list archives

Re: exploiting wu-ftpd


From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Sun, 2 Dec 2001 15:16:49 +0100

On Sunday 02 December 2001 04:25, Fyodor wrote:
> Heh, this is a fake.
> It doesn't work.
> Cuz a bit more usage of gray matter instance is needed.

Actually, yes. This exploit will *not* work in the wild. Please don't send me 
tons of mails asking how to use it. This is only a demonstration of the technique, 
not a release for ./script kiddos. That's why I've sent it to vuln-dev, not 
to bugtraq. I won't release a fully functional exploit until people stop using 
unpatched 2.6.1.

A brief description of the technique used:

- the attacker populates the heap with pointers to the proctitle buf by calling 
'STAT ~{ptrptrptrptr' a few times

- after that, the attacker does 'STAT {~', which calls blockfree() twice in 
ftpglob(), and the malicious 'ptr' is passed to free()

- in the proctitle buf there is a fake malloc chunk, pointing to the syslog() GOT 
entry and to shellcode, also located in the proctitle buf

- free(), when trying to deallocate the fake chunk, overwrites the pointer to the 
syslog() function and then segfaults in chunk_free()

- the segfault sighandler calls syslog() and the shellcode is executed

The lab box was a generic Mandrake 8.1 with wu-ftpd 2.6.1 compiled from the 
sources and linked against dlmalloc extracted from glibc 2.2.4 with a modified 
arena_for_ptr macro.

BIG FAT WARNING FOR KIDDIES: IT WILL *NOT* *NOT* *NOT* WORK IN THE WILD.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *