Re: compress(vul) + ftpd(?)

[H D Moore <sflist () digitaloffense net>]

On Saturday 09 March 2002 05:48 pm, Pavel Kankovsky wrote:
> On Thu, 7 Mar 2002, H D Moore wrote:
> > On Thursday 07 March 2002 09:30 am, HypH wrote:
> > > On Thu  7. March 2002 15:18, H D Moore wrote:
> > > > YES.  wu-ftpd will call compress with the file name as an argument if
> > > > you request the file name ending in .Z. You have to be able to write
> > > > out a file name containing the shell code to exploit the bug.
> > >
> > > The problem is that the file have to be 1100 chars long , with the
> > > shellcode within. But wu-ftpd doesn`t allow/handle so long filenames.
> >
> > Hmm.. What about splitting the shellcode into different directories and
> > the requesting the full path to the file (directories and all) ending in
> > .Z?
>
> The total length of command is limited. I think one could fool it using a
> race between wildcard expansion and the code deciding whether compress
> should be run: you create shellcode.Z, send "get shell*.Z", and rename
> shellcode.Z to shellcode at the right moment.


How about:

ftp> mkdir A<254 * 0x90>
ftp> cd A*
ftp> mkdir B<255 * 0x90>
ftp> cd B*
ftp> mkdir C<255 * 0x90>
ftp> cd C*
ftp> mkdir D<255 * 0x90>
ftp> cd D*
ftp> put <reallysmallscode>
ftp> cd ../../../../
ftp> get A*/B*/C*/D*/reallysmallscode.Z

Every 256 bytes you would have a / character, so maybe add a jmp + 2 before 
each slash (for a nice slide). Then change the 'D' chunk so that the shell 
code starts somewhere near the end of it and just write out a filename where 
the 4 crucial bytes of eip point back somewhere in the last 1024 bytes

This hasn't been tested (yet), depending on the OS it may be impossible to 
write out the filename containing the EIP (null bytes for instance).

> BTW: This is an ANCIENT problem.

You would think it would have been fixed by now ;)