[10226] in bugtraq
Re: Possible WU-ftpd Worm ?
daemon@ATHENA.MIT.EDU (M.Brands)
Thu Apr 15 13:24:29 1999
Date: Thu, 15 Apr 1999 00:36:53 +0200
Reply-To: "M.Brands" <shrike@IL.FONTYS.NL>
From: "M.Brands" <shrike@IL.FONTYS.NL>
X-To: Stu Alchor <stu@UPD.CEFETSP.BR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.990414021634.928A-100000@upd.cefetsp.br>; from Stu Alchor on Wed, Apr 14, 1999 at 02:19:17AM -0300

> * Limitations:
> *
> * because I've used hard coded addresses for system and the command,
> * the values won't be the same in other compilations of wu-ftpd.
> * so, you will need to find the address for the version
> * you want to exploit.
> *
> * because we are not using the stack to put our code, the exploit
> * will work as well against a non-executable stack patch.
> *
> *
> * RECOMMENDATION = Please, run gdb through the wu.ftpd binary in order to
> * find out your "system address" (ie: print system) and write it down
> * so you can have more addresses to try - just overwrite the default addr
> * and choose type (3).
> /* CUSTOM ADDRESS, CHANGE IT IN ORDER TO EXPLOIT ANOTHER BOX */
> #define SYSADDR 0x40043194;
> #define EGGADDR 0x805f1dc;

I just checked my Redhat 5.2 system with wu-ftpd-2.4.2b18-2.1.rpm installed.
Since the stock binary was stripped, I built a new one with the source RPM.
Checking both the symbols and the source, I could not find any use of the
system(3) call. That's pretty hard to exploit...

I think at least the version of wu-ftpd supplied by Redhat isn't exploitable.
I could however be terribly wrong. In that case I guess I'll have to find a
very big rock to hide under :)

Mathijs