Bugtraq mailing list archives

Conclusion to recent working WuFTPD Exploits

From: eric.hines () NUASIS COM (Eric Hines)
Date: Wed, 5 Jul 2000 10:20:56 -0700


Everyone:

I've been swamped with incoming emails lately regarding questions revolving
around the use of either the wuftpd2600.c source code as well as the bobek.c
release.

It has come to my discovery that some systems at MIT are for example vulnerable
to the vulnerability, and some aren't.. (All) with the same default RH 6.2
installations. The problem occurs when you attempt to execute the exploit on a
remote machine and are left with a telnet session to PORT 21 of the vulnerable
system, stuck to your typical HELP commands. This is because the exploit is
attempting to utilize the WRONG [stack retr addr] of the vulnerable ftp daemon.
The reason being it is not overflowing the stack, leaving you with this telnet
session.

I have also been informed that their are several (working) exploits separate of
these 2 aforementioned sources that will be disseminated soon. Until then,
give gdb (GNU Debugger) (ftp.gnu.org) a shot to identify the correct location of
the stack return address.

Eric Hines
Director Information Security
NUASIS Corporation

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2

mQGiBDlP0fgRBADQ6w878kgQ0T1aQOHRHXBu1C+iVUmqDl1R2SE7x+RyoMpYvdTc
8piV4Z2VlbUqf41w9s7jNy3F3M9qj/8EriI7sdmsyyBQiJNonU1lSyaAAWYhqHZ1
DYb0o6PzD3NVctCAsqDoxrHqJlbuuj49pOU0hJcbeIjhy1yupVotV6uB3wCg/zDo
1Swb7FFDHIqDyQ7Kuf+v5r0EAMfm2A/qV4lbXdshRu1o90Wgw0wJwJgjPiU8kelr
T5yVKbBGf6AlkkPagG1+URDZZbKux4pZNn8/GXRubH61vccJ9JUVr9urAQrGhKW9
Hh1BTS1uXbpIMxu1ZquVjEKDS6lao6k6DiamuVEAzL3Ui6R5C/Lfxc0RulijUwZL
Zj6eA/9fL77pYEgDL9VToX3iI21nIDnHxzabbPYjWUBEtRuTJm1nTdBwjhwRzkfZ
h1PrWZ+pYlVMQvIbLhimT6TYRKgXuthuXlC519E81pQB9HK81E1bq5B2JtuhwrdE
hV3UtXihzJc65m4ciSYGnmbuyLMvveYN66hGgSSPrJ3dEtQi/rQiRXJpYyBIaW5l
cyA8ZXJpYy5oaW5lc0BudWFzaXMuY29tPokAVAQQEQIAFAUCOU/R+AUJOGQJAAQL
AwECAhkBAAoJEDBk0XCTfivZAdIAnRELzgdEfu7bG//ObhtZR5Ok2w0YAKCVCopD
ljrpyfJtTP48g7Cx0nbK37kCDQQ5T9H9EAgA9kJXtwh/CBdyorrWqULzBej5UxE5
T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/c
dlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaCl
cjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD
8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZ
yAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf+
I5IyJ5LMKjItUVMFvgSrbR2xlNXE7iGO4OJy5dgM6tdw0r9u64XccySbFDvQO9cm
khgmF1qrpPLpdqsPxLtUEI87r3xDndejwDUjKWceDdIotbZZ8Hphf064eC4HW7S4
smJPIbuW768fkB9sAIY9aLANcVVnwRyOJBORYDhn3PLUR7xVun1SN+XxKbAJB8lP
HBZ0D6/eOl45WeOjuVh31mZt7XwbQaRl4UV8SnjxQToeOB1ivhqcT8Fmv3lFuXEu
uQZ32yfZSJs0uAj8vhyF0J+lsuwl8QK3VON6ZI/VAElH5P9YUr6AFdDEWfRmoGl+
V6HmN/yLrs2iYbV89PfluIkATAQYEQIADAUCOU/R/QUJOGQJAAAKCRAwZNFwk34r
2fbRAJ93tZZJStohApQmo2ANFtlS6eK8wQCfZvWiu70Yc2Nn9EYRa1iykp8iq34=
=7vK/
-----END PGP PUBLIC KEY BLOCK-----

Current thread:

Re: ftpd: the advisory version Valdis Kletnieks (Jun 30)
- Re: ftpd: the advisory version Tom Perrine (Jul 02)
- Conclusion to recent working WuFTPD Exploits Eric Hines (Jul 05)
- <Possible follow-ups>
- Re: ftpd: the advisory version Carson Gaspar (Jun 30)
  - Re: ftpd: the advisory version Mike Gleason (Jul 02)
  - [RHSA-2000:016-03] Multiple local imwheel vulnerabilities bugzilla () REDHAT COM (Jul 03)
  - Re: ftpd: the advisory version monti (Jul 05)
    - Re: ftpd: the advisory version D. J. Bernstein (Jul 06)
    - Re: ftpd: the advisory version monti (Jul 07)
    - Re: ftpd: the advisory version Mikael Olsson (Jul 07)
    - Re: ftpd: the advisory version David Maxwell (Jul 07)
    - Re: ftpd: the advisory version D. J. Bernstein (Jul 10)
    - Re: ftpd: the advisory version Richard Rager (Jul 11)

(Thread continues...)