Bugtraq mailing list archives
Conclusion to recent working WuFTPD Exploits
From: eric.hines () NUASIS COM (Eric Hines)
Date: Wed, 5 Jul 2000 10:20:56 -0700
Everyone: I've been swamped with incoming emails lately regarding questions revolving around the use of either the wuftpd2600.c source code as well as the bobek.c release. It has come to my discovery that some systems at MIT are for example vulnerable to the vulnerability, and some aren't.. (All) with the same default RH 6.2 installations. The problem occurs when you attempt to execute the exploit on a remote machine and are left with a telnet session to PORT 21 of the vulnerable system, stuck to your typical HELP commands. This is because the exploit is attempting to utilize the WRONG [stack retr addr] of the vulnerable ftp daemon. The reason being it is not overflowing the stack, leaving you with this telnet session. I have also been informed that their are several (working) exploits separate of these 2 aforementioned sources that will be disseminated soon. Until then, give gdb (GNU Debugger) (ftp.gnu.org) a shot to identify the correct location of the stack return address. Eric Hines Director Information Security NUASIS Corporation -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 6.5.2 mQGiBDlP0fgRBADQ6w878kgQ0T1aQOHRHXBu1C+iVUmqDl1R2SE7x+RyoMpYvdTc 8piV4Z2VlbUqf41w9s7jNy3F3M9qj/8EriI7sdmsyyBQiJNonU1lSyaAAWYhqHZ1 DYb0o6PzD3NVctCAsqDoxrHqJlbuuj49pOU0hJcbeIjhy1yupVotV6uB3wCg/zDo 1Swb7FFDHIqDyQ7Kuf+v5r0EAMfm2A/qV4lbXdshRu1o90Wgw0wJwJgjPiU8kelr T5yVKbBGf6AlkkPagG1+URDZZbKux4pZNn8/GXRubH61vccJ9JUVr9urAQrGhKW9 Hh1BTS1uXbpIMxu1ZquVjEKDS6lao6k6DiamuVEAzL3Ui6R5C/Lfxc0RulijUwZL Zj6eA/9fL77pYEgDL9VToX3iI21nIDnHxzabbPYjWUBEtRuTJm1nTdBwjhwRzkfZ h1PrWZ+pYlVMQvIbLhimT6TYRKgXuthuXlC519E81pQB9HK81E1bq5B2JtuhwrdE hV3UtXihzJc65m4ciSYGnmbuyLMvveYN66hGgSSPrJ3dEtQi/rQiRXJpYyBIaW5l cyA8ZXJpYy5oaW5lc0BudWFzaXMuY29tPokAVAQQEQIAFAUCOU/R+AUJOGQJAAQL AwECAhkBAAoJEDBk0XCTfivZAdIAnRELzgdEfu7bG//ObhtZR5Ok2w0YAKCVCopD ljrpyfJtTP48g7Cx0nbK37kCDQQ5T9H9EAgA9kJXtwh/CBdyorrWqULzBej5UxE5 T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/c dlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaCl cjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD 8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZ yAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf+ I5IyJ5LMKjItUVMFvgSrbR2xlNXE7iGO4OJy5dgM6tdw0r9u64XccySbFDvQO9cm khgmF1qrpPLpdqsPxLtUEI87r3xDndejwDUjKWceDdIotbZZ8Hphf064eC4HW7S4 smJPIbuW768fkB9sAIY9aLANcVVnwRyOJBORYDhn3PLUR7xVun1SN+XxKbAJB8lP HBZ0D6/eOl45WeOjuVh31mZt7XwbQaRl4UV8SnjxQToeOB1ivhqcT8Fmv3lFuXEu uQZ32yfZSJs0uAj8vhyF0J+lsuwl8QK3VON6ZI/VAElH5P9YUr6AFdDEWfRmoGl+ V6HmN/yLrs2iYbV89PfluIkATAQYEQIADAUCOU/R/QUJOGQJAAAKCRAwZNFwk34r 2fbRAJ93tZZJStohApQmo2ANFtlS6eK8wQCfZvWiu70Yc2Nn9EYRa1iykp8iq34= =7vK/ -----END PGP PUBLIC KEY BLOCK-----
Current thread:
- Re: ftpd: the advisory version Valdis Kletnieks (Jun 30)
- Re: ftpd: the advisory version Tom Perrine (Jul 02)
- Conclusion to recent working WuFTPD Exploits Eric Hines (Jul 05)
- <Possible follow-ups>
- Re: ftpd: the advisory version Carson Gaspar (Jun 30)
- Re: ftpd: the advisory version Mike Gleason (Jul 02)
- [RHSA-2000:016-03] Multiple local imwheel vulnerabilities bugzilla () REDHAT COM (Jul 03)
- Re: ftpd: the advisory version monti (Jul 05)
- Re: ftpd: the advisory version D. J. Bernstein (Jul 06)
- Re: ftpd: the advisory version monti (Jul 07)
- Re: ftpd: the advisory version Mikael Olsson (Jul 07)
- Re: ftpd: the advisory version David Maxwell (Jul 07)
- Re: ftpd: the advisory version D. J. Bernstein (Jul 10)
- Re: ftpd: the advisory version Richard Rager (Jul 11)