Vulnerability Development mailing list archives
Re: compress(vul) + ftpd(?)
From: H D Moore <sflist () digitaloffense net>
Date: Sat, 9 Mar 2002 23:06:44 -0600
On Saturday 09 March 2002 05:48 pm, Pavel Kankovsky wrote:
> On Thu, 7 Mar 2002, H D Moore wrote:
>
> > On Thursday 07 March 2002 09:30 am, HypH wrote:
> >
> > > On Thu 7. March 2002 15:18, H D Moore wrote:
> > >
> > > > YES. wu-ftpd will call compress with the file name as an argument if
> > > > you request the file name ending in .Z. You have to be able to write
> > > > out a file name containing the shell code to exploit the bug.
> > >
> > > The problem is that the file has to be 1100 chars long, with the
> > > shellcode within. But wu-ftpd doesn't allow/handle such long filenames.
> >
> > Hmm.. What about splitting the shellcode into different directories and
> > then requesting the full path to the file (directories and all) ending
> > in .Z?
>
> The total length of the command is limited. I think one could fool it
> using a race between wildcard expansion and the code deciding whether
> compress should be run: you create shellcode.Z, send "get shell*.Z",
> and rename shellcode.Z to shellcode at the right moment.
How about:

ftp> mkdir A<254 * 0x90>
ftp> cd A*
ftp> mkdir B<255 * 0x90>
ftp> cd B*
ftp> mkdir C<255 * 0x90>
ftp> cd C*
ftp> mkdir D<255 * 0x90>
ftp> cd D*
ftp> put <reallysmallscode>
ftp> cd ../../../../
ftp> get A*/B*/C*/D*/reallysmallscode.Z

Every 256 bytes you would have a / character, so maybe add a jmp +2 before each slash (for a nice slide). Then change the 'D' chunk so that the shell code starts somewhere near the end of it, and just write out a filename where the 4 crucial bytes of eip point back somewhere in the last 1024 bytes.

This hasn't been tested (yet); depending on the OS it may be impossible to write out the filename containing the EIP (null bytes, for instance).
BTW: This is an ANCIENT problem.
You would think it would have been fixed by now ;)