Full Disclosure mailing list archives

RE: ProFTPD-1.2.9rc2 remote root exploit

From: GARCIA Lionel <lionel.garcia () airbus com>
Date: Fri, 24 Oct 2003 16:25:17 +0200

This line seems suspicious. Don't know the purpose of the shellcode, but I
won't try it.

   /* connect to the bindshell */
   printf("Trying to connect, please wait...\n");

--->   void(*sleep)()=(void*)sc;sleep(5);   <------- Hummm :-\
   if(give_me_a_shell(addr) < 0)

     {
      fprintf(stderr, "Sorry, exploit didn't work.\n");
      return(-1);

The shellcode seems to be locally launched. Anybody to "decrypt" the
shellcode ?

-----Message d'origine-----
De : Andreas Gietl [mailto:a.gietl () e-admin de]
Envoyé : vendredi 24 octobre 2003 15:36
À : Jean-Kevin Grosnakeur; full-disclosure () lists netsys com
Objet : Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit


On Friday 24 October 2003 14:22, Jean-Kevin Grosnakeur wrote:

this seems to delete sth on the local harddisk. anybody else 
seeing this 
effect?

Ladies and gentlemen, here's the source code of the exploit

for the latest

release of ProFTPD. This is a Zero-Day private exploit, please DON'T
REDISTRIBUTE. I will not take responsibility for any

damages which could

result from the usage of this exploit, use it at your own risk.

--------------------------------------------------------------
------------


Have fun ! @+

_________________________________________________________________
MSN Messenger 6  http://g.msn.fr/FR1001/866 : plus de

personnalisation,

plus de fun pour vous et vos amis...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
e-admin internet gmbh
Andreas Gietl                                            tel 
+49 941 3810884
Ludwig-Thoma-Strasse 35                      fax +49 
(0)1805/39160 - 29104
93051 Regensburg                                  mobil +49 
171 6070008

PGP/GPG-Key unter http://www.e-admin.de/gpg.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

This mail has originated outside your organization,
either from an external partner or the Global Internet. 
Keep this in mind if you answer this message.

Current thread:

Re: ProFTPD-1.2.9rc2 remote root exploit, (continued)
- - - Re: ProFTPD-1.2.9rc2 remote root exploit Lorenzo Hernandez Garcia-Hierro (Oct 24)
  - Re: ProFTPD-1.2.9rc2 remote root exploit Simon Kirby (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit qobaiashi (Oct 24)
  - Re: ProFTPD-1.2.9rc2 remote root exploit upb (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Jedi/Sector One (Oct 24)
- Re: ProFTPD-1.2.9rc2 localhost delete kang (Oct 24)
  - Re: ProFTPD-1.2.9rc2 localhost delete dilema (Oct 24)
- Re: ProFTPD-1.2.9rc2 remote root exploit Cael Abal (Oct 24)
  - Re: ProFTPD-1.2.9rc2 remote root exploit Rob Lewis (Oct 24)
- ProFTPD-1.2.9rc2 remote root exploit Jean-Kevin Grosnakeur (Oct 24)
- RE: ProFTPD-1.2.9rc2 remote root exploit GARCIA Lionel (Oct 24)
  - Re: ProFTPD-1.2.9rc2 remote root exploit Philipp Buehler (Oct 24)
    - Re: ProFTPD-1.2.9rc2 remote root exploit Larry W. Cashdollar (Oct 24)
    - Re: ProFTPD-1.2.9rc2 remote root exploit zero (Oct 24)
- RE: ProFTPD-1.2.9rc2 remote root exploit amebix (Oct 24)