Diffstat (limited to 'exploits/7350proftpd/vulninfo')
| -rw-r--r-- | exploits/7350proftpd/vulninfo | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/exploits/7350proftpd/vulninfo b/exploits/7350proftpd/vulninfo new file mode 100644 index 0000000..18f1f27 --- /dev/null +++ b/exploits/7350proftpd/vulninfo | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | I know of at least 2 vulnerabilites in proftp, although looking at the | ||
| 2 | code there are probably hundreds more. | ||
| 3 | |||
| 4 | The first one is in sreplace() and is overflowable by making lots of | ||
| 5 | nested paths. The overflow is in the form of a while loop where a pointer | ||
| 6 | to a local buffer is continually written to and incremented. It is | ||
| 7 | particularly difficult to exploit because you have to overwrite many | ||
| 8 | arguments on the stack, including an array of pointers and the pointer | ||
| 9 | itself ! Unless you can preserve the stack by being very cunning this is | ||
| 10 | effectively unexploitable. (it segfaults before the function returns). | ||
| 11 | |||
| 12 | The second one is much nicer. it occurs in log_xfer when STOR command is | ||
| 13 | invoked. | ||
| 14 | -- | ||
| 15 | sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n", | ||
| 16 | fmt_time(time(NULL)),xfertime,remhost,fsize, | ||
| 17 | fname,xfertype,direction,access,user); | ||
| 18 | -- | ||
| 19 | where fname is the name of the file u are STORing and buf is the only | ||
| 20 | local buffer on the stack (1024 bytes long); | ||
| 21 | |||
| 22 | This is not so easy since you have to take account of the length of the | ||
| 23 | arguments preceding fname, i.e. fmt_time(time(NULL)), xfertime, remhost, | ||
| 24 | fsize | ||
| 25 | heres a snippet from my xferlog file: | ||
| 26 | -- | ||
| 27 | Thu Dec 2 19:19:14 1999 0 localhost 0 /tmp/blah b _ i r dave ftp 0 * | ||
| 28 | -- | ||
| 29 | ^^^^^^^^^^^^^^^^^^^^^^^^ | ||
| 30 | The formatted time is thankfully always the same size, 24 bytes, | ||
| 31 | the xfer time is dependant on how long you stay connected, preferably 0, | ||
| 32 | giving a 1 byte string. the hostname that the remote server sees, you | ||
| 33 | should be able to find out yourself for sure(try SMTP). | ||
| 34 | the fsize you should be able to control as well, in my case 0. | ||
| 35 | |||
| 36 | So adding all that up gives an inital offset into the buffer of | ||
| 37 | 30 + strlen(hostname) | ||
| 38 | therefore the distance until the end of the buffer is 996-strlen(hostname) | ||
| 39 | bytes | ||
| 40 | |||
| 41 | consider the length of the buffer to be 996-strlen(hostname) | ||
| 42 | |||
| 43 | Calculating the offset is quite difficult off hand but basically all you | ||
| 44 | have to do is create 4 big directorys (194 chars long), then another | ||
| 45 | directory approx 200 - strlen(initdir) - strlen(hostname) chars long with | ||
| 46 | the nops and shellcode. then STOR a 19 byte string with the return | ||
| 47 | addresses at the end. Note that this last directory has to have a length | ||
| 48 | <= 194 but this shouldn't be a problem unless you are writing to '/' with a | ||
| 49 | 4 char hostname.... | ||
| 50 | |||
| 51 | Hopefully this won't 'exploit' the first bug explained above because the | ||
| 52 | string we are sending is too small to overflow that buffer | ||
| 53 | (1004-strlen(hostname)). | ||
| 54 | |||
| 55 | update: I just found out there is a far better (and easier!) way to exploit proftp which requires only anonymous and a file which you can read. it is still in log_xfer(). all you have to do is log in as anonymous with a really long password and do RETR somefile. the transfer (including your password) is logged, and voila. I have to get around to adding this. | ||
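Review bot: the buffer arithmetic in this writeup does not agree with itself and should be reconciled before the file is kept as reference material: the distance to the end of `buf` is first given as "996-strlen(hostname)" and restated as the effective buffer length, but the closing paragraph refers to the same buffer as "(1004-strlen(hostname))", and neither figure is derived from the stated 1024-byte buffer and the "30 + strlen(hostname)" prefix; pick one figure and show how it follows. The file also never names the proftpd version or source tree the `sprintf` in `log_xfer` was read from, and the quoted snippet has no file or line reference, so a reader cannot confirm whether a given build still has the unbounded `sprintf` call; add that before the "update:" paragraph. The update itself describes a third, anonymous-login path but ends with "I have to get around to adding this", so the text should state which of the described paths the accompanying code in this directory actually implements.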
