-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

lftp v2.2.5 has a bug, not exploitable because it doesn't overwrite the return address. Little detail, so keep up with your work.

cheers
Powertech

-- 
Edwin Meese made me wear CORDOVANS!!
http://www.ezkracho.com.ar
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: gKhWwvgpmSsnsRshAq7S0QzZ9NJ7CO5n

iQEVAwUBPHGUkYhDjf2eob5RAQHaZAgAoRPLlBtatvCl+4JWAB9DkJmbkqHhAQYj
OHQkE+II9aiz9d/h0dy3CvI3btkKeunE6tKBQXI6ko4sh0fCHdUJzgMYbsmdImWe
jkilrcIoH5MJ8QfBgu7qzIcfg9qGU/NtY8iZKJS2r5GEHU0GWv6EFhRcXx+ma5Bf
7gv5uKuCRklvMODJ/x4vERZ38HJxHxjygpvpAZ4UOXRQpmySb2QVW5zaD6qA8mFU
XVWW1t3ar3niK39RK5fbSRKiGi22MOp84AkwPUbQOewYUNRJLZU5K2Cl87F0VXwm
YQAXsoMlP3qArgnONttTkbE/sngIL6lOReL6365WEC5ZCv91aTXiGw==
=IXLt
-----END PGP SIGNATURE-----
[toor@c0ded]@[tty2]:(/tmp)#attack=`perl -e ' print "/x90" x 26685'`
[toor@c0ded]@[tty2]:(/tmp)#lftp -u $attack
Password: ^M
-Cortado-
0/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90@:~>^M
Segmentation fault (core dumped)
(Good)

[toor@c0ded]@[tty2]:(/tmp)#gdb /tmp/lftp -c core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux"...(no debugging symbols found)...
Core was generated by `./lftp -u /x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libreadline.so.4.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libreadline.so.4.1
Reading symbols from /usr/lib/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libncurses.so.5
Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /usr/lib/libgpm.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpm.so.1
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x40111815 in free () from /lib/libc.so.6
(gdb) set args -u $attack
-censurado-
0/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90@:~>
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x40111815 in free () from /lib/libc.so.6
(gdb) info registers
eax            0x3039782c       809072684
ecx            0x80addd4        134929876
edx            0x80addd4        134929876
ebx            0x401a18e0       1075452128
esp            0xbffe55c4       0xbffe55c4
ebp            0xbffe55fc       0xbffe55fc
esi            0x80a5950        134895952
edi            0x80a6158        134898008
eip            0x40111815       0x40111815
eflags         0x10202          66050
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
fctrl          0x37f            895
fstat          0x0              0
ftag           0xffff           65535
fiseg          0x23             35
fioff          0x4004f7d1       1074067409
foseg          0x2b             43
fooff          0xbfffcc4c       -1073755060
fop            0x77c            1916
(gdb) ret
Make selected stack frame return now? (y or n) y
#0  0x401121b0 in realloc () from /lib/libc.so.6
(gdb)

It's not suid; look on other distros and check whether we can get an exploit out of it. Example: e-fax, not suid on linux, suid on fbsd.

-rwxr-xr-x    1 root     root       274808 Oct  3  2000 /usr/bin/lftp*
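The post shows two things a defender wants to pin down: an overlong `-u` value that corrupts the heap and faults later inside `free()`/`realloc()`, and the `ls -l` check that the binary is not setuid, which bounds the impact. The program below is an added example, not code from the post or from lftp: it puts a generic unbounded-copy pattern next to a hardened, length-checked copy of the user name, and adds a `stat()`-based setuid check. `USERNAME_MAX`, the function names and the 'A'-filled test string are all assumptions of this example; the post does not say where in lftp the overflow actually is.

```c
#define _DEFAULT_SOURCE 1   /* S_ISUID from <sys/stat.h> on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Longest login name this client accepts: an assumed limit, not lftp's. */
#define USERNAME_MAX 255

/* Vulnerable pattern, illustrative only and not lftp's actual code: a fixed
 * size heap buffer filled by strcpy() from a user-controlled argv value. A
 * longer value runs past the chunk into the allocator's own bookkeeping and
 * the next free()/realloc() on that heap faults, which is the shape of the
 * "#0 ... in free ()" crash in the post. Never called by the checks below. */
char *copy_username_unsafe(const char *arg)
{
    char *buf = malloc(USERNAME_MAX + 1);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);   /* no length check */
    return buf;
}

/* Hardened version: measure first, refuse anything over the limit, then
 * allocate exactly what is needed. Returns NULL and sets *err for empty or
 * oversize input so the caller reports it instead of crashing later. */
char *copy_username(const char *arg, const char **err)
{
    size_t n = 0;
    *err = NULL;
    if (arg == NULL || arg[0] == '\0') {
        *err = "empty user name";
        return NULL;
    }
    /* Bounded scan: stops as soon as the name is already too long, so a
     * 26685-byte argument like the post's is rejected without copying. */
    while (n <= USERNAME_MAX && arg[n] != '\0')
        n++;
    if (n > USERNAME_MAX) {
        *err = "user name too long";
        return NULL;
    }
    char *buf = malloc(n + 1);
    if (buf == NULL) {
        *err = "out of memory";
        return NULL;
    }
    memcpy(buf, arg, n + 1);   /* n + 1 copies the terminator too */
    return buf;
}

/* 1 if copy_username() accepts arg, else 0 (frees the copy again). */
int username_accepted(const char *arg)
{
    const char *err;
    char *u = copy_username(arg, &err);
    if (u == NULL)
        return 0;
    free(u);
    return 1;
}

/* Constructed input: len bytes of 'A' standing in for the post's repeated
 * "/x90" argument. Returns whether the hardened copy accepts it. */
int long_username_accepted(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int ok = username_accepted(s);
    free(s);
    return ok;
}

/* The post's "not suid" remark decides the impact: a crash in a client that
 * is not setuid only affects the user who ran it. Returns 1 if path is
 * setuid, 0 if not, -1 if it cannot be stat()ed. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *err;
    const char *user = argc > 1 ? argv[1] : "anonymous";
    char *u = copy_username(user, &err);
    if (u == NULL) {
        fprintf(stderr, "rejected -u value: %s\n", err);
        return 1;
    }
    printf("accepted user name of %zu bytes\n", strlen(u));
    free(u);
    printf("/usr/bin/lftp setuid: %d\n", is_setuid("/usr/bin/lftp"));
    return 0;
}
```

Run it with a long argument (for example the output of the post's `perl -e` line) and the hardened path refuses the name up front; the setuid probe reproduces the `ls -l` check in code, returning -1 where the binary is not installed.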