From: zen-parse (zen-parsegmx.net)
Date: Wed Dec 12 2001 - 05:51:53 CST

    The patches have been available over a week now. I think that is long
    enough.

    On the 1st of December Przemyslaw Frasunek (venglinfreebsd.lublin.pl)
    wrote something about getting a wu-ftpd exploit working. The problem he
    was having was to do with the following macro:

    #define arena_for_ptr(ptr) \
     (((mchunkptr)(ptr) < top(&main_arena) && (char *)(ptr) >= sbrk_base) ? \
      &main_arena : heap_for_ptr(ptr)->ar_ptr)

    He worked around it by making a hacked up version of the malloc function.

    My solution: put the chunk on the heap between sbrk_base and the top value
    of the main_arena.

    How? Get the chunk malloc()ed and stored there, then brute force it. (The
    exact position varies depending on a whole lot of things, and brute
    forcing is nice for system admins. They have pretty good evidence that
    there has been an attack. ;])

    -- zen-parse

    P.S. Apparently there are earlier versions of this exploit floating
    around. Many of them are even buggier than this one, and all some of them
    will do is add a few hundred K to the log files.

    P.P.S. Sorry, but it was too much temptation to resist posting it as
    wu261.c. The program is a wrapper for the archive.

    -- 
    -------------------------------------------------------------------------
    The preceding information is confidential and may not be redistributed
    without explicit permission. Legal action may be taken to enforce this.  
    If this message was posted by zen-parsegmx.net to a public forum it may
    be redistributed as long as these conditions remain attached. If you are
    mum or dad, this probably doesn't apply to you.