Thursday, 28 September 2017

Privilege Escalation in ProFTPd 1.3.0

During the last few days I was preparing for another CTF competition. As a warm-up I decided to do a(nother ;)) quick autopsy, this time of an old bug found in ProFTPd, described as CVE-2006-6563. Below you will find some results...

For testing purposes I used an old version of Kubuntu Linux and ProFTPd 1.3.0. We will start here:

Checking ftpdctl:

It works. Let's attach ltrace to proftpd now and send "A"*1000 as our buffer. ProFTPd will stop:


In the ltrace-window we should see something similar to this:


Let's do it again but this time we will use gdb (not ltrace):


We will now restart the app and set a breakpoint at #5 (0x0807387e). Our skeleton script for now looks like this:


Sending...


Quick check for ESP and we can see that our payload ("A"*...) is indeed there. Next.


As you can see there is a canary, so now we will modify our script to overwrite the canary value and print 'deadcode':


Our results:


Looks good. Now we need to find a "jmp esp" instruction (I will leave that to you as an exercise). After preparing a shellcode (generated with Metasploit, which will provide a bindshell on 9999/tcp for us) we are ready to (restart ProFTPd and) re-run our script. The result should be similar to the one presented below:


Verifying:
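To show the other side of the walkthrough above, here is an added example (my own code, not from this post and not ProFTPd's source): a length-prefixed control-request parser in C with the bounds check that keeps an oversized ftpdctl-style argument such as the "A"*1000 buffer from ever reaching the stack buffer. The message layout and the 256-byte argument limit are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-argument limit for the control channel (not ProFTPd's value). */
#define CTRL_MAX_ARGLEN 256

enum ctrl_status { CTRL_OK = 0, CTRL_TRUNCATED = -1, CTRL_TOO_LONG = -2 };

/* Read one argument from a request laid out as [uint32 length][bytes].
 * The length field is attacker-controlled, so it is validated against the
 * destination size and against the bytes actually received before the copy.
 * Dropping the first check is the classic stack-overflow pattern: a
 * 1000-byte argument would then be copied straight past a 256-byte buffer. */
int ctrl_read_arg(const unsigned char *msg, size_t msglen,
                  char *out, size_t outsz, size_t *consumed)
{
    uint32_t arglen;
    if (msglen < sizeof arglen)
        return CTRL_TRUNCATED;
    memcpy(&arglen, msg, sizeof arglen);
    if (arglen >= outsz)                    /* too big, keep room for NUL */
        return CTRL_TOO_LONG;
    if (arglen > msglen - sizeof arglen)    /* declared more than received */
        return CTRL_TRUNCATED;
    memcpy(out, msg + sizeof arglen, arglen);
    out[arglen] = '\0';
    *consumed = sizeof arglen + arglen;
    return CTRL_OK;
}

/* Constructed driver: a request that declares 'declared' bytes but carries
 * 'payload' bytes of 'A', parsed into a fixed-size stack buffer. Returns
 * the parser's status code. */
int ctrl_check(uint32_t declared, size_t payload)
{
    unsigned char msg[sizeof(uint32_t) + 2048];
    char arg[CTRL_MAX_ARGLEN];
    size_t used = 0;
    if (payload > 2048)
        return CTRL_TRUNCATED;
    memcpy(msg, &declared, sizeof declared);
    memset(msg + sizeof declared, 'A', payload);
    return ctrl_read_arg(msg, sizeof declared + payload, arg, sizeof arg, &used);
}

int main(void)
{
    printf("10-byte argument:  %d\n", ctrl_check(10, 10));
    printf("\"A\"*1000 argument: %d\n", ctrl_check(1000, 1000));
    printf("short read:        %d\n", ctrl_check(100, 50));
    return 0;
}
```

The canary seen in gdb above is the compiler's stack-protector check, which only catches the overwrite after it has happened; the length check here prevents the write in the first place, so the two belong together rather than one replacing the other.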



See you next time ;)

Cheers