Vulnerability Development mailing list archives
Re: ftp.exe buffer overflow ?
From: Benjamin Branch <ben () ACMECLICK COM>
Date: Thu, 15 Feb 2001 12:51:29 -0600
I found that the easiest way to do this is by using the -s:filename option with ftp.exe. I did the following in a text file and got it to dump the stack.

1. Made a test file with the following command in it:

   quote site exec A x 1000

2. Ran ftp.exe with the following options:

   ftp -n -s:test.ftp ftp.example.com

Soon afterwards I received this little message:

FTP caused an invalid page fault in module <unknown> at 0000:41414141.
Registers:
EAX=00000000 CS=017f EIP=41414141 EFLGS=00010206
EBX=00000000 SS=0187 ESP=0056f5f4 EBP=01008820
ECX=0056f3e8 DS=0187 ESI=010072b8 FS=3b87
EDX=0056e9a8 ES=0187 EDI=7800bb50 GS=5756
Bytes at CS:EIP:

Stack dump:
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141

I think that this confirms Mr. Hassell's post. If I were to exploit this on a machine I think it would be easiest done by putting this in the start up somewhere on an ethernet based machine. Has this been tested on NT? If so, the only thing that would need to be done is to have this run on start up and then have it add a user with admin privs. I'm not big on writing exploits, so I could be wrong on this.

I am also running Win 98 build 4.10.2222 A. So it looks like it is exploitable on Win98 and Win98 SE. I just tried in Windows 2000 Server with SP1 and it seemed to have no effect on the server.

Benjamin

----- Original Message -----
From: "Riley Hassell" <riley () EEYE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, February 12, 2001 12:36 AM
Subject: Re: ftp.exe buffer overflow ?

This is actually overflowable: In my first post I put a note at the bottom showing that sending a large buffer with 'A's overwrites the EIP.

Example:

ftp example.com
...login...
quote site exec AAAAAAAA..... <--- 1000x'A'

I'm on build 2195 and it directly overwrites the EIP.

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () BOS BINDVIEW COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 5:45 PM
Subject: Re: ftp.exe buffer overflow ?

On Mon, 12 Feb 2001, Egemen Tas wrote:

> This bug is different from the ones you mentioned. This is the bug in MS FTP Client's QUOTE command.

MS FTP client is surprisingly similar to BSDish ftp client, containing - for example - some similar strings in its binary. It's been discussed on numerous forums a long time ago (google.com, search for: "Regents of the University of California" ftp microsoft client). Thus, I bet this is the same as the bug in BSDish ftp client (format bug in quote command), and is caused by very similar code.

> In my opinion this may be overflowable (because the error occurs in the Stack Segment! (I may be wrong)

No, never. I mean this is exploitable, but it is not an overflow and has nothing to do with stack segment.

> but does not pose great security risk. Because ftp.exe runs with the credentials of the currently logged on user.

Right =)

--
_______________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] | [security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=
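A small triage parser for the Win9x "invalid page fault" dialog text quoted in the message above, added here as an example and not part of the thread or of any poster's code. It reads the register block and the stack dump, reports which registers and how many stack slots hold the test input's fill byte, and classifies the crash the way the posters argue about it (EIP overwritten versus input merely present on the stack); the sample report is constructed to mirror the dump above, and the function names are my own.

```python
import re

# Constructed sample: the Win9x "invalid page fault" dialog text, modelled on the
# dump quoted in the message above (fill pattern 0x41 = 'A').
SAMPLE_REPORT = """\
FTP caused an invalid page fault in module <unknown> at 0000:41414141.
Registers:
EAX=00000000 CS=017f EIP=41414141 EFLGS=00010206
EBX=00000000 SS=0187 ESP=0056f5f4 EBP=01008820
ECX=0056f3e8 DS=0187 ESI=010072b8 FS=3b87
EDX=0056e9a8 ES=0187 EDI=7800bb50 GS=5756
Bytes at CS:EIP:

Stack dump:
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
"""

HEADER_RE = re.compile(
    r"^(\S+) caused an invalid page fault in module (.+?) at ([0-9a-f]{4}):([0-9a-f]{8})",
    re.I | re.M)
REG_RE = re.compile(r"\b([A-Z]{2,5})=([0-9a-f]{4,8})\b", re.I)   # NAME=hex pairs
DWORD_RE = re.compile(r"\b[0-9a-f]{8}\b", re.I)                  # stack dump words


def parse_fault_report(text):
    """Split a Win9x fault dialog into program, module, fault address, registers and stack."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not a Win9x invalid page fault report")
    regs_part, _, stack_part = text.partition("Stack dump:")
    registers = {name.upper(): int(val, 16) for name, val in REG_RE.findall(regs_part)}
    stack = [int(w, 16) for w in DWORD_RE.findall(stack_part)]
    return {"program": m.group(1), "module": m.group(2),
            "fault_addr": int(m.group(4), 16), "registers": registers, "stack": stack}


def assess_control(report, fill_byte=0x41):
    """Triage: which registers and how many stack slots hold the test input's fill pattern."""
    fill_dword = int.from_bytes(bytes([fill_byte]) * 4, "little")
    regs = report["registers"]
    controlled = sorted(n for n, v in regs.items() if v == fill_dword)
    stack_hits = sum(1 for d in report["stack"] if d == fill_dword)
    if "EIP" in controlled:
        verdict = "EIP holds the fill pattern: control flow is input-controlled, treat as exploitable"
    elif stack_hits:
        verdict = "fill pattern reached the stack but EIP is intact: needs further analysis"
    else:
        verdict = "crash without visible fill pattern: likely a different bug class"
    return {"eip_controlled": "EIP" in controlled, "controlled_registers": controlled,
            "stack_dwords_controlled": stack_hits, "verdict": verdict}
```

Running `assess_control(parse_fault_report(SAMPLE_REPORT))` on the sample reports EIP as controlled and all 16 dumped stack dwords as the fill pattern, which is the state Riley Hassell describes; a report where only the stack carries the pattern falls into the second verdict.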