Vulnerability Development mailing list archives
Re: ftp.exe buffer overflow ?
From: Ryan Permeh <ryan () EEYE COM>
Date: Thu, 15 Feb 2001 23:28:12 -0800
Remember everyone, this is client side, and even more, it's client side through the actual interface. This overflow is happening via end-user input; to craft any usefulness from it would require you to somehow convince someone with administrative permissions to either cut and paste this buffer or run an ftp input script. Unless I'm missing something, this vuln is not a real big deal, unless someone wants to play around with it to learn to write win32 overflow sploitcode. Inserting something like this in any privileged user's start script implies that you are able to insert other stuff there. Just load a rootkit driver, or start a netcat command prompt; why even bother with an ftp client overflow at this point?

Also, as a side note, if you are running in ring 0 in NT/2K, you are in the kernel, or have direct access to it (via a callgate, loading a driver, overflowing a kernel buffer, or some such method). After you get to a point where you can run in ring 0 you don't need to overflow any ftp clients. You 0wn the machine. You can do as you please at that point.

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Bob Monkier" <bmonkey () OOK OBJECTIONABLE NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, February 15, 2001 5:19 PM
Subject: Re: ftp.exe buffer overflow ?

Oi! I think that this confirms Mr. Hassell's post. If I were to exploit this on a machine, I think it would be easiest done by putting this in the startup somewhere on an ethernet-based machine. Has this been tested on NT? If so, the only thing that would need to be done is to have this run on startup and then have it add a user with admin privs. I'm not big on writing exploits, so I could be wrong on this. I don't have too much experience with NT, but I assume that you would need admin to have it run on startup. A simpler trick would be to hack ring0 access and do it there :) I know for a fact that it's harder to do in NT than in win9x, but it's not impossible.

TTFN
BM