Bugtraq mailing list archives
cesarFTP v0.98b 'HELP' buffer overflow
From: ByteRage <byterage () yahoo com>
Date: Sat, 30 Jun 2001 02:36:21 -0700 (PDT)
DESCRIPTION

CesarFTP v0.98b is vulnerable to a buffer overflow when sending the HELP command followed by a very long string of characters.

Example: sending the following perl string:

"HELP " . ("A" x 1978) . "CCCC\x00\x0D\x0A"

happily reroutes the SERVER.EXE EIP to 43434343 ("CCCC"). This way, anyone can easily compromise the win9x/NT/2k system, without the need to be logged in.

The only tricky part in writing the exploit is that SERVER.EXE doesn't have LoadLibraryA & GetProcAddress in its import table, but there are enough other functions that give away enough power to take over the computer (registry functions, CreateDirectoryA, CreateFileA, ReadFile, WriteFile, ShellExecuteA, ...).

I have not written an exploit and probably I never will :)

VENDOR STATUS

I have sent this advisory to <cesarftp () aclogic com>

greetz,
[ByteRage] <byterage () yahoo com>
byterage.cjb.net
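As an added example (not code from ByteRage's post, nor from CesarFTP), here is the defender's view of the failure mode the advisory describes, in Python: a bounds-checked reader for FTP control lines that refuses oversized, NUL-bearing or malformed commands before they could ever be copied into a fixed-size buffer, plus a small sweep over constructed control-channel log lines that flags any command whose argument exceeds a length threshold. The 512-byte line limit, the "<client-ip> <command>" log format and the sample lines are assumptions of this example, not values from the advisory.

```python
import re
from typing import List, Optional, Tuple

# Assumed limit for one FTP control-connection line. RFC 959 sets no hard
# maximum, so this is a local policy choice of the example, not a CesarFTP value.
MAX_FTP_LINE = 512

# FTP verbs are 3 or 4 ASCII letters (RFC 959); anything else is malformed.
_VERB_RE = re.compile(rb"^[A-Za-z]{3,4}$")


def validate_ftp_line(raw: bytes) -> Optional[str]:
    """Return a rejection reason for a raw control line, or None if acceptable.

    Every check runs on the untouched bytes, before any copying or decoding,
    which is the point: an overlong argument is refused, not stored.
    """
    if len(raw) > MAX_FTP_LINE:
        return f"command line too long: {len(raw)} > {MAX_FTP_LINE}"
    if b"\x00" in raw:
        return "embedded NUL byte in command line"
    if not raw.endswith(b"\r\n"):
        return "command line not CRLF-terminated"
    verb_bytes = raw[:-2].partition(b" ")[0]
    if not _VERB_RE.match(verb_bytes):
        return "malformed command verb"
    return None


def parse_ftp_command(raw: bytes) -> Tuple[str, Optional[str]]:
    """Bounds-checked parse of one FTP control line into (VERB, argument or None).

    Raises ValueError with the reason from validate_ftp_line for any line a
    hardened server should drop.
    """
    reason = validate_ftp_line(raw)
    if reason is not None:
        raise ValueError(reason)
    verb_bytes, _, arg_bytes = raw[:-2].partition(b" ")
    verb = verb_bytes.decode("ascii").upper()
    arg = arg_bytes.decode("ascii", errors="replace") if arg_bytes else None
    return verb, arg


# Constructed sample of a control-channel log, one "<client-ip> <command>" per line.
# The third entry mirrors the shape of the overlong HELP argument in the advisory.
SAMPLE_LOG: List[str] = [
    "192.0.2.10 USER anonymous",
    "192.0.2.10 HELP",
    "192.0.2.77 HELP " + "A" * 1978 + "CCCC",
    "192.0.2.10 QUIT",
]


def find_oversized_commands(
    log_lines: List[str], threshold: int = MAX_FTP_LINE
) -> List[Tuple[str, str, int]]:
    """Return (client, VERB, argument_length) for every logged command whose
    argument is longer than `threshold`; usable as a post-incident sweep or as
    the logic behind an IDS rule for this class of bug."""
    hits: List[Tuple[str, str, int]] = []
    for entry in log_lines:
        client, _, command = entry.partition(" ")
        verb, _, arg = command.partition(" ")
        if len(arg) > threshold:
            hits.append((client, verb.upper(), len(arg)))
    return hits


if __name__ == "__main__":
    print(parse_ftp_command(b"HELP\r\n"))
    print(validate_ftp_line(b"HELP " + b"A" * 1978 + b"CCCC\x00\r\n"))
    print(find_oversized_commands(SAMPLE_LOG))
```

The length check comes first deliberately: a server that decodes or tokenises before bounding the line has already done the copy that the advisory's payload abuses, so the limit must be enforced on the raw bytes. The log sweep uses the same threshold, so the detection and the mitigation agree on what "too long" means.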