Vulnerability Development mailing list archives

WarFtpd 1.65 Buffer Overflow


From: "Chris Davis" <cdavis () kago ca>
Date: Fri, 7 Dec 2001 18:18:51 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all :)

I am in the middle of a pen test and the client is running warftpd 1.65
on NT4. I searched the bugtraq archives among others for issues with
this ver of warftpd. I found one post by rootshell in like '98 that
states if you send a user XXXXXXXXXXXX (long string) it will crash and
that they think it is a remotely exploitable stack overflow. So I
downloaded a copy of warftpd and sure enough windbg shows
eip=41414141 when a user string of "A"x489 is sent. So now my
problems... I am new to writing buffer overflows, and I know I need to
find the address where the buffer starts so I can point the EIP to it
to read the shell code. I am pretty sure I have found it, but it is
like 009ad231 and I know I can't send NULLs. So I need to find an
address to get there and I am having a hell of a time finding one...
So if anyone on the list has some spare time and feels like helping
me, please let me know.

Thanks

Chris Davis

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPBFOWrxdz+AgROihEQKfowCgyKCrovI7yEGVNUVFXqsRjwWBoZQAoIsX
4NX+BPnnWW2m9kBnQofhkQL8
=wx/H
-----END PGP SIGNATURE-----
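From the defender's side, the crash described above (an oversized USER argument sent to the FTP control channel) is easy to spot in captured traffic or server logs long before anyone works out a return address. The following is an added example, not code from the post or from WarFTPd: it parses FTP command lines from a constructed sample session and flags arguments that are abnormally long, consist of a long run of one repeated byte (the "A"x489 case), or carry non-printable bytes. The thresholds MAX_ARG_LEN and MAX_REPEAT_RUN are assumed tuning values, not figures from the post.

```python
import re

# Constructed sample of FTP control-channel lines (client -> server).
# Not from the original post; the 489-byte USER argument mirrors the
# crash case the post describes.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.com",
    "USER " + "A" * 489,
    "USER " + "\x90" * 40 + "bob",
    "CWD /pub",
    "QUIT",
]

# Assumed tuning values (not from the post): longest argument a real client
# would send, and the length of a single-byte run that suggests padding.
MAX_ARG_LEN = 128
MAX_REPEAT_RUN = 32

# FTP verbs are 3 or 4 letters, optionally followed by whitespace and an argument.
_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")
# A run of MAX_REPEAT_RUN or more identical characters anywhere in the argument.
_RUN_RE = re.compile(r"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1))


def parse_command(line):
    """Split an FTP control line into (VERB, argument); None if malformed."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).upper(), (m.group(2) or "")


def inspect_command(line):
    """Return the list of reasons this line looks like overflow probing (empty if clean)."""
    parsed = parse_command(line)
    if parsed is None:
        return ["unparseable command line"]
    verb, arg = parsed
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("%s argument is %d bytes (limit %d)" % (verb, len(arg), MAX_ARG_LEN))
    if _RUN_RE.search(arg):
        reasons.append("%s argument contains a run of %d+ identical bytes" % (verb, MAX_REPEAT_RUN))
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in arg):
        reasons.append("%s argument contains non-printable bytes" % verb)
    return reasons


def scan_session(lines):
    """Return (line_index, verb, reasons) for every command that trips a check."""
    findings = []
    for i, line in enumerate(lines):
        reasons = inspect_command(line)
        if reasons:
            parsed = parse_command(line)
            verb = parsed[0] if parsed else "?"
            findings.append((i, verb, reasons))
    return findings


if __name__ == "__main__":
    for idx, verb, reasons in scan_session(SAMPLE_SESSION):
        print("line %d %s: %s" % (idx, verb, "; ".join(reasons)))
```

Run against the sample, only the two crafted USER lines are reported: the first for its length and its 489-byte run of one character, the second for its repeated-byte run and non-printable content. The length check alone is what a protocol-aware filter or the server's own input validation should enforce; the run and non-printable checks are cheap extra signals for log review.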


