Re: ftp.exe buffer overflow ?

[Mike Duncan <duncan () RANDOMTASK NET>]

I tired this on...

* Win98 (4.10.1998): Invalid page fault (as described).
* RedHat 7.0 NcFTP 3.0.1/448 (Library version:  LibNcFTP
3.0.1): Segmentation fault.
* RedHat 7.0 FTP (Linux NetKit (0.17-pre-20000412August 15, 1999)): "501
Cannot EXEC command line (error=2)." Appeared to be fixed?

I know this is an old bug, but I wanted to show it still exists in some
but not all apps.


On Sat, 10 Feb 2001, Riley Hassell wrote:

> That problem was discussed a while ago with the unix/linux ftp clients. It's
> very
> interesting that Microsoft's ftp client has a similiar problem. ;)
>
> Possibly a format bug.
>
> --After reviewing it it looks like there is also a standard overflow.
> 'quote site exec <Ax1000>' overwrote the EIP =)
>
> ----- Original Message -----
> From: "cyber_hunter" <cyber_hunter () LINUXBR COM BR>
> To: <VULN-DEV () SECURITYFOCUS COM>
> Sent: Saturday, February 10, 2001 11:44 PM
> Subject: ftp.exe buffer overflow ?
>
>
> > While I was reading something about wu-ftp I found an interesting buffer
> > overflow on ftp.exe ,
> > first logon on any ftp server ( any ), then :
> >
> > quote site exec %s%s%s%s%s%s
> >
> > ( this will work even if server doesn't support site exec )
> >
> > and :  "ftp caused an invalid page fault in module MSVCRT.DLL ..."
> >
> > I don't know if an exploit can be made , and if this would be used for
> > something.
> > ps: I have not tried with any ftp client .

--
------------------------------------------
Mike Duncan
security () randomtask net
http://www.randomtask.net

FLOD: The World's Perfect Cube Of Fat
Also comes in glow-in-the-dark models.
 ** Don't accept any imitations. **
------------------------------------------