Vulnerability Development mailing list archives
Re: ftp.exe buffer overflow ?
From: Antti Hakulinen <thpo () DREAMTHEATER ZZN COM>
Date: Thu, 15 Feb 2001 21:44:43 +0200
Yes. It seems it is. As you can see, I also use build 2195.

Application exception occurred:
        App: ftp.exe (pid=828)
        When: 2/15/2001 @ 21:38:16.611
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: None
        Current Type: Uniprocessor Free
        Registered Organization: Flextronics Design Finland
        Registered Owner: Antti Hakulinen

*----> Task List <----*
   0 Idle.exe
   8 System.exe
 140 smss.exe
 164 csrss.exe
 160 winlogon.exe
 212 services.exe
 224 lsass.exe
 384 svchost.exe
 412 SPOOLSV.exe
 444 svchost.exe
 484 regsvc.exe
 500 mstask.exe
 556 tcpsvcs.exe
 568 snmp.exe
 616 winmgmt.exe
 648 inetinfo.exe
1080 explorer.exe
1212 internat.exe
 836 msimn.exe
 828 ftp.exe
1036 drwtsn32.exe
   0 _Total.exe

(01000000 - 0100F000)
(77F80000 - 77FF9000)
(75050000 - 75058000)
(77E80000 - 77F36000)
(75030000 - 75044000)
(78000000 - 78046000)
(77DB0000 - 77E0A000)
(77D40000 - 77DAF000)
(75020000 - 75028000)
(74FF0000 - 75002000)
(77E10000 - 77E75000)
(77F40000 - 77F7C000)
(77980000 - 779A4000)
(77840000 - 7784C000)
(777E0000 - 777E8000)
(77950000 - 77979000)
(777F0000 - 777F5000)
(77830000 - 7783E000)
(74FD0000 - 74FE1000)
(75010000 - 75017000)

State Dump for Thread Id 0x4b4

eax=0006ed4c ebx=00000000 ecx=7803bbb0 edx=00283798 esi=00000000 edi=41414141
eip=780118e9 esp=0006eae0 ebp=0006ed34 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246

function: fcloseall
        780118d6 5e               pop     esi
        780118d7 c3               ret
        780118d8 55               push    ebp
        780118d9 8bec             mov     ebp,esp
        780118db 81ec48020000     sub     esp,0x248
        780118e1 53               push    ebx
        780118e2 56               push    esi
        780118e3 57               push    edi
        780118e4 8b7d0c           mov     edi,[ebp+0xc]          ss:00b3c30a=????????
        780118e7 33f6             xor     esi,esi
FAULT ->780118e9 8a1f             mov     bl,[edi]               ds:41414141=??
        780118eb 47               inc     edi
        780118ec 84db             test    bl,bl
        780118ee 8975f4           mov     [ebp+0xf4],esi         ss:00b3c30a=????????
        780118f1 8975ec           mov     [ebp+0xec],esi         ss:00b3c30a=????????
        780118f4 897d0c           mov     [ebp+0xc],edi          ss:00b3c30a=????????
        780118f7 7469             jz      wexecve+0xe3 (7801a462)
        780118f9 8b4df0           mov     ecx,[ebp+0xf0]         ss:00b3c30a=????????
        780118fc 33d2             xor     edx,edx
        780118fe 3955ec           cmp     [ebp+0xec],edx         ss:00b3c30a=????????
        78011901 7c5f             jl      _RTDynamicCast+0x28b (78019962)
        78011903 80fb20           cmp     bl,0x20

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0006ED34 78025B0A 0006ED4C 41414141 0006F564 78025ADD !fcloseall
0006ED6C 01004115 0006ED88 41414141 0006F564 01008050 !vsprintf
0006F558 41414141 41414141 41414141 41414141 41414141 ftp!<nosymbols>
41414141 00000000 00000000 00000000 00000000 00000000 <nosymbols>

*----> Raw Stack Dump <----*
0006eae0  50 80 00 01 dd 5a 02 78 - 00 00 00 00 41 41 41 41  P....Z.x....AAAA
0006eaf0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb00  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb10  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb20  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb30  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb40  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb50  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb60  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb70  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb80  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb90  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eba0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebb0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebc0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebd0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebe0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebf0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ec00  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ec10  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

State Dump for Thread Id 0x418

eax=778321fe ebx=00000003 ecx=7ffde000 edx=00000000 esi=77f87e6c edi=00000003
eip=77f87e77 esp=0072fd24 ebp=0072fd70 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246

function: ZwWaitForMultipleObjects
        77f87e6c b8e9000000       mov     eax,0xe9
        77f87e71 8d542404         lea     edx,[esp+0x4]          ss:011fd2fb=????????
        77f87e75 cd2e             int     2e
        77f87e77 c21400           ret     0x14
        77f87e7a 668b08           mov     cx,[eax]               ds:778321fe=8b55
        77f87e7d 40               inc     eax
        77f87e7e 40               inc     eax
        77f87e7f 8945a4           mov     [ebp+0xa4],eax         ss:011fd346=????????
        77f87e82 6685c9           test    cx,cx
        77f87e85 75f3             jnz     RtlExpandEnvironmentStrings_U+0x26 (77f8e57a)
        77f87e87 663930           cmp     [eax],si               ds:778321fe=8b55
        77f87e8a 75ee             jnz     ZwFsControlFile+0x54 (77f8bf7a)
        77f87e8c 40               inc     eax
        77f87e8d 40               inc     eax
        77f87e8e 8945a4           mov     [ebp+0xa4],eax         ss:011fd346=????????

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0072FD70 77E9E68A 0072FD48 00000001 00000000 00000000 ntdll!ZwWaitForMultipleObjects
0072FFB4 77E92CA8 00000004 0007BD04 7FFDE000 0007C710 kernel32!WaitForMultipleObjects
0072FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!CreateFileA

----- Original Message -----
From: "Riley Hassell" <riley () EEYE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, February 12, 2001 8:36 AM
Subject: Re: ftp.exe buffer overflow ?
This is actually overflowable: In my first post I put a note at the bottom showing that sending a large buffer with 'A's overwrites the EIP.

Example:

ftp example.com
...login...
quote site exec AAAAAAAA.....   <--- 1000x'A'

I'm on build 2195 and it directly overwrites the EIP.

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () BOS BINDVIEW COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 5:45 PM
Subject: Re: ftp.exe buffer overflow ?

On Mon, 12 Feb 2001, Egemen Tas wrote:

> This bug is different from the ones you mentioned.. This is the bug in
> MS FTP Client's QUOTE command.

MS FTP client is surprisingly similar to BSDish ftp client, containing - for example - some similar strings in its binary. It's been discussed on numerous forums long time ago (google.com, search for: "Regents of the University of California" ftp microsoft client). Thus, I bet this is the same as the bug in BSDish ftp client (format bug in quote command), and is caused by very similar code.

> In my opinion this may be overflowable (because the error occurs in the
> Stack Segment! (I may be wrong)

No, never. I mean this is exploitable, but it is not an overflow and has nothing to do with stack segment.

> but does not pose great security risk. Because ftp.exe runs with the
> credentials of currently logged on user.

Right =)

--
_______________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] | [security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
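The thread gives two readings of the crash: Riley's (a plain stack overflow, EIP overwritten by the 1000 'A's) and Michal's (the BSD-style quote command passing user text through an unbounded printf-family call, which also makes it a format-string bug). The following is an added example written for this page, not code from ftp.exe, from the BSD ftp client, or from any of the posters. It models the vulnerable command() shape that the posted back trace passes through (ftp -> vsprintf) beside a hardened version, and runs the "site exec" line with 1000 'A's from Riley's post against the hardened path. The buffer size CMDBUF, all function names and the harness input are assumptions.

```c
/* Added example for this thread; the real ftp.exe buffer size and function
 * names are unknown, so CMDBUF and the names below are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CMDBUF 256   /* assumed fixed stack buffer, as in the BSD-style helper */
#define NUM_A  1000  /* the 1000x'A' argument from the post */

/* Vulnerable shape: the line is formatted into a fixed stack buffer with no
 * bound, so an argument longer than CMDBUF overruns the saved return address
 * (hence eip/edi = 0x41414141 in the dump).  If the user's text is passed as
 * `fmt` itself (see quote_vulnerable), %n/%x in it is a format-string bug as
 * well.  Never call this with long or attacker-chosen input: it is UB. */
int command_vulnerable(char *out, const char *fmt, ...)
{
    char line[CMDBUF];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(line, fmt, ap);          /* unbounded write into line[] */
    va_end(ap);
    strcpy(out, line);
    return (int)strlen(line);
}

/* quote as the vulnerable path does it: user text becomes the format string */
int quote_vulnerable(char *out, const char *userline)
{
    return command_vulnerable(out, userline);
}

/* Hardened: bounded formatting, truncation reported instead of ignored, and
 * the caller always supplies a fixed format so user text is only ever a %s
 * argument.  Returns the line length, or -1 if it would not fit. */
int command_safe(char *out, size_t outsz, const char *fmt, ...)
{
    char line[CMDBUF];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof line)   /* would overflow: refuse */
        return -1;
    if ((size_t)n >= outsz)
        return -1;
    memcpy(out, line, (size_t)n + 1);
    return n;
}

int quote_safe(char *out, size_t outsz, const char *userline)
{
    return command_safe(out, outsz, "%s\r\n", userline);
}

/* Constructed input: "site exec " followed by NUM_A 'A's.
 * dst must have room for 10 + NUM_A + 1 bytes. */
static void build_attack_line(char *dst)
{
    size_t prefix = strlen("site exec ");
    memcpy(dst, "site exec ", prefix);
    memset(dst + prefix, 'A', NUM_A);
    dst[prefix + NUM_A] = '\0';
}

/* 1 if the hardened quote refuses the 1000-'A' line, 0 otherwise */
int hardened_rejects_long_line(void)
{
    char attack[NUM_A + 32];
    char out[CMDBUF];
    build_attack_line(attack);
    return quote_safe(out, sizeof out, attack) == -1;
}

/* length the hardened quote sends for a normal line ("site help" -> 11) */
int hardened_accepts_short_line(void)
{
    char out[CMDBUF];
    return quote_safe(out, sizeof out, "site help");
}

/* 1 if %n/%x in user text reach the wire literally (never as directives) */
int hardened_keeps_percent_literal(void)
{
    char out[CMDBUF];
    int n = quote_safe(out, sizeof out, "site %n%n%x");
    return n > 0 && strcmp(out, "site %n%n%x\r\n") == 0;
}

int main(void)
{
    printf("long line rejected: %d\n", hardened_rejects_long_line());
    printf("short line length:  %d\n", hardened_accepts_short_line());
    printf("%%n stays literal:   %d\n", hardened_keeps_percent_literal());
    return 0;
}
```

The harness deliberately never calls quote_vulnerable with the attack line; doing so is exactly the undefined behaviour the dump records. The point of the hardened path is that both readings of the bug are closed by the same two changes: a bounded vsnprintf with its return value checked, and user text never being passed as the format.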