Vulnerability Development mailing list archives

Re: ftp.exe buffer overflow ?


From: Antti Hakulinen <thpo () DREAMTHEATER ZZN COM>
Date: Thu, 15 Feb 2001 21:44:43 +0200

Yes.
It seems it is.
As you can see, I also use build 2195.

Application exception occurred:
        App: ftp.exe (pid=828)
        When: 2/15/2001 @ 21:38:16.611
        Exception number: c0000005 (access violation)

*----> System Information <----*
                Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: None
        Current Type: Uniprocessor Free
        Registered Organization: Flextronics Design Finland
        Registered Owner: Antti Hakulinen

*----> Task List <----*
   0 Idle.exe
   8 System.exe
 140 smss.exe
 164 csrss.exe
 160 winlogon.exe
 212 services.exe
 224 lsass.exe
 384 svchost.exe
 412 SPOOLSV.exe
 444 svchost.exe
 484 regsvc.exe
 500 mstask.exe
 556 tcpsvcs.exe
 568 snmp.exe
 616 winmgmt.exe
 648 inetinfo.exe
1080 explorer.exe
1212 internat.exe
 836 msimn.exe
 828 ftp.exe
1036 drwtsn32.exe
   0 _Total.exe


State Dump for Thread Id 0x4b4

eax=0006ed4c ebx=00000000 ecx=7803bbb0 edx=00283798 esi=00000000 edi=41414141
eip=780118e9 esp=0006eae0 ebp=0006ed34 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246


function: fcloseall
        780118d6 5e               pop     esi
        780118d7 c3               ret
        780118d8 55               push    ebp
        780118d9 8bec             mov     ebp,esp
        780118db 81ec48020000     sub     esp,0x248
        780118e1 53               push    ebx
        780118e2 56               push    esi
        780118e3 57               push    edi
        780118e4 8b7d0c           mov     edi,[ebp+0xc]          ss:00b3c30a=????????
        780118e7 33f6             xor     esi,esi
FAULT ->780118e9 8a1f             mov     bl,[edi]               ds:41414141=??
        780118eb 47               inc     edi
        780118ec 84db             test    bl,bl
        780118ee 8975f4           mov     [ebp+0xf4],esi         ss:00b3c30a=????????
        780118f1 8975ec           mov     [ebp+0xec],esi         ss:00b3c30a=????????
        780118f4 897d0c           mov     [ebp+0xc],edi          ss:00b3c30a=????????
        780118f7 7469             jz      wexecve+0xe3 (7801a462)
        780118f9 8b4df0           mov     ecx,[ebp+0xf0]         ss:00b3c30a=????????
        780118fc 33d2             xor     edx,edx
        780118fe 3955ec           cmp     [ebp+0xec],edx         ss:00b3c30a=????????
        78011901 7c5f             jl      _RTDynamicCast+0x28b (78019962)
        78011903 80fb20           cmp     bl,0x20

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0006ED34 78025B0A 0006ED4C 41414141 0006F564 78025ADD !fcloseall
0006ED6C 01004115 0006ED88 41414141 0006F564 01008050 !vsprintf
0006F558 41414141 41414141 41414141 41414141 41414141 ftp!<nosymbols>
41414141 00000000 00000000 00000000 00000000 00000000 <nosymbols>

*----> Raw Stack Dump <----*
0006eae0  50 80 00 01 dd 5a 02 78 - 00 00 00 00 41 41 41 41  P....Z.x....AAAA
0006eaf0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb00  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb10  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb20  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb30  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb40  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb50  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb60  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb70  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb80  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb90  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eba0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebb0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebc0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebd0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebe0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebf0  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ec00  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ec10  41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

State Dump for Thread Id 0x418

eax=778321fe ebx=00000003 ecx=7ffde000 edx=00000000 esi=77f87e6c edi=00000003
eip=77f87e77 esp=0072fd24 ebp=0072fd70 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246


function: ZwWaitForMultipleObjects
        77f87e6c b8e9000000       mov     eax,0xe9
        77f87e71 8d542404         lea     edx,[esp+0x4]          ss:011fd2fb=????????
        77f87e75 cd2e             int     2e
        77f87e77 c21400           ret     0x14
        77f87e7a 668b08           mov     cx,[eax]               ds:778321fe=8b55
        77f87e7d 40               inc     eax
        77f87e7e 40               inc     eax
        77f87e7f 8945a4           mov     [ebp+0xa4],eax         ss:011fd346=????????
        77f87e82 6685c9           test    cx,cx
        77f87e85 75f3             jnz     RtlExpandEnvironmentStrings_U+0x26 (77f8e57a)
        77f87e87 663930           cmp     [eax],si               ds:778321fe=8b55
        77f87e8a 75ee             jnz     ZwFsControlFile+0x54 (77f8bf7a)
        77f87e8c 40               inc     eax
        77f87e8d 40               inc     eax
        77f87e8e 8945a4           mov     [ebp+0xa4],eax         ss:011fd346=????????

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0072FD70 77E9E68A 0072FD48 00000001 00000000 00000000 ntdll!ZwWaitForMultipleObjects
0072FFB4 77E92CA8 00000004 0007BD04 7FFDE000 0007C710 kernel32!WaitForMultipleObjects
0072FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!CreateFileA

----- Original Message -----
From: "Riley Hassell" <riley () EEYE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, February 12, 2001 8:36 AM
Subject: Re: ftp.exe buffer overflow ?


This is actually overflowable:
In my first post I put a note at the bottom showing that sending a large
buffer with 'A's overwrites the EIP.

Example:
ftp example.com
...login...
quote site exec AAAAAAAA.....        <--- 1000x'A'

I'm on build 2195 and it directly overwrites the EIP.


----- Original Message -----
From: "Michal Zalewski" <lcamtuf () BOS BINDVIEW COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 5:45 PM
Subject: Re: ftp.exe buffer overflow ?


On Mon, 12 Feb 2001, Egemen Tas wrote:

> This bug is different from the ones you mentioned..
> This is the bug in MS FTP Client's QUOTE command.

MS FTP client is surprisingly similar to BSDish ftp client, containing -
for example - some similar strings in its binary. It's been discussed on
numerous forums a long time ago (google.com, search for: "Regents of the
University of California" ftp microsoft client). Thus, I bet this is the
same as the bug in BSDish ftp client (format bug in quote command), and
is caused by very similar code.

> In my opinion this may be overflowable (because the error occurs in the
> Stack Segment!) (I may be wrong)

No, never. I mean this is exploitable, but it is not an overflow and has
nothing to do with stack segment.

> but does not pose great security risk. Because ftp.exe runs with the
> credentials of currently logged on user.

Right =)

--
_______________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] | [security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
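As an added example (not code from this thread, from Microsoft's ftp.exe or from the BSD client), here is the "format bug in the quote command" pattern Michal describes, where the user's QUOTE argument reaches a vsprintf-style line builder as the format string and the copy into a fixed stack buffer is unbounded, beside its fixed form; LINE_MAX_LEN, build_line, quote_unsafe and quote_safe are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256   /* hypothetical fixed-size line buffer */

/* Hypothetical stand-in for the client's line builder. The thread's
 * backtrace shows a vsprintf() frame here; this version uses vsnprintf()
 * so the copy is bounded by the caller's buffer size. */
int build_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern Michal describes: the QUOTE argument typed by the user is
 * passed as the *format* string. Every '%' in it is then interpreted as a
 * conversion whose arguments are read off the stack (the thread's vsprintf
 * frame carries 41414141 parameters). Kept here only for comparison; it
 * must never see untrusted input. */
int quote_unsafe(char *out, size_t outsz, const char *user_arg)
{
    return build_line(out, outsz, user_arg);            /* format bug */
}

/* Fixed form: user text is always a "%s" argument, never the format, and
 * a line that would not fit the buffer is refused instead of truncated. */
int quote_safe(char *out, size_t outsz, const char *user_arg)
{
    int n = build_line(out, outsz, "%s\r\n", user_arg);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;                                      /* too long */
    }
    return n;
}

int main(void)
{
    char line[LINE_MAX_LEN];
    /* '%' characters survive literally on the safe path */
    if (quote_safe(line, sizeof line, "site exec %x%x") > 0)
        fputs(line, stdout);
    return 0;
}
```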


