| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever) Subject: DreamFTP Server 1.02 Buffer Overflow Hi all, badpack3t wasn't totally wrong when he called it a BoF because the formatstring can cause BoFs. Anyway, it's a nice little formatstring to exploit, with multiple possible attack vectors. I found it easiest to overwrite the exception handler code (since it's RWE) and then cause an exception. The exploit sends about 375 bytes to the target, which causes DreamFTP to print a string of about 4 million bytes to overwrite the SEH with the right opcodes, it then causes an exception which transfers control to the SEH which jumps to our shellcode. Attached exploit has been tested with Win2k, other windows platforms have not been tested. If it shouldn't work straight away some minor adjustments can probably fix that. (Let me know) Cheers, SkyLined ----- Original Message ----- From: "badpack3t" <badpack3t@...urity-protocols.com> To: <full-disclosure@...ts.netsys.com> Sent: Saturday, February 07, 2004 6:29 Subject: [Full-Disclosure] DreamFTP Server 1.02 Buffer Overflow <snip> > Exploit: > > Not worth the time to debug and code an exploit. > <snip> I find that hard to believe ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: Nightmare.c Type: application/octet-stream Size: 4227 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040211/f5be469f/Nightmare.obj
Powered by blists - more mailing lists