Buffer overflow in Serve-U

From: Ryan Sweat (ryansat_private)
Date: Thu Feb 11 1999 - 19:36:13 PST

         I have successfully reproduced this overflow in the newest Version
    of Serve-U.
    It totally crashes the ftp program, and also causes stack fault module
    in tcp/ip stack rendering the network connectivity useless.  About 10
    seconds later, the machine will become unresponsive and has to be hard
    rebooted.  This affects every Win98 machine I have tested on, however,
    an NT box with SP4 hung the program until the exploit was killed, but
    not crashing the serve-u itself.
         The exploit is very simple.
    Send a file about 1 meg in size to serve-u's ftp port (21).  This can be
    done with
         cat filename | nc hostname 21
    
    Ryan Sweat
    ryansat_private
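
The report above describes a server failing when about 1 MB of data arrives on the FTP control port. As a defensive illustration (an added example, not code from the post or from the product; `ctrl_reader`, `ctrl_feed` and the limits `MAX_CMD` and `MAX_DISCARD` are assumed names and values), a control-channel reader can cap command length in a fixed buffer and signal that a peer sending unterminated data should be disconnected:

```c
#include <stddef.h>
#include <string.h>

#define MAX_CMD     512    /* assumed cap on one command line */
#define MAX_DISCARD 4096   /* assumed excess tolerated before dropping the peer */

typedef struct {
    char     line[MAX_CMD + 1]; /* last complete command, NUL-terminated */
    size_t   len;               /* bytes stored for the line being read */
    size_t   discarded;         /* excess bytes thrown away on this line */
    unsigned accepted;          /* lines delivered to the handler */
    unsigned rejected;          /* overlong lines refused */
} ctrl_reader;

void ctrl_init(ctrl_reader *r) { memset(r, 0, sizeof *r); }

/* Feed one recv() chunk of n bytes. Complete lines within MAX_CMD go to
 * on_cmd (may be NULL). Returns 0 to keep the session, -1 to close it. */
int ctrl_feed(ctrl_reader *r, const char *buf, size_t n,
              void (*on_cmd)(const char *cmd))
{
    for (size_t i = 0; i < n; i++) {
        char c = buf[i];
        if (c == '\n') {
            if (r->discarded) {
                r->rejected++;          /* caller would reply with a 500 error */
            } else {
                if (r->len && r->line[r->len - 1] == '\r')
                    r->len--;           /* strip the CR of CRLF */
                r->line[r->len] = '\0';
                r->accepted++;
                if (on_cmd)
                    on_cmd(r->line);
            }
            r->len = 0;
            r->discarded = 0;
        } else if (r->len < MAX_CMD && !r->discarded) {
            r->line[r->len++] = c;      /* bounded store, never past MAX_CMD */
        } else if (++r->discarded > MAX_DISCARD) {
            return -1;                  /* unterminated flood: drop the peer */
        }
    }
    return 0;
}
```

Memory use stays constant no matter how much the peer sends, and a single overlong line is refused without ending the session.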
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:02 PDT