I have successfully reproduced this overflow in the newest version of Serve-U.
It totally crashes the ftp program, and also causes stack fault module in tcp/ip stack rendering the network connectivity useless. About 10 seconds later, the machine will become unresponsive and has to be hard rebooted. This affects every Win98 machine I have tested on, however, an NT box with SP4 hung the program until the exploit was killed, but not crashing the serve-u itself.

The exploit is very simple.
Send a file about 1 meg in size to serve-u's ftp port (21). This can be done with

    cat filename | nc hostname 21

Ryan Sweat
ryansat_private
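The post does not identify the faulty code path. As an added example (not code from the post or from the server it describes), the following C shows a control-channel reader that caps the length of one FTP command line, so a stream like the 1 MB file described above is refused after a fixed number of bytes. The 512-byte cap and all names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FTP_MAX_LINE 512   /* assumed cap on one command line, CR included */
enum feed_result { FEED_OK, FEED_TOO_LONG };

struct ftp_reader {
    char   buf[FTP_MAX_LINE + 1];   /* current partial line */
    char   last[FTP_MAX_LINE + 1];  /* most recent complete command */
    size_t len;                     /* bytes held in buf */
    size_t lines;                   /* complete commands seen */
};

void reader_init(struct ftp_reader *r) { memset(r, 0, sizeof *r); }

/* Feed bytes as they arrive from the socket, in any chunking. Memory use is
 * fixed: once a line passes FTP_MAX_LINE bytes without a newline, the caller
 * gets FEED_TOO_LONG and should send a 500 reply and close the connection. */
enum feed_result reader_feed(struct ftp_reader *r, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            if (r->len > 0 && r->buf[r->len - 1] == '\r')
                r->len--;                       /* drop the CR of CRLF */
            r->buf[r->len] = '\0';
            memcpy(r->last, r->buf, r->len + 1);
            r->lines++;
            r->len = 0;
            continue;
        }
        if (r->len == FTP_MAX_LINE)
            return FEED_TOO_LONG;               /* refuse before writing */
        r->buf[r->len++] = data[i];
    }
    return FEED_OK;
}

int main(void)
{
    static char flood[1 << 20];             /* constructed: 1 MB, no newline */
    struct ftp_reader r;
    memset(flood, 'A', sizeof flood);
    reader_init(&r);
    int ok  = reader_feed(&r, "USER anonymous\r\n", 16);
    int bad = reader_feed(&r, flood, sizeof flood);
    printf("command=%d flood=%d buffered=%zu\n", ok, bad, r.len);
    return 0;
}
```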
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:02 PDT