-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all :)

I am in the middle of a pen test and the client is running warftpd 1.65 on NT4. I searched the bugtraq archives among others for issues with this version of warftpd. I found one post by rootshell in like '98 that states if you send a user XXXXXXXXXXXX (long string) it will crash and that they think it is a remotely exploitable stack overflow. So I downloaded a copy of warftpd and sure enough windbg shows eip=41414141 when a user string of "A"x489 is sent.

So now my problems... I am new to writing buffer overflows, and I know I need to find the address where the buffer starts so I can point the EIP to it to read the shell code. I am pretty sure I have found it, but it is like 009ad231 and I know I can't send NULLs. So I need to find an address to get there and I am having a hell of a time finding one...

So if anyone on the list has some spare time and feels like helping me please let me know.

Thanks
Chris Davis

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPBFOWrxdz+AgROihEQKfowCgyKCrovI7yEGVNUVFXqsRjwWBoZQAoIsX
4NX+BPnnWW2m9kBnQofhkQL8
=wx/H
-----END PGP SIGNATURE-----
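The post describes the observable symptom on the wire: a USER command whose argument is hundreds of bytes long, all the same character, crashes the server. From a detection standpoint that pattern is easy to catch on the control channel. The following is an added example, not code from the post or from the warftpd project: it scans a constructed FTP control-channel transcript and flags client commands whose argument exceeds a length threshold, reporting the longest run of a repeated byte (a filler pattern like 489 "A"s) so an analyst can tell a stray long username from an overflow attempt. The threshold, the sample session and the function names are assumptions; the check is written generally so it can be pointed at commands other than USER.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample FTP control-channel transcript (not from the original post):
# one ordinary anonymous login, then a USER argument of 489 "A"s, the length the
# post reports as overwriting EIP with 0x41414141 on warftpd 1.65.
SAMPLE_SESSION = "\r\n".join([
    "220 WarFTPd ready",
    "USER anonymous",
    "331 User name okay, need password",
    "PASS guest@example.org",
    "230 User logged in",
    "USER " + "A" * 489,
    "QUIT",
]) + "\r\n"

# Hypothetical threshold: real usernames are short, so anything past this is worth a look.
MAX_ARG_LEN = 128

# Client commands are 3-4 letters optionally followed by a space and an argument;
# numeric server replies (220, 331, ...) deliberately do not match.
FTP_CMD = re.compile(r"^(?P<cmd>[A-Za-z]{3,4})(?:[ ](?P<arg>.*))?$")


class Finding(NamedTuple):
    line_no: int
    command: str
    arg_len: int
    longest_run: int   # longest run of one repeated character in the argument


def longest_repeat(s: str) -> int:
    """Length of the longest run of a single repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def scan_session(text: str,
                 max_arg_len: int = MAX_ARG_LEN,
                 commands: Tuple[str, ...] = ("USER",)) -> List[Finding]:
    """Return one Finding per client command in `commands` whose argument is longer than max_arg_len."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.split("\r\n"), start=1):
        m = FTP_CMD.match(raw)
        if not m:
            continue  # server replies and empty/junk lines are skipped
        cmd = m.group("cmd").upper()
        arg = m.group("arg") or ""
        if cmd in commands and len(arg) > max_arg_len:
            findings.append(Finding(line_no, cmd, len(arg), longest_repeat(arg)))
    return findings


if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} argument of {f.arg_len} bytes "
              f"(longest repeated run {f.longest_run})")
```

On the constructed session this reports only line 6 (USER with a 489-byte argument and a 489-long repeated run); the ordinary login lines pass. Passing `commands=("USER", "PASS", "CWD")` extends the same check to other argument-carrying commands without changing the parser.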
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 17:29:21 PST