Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src / Print Next >>

Date: 19 Jan 2006 20:58:38 -0000
From: [email protected]
To: [email protected]
Subject: Critical security advisory #006 tftpd32 Format string
X-Virus-Scanned: antivirus-gw at tyumen.ru

Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC
Critical Security - 22:03 2006.01.19
Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits : Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200
Due to incorrect use of format strings there is a possibility of remote code execution. You can trigger this vulnerability
by sending SEND or GET request with a specially formated string. Vulnerable code:

LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX                                 ; /Arglist
PUSH EDX                                 ; |Format
PUSH EAX                                 ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>] ; \wvsprintfA

Proof of concept exploit:
http://www.critical.lt/research/tftpd32_281_dos.txt

<< Previous INDEX Search src / Print Next >>

Партнёры:

Хостинг: