Vulnerability Development mailing list archives
Re: ftp.exe buffer overflow ?
From: Antti Hakulinen <thpo () DREAMTHEATER ZZN COM>
Date: Thu, 15 Feb 2001 21:44:43 +0200
Yes.
It seems it is.
As you can see, I also use build 2195.
Application exception occurred:
App: ftp.exe (pid=828)
When: 2/15/2001 @ 21:38:16.611
Exception number: c0000005 (access violation)
*----> System Information <----*
Windows 2000 Version: 5.0
Current Build: 2195
Service Pack: None
Current Type: Uniprocessor Free
Registered Organization: Flextronics Design Finland
Registered Owner: Antti Hakulinen
*----> Task List <----*
0 Idle.exe
8 System.exe
140 smss.exe
164 csrss.exe
160 winlogon.exe
212 services.exe
224 lsass.exe
384 svchost.exe
412 SPOOLSV.exe
444 svchost.exe
484 regsvc.exe
500 mstask.exe
556 tcpsvcs.exe
568 snmp.exe
616 winmgmt.exe
648 inetinfo.exe
1080 explorer.exe
1212 internat.exe
836 msimn.exe
828 ftp.exe
1036 drwtsn32.exe
0 _Total.exe
State Dump for Thread Id 0x4b4
eax=0006ed4c ebx=00000000 ecx=7803bbb0 edx=00283798 esi=00000000 edi=41414141
eip=780118e9 esp=0006eae0 ebp=0006ed34 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
function: fcloseall
780118d6 5e pop esi
780118d7 c3 ret
780118d8 55 push ebp
780118d9 8bec mov ebp,esp
780118db 81ec48020000 sub esp,0x248
780118e1 53 push ebx
780118e2 56 push esi
780118e3 57 push edi
780118e4 8b7d0c mov edi,[ebp+0xc] ss:00b3c30a=????????
780118e7 33f6 xor esi,esi
FAULT ->780118e9 8a1f mov bl,[edi] ds:41414141=??
780118eb 47 inc edi
780118ec 84db test bl,bl
780118ee 8975f4 mov [ebp+0xf4],esi ss:00b3c30a=????????
780118f1 8975ec mov [ebp+0xec],esi ss:00b3c30a=????????
780118f4 897d0c mov [ebp+0xc],edi ss:00b3c30a=????????
780118f7 7469 jz wexecve+0xe3 (7801a462)
780118f9 8b4df0 mov ecx,[ebp+0xf0] ss:00b3c30a=????????
780118fc 33d2 xor edx,edx
780118fe 3955ec cmp [ebp+0xec],edx ss:00b3c30a=????????
78011901 7c5f jl _RTDynamicCast+0x28b (78019962)
78011903 80fb20 cmp bl,0x20
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0006ED34 78025B0A 0006ED4C 41414141 0006F564 78025ADD !fcloseall
0006ED6C 01004115 0006ED88 41414141 0006F564 01008050 !vsprintf
0006F558 41414141 41414141 41414141 41414141 41414141 ftp!<nosymbols>
41414141 00000000 00000000 00000000 00000000 00000000 <nosymbols>
*----> Raw Stack Dump <----*
0006eae0 50 80 00 01 dd 5a 02 78 - 00 00 00 00 41 41 41 41  P....Z.x....AAAA
0006eaf0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb00 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb10 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb20 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb30 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb40 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb50 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb60 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb70 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb80 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eb90 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006eba0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebb0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebc0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebd0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebe0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ebf0 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ec00 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0006ec10 41 41 41 41 41 41 41 41 - 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
State Dump for Thread Id 0x418
eax=778321fe ebx=00000003 ecx=7ffde000 edx=00000000 esi=77f87e6c edi=00000003
eip=77f87e77 esp=0072fd24 ebp=0072fd70 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
function: ZwWaitForMultipleObjects
77f87e6c b8e9000000 mov eax,0xe9
77f87e71 8d542404 lea edx,[esp+0x4] ss:011fd2fb=????????
77f87e75 cd2e int 2e
77f87e77 c21400 ret 0x14
77f87e7a 668b08 mov cx,[eax] ds:778321fe=8b55
77f87e7d 40 inc eax
77f87e7e 40 inc eax
77f87e7f 8945a4 mov [ebp+0xa4],eax ss:011fd346=????????
77f87e82 6685c9 test cx,cx
77f87e85 75f3 jnz RtlExpandEnvironmentStrings_U+0x26 (77f8e57a)
77f87e87 663930 cmp [eax],si ds:778321fe=8b55
77f87e8a 75ee jnz ZwFsControlFile+0x54 (77f8bf7a)
77f87e8c 40 inc eax
77f87e8d 40 inc eax
77f87e8e 8945a4 mov [ebp+0xa4],eax ss:011fd346=????????
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0072FD70 77E9E68A 0072FD48 00000001 00000000 00000000 ntdll!ZwWaitForMultipleObjects
0072FFB4 77E92CA8 00000004 0007BD04 7FFDE000 0007C710 kernel32!WaitForMultipleObjects
0072FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!CreateFileA
----- Original Message -----
From: "Riley Hassell" <riley () EEYE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, February 12, 2001 8:36 AM
Subject: Re: ftp.exe buffer overflow ?

This is actually overflowable: in my first post I put a note at the bottom showing that sending a large buffer with 'A's overwrites the EIP.

Example:

ftp example.com
...login...
quote site exec AAAAAAAA..... <--- 1000x'A'

I'm on build 2195 and it directly overwrites the EIP.

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () BOS BINDVIEW COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, February 11, 2001 5:45 PM
Subject: Re: ftp.exe buffer overflow ?

On Mon, 12 Feb 2001, Egemen Tas wrote:

> This bug is different from the ones you mentioned.. This is the bug in MS FTP Client's QUOTE command.

MS FTP client is surprisingly similar to the BSDish ftp client, containing - for example - some similar strings in its binary. It's been discussed on numerous forums a long time ago (google.com, search for: "Regents of the University of California" ftp microsoft client). Thus, I bet this is the same as the bug in the BSDish ftp client (format bug in quote command), and is caused by very similar code.

> In my opinion this may be overflowable (because the error occurs in the Stack Segment!) (I may be wrong)

No, never. I mean this is exploitable, but it is not an overflow and has nothing to do with the stack segment.

> but does not pose great security risk. Because ftp.exe runs with the credentials of the currently logged on user.

Right =)

--
_______________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] | [security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
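The dump above is what a triager has to read by hand: edi holds 41414141, one back-trace frame has 41414141 as its saved return address, while eip still points into library code. As an added example (not part of the thread, written for this page), the Python below parses the register line and stack back trace, rejoined onto single lines as constructed sample input, and reports which registers and saved return addresses hold the 0x41 filler, which is the distinction between a plain read fault and an overwritten return address.

```python
import re

# Constructed excerpt of the Dr. Watson log quoted above, rejoined onto single lines.
DRWTSN_EXCERPT = """\
eax=0006ed4c ebx=00000000 ecx=7803bbb0 edx=00283798 esi=00000000 edi=41414141
eip=780118e9 esp=0006eae0 ebp=0006ed34 iopl=0 nv up ei pl zr na po nc
FAULT ->780118e9 8a1f mov bl,[edi] ds:41414141=??
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0006ED34 78025B0A 0006ED4C 41414141 0006F564 78025ADD !fcloseall
0006ED6C 01004115 0006ED88 41414141 0006F564 01008050 !vsprintf
0006F558 41414141 41414141 41414141 41414141 41414141 ftp!<nosymbols>
41414141 00000000 00000000 00000000 00000000 00000000 <nosymbols>
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

def is_filler(word):
    """A 32-bit value made of one repeated byte (41414141 = 'AAAA') is the
    signature of a long single-character test string landing in that slot."""
    w = word.lower()
    return len(w) == 8 and w[:2] * 4 == w and w[:2] not in ("00", "ff")

def parse_registers(text):
    """Map register name -> hex value from the 'eax=... edi=...' lines."""
    return dict(re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})", text))

def parse_backtrace(text):
    """Return (frame_ptr, return_addr, function) for each back-trace row."""
    rows, seen_header = [], False
    for line in text.splitlines():
        parts = line.split()
        seen_header = seen_header or "Stack Back Trace" in line
        if seen_header and len(parts) >= 7 and all(HEX32.match(p) for p in parts[:6]):
            rows.append((parts[0], parts[1], " ".join(parts[6:])))
    return rows

def triage(text):
    """Report where filler reached: registers at the fault, and saved return
    addresses on the stack (the sign that the next ret would be hijacked)."""
    regs, frames = parse_registers(text), parse_backtrace(text)
    controlled_rets = [fp for fp, ret, _ in frames if is_filler(ret)]
    return {
        "controlled_registers": sorted(r for r, v in regs.items() if is_filler(v)),
        "eip_controlled": is_filler(regs.get("eip", "")),
        "controlled_return_addrs": controlled_rets,
        "stack_return_overwritten": bool(controlled_rets),
        "call_chain": [fn for _, _, fn in frames],
    }
```

On the excerpt, `triage` flags edi as controlled, eip as not controlled, and the frame at 0006F558 as carrying a 41414141 return address.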