I talked on this issue with kf. Reading "unicode-proof shellcode" in Phrack magazine is extremely recommended. I add the replies with kf as an attachment; might be useful.

c0d3r of IHS
Network Security Researcher

--- Damien Palmer <alacrity@xxxxxxxxx> wrote:

> Seeing as how, given a large enough buffer, it is relatively easy to
> write arbitrary shell code using just ASCII characters, the larger
> unicode space would make this even easier. Unless there are some
> pretty severe unlisted restrictions on either the length or content of
> the overflow string, making an exploit is practically trivial.
>
> If you want a quick'n'dirty overview of shell code using a very
> limited subset of ASCII you can refer to the lecture notes from a unix
> security class I took in Fall 2004 (starting on page 5 of this
> document): http://cr.yp.to/2004-494/0910.pdf
>
> -D
>
> On 8/24/05, Kaveh Razavi <c0d3rz_team@xxxxxxxxx> wrote:
> > It is not a high risk vulnerability. The chance of making a stable
> > exploit in a unicode overflow is low.
> > Regards
> >
> > c0d3r of IHS
> > Network Security Researcher
> >
> > > LeapFTP .lsq Buffer Overflow Vulnerability
> > >
> > > by Sowhat
> > >
> > > Last Update: 2005.08.24
> > >
> > > http://secway.org/advisory/AD20050824.txt
> > >
> > > Vendor:
> > >
> > > LeapWare Inc.
> > >
> > > Product Affected:
> > >
> > > LeapFTP < 2.7.6.612
> > >
> > > Overview:
> > >
> > > LeapFTP is the award-winning shareware FTP client that combines an
> > > intuitive interface with one of the most powerful client bases around.
> > >
> > > Details:
> > >
> > > .LSQ is the LeapFTP Site Queue file, and it is registered with Windows
> > > by LeapFTP. You can save a transfer queue to .lsq files and transfer it
> > > later by opening the .lsq files.
> > >
> > > However, LeapFTP does not properly check the length of the "Host" field;
> > > when an overly long string is supplied, there will be a buffer overflow
> > > and probably arbitrary code execution.
> > >
> > > This vulnerability can be exploited by sending the malformed .lsq file
> > > to the victim; after the victim opens the .lsq file, arbitrary code may
> > > be executed.
> > >
> > > //bof.lsq
> > >
> > > [HOSTINFO]
> > > HOST=AAAAA...[ long string ]...AAAAA
> > > USER=username
> > > PASS=password
> > >
> > > [FILES]
> > > "1","/winis/ApiList.zip","477,839","E:\ApiList.zip"
> > >
> > > SOLUTION:
> > >
> > > All users are encouraged to upgrade to 2.7.6 immediately.
> > > Vendor also released an advisory:
> > > http://www.leapware.com/security/2005082301.txt
> > >
> > > Vendor Response:
> > >
> > > 2005.08.22 Vendor notified via online WebForm
> > > 2005.08.23 Vendor responded and bug fixed
> > > 2005.08.24 Vendor released the new version 2.7.6.612
> > > 2005.08.24 Advisory Released
Attachment:
unicode.txt
Description: 901836124-unicode.txt
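The advisory quoted above says the overflow is triggered by an overly long HOST value in the [HOSTINFO] section of an .lsq file. The following is an added example, not code from the advisory, the thread, or LeapWare: a small checker that parses an .lsq file in its INI-like layout and flags HOST values that exceed a length limit or contain non-printable bytes, the kind of triage a mail gateway or incident responder could run over suspicious attachments. The MAX_HOST_LEN limit is an assumption (the advisory gives no buffer size), and the sample files are constructed.

```python
"""Flag .lsq (LeapFTP Site Queue) files whose [HOSTINFO] HOST value is
overly long. Added example, not the advisory's or LeapWare's code; the
MAX_HOST_LEN threshold is an assumption, since the advisory gives no size."""
import configparser
import io

# Assumed limit: a hostname cannot legitimately exceed 253 characters,
# so anything longer is treated as suspicious regardless of the real buffer.
MAX_HOST_LEN = 253

def parse_lsq(text):
    """Parse .lsq content in its INI-like layout and return a ConfigParser.
    Only '=' is a delimiter (so 'E:\\path' stays intact), lines without one
    (the [FILES] entries) are kept as valueless keys, and interpolation is
    off so '%' in paths is harmless."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep HOST/USER/PASS case as written
    cp.read_file(io.StringIO(text))
    return cp

def check_lsq(text, max_host_len=MAX_HOST_LEN):
    """Return a list of findings; an empty list means the file looks benign."""
    findings = []
    try:
        cp = parse_lsq(text)
    except configparser.Error as exc:
        return ["unparseable .lsq content: %s" % exc]
    if "HOSTINFO" not in cp:
        return ["missing [HOSTINFO] section"]
    host = cp["HOSTINFO"].get("HOST", "")
    if len(host) > max_host_len:
        findings.append("HOST field is %d chars (limit %d)" % (len(host), max_host_len))
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in host):
        findings.append("HOST field contains non-printable or non-ASCII characters")
    return findings

# Constructed samples in the advisory's bof.lsq shape: a short and a long HOST.
BENIGN_LSQ = """[HOSTINFO]
HOST=ftp.example.test
USER=username
PASS=password

[FILES]
"1","/winis/ApiList.zip","477,839","E:\\ApiList.zip"
"""
MALICIOUS_LSQ = BENIGN_LSQ.replace("HOST=ftp.example.test", "HOST=" + "A" * 4000)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_LSQ), ("malicious", MALICIOUS_LSQ)):
        print(name, check_lsq(sample) or "ok")
```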