The other day on exploit-db.com there was a new exploit for FreeFloat FTP 1.0. I took a quick look and decided to see if there were other commands that were vulnerable. I started fuzzing and noticed quite a few commands were overwriting EIP with 41414141: ABOR, ACCT, ALLO and so on. I basically stopped looking because every single command I tried would crash the application.
It seems any unimplemented command causes the same buffer overflow. I posted my exploit on PacketStorm. I also noticed that basically any four letters you send as a pretend command will overflow the buffer. PWND even worked!
If you're interested in buffer overflows or fuzzing, I highly recommend grabbing a copy of this POS software. Whoever coded this did absolutely no checking of user input at all. It really should be used as a learning tool. Everything I found was a straightforward overflow. Good fun!
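From the defender's side, the behaviour described above (unimplemented or made-up four-letter verbs carrying a long padded argument) is easy to spot in FTP control-channel logs. The following is an added example, not code from the post or from FreeFloat FTP; the `KNOWN_VERBS` set, the `MAX_ARG_LEN` threshold and the sample session are assumptions constructed for illustration.

```python
import re

# Assumption: the command verbs from RFC 959 plus common extensions. Verbs such
# as ACCT or ALLO are defined here but still crashed FreeFloat FTP, so the verb
# check alone is not enough; the length and padding checks catch those.
KNOWN_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT",
    "PASV", "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO",
    "REST", "RNFR", "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST",
    "NLST", "SITE", "SYST", "STAT", "HELP", "NOOP", "FEAT", "OPTS", "AUTH",
    "PBSZ", "PROT", "EPSV", "EPRT", "MLSD", "MLST", "SIZE", "MDTM",
}

MAX_ARG_LEN = 256  # assumption: generous upper bound for a legitimate argument

# Classic fuzz padding: 64 or more copies of the same byte (e.g. 'AAAA...').
REPEATED_BYTE_RUN = re.compile(r"(.)\1{63,}")


def classify_line(line):
    """Return the reasons one FTP command line looks like overflow probing.

    An empty list means the line looks like ordinary client traffic.
    """
    reasons = []
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    if verb.upper() not in KNOWN_VERBS:
        reasons.append("unknown-verb")
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized-arg")
    if REPEATED_BYTE_RUN.search(arg):
        reasons.append("repeated-byte-run")
    return reasons


def flag_session(lines):
    """Return (index, truncated line, reasons) for every suspicious line."""
    flagged = []
    for index, line in enumerate(lines):
        reasons = classify_line(line)
        if reasons:
            flagged.append((index, line[:16], reasons))
    return flagged


# Constructed sample control-channel session: two normal lines, then the kind
# of padded unimplemented and invented verbs the post describes.
SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.com\r\n",
    "ACCT " + "A" * 1000 + "\r\n",
    "PWND " + "A" * 1000 + "\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for index, head, reasons in flag_session(SESSION):
        print(f"line {index}: {head!r}... -> {', '.join(reasons)}")
```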