Wednesday, July 20, 2011

FreeFloat FTP Buffer Overflow

The other day on exploit-db.com there was a new exploit for FreeFloat FTP 1.0. I took a quick look and decided to see whether other commands were vulnerable. I started fuzzing and noticed that quite a few commands were overwriting EIP with 41414141: ABOR, ACCT, ALLO and so on. I basically stopped looking because every single command I tried would crash the application.

It seems any unimplemented command triggers the same buffer overflow. I posted my exploit on PacketStorm. I also noticed that basically any four letters you send in place of a command will overflow the buffer. PWND even worked!

If you're interested in buffer overflows or fuzzing, I highly recommend grabbing a copy of this POS software. Whoever coded this did absolutely no checking of user input at all. It really should be used as a learning tool. Everything I found was a straightforward overflow. Good fun!
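As an added illustration of the bug class described above (my own hypothetical C, not FreeFloat's source), here is a command dispatcher whose unimplemented-verb path does what the post says FreeFloat's does not: it bounds the line length before parsing, builds every reply with snprintf and echoes only the parsed verb, never the raw client line. The verb list, `handle_line` and the `probe` fuzz helper are constructed for the example; the 'A' filler is the 0x41 byte behind the 41414141 EIP values seen in the post.

```c
#include <stdio.h>
#include <string.h>
#define REPLY_SIZE 64
#define MAX_LINE   512   /* RFC 959 maximum command line length, CRLF included */

/* Constructed verb list for this toy server. */
static const char *implemented[] = { "USER", "PASS", "QUIT", NULL };
static int is_implemented(const char *verb) {
    for (int i = 0; implemented[i]; i++)
        if (strcmp(verb, implemented[i]) == 0) return 1;
    return 0;
}
static int is_sep(char c) { return c == ' ' || c == '\r' || c == '\n' || c == '\0'; }

/* Copy up to four verb characters; 1 if 3-4 chars are followed by a separator. */
static int parse_verb(const char *line, char verb[5]) {
    size_t n = 0;
    while (n < 4 && !is_sep(line[n])) { verb[n] = line[n]; n++; }
    verb[n] = '\0';
    return n >= 3 && is_sep(line[n]);
}

/* The broken pattern is an unknown-verb path doing strcpy/strcat of the raw
 * client line into a fixed stack buffer. Here the line is bounded before
 * parsing, every reply goes through snprintf and only the parsed verb is echoed.
 * Returns 0 (implemented verb), 1 (unknown verb), -1 (line too long, dropped). */
int handle_line(const char *line, char *reply, size_t reply_size) {
    char verb[5] = "";
    if (strlen(line) > MAX_LINE) {
        snprintf(reply, reply_size, "500 Line too long\r\n");
        return -1;
    }
    if (parse_verb(line, verb) && is_implemented(verb)) {
        snprintf(reply, reply_size, "200 %s accepted\r\n", verb);
        return 0;
    }
    snprintf(reply, reply_size, "500 Unknown command: %s\r\n", verb);
    return 1;
}

/* Constructed fuzz case "<verb> AAAA...\r\n" with `pad` filler bytes, fed to
 * the hardened handler; returns its status code. */
int probe(const char *verb, size_t pad) {
    char line[2048], reply[REPLY_SIZE];
    size_t n = (size_t)snprintf(line, sizeof line, "%s ", verb);
    if (pad > sizeof line - n - 3) pad = sizeof line - n - 3;
    memset(line + n, 'A', pad); n += pad;
    line[n++] = '\r'; line[n++] = '\n'; line[n] = '\0';
    return handle_line(line, reply, sizeof reply);
}
```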
