
comsnd ftp remote format string overflow exploit #481

Merged
merged 2 commits into from Jun 14, 2012

Conversation

stevenseeley
Contributor

comsnd ftp remote format string overflow exploit

@wchen-r7
Contributor

Will be looking at this today, thanks

@wchen-r7
Contributor

Module doesn't work for me. Here's my log (Windows XP SP3):

0:002> r
eax=00d6e930 ebx=00d6eb00 ecx=009b25f8 edx=00000000 esi=00000010 edi=00d6eaf8
eip=7a57354d esp=00d6f054 ebp=00d6e938 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
7a57354d ??              ???

0:002> db 0x71ac4050
71ac4050  ae 93 40 00 f0 79 15 00-f8 b8 15 00 cf 09 00 00  ..@..y..........
71ac4060  24 00 00 00 90 66 15 00-ff ff ff ff 00 00 00 00  $....f..........
71ac4070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 fc 76  ...............v
71ac4080  01 00 00 00 a0 11 fc 76-00 00 ab 71 01 00 00 00  .......v...q....
71ac4090  b8 38 34 00 b8 38 34 00-68 66 15 00 ff ff ff ff  .84..84.hf......
71ac40a0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
71ac40b0  09 00 00 00 b8 66 15 00-ff ff ff ff 00 00 00 00  .....f..........
71ac40c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

0:002> db 0x71ab2636
71ab2636  8b ff 55 8b ec a1 54 40-ac 71 85 c0 56 8b 75 08  ..U...T@.q..V.u.
71ab2646  57 89 06 0f 84 3c 17 00-00 ff 35 48 40 ac 71 ff  W....<....5H@.q.
71ab2656  15 ec 10 ab 71 85 c0 8b-7d 0c 89 07 0f 84 0e 17  ....q...}.......
71ab2666  00 00 33 c0 8b 0f 83 79-44 00 0f 85 e0 94 00 00  ..3....yD.......
71ab2676  5f 5e 5d c2 08 00 90 90-90 90 90 8b ff 55 8b ec  _^]..........U..
71ab2686  51 51 8d 45 fc 50 8d 45-f8 50 ff 15 50 40 ac 71  QQ.E.P.E.P..P@.q
71ab2696  c9 c3 90 90 90 90 90 3b-0d 5c 40 ac 71 0f 85 21  .......;.\@.q..!
71ab26a6  fd 00 00 f7 c1 00 00 ff-ff 0f 85 15 fd 00 00 c3  ................

0:002> u 0x00408d16
*** WARNING: Unable to verify checksum for C:\Program Files\ComSnd FTP\ComSndFTP.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\ComSnd FTP\ComSndFTP.exe
ComSndFTP+0x8d16:
00408d16 cf              iretd
00408d17 ff5260          call    dword ptr [edx+60h]
00408d1a c7472000000000  mov     dword ptr [edi+20h],0
00408d21 5f              pop     edi
00408d22 59              pop     ecx
00408d23 c3              ret
00408d24 90              nop
00408d25 90              nop

Executable modules, item 19
    Base=77C10000
    Size=00058000 (360448.)
    Entry=77C1F2A1 msvcrt.<ModuleEntryPoint>
    Name=msvcrt   (system)
    File version=7.0.2600.5512 (xpsp.080413-2111
    Path=C:\WINDOWS\system32\msvcrt.dll


def initialize(info = {})
  super(update_info(info,
    'Name' => 'ComSndFTP v1.3.7 Beta USER Format String Overflow',
Contributor


Is it a format string bug, or an overflow?

@stevenseeley
Contributor Author

Yeah, format string, sorry, not 'overflow'.
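The distinction raised in review matters for how the bug is found and fixed: in a format string bug the untrusted USER argument is handed to a printf-family function as the format itself, so a username containing "%x" or "%n" is interpreted rather than copied. The following C program is an added example for this thread, not code from the PR or from the Metasploit module. It shows the hardened logging pattern (constant format, username as an argument) and a small detection heuristic that counts format directives in USER values from constructed sample log records; all function names and the sample data are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted.  Flags, width,
 * precision, positional "$" and length modifiers are skipped so that
 * "%08x", "%2$s" and "%hn" each count as one directive. */
int count_format_directives(const char *s)
{
    int count = 0;
    const char *p = s;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%": literal percent */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p))                      /* flags */
            p++;
        while (*p && (isdigit((unsigned char)*p) || *p == '.' ||
                      *p == '*' || *p == '$'))                 /* width/precision */
            p++;
        while (*p && strchr("hlLqjzt", *p))                    /* length modifiers */
            p++;
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {          /* conversion */
            count++;
            p++;
        }
    }
    return count;
}

/* Hardened server-side logging: the username is an argument to a constant
 * format string, so any directives inside it are copied verbatim and never
 * interpreted.  The bug class under discussion is the opposite pattern,
 * printf(user) / fprintf(log, user), where the untrusted string *is* the
 * format.  Returns a pointer to a static buffer for simplicity. */
const char *format_login_message(const char *user)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "USER %s logged in", user);
    return buf;
}

/* One FTP USER attempt as a detector would see it in a server log
 * (constructed sample data, not taken from any real capture). */
typedef struct {
    const char *client;
    const char *user;
} login_attempt;

static const login_attempt sample_attempts[] = {
    { "10.0.0.5",  "anonymous" },
    { "10.0.0.7",  "%x%x%x%x%n" },
    { "10.0.0.9",  "bob%%" },
    { "10.0.0.11", "%08x.%08x.%08x" },
};
#define SAMPLE_COUNT (sizeof sample_attempts / sizeof sample_attempts[0])

/* Flag USER arguments that carry format directives; a legitimate username
 * has no reason to contain "%n" or a run of "%x".  Returns the number of
 * flagged attempts and reports each one on stderr. */
int scan_attempts(const login_attempt *attempts, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        int directives = count_format_directives(attempts[i].user);
        if (directives > 0) {
            flagged++;
            fprintf(stderr, "suspicious USER from %s: %d format directive(s) in %s\n",
                    attempts[i].client, directives, attempts[i].user);
        }
    }
    return flagged;
}

int main(void)
{
    /* Directives survive as plain text because they are data, not format. */
    printf("%s\n", format_login_message("%x%x%n"));
    printf("flagged %d of %zu attempts\n",
           scan_attempts(sample_attempts, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

Compiling a real server with -Wformat-security (and -Werror=format-security where the build allows it) catches the non-literal-format pattern at build time; the directive counter is only a log-side heuristic for spotting probes against a service that cannot be patched immediately.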

@stevenseeley
Contributor Author

Can you give me a kb from the access violation? Which target were you testing? Why dump bytes of 0x71ab2636 and 0x00408d16?

@stevenseeley
Contributor Author

Sorry, 'kv'.

@wchen-r7
Contributor

> why dump bytes of 0x71ab2636 and 0x00408d16?

Oh, I thought that would be useful for you. Guess not :-)

I'll retest soon, thanks.

@wchen-r7
Contributor

My ghetto test results show it failed the very first time, and then began to work consistently over and over again. I'll do a bit more testing before committing.

@wchen-r7 wchen-r7 merged commit a5fca47 into rapid7:master Jun 14, 2012