[27359] in bugtraq
new vulnerability inPowerFTP Personal FTP Server
daemon@ATHENA.MIT.EDU (securma massine)
Wed Oct 9 13:20:38 2002
From: securma massine <securma@caramail.com>
To: bugtraq@securityfocus.com
Message-ID: <1034173313004052@caramail.com>
Mime-Version: 1.0
Date: Wed, 09 Oct 2002 16:21:53 GMT+1
Content-Type: multipart/mixed; boundary="=_NextPart_Caramail_0040521034173313_ID"
--=_NextPart_Caramail_0040521034173313_ID
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
PowerFTP Personal FTP Server is a multithreaded FTP server
for the MS Windows OS by Cooolsoft.
The PowerFTPd is available from vendor Cooolsoft's website:
http://www.cooolsoft.com
I found a vulnerability has PowerFTP that allows a
remote user--any user--to shut down the ftp server (tested
on v 2.24)
I alerted coolsoft (05/10/2002) and as I did not have a
response until A now
1 - by opening a session telnet towards server ftp and
sending a buffer we can crash th server
telnet 127.0.0.1 21
[banner..]
AAA(buffer)
the server is down
2- I realised an exploit being based on another
vulnerability... I still seek possibility to exploit this
fault differently.
you can download and test my exploit
http://www.securma.fr.fm/PFDOS.ZIP
when the attack is launched there is the following
message:
L exeption Exeption logicielle inconnue (0x0eedfade) s'ext
produite dans l'application a l'emplacement 0x77e7f142
Exeption EFtpCtrlsocketexeption in module FTPServer.exe at
00059DE6. Data in buffer , cant change size
This was tested against PowerFTP Personal FTP Server v2.24
securma@caramail.com
_________________________________________________________
Envoyez des messages musicaux sur le portable de vos amis
http://mobile.lycos.fr/mobile/local/sms_musicaux/
--=_NextPart_Caramail_0040521034173313_ID--
