[0day] Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow - PnK:: DCN3T
- Subject: [0day] Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow - PnK:: DCN3T
- From: novathugz at hotmail.com (_)
- Date: Wed Dec 8 12:49:17 2004
##################################################################
Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow
##################################################################
APPE b0f - Found by PnK::DCN3T
Date found: 06.12.04
Affected Versions: Ability Server 2.25
Ability Server 2.32
Ability Server 2.34
Tested OS: Windows XP Pro SP2
Severity: High
Remote Root: Yes
PoC: This is not unlike the 'STOR' b0f discovered by 'muts[at]whitehat.co.il' a week
or 2 ago. The buffer length and RET are the same, this hole is the _same_ issue,
just an ever-so-slightly different attack vector. Switch the 'STOR ' for 'APPE '
Issue: For clarity's sake, by supplying an overly long string to the 'APPE' command on
Ability server 2.25-34 FTP we are able to overflow a buffer and own EIP.
There is working remote code (tweak muts python code a little and you're there).
Patch: No Patch for 0day
Vendor Response: none
Props: muts [at] whitehat.co.il , [!nd!ca , memeng, PhilX]::DCN3T
DCN3T contact: Don't call us we'll call you.
*****************************************************************
*****************************************************************
DCN3T::B|NARY-H0L0CAUST::2005
*****************************************************************
*****************************************************************
Bug Found By Justin Walpole :: DCN3T
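
With no patch available, the condition the advisory describes (an overly long argument to 'APPE' or 'STOR') can be flagged on the FTP control channel before it reaches the server. The following is an added detection example, not part of the original post or of anyone's tooling named in it; `MAX_ARG_LEN`, the function names and the sample capture are assumptions constructed for illustration.

```python
"""Flag over-long STOR/APPE arguments on an FTP control channel (added example)."""

# Assumption: the advisory gives no buffer length, so this limit is a
# constructed, conservative value; tune it to the paths your users really send.
MAX_ARG_LEN = 255
WATCHED = {"STOR", "APPE"}  # the two commands the advisory names


def parse_command(line: bytes):
    """Split one control-channel line into (VERB, argument bytes)."""
    verb, _, arg = line.rstrip(b"\r").partition(b" ")
    return verb.decode("ascii", "replace").upper(), arg


def inspect_stream(data: bytes, max_len: int = MAX_ARG_LEN):
    """Return one finding per STOR/APPE command whose argument is too long.

    Verbs are matched case-insensitively, and a final line with no
    terminator is still inspected, since an oversized command may be seen
    before (or without) its CRLF.
    """
    findings = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        verb, arg = parse_command(line)
        if verb in WATCHED and len(arg) > max_len:
            findings.append({"line": number, "verb": verb, "arg_len": len(arg)})
    return findings


# Constructed client-to-server capture; the long arguments are plain filler.
SAMPLE = (
    b"USER demo\r\n"
    b"PASS demo\r\n"
    b"STOR report.txt\r\n"
    b"appe " + b"A" * 1200 + b"\r\n"
    b"APPE notes.log\r\n"
    b"STOR " + b"B" * 4000  # no CRLF: stream ends mid-command
)

if __name__ == "__main__":
    for finding in inspect_stream(SAMPLE):
        print(finding)
```

The same length check can be enforced inline by an FTP-aware proxy or IDS rule in front of the affected versions; the threshold here is illustrative, not derived from the server.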