unicode overflows - HeapOverflow Computer Security Community & Forums : Heap Overflow.com



23-06-05, 22:02
Once I wrote a PoC "http://www.milw0rm.com/id.php?id=908" for ArgoSoft FTP to say that the new version is still vulnerable. At that time I really didn't give it a try to get a shell, but now, for educational purposes, I am giving it a new try to get a shell. But listen to the story:
As it is a unicode overflow, getting a shell is now easy and reliable. I went to the famous WebDAV unicode overflow exploits.
1) http://www.milw0rm.com/id.php?id=1, which is written by kralor. I went to Undernet #coromputer and spoke to him about this; he told me what to do, but as he is a bit lazy he didn't explain it well (he is very nice). He mentioned high-level memory addressing, which could be useful, or finding a usable address which could be used in EIP.
2) http://www.milw0rm.com/id.php?id=2: Roman explained it very well, but there are still many whys for me!
Aha, EIP = 0x00480004 is what he used,
so I searched and I found some (XP SP1 addresses):
002E00F0 ==> call EAX
00460023 ==> call ESI
and other addresses for ESI,
but I don't see any use in them :( They don't point anywhere useful.
Note that we can use SEH too.
I can send the shellcode with a command like CD before the overflow command and it won't get messed up with 00, but pointing to it is another problem.
I want to know any of your ideas, especially about that high-level memory addressing.
Up to 1.4.2.9 is vulnerable.

class101
24-06-05, 19:21
He did a wise job.
Every long char which would be sent to the server will have a null byte written
in the middle, so we can't overwrite EIP or other registers normally.
EIP would be overwritten like 00410041, which seems useless.


Yes, it's all without a patch. SlimFTPd was already patched in a similar way which I had been able to exploit, I remember. I guess the address of your shellcode isn't fixed; I mean you can try to overwrite EIP with the fixed-up address of your shellcode, but this isn't really reliable. Hmm, you should think that now on XP SP2 and the new OS, if you are using a jmp, you should catch one outside of a loaded module. Take the tool I attach
(from Matt Miller); it dumps every address of a loaded process, then you have to script a bit to find something usable.
Else what you can do is to debug the FTP server a lot, and see if you can redirect EIP to a server function which will then help you get back to your execution code. Hmmm,
there is so much that you can do being able to overwrite 3 bytes. I'm sure you will find something, congrats ;)
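As an added illustration of the point above (not code from this thread or from the FTP server), this C snippet widens an ASCII argument to UTF-16LE the way a server converting client input to wide strings does, which is why an overwritten return-address slot can only ever look like 0x00410041, and pairs it with the length check a patched server applies before copying; widen_checked, slot_value and the 16-byte buffer are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t wide_buf[16];         /* constructed: an 8-wchar destination */

/* Widen a narrow ASCII argument to UTF-16LE, as a server converting input
 * to wide strings does. Returns bytes written, or -1 when the input would
 * not fit in out_cap bytes: this is the bounds check an unpatched server
 * lacks; without it the extra wide chars run past the buffer. */
static int widen_checked(const char *in, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(in);
    if (n * 2 > out_cap)
        return -1;                   /* refuse instead of overflowing */
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (uint8_t)in[i];
        out[2 * i + 1] = 0x00;       /* every ASCII char gains a 00 high byte */
    }
    return (int)(n * 2);
}

/* Read the four bytes at byte offset off as a little-endian 32-bit value:
 * what a saved EIP slot would hold if the widened input reached it.
 * Because of the interleaved 00 bytes the result is always 0x00XX00XX. */
static uint32_t slot_value(const uint8_t *widened, size_t off)
{
    return (uint32_t)widened[off]
         | ((uint32_t)widened[off + 1] << 8)
         | ((uint32_t)widened[off + 2] << 16)
         | ((uint32_t)widened[off + 3] << 24);
}

int main(void)
{
    int len = widen_checked("AAAA", wide_buf, sizeof wide_buf);
    printf("widened %d bytes, slot = 0x%08X\n", len,
           (unsigned)slot_value(wide_buf, 0));
    /* 17 chars need 34 bytes: the checked copy rejects the input */
    printf("oversized input -> %d\n",
           widen_checked("AAAAAAAAAAAAAAAAA", wide_buf, sizeof wide_buf));
    return 0;
}
```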

class101
24-06-05, 19:22
And the binary.

24-06-05, 19:59
Thank you for the information.
I am giving it a try; it won't be an easy job :!: The shellcode address differs on other systems in a normal overflow. As I remember, the WebDAV exploits didn't use to work on many systems! I will do as you said; I will work with that tool.

25-06-05, 11:47
Another example of why I love exploit writing: there are always so many challenges and so many ways of doing something. Constantly running ideas in attempts to better the severity of the exploit is quite enjoyable.
;)

30-06-05, 21:39
Sure, nolimit!
I finished my university entrance exam and now I am free, free, free to work and stick to the job, heh.
A very handy tool, dumping every segment around :P

hx
01-07-05, 00:58
Check this -> http://www.milw0rm.com/id.php?id=1075

I was thinking of your writing, then this was planted on my desk.. hehe. It actually works too; maybe move the file itself (PoC), I have bin/c here, to the xpsp2k EIP section, but then also, this is kinda advanced, and I think it would be happier here, with some cool pizza-eating dudes ;)

(Yes, it compiles fine, and no, don't ask how or what shellcode addresses to change; that is not needed on this version :))

I can supply help on this, in varied forms of course depending on how/who, and yes, it will get shell. Not tested outside my LAN, but this is a fine example of some advanced stuff which is working.
Regards,
hx

01-07-05, 17:43
I don't get the point; the code you linked is not a unicode overflow nor related to this subject.

If you want to help, then try to help :wink:
And about those articles you sent, they are great :)

26-11-05, 09:16
How can you say that? No way!