-= Unl0ck Team Security Advisory =-

                                   ... the best way of protection is attack
                                   http://unl0ck.void.ru

Advisory     : #11 by unl0ck team
Product      : Win Ftp Server (latest version)
Vendor       : http://www.wftpserver.com/
Date         : 11.02.2005
Impact       : unicode buffer overflow
Advisory URL : http://unl0ck.void.ru/papers/adv/wftpd.txt

-=[ Overview

WinFTP Server is a multithreaded FTP server for Windows 98/NT/XP. It comes with an easy-to-use interface and can be accessed from the system tray. The server handles all basic FTP commands and offers easy account management and support for virtual directories. It tries to bring all the user's requested features together. It is the most simple and powerful FTP server to install and manage.

]=-

-=[ Vulnerability

A Unicode buffer overflow vulnerability exists in many commands of this Win32 server, for example USER, PASS, CWD, MKD, etc. By sending a very long command, the server will crash. If the server is run in a debugger (e.g. OllyDbg), you will see that the EIP register is overwritten with 0x00610061; this tells us that it is a Unicode buffer overflow (the ASCII input has been widened to UTF-16 before the copy, so each byte of the overflowing pattern is followed by a null byte). For some commands the overflow reaches the SEH handler instead, so the SEH technique applies. A PoC exploit can be found on our site, in the releases section.

]=-

-=[ Credits

The bug was found by Dark Eagle
Unl0ck Team [http://unl0ck.void.ru]

]=-

-=[ Greetz

All greetz go out to: nekd0, antiq, choix, coki, tal0n, crash-x, setnf, 0xdeadbabe, gst etc...

]=-
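The following Python is an added example written for this advisory; it is not code from Unl0ck Team or from the WinFTP vendor. It shows two things a defender triaging this class of bug wants: why a crash register such as EIP = 0x00610061 points to a Unicode (UTF-16LE) widening of an ASCII overflow pattern, and a simple check that flags FTP command lines whose arguments exceed a per-command length limit, as a detection or pre-filter. The per-command limits, the widening model and the sample command lines are constructed assumptions for the example, not values from the advisory or from the product.

```python
import struct
from typing import Optional

def unicode_widen(ascii_bytes: bytes) -> bytes:
    """Model the ANSI->UTF-16LE conversion a Win32 server applies before
    copying into a fixed-size wide-char buffer (constructed model)."""
    return ascii_bytes.decode("latin-1").encode("utf-16-le")

def value_at_offset(command_arg: bytes, offset: int) -> int:
    """Return the 32-bit little-endian value found at `offset` in the widened
    buffer. Modelling the overflow this way explains why an 'a' pattern yields
    0x00610061 in EIP rather than the 0x61616161 a narrow copy would give."""
    widened = unicode_widen(command_arg)
    return struct.unpack_from("<I", widened, offset)[0]

def explain_eip(eip: int) -> Optional[str]:
    """Triage helper: if `eip` is the UTF-16LE encoding of two printable ASCII
    characters (pattern 0x00XX00YY), return those characters, else None.
    A result such as 'aa' is the signature of a Unicode overflow."""
    raw = struct.pack("<I", eip)
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if all(0x20 <= ord(ch) < 0x7F for ch in text):
        return text
    return None

# Constructed per-command argument limits; real deployments would tune these
# to the server's documented maxima (RFC 959 itself sets no limits).
FTP_CMD_LIMITS = {"USER": 64, "PASS": 128, "CWD": 260, "MKD": 260}
DEFAULT_LIMIT = 512

def flag_oversized_commands(lines):
    """Return (VERB, length) for every command line whose argument exceeds
    the limit for that verb. Useful on a proxy, an IDS rule set or a log
    review to spot the oversized commands this advisory describes."""
    findings = []
    for line in lines:
        verb, _, arg = line.strip().partition(" ")
        limit = FTP_CMD_LIMITS.get(verb.upper(), DEFAULT_LIMIT)
        if len(arg) > limit:
            findings.append((verb.upper(), len(arg)))
    return findings

if __name__ == "__main__":
    # Constructed sample session: one normal login and one oversized USER.
    sample = [
        "USER anonymous",
        "PASS guest@example.org",
        "CWD /pub",
        "USER " + "a" * 2000,
    ]
    print(flag_oversized_commands(sample))          # [('USER', 2000)]
    print(hex(value_at_offset(b"a" * 2000, 100)))   # 0x610061
    print(explain_eip(0x00610061))                   # aa
    print(explain_eip(0x41414141))                   # None (narrow ASCII overflow)
```

The `explain_eip` check is the quick way to classify a crash: an EIP of the form 0x00XX00YY with printable XX and YY means the input pattern was widened to UTF-16 before it overwrote the return address, which is exactly the 0x00610061 observation in the advisory; a value like 0x41414141 would instead indicate a plain narrow-byte overflow.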