Vulnerability Development mailing list archives

Re: WarFtpd 1.65 Buffer Overflow


From: dullien () gmx de
Date: Sun, 2 Dec 2001 04:14:11 -0800

Hey,

CD> like 009ad231 and I know I can't send NULL's. So I need to find an
CD> address to get there and I am having a hell of a time finding one...
CD> So if anyone on the list has some spare time and feels like helping
CD> me please let me know.

You can easily send that null byte. Remember, strings are terminated
with a NULL, and the addresses on the stack are stored in
little-endian notation: 0x31 0xD2 0x9A 0x00 at the end should do it.
Beware though, under NT it is usually not a wise idea to point stuff
directly at a buffer you've found -- that address is subject to quite
a bit of change due to multithreading issues etc.

Cheers,
dullien () gmx de
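The two points in the reply above, as an added example that is not part of the original post or thread: the little-endian layout of a 32-bit address puts the zero high byte last, and a local buffer's address differs from thread to thread, which is why hard-coding such an address is unreliable. It assumes a 32-bit address value and Rust's standard threads; the 0x009ad231 value is the one from the quoted message, every other name is this example's own.

```rust
use std::sync::{Arc, Barrier};
use std::thread;

/// Byte layout of a 32-bit value in little-endian memory order.
/// For 0x009ad231 this is [0x31, 0xd2, 0x9a, 0x00]: the high byte, zero,
/// is the last one in memory.
pub fn le_bytes(addr: u32) -> [u8; 4] {
    addr.to_le_bytes()
}

/// Address of a local (stack) buffer in whichever thread calls this.
fn stack_buffer_address() -> usize {
    let buf = [0u8; 64];
    buf.as_ptr() as usize
}

/// Stack-buffer address reported by each of `n` threads that are all alive
/// at the same time (the barrier prevents a finished thread's stack from
/// being recycled for a later one, which would hide the difference).
pub fn thread_stack_addresses(n: usize) -> Vec<usize> {
    let barrier = Arc::new(Barrier::new(n));
    let handles: Vec<_> = (0..n)
        .map(|_| {
            let b = Arc::clone(&barrier);
            thread::spawn(move || {
                let addr = stack_buffer_address();
                b.wait(); // stay alive until every thread has reported
                addr
            })
        })
        .collect();
    handles
        .into_iter()
        .map(|h| h.join().expect("thread panicked"))
        .collect()
}

/// True when no two threads reported the same buffer address.
pub fn all_distinct(addrs: &[usize]) -> bool {
    let mut sorted = addrs.to_vec();
    sorted.sort_unstable();
    sorted.windows(2).all(|w| w[0] != w[1])
}

fn main() {
    println!("0x009ad231 in memory: {:02x?}", le_bytes(0x009a_d231));
    let addrs = thread_stack_addresses(4);
    for (i, a) in addrs.iter().enumerate() {
        println!("thread {i}: local buffer at {a:#x}");
    }
    println!("all distinct: {}", all_distinct(&addrs));
}
```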
