I know of at least 2 vulnerabilites in proftp, although looking at the code there are probably hundreds more. The first one is in sreplace() and is overflowable by making lots of nested paths. The overflow is in the form of a while loop where a pointer to a local buffer is continually written to and incremented. It is particularly difficult to exploit because you have to overwrite many arguments on the stack, including an array of pointers and the pointer itself ! Unless you can preserve the stack by being very cunning this is effectively unexploitable. (it segfaults before the function returns). The second one is much nicer. it occurs in log_xfer when STOR command is invoked. -- sprintf(buf,"%s %d %s %lu %s %c _ %c %c %s ftp 0 *\n", fmt_time(time(NULL)),xfertime,remhost,fsize, fname,xfertype,direction,access,user); -- where fname is the name of the file u are STORing and buf is the only local buffer on the stack (1024 bytes long); This is not so easy since you have to take account of the length of the arguments preceding fname, i.e. fmt_time(time(NULL)), xfertime, remhost, fsize heres a snippet from my xferlog file: -- Thu Dec 2 19:19:14 1999 0 localhost 0 /tmp/blah b _ i r dave ftp 0 * -- ^^^^^^^^^^^^^^^^^^^^^^^^ The formatted time is thankfully always the same size, 24 bytes, the xfer time is dependant on how long you stay connected, preferably 0, giving a 1 byte string. the hostname that the remote server sees, you should be able to find out yourself for sure(try SMTP). the fsize you should be able to control as well, in my case 0. So adding all that up gives an inital offset into the buffer of 30 + strlen(hostname) therefore the distance until the end of the buffer is 996-strlen(hostname) bytes consider the length of the buffer to be 996-strlen(hostname) Calculating the offset is quite difficult off hand but basically all you have to do is create 4 big directorys (194 chars long), then another directory approx 200 - strlen(initdir) - strlen(hostname) chars long with the nops and shellcode. then STOR a 19 byte string with the return addresses at the end. Note that this last directory has to have a length <= 194 but this shouldn't be a problem unless you are writing to '/' with a 4 char hostname.... Hopefully this won't 'exploit' the first bug explained above because the string we are sending is too small to overflow that buffer (1004-strlen(hostname)). update: I just found out there is a far better (and easier!) way to exploit proftp which requires only anonymous and a file which you can read. it is still in log_xfer(). all you have to do is log in as anonymous with a really long password and do RETR somefile. the transfer (including your password) is logged, and voila. I have to get around to adding this.